Government Proposes New Laws In Cyber Security Review
New measures proposed to bolster the resilience of British businesses facing an ever growing number of cyber attacks
The government is seeking to improve the ability of British businesses to resist the increasing number of cyber attacks directed against them.
The government is therefore proposing new laws that will improve security standards in outsourced IT services used by almost all UK businesses.
It proposes that any firms providing essential digital services should follow strict cyber security duties, with large fines for non-compliance. Other legislative proposals include improved incident reporting and driving up standards in the cyber security profession.
Cyber resilience
It comes after the British government last month published its National Cyber Strategy, designed to ensure the country has the necessary means to defend itself in cyberspace.
That strategy aims to reinforce the UK’s economic and strategic strengths in cyberspace, including more diversity in the workforce.
And now the government is proposing new laws to improve security standards.
One of these additional proposal concerns the independent UK Cyber Security Council, which regulates the cyber security profession.
The government believes the Cyber Security Council needs additional powers to raise the bar and create a set of agreed qualifications and certifications, so those working in cyber security can prove they are properly equipped to protect businesses online.
The government points to high profile cyber attacks such as SolarWinds and on Microsoft Exchange Servers which highlighted the vulnerabilities in third-party products and services used by businesses, which in turn can be exploited by cybercriminals and hostile states, affecting hundreds of thousands of organisations at the same time.
And of course there is the ever increasing ransomware scourge, which in 2021 crippled critical infrastructure in the United States such as the Colonial Pipeline attack in the US.
Indeed, so serious was that attack that the US government engaged emergency powers and US President Joe Biden received “personal briefings” about it. And the attack dominated the face-to-face meeting in June 2021 between Biden and Russia’s President Vladimir Putin.
The US government is thus now forcing all federal agencies to ensure their IT systems are running the latest patches, and the British are looking to follow suite.
Criminals, hostile states
“Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched,” noted Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats,” said Lopez.
“Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online,” she said. “It is not an optional extra.”
To make the UK more secure and help prevent these types of attacks the government is aiming, through new legislation, to take a stronger approach to getting at-risk businesses to improve their cyber resilience as part of its new £2.6 billion National Cyber Strategy, introduced in December 2021.
This week the Government has proposed updating the Network and Information Systems (NIS) regulations, which came into force in 2018 to improve the cyber security of companies which provide essential services such as water, energy, transport, healthcare and digital infrastructure.
Organisations which fail to put in place effective cyber security measures can be fined as much as £17 million.