The UK government has proposed new laws to strengthen cyber resilience in the private sector. The proposals include expanding cybersecurity rules for national infrastructure operators to include managed service providers, stricter incident breach reporting requirements, and legislation to establish the UK Cyber Security Council as the standards-setting body for the cybersecurity profession. Experts have welcomed the proposals, but say more clarity is needed before they can be put into action.
New cybersecurity laws in the UK
As part of the UK’s new £2.6bn National Cyber Strategy, the Department of Digital, Culture, Media and Sport (DCMS) yesterday opened a consultation on a new set of rules designed to strengthen cybersecurity in the private sector.
One of the key aims is to address the risks surrounding managed service providers (MSPs). These have become the target of high-profile cybersecurity attacks in recent months, as criminals seek to compromise not only the MSPs themselves but also their network of customers. A ransomware attack on US MSP Kaseya last year is believed to have affected up to 1,500 of its customers.
MSPs “provide an essential service to other businesses and organisations,” wrote Julia Lopez MP, minister of state for media, data, and digital infrastructure, in her foreword to the proposals. “We do not want to interfere in their ability to operate. But they do create risks which we need to manage, especially when their clients include government departments and critical infrastructure.”
The government proposes to expand the scope of the Security of Networks & Information Systems (NIS) directive to include MSPs. The directive currently requires national infrastructure operators, such as energy and transport providers, to meet certain cybersecurity standards and report incidents to the relevant regulators. Failure to comply can lead to fines of up to £17m.
Tightening cybersecurity rules for MSPs is a good idea, says Niel Harper, cybersecurity policy advisor to the World Economic Forum. MSPs “not only have privileged access to their customers’ infrastructure and applications, but also to the personal data of millions of citizens,” he says. “A single breach of an MSP can potentially allow threat actors to compromise hundreds, even thousands of organisations.”
New breach reporting rules for infrastructure operators
The government is also proposing a change to NIS rules so that companies covered by the directive must report any cybersecurity breach to their regulator, not only those that have a “significant impact” on their operations.
An investigation by Sky News last year found that the Department for Transport had received no cybersecurity incident reports from travel operators under the NIS directive in 2019, but had received nine on a voluntary basis. This suggests that the directive itself is not promoting transparency. “There needs to be a mechanism that incentivises earlier reporting of significant breaches, even if they don’t lead to impact in terms of continuity of service or financial loss,” Dr Tim Stevens, head of the Cyber Security Research Group at King’s College London, told Tech Monitor at the time.
Requiring infrastructure operators to report all incidents allows governments to share information with other operators and tackle threats as they emerge. It can also help protect consumers who might be affected by a breach, explains Harper. “It ensures that [regulators] keep pace with the evolving threat landscape to better protect consumers by allowing them to respond quicker to leaks of their information,” he says.
The proposed rules would also encourage operators to tighten their defences, says Jaclyn Kerr, senior research fellow for defence and technology futures at US military academy the National Defense University. “It requires companies to be more accountable for security failings, which in turn can also contribute to better risk assessment,” she says.
Toby Lewis, global head of threat analysis at security company Darktrace, welcomes the proposed update to reporting rules but warns that its wording may need clarification. “The definition of a ‘cyberattack that doesn’t affect services’ could prove confusing for companies to have to report as this could theoretically include every log from your firewall or every bit of malware found by your anti-virus.”
The proposed expansion to the scope of the NIS directive also requires clarification, Lewis says. “At the moment, there is little clarity on which organisations fall within the scope of these new laws and why.”
New laws to empower the UK Cyber Security Council
Alongside the proposed legislative changes, the government has also launched a consultation on new measures to ‘empower’ the UK Cyber Security Council, the self-regulatory body for the cybersecurity profession.
The Council was launched in March 2021, after a previous government consultation found that cybersecurity professionals and their employers are hampered by a glut of overlapping qualifications and certification bodies. The Council was tasked with providing clarity by establishing new standards and other mechanisms, such as a Career Pathways Framework.
The government is concerned, however, that the Council’s standards may not be adopted voluntarily. “This approach has been undertaken previously in this space and has not achieved the intended objective of embedding professional standards and pathways,” it said this week.
DCMS is therefore inviting views on whether further government intervention, such as legislation that formally recognises the Council as the standards-setting body for the cybersecurity profession, is required to ensure take-up of its standards.
Other proposed measures include a Register of Practitioners for cybersecurity, as exists in the medical and legal professions. “This would set out the practitioners who have met the eligibility requirements to be recognised as a suitably qualified and ethical senior practitioner under a designated title award.”
As well as helping companies find suitably trained staff, more reliable certification for cybersecurity skills would also help them assess the capabilities of their suppliers, observes Kerr. “The focus on certifying levels of training for people working in cybersecurity appears also to be directed partly at supply chain and service risks.”