UK Cyber Bill teases mandatory ransomware reporting
In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice, and to mandate incident reporting
Keir Starmer’s Labour government is to bring forward a Cyber Security and Resilience Bill in the new parliamentary term, with the intent of strengthening the UK’s cyber defences and ensuring the continuity and protection of digital services, with a proposed mandate on compulsory ransomware reporting a keystone of the law.
One of many potential new pieces of legislation trailed in the King’s Speech at the State Opening of Parliament, the Bill recognises that UK plc is increasingly attacked by financially-motivated cyber criminals and state actors alike, with organisations both large and small frequently targeted.
Existing cyber laws, the government said, reflect law inherited from the European Union (EU) which is now being superseded by Brussels and therefore need an urgent update to keep pace.
The government said essential services and critical national infrastructure (CNI) in particular are vulnerable to hostile actors, as evidenced by a litany of cyber attacks over the past few years affecting NHS suppliers and Trusts, the Ministry of Defence, the British Library, the Electoral Commission, Royal Mail, and countless other bodies.
As such, the Bill contains two main objectives: to expand the remit of existing regulation and give regulators a more solid footing when it comes to protecting digital services and supply chains, and to improve reporting requirements to help build a better picture of cyber threats.
In future, said the government, a greater number of regulatory bodies may receive enhanced powers including, potentially, cost recovery mechanisms to provide resources, and the ability to proactively investigate vulnerabilities in IT systems.
Meanwhile, it said, mandatory incident reporting will help the government collate better data on cyber attacks, to improve the national understanding of the threats the UK faces, and help alert organisations and individuals to potential attacks by expanding the type and nature of incidents that must be reported by a regulated entity. This would, naturally, include ransomware attacks.
Ransomware reporting
Part of the government’s aim is to keep up with the EU, particularly as it prepares to commence enforcement, on 17 October 2024, of the next-gen Network and Information Security Directive (NIS2). Yet if the government succeeds in its ambition to mandate ransomware reporting, the UK will actually move ahead of Europe in some regards, a point noted by risk experts at law firm Ashurst.
Matt Worsfold, partner with Ashurst Risk Advisory said: “If the proposed legislation goes ahead as outlined, it will be striking to see how the statistics around ransomware attacks potentially jump in the face of mandatory reporting, given that the widely held view to date is that current statistics are not representative of the reality.”
Strong commitment
Louise Marie Hurel, a cyber research fellow at the Royal United Services Institute (RUSI) think tank, said the Bill was a strong indication of the government’s commitment to cyber and contrasted strongly with a single reference to cyber attacks in the Labour manifesto. She argued that cyber security was some way beyond a niche topic; indeed, it has now become “transversal to ensuring the sustainability of the government’s strategy in a range of areas”.
“While there is still limited visibility over the text of the proposed Bill, the document will need to ensure that any reporting requirements are implementable and done in a dialogue with industries of different sizes if it is to be effective,” said Hurel.
“This will require a fine balance between innovation and updates to existing data and cyber incident reporting requirements. But the Bill, albeit an indicator of commitment to ensuring enhanced national cyber resilience, needs to be part of a vision that effectively integrates prevention and responses to cyber threats.
“The next months will show how the Labour government will seek to enhance the UK’s capacity to combat cyber crime – and especially ransomware – as part of its mentions of online fraud in the manifesto, and respond to state-affiliated cyber threats, which should also be included in the upcoming defence review.”
Illumio director of critical infrastructure Trevor Dearing was among many security leaders to praise the government’s plans, but he tempered this with a warning.
“Increased powers for regulators and reporting will be critical for building cyber resilience,” he said. “However, regulation will only be successful if accompanied with additional funding for public bodies, otherwise all that will happen is that regulations create an unrealistic goal that is cost-prohibitive to implement.
“It’s also important that we see a strong emphasis on supply chain security given that third-party providers form the lifeblood for government departments. Cyber criminals will always go after the weakest link in the chain to gain access to more valuable systems, so we must recognise the inevitability of a breach from suppliers and mitigate risk accordingly. A risk-based approach to security is key to achieving this, making sure that the most threatened services get the most resource.”
Cyber wishlist
Others said they wished the government had dared to go further. Camellia Chan, CEO of Flexxon, a specialist in secure data storage, said she would have liked to see more emphasis placed on combating cyber crime, and in particular keeping the NHS safe.
“Healthcare – from national health services to small hospitals and pharmacies – is a goldmine for criminals looking to extort data and demand financial compensation. However, the consequences of such attacks can extend far beyond financial losses and directly impact patient care,” said Chan.
“This can result in delays in receiving vital medication, medical results being unavailable, and facilities closing, all of which could be fatal. In the case of the NHS, ransomware attacks have led to the cancellation of appointments, delaying treatment for thousands of patients. It’s time for health organisations, including the NHS, and the government to take action and put their money where their mouth is by investing in the latest cyber innovations.”
Meanwhile, NCC’s Matt Hull, speaking in his capacity as a representative of the long-running CyberUp campaign – which wants urgent reform of the outdated Computer Misuse Act of 1990, a law that in its current form risks penalising legitimate threat research with criminal sanctions – said the group would keep up the pressure in the new parliament.
“The introduction of the Cyber Security and Resilience Bill today will be key to keeping the UK safe from rising cyber attacks. With cyber crime rising by nearly a third last year, it is heartening to see the government prioritise updates to our cyber laws,” said Hull.
“We look forward to working with the government on further ways to upgrade the country’s cyber resilience, particularly on any efforts to tackle the outdated Computer Misuse Act 1990.
“Updating the Act will enable the UK’s cyber professionals to better protect the UK online, safeguarding the digital economy and unlocking the full growth potential of our cyber security industry,” he added.