The government has said it will strengthen the UK’s cyber defences with a new law that would expand the remit of existing regulation and give more power to regulators.
The government will also increase cyberattack reporting requirements placed on businesses, including where a company has been subject to a ransomware attack, saying it will allow agencies to get a better picture of current vulnerabilities.
“Our essential services are vulnerable to hostile actors and recent cyber attacks affecting the NHS and Ministry of Defence show the impacts can be severe,” the briefing note said.
It added: “We need to take swift action to address vulnerabilities and protect our digital economy to deliver growth. The Bill will strengthen the UK’s cyber defences, ensure that critical infrastructure and the digital services that companies rely on are secure.”
Legislation Must Be Fit for Purpose
Carla Baker, senior director of government affairs for the UK and Ireland at cybersecurity firm Palo Alto Networks, welcomed the news, saying cybersecurity plays a vital role in building resilience among critical sectors as well as driving economic growth.
“Maintaining the security of the critical national infrastructure in the face of the continually changing threat landscape must be a priority, and we welcome the announcements today,” she said.
Ms. Baker cautioned, however, that “it will be vital that the government work with industry to ensure that security requirements in the legislation are fit for purpose and strike the right balance between building resilience and fostering innovation.”
Ransomware Attack on NHS
The bill was revealed after the UK experienced a number of high-profile cyberattacks in the last year.
The NHS later confirmed that criminals had published the stolen data online.
China, Russia, Iran, and North Korea Pose Greatest Risk
A significant attack on the UK’s democratic institutions was revealed in March, when then-Deputy Prime Minister Oliver Dowden told the House of Commons that hackers affiliated with the Chinese communist regime had conducted a campaign of online reconnaissance aimed at the email accounts of MPs and peers. They were also responsible for a cyberattack on the Electoral Commission.
In response, the UK sanctioned the Wuhan Xiaoruizhi Science and Technology Company Limited, a front company of the Chinese regime-affiliated hacking group APT31, and Zhao Guangzong and Ni Gaobin, members of APT31.
The National Cyber Security Centre (NCSC)—part of GCHQ and the UK’s technical authority on cyber security—said last year in its annual review that the nation’s critical sectors face “enduring and significant” threats, owing in part to an increase in hostile states and state-sponsored actors engaging in aggressive cyber activity.
CEO of the NCSC Felicity Oswald said during the CyberUK conference in May that Russia, China, Iran, and North Korea “continue to pose the greatest risk to the UK and our allies.”