On 17 July 2024, it was announced at the State Opening of Parliament that the Labour government would introduce a Cyber Security and Resilience Bill (CS&R). [1] The proposed legislation is intended to update the existing Network and Information Systems Regulations 2018, known as UK NIS. [2] CS&R is meant to strengthen the UK's cyber defences and its resilience to hostile attacks by addressing vulnerabilities in the infrastructure and critical services that UK companies rely on, while ensuring the digital economy can continue to deliver growth. [3]
The legislation will expand the remit of the existing regulations and put regulators on a stronger footing, as well as increasing the reporting requirements placed on businesses to help build a better picture of cyber threats. [4] Its aim is to strengthen UK cyber defences, ensuring that the critical infrastructure and digital services which companies rely on are secure. [5] The Bill will extend and apply UK-wide. [3]
The new laws are part of the Government's pledge to strengthen UK cyber security and protect the digital economy. [6] CS&R will introduce a regulatory framework designed to enforce cyber security measures across the regulated sectors. This framework will include mandatory compliance with established cyber security standards and practices, and businesses will need to demonstrate their adherence to those standards through regular audits and reporting. [7] The legislation is also expected to include cost recovery mechanisms to resource regulators, and to give regulators powers to proactively investigate potential vulnerabilities. [8]
The key facts from the King's Speech are: [3]
i) The current UK NIS regulations play an essential role in safeguarding the UK's critical national infrastructure by placing security duties on the industries involved in delivering essential services. [9] They cover five sectors (transport, energy, drinking water, health and digital infrastructure) as well as some digital services, including online marketplaces, online search engines and cloud computing services. Twelve regulators are responsible for enforcing the present regulations.
ii) Hostile cyber actors are increasingly targeting UK critical sectors and supply chains. Recent high-profile attacks affecting London hospitals and the Ministry of Defence, as well as ransomware attacks on the British Library and Royal Mail, have highlighted that UK services and institutions are vulnerable.
iii) A cyber attack on these sectors poses severe risks to UK citizens, core services and the wider economy. For example, as a result of the ransomware attack affecting the NHS in England in June 2024, 3,396 outpatient appointments and 1,255 elective procedures were postponed across King's College Hospital, Guy's Hospital and St Thomas' Hospital, all in South London. The cost of cybercrime in the UK in 2023 has been estimated at $320 billion, roughly £225 billion. [10]
iv) The National Cyber Security Centre (NCSC) assesses that the threat from hostile states and state-sponsored actors continues to escalate. In a recent speech at CYBERUK, NCSC CEO Felicity Oswald warned that providers of essential services in the UK cannot afford to ignore these threats. [11]
v) Two post-implementation reviews of UK NIS found that the original regulations are having a positive impact, but that progress has not been fast enough. [12] [13] The 2022 review found that they "are a vital framework in raising wider UK resilience against network and information systems security threats", but that updates are required to keep pace with growing threats. Just over half of operators of essential services have updated or strengthened their existing policies and processes since the UK NIS Regulations came into force in 2018; those regulations transposed the EU NIS Directive (2016/1148). [2] [14]
The same King's Speech also announced a separate Digital Information and Smart Data Bill. Under that Bill, digital verification services would be established, including "digital identity products to help the public quickly and securely share key information about themselves as they use online services in their everyday life." [4]
A National Underground Asset Register would be created, giving "planners and excavators instant, standardised access to pipe and cable data around the country." [4]
It would also enable the creation of smart data schemes, "which would allow for the secure sharing of customer data, upon their request, with authorised third-party service providers." [4]
CS&R will introduce mandatory ransomware reporting so that the authorities can better understand the threat and "alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report." [6] [15] While this information is likely to improve resilience to attacks, the administrative burden of the reporting may add further cost on top of the expense of the incident itself. [6]
As modern business practices are interconnected, organisations must ensure that their partners and suppliers also adhere to the standards set by the CS&R. [6]
In the EU, the original NIS Directive (Directive (EU) 2016/1148) is being replaced by Directive (EU) 2022/2555, known as NIS 2. [16] [17] NIS 2 introduces wide-reaching changes to the existing EU cyber security rules for network and information systems. [16] CS&R is expected to bring the UK NIS Regulations 2018 to a framework similar to the EU's. [16] [18]
The proposals do not yet say what penalties will apply for non-compliance, or what information regulators will require from an organisation that has suffered a cyber security incident. [19]
Jon Ellison, NCSC Director of National Resilience, said that the proposed bill was "a landmark moment tackling the growing threat to the UK's critical systems". [20] He continued that it will be "a crucial step towards a more comprehensive regulatory regime, fit for our volatile world". [20]
Former head of the NCSC Ciaran Martin, along with other experts, welcomed the legislative proposal. On social media, he wrote that the proposed legislation seemed sensible, with mandatory reporting requirements being a significant and positive step. [21]
Matt Hull, a representative of the CyberUp Campaign, said that the organisation looked forward to the Government updating UK cyber resilience law and, in particular, the Computer Misuse Act 1990. Updating that Act, he said, would help cyber professionals protect the UK, safeguard the digital economy and unlock growth in the cyber security industry. [21]
The Bill will proceed through the standard legislative stages in each House of Parliament: first reading, second reading, committee stage, report stage and third reading in the House where it is introduced, the same stages in the other House, and finally Royal Assent.
The Bill is expected to be introduced to Parliament in 2025.