
The UK government will today introduce their new Cyber Security and Resilience Bill (CSRB) to parliament, which aims to toughen existing defences against cyberattacks – particularly those that impact the health, energy, water and transport networks – and imposes new requirements on broadband, mobile, managed service providers, data centres and even their suppliers.
Regular readers will know that the previous government already legislated in this area via the tedious Product Security and Telecommunications Infrastructure Act (here). But the UK's existing cyber resilience rules for essential services were derived from EU law that has since been superseded in the EU, and so the government says the UK legislation needs another update to “ensure that our infrastructure and economy is not comparably more vulnerable.”
The CSRB will bring many more organisations and suppliers into scope of the regulations, including data centres and medium and large companies that provide services such as IT management, IT help desk support and cybersecurity to private and public sector organisations. It will also mean that third-party suppliers must improve their security in areas such as risk assessment, to minimise the possible impact of cyber-attacks, while also strengthening their data protection and network security defences.
Organisations in scope will also need to report a wider range of harmful cyber incidents to their regulator and the National Cyber Security Centre (NCSC) within 24 hours, with a full report within 72 hours, so that support can be on hand more quickly and to “help build a stronger national picture of cyber threats”.
In addition, if a data centre, or a digital or managed service provider, “face[s] a significant or potentially significant attack”, it will have to promptly notify the customers likely to be impacted, so those organisations can act fast to protect their business, people and services.
The government will also gain “greater flexibility to update regulatory frameworks when needed” and will hand the Technology Secretary new powers to direct regulated organisations to shore up their monitoring and cyber defences, such as when responding to “changing threats and technological advancement” (there’s a focus on particular high-risk systems).
New safeguards will also cover organisations that manage the flow of electricity to smart appliances like electric vehicle (EV) charge points and electrical heating appliances in homes. “This will reduce the risk of disruption to consumers using smart-energy appliances, and the grid, bolstering the UK’s energy security,” said today’s announcement.
Naturally, enforcement will also play a role for those that fail to grasp the nettle. Enforcement will be “modernised”, which means “tougher turnover-based penalties for serious breaches so cutting corners is no longer cheaper than doing the right thing”. In particular, the government rightly expects that companies providing taxpayer-funded services should make sure they have “tough protections in place to keep their systems up and running”, although such things should ideally already be happening as part of contractual requirements.
Liz Kendall, UK Science, Innovation, and Technology Secretary, said:
“Cyber security is national security. This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.
We all know the disruption daily cyber-attacks cause. Our new laws will make the UK more secure against those threats. It will mean fewer cancelled NHS appointments, less disruption to local services and businesses, and a faster national response when threats emerge.”
Dr Richard Horne, CEO of the National Cyber Security Centre, said:
“The Cyber Security and Resilience Bill represents a significant step towards ensuring the nation’s most critical services are better protected and prepared in the face of an increasingly complex threat landscape.
The real-world impacts of cyber attacks have never been more evident than in recent months and so we welcome the move to strengthen legislation and regulatory powers to help drive up the level of defence and resilience across critical national infrastructure.
Cyber security is a shared responsibility and foundation for prosperity, and so we urge all organisations, no matter how big or small, to follow the advice and guidance available at ncsc.gov.uk and to act on it with the urgency that the risk requires.”
The Office for Budget Responsibility (OBR) estimates that a cyber-attack on critical national infrastructure could temporarily increase borrowing by over £30 billion – equivalent to 1.1% of GDP – so it’s easy to understand why the government wants to get tougher with its rules.
However, it may be worth pointing out that any organisation, individual or business with a public online presence (a public website, internet-facing servers etc.) will be hit by automated attacks (port scans, credential stuffing, vulnerability probes and the like) on a more or less daily basis, which has long been par for the course on the internet. That background noise makes it harder to separate out the genuinely serious attacks, particularly when deciding what must be reported under the new 24-hour requirement.
In principle, all of the above sounds like positive news, although we do worry about the risk of excessive political interference creating an increasingly cumbersome burden for network security teams. In some cases, the extra administration might actually slow their ability to respond to sudden threats, or impose an excessive cost burden.
Similarly, it’s easy for the government to put all the pressure and responsibility on network operators and businesses, but we must not forget that they are also the victims of cyberattacks. On the flip side, there seems to be less focus on bolstering the police and security services, which need more resources to help combat and pursue the perpetrators of such crimes.
It is more important to politicians that they be seen to be doing something than it is to provide effective guidance and regulation.