A Cyber Security and Resilience Bill was part of the King’s Speech on July 17, when King Charles III set out what law-making the new Labour Government has in mind.
Among the cyber and resilience proposals, according to background notes, are mandated ‘increased incident reporting to give government better data on cyber attacks, including where a company has been held to ransom’ and ‘potential cost recovery mechanisms to provide resources to regulators and providing powers to proactively investigate potential vulnerabilities’. More digital services and supply chains will come under such regulation. The notes point to the ‘recent ransomware attack impacting London hospitals’, and to attacks on the British Library, Royal Mail and the Ministry of Defence.
The notes point out that the UK’s cyber regulations covering critical infrastructure date from 2018, that is, before Brexit; the European Union has updated its own, while the UK’s ‘require urgent update’.
Comments
Matt Hull, representative of the CyberUp campaign for updating UK law on cyber, described the Cyber Security and Resilience Bill as key to keeping the UK safe from rising cyberattacks. “With cybercrime rising by nearly a third last year, it is heartening to see the Government prioritise updates to our cyber laws. We look forward to working with the Government on further ways to upgrade the country’s cyber resilience, particularly on any efforts to tackle the outdated Computer Misuse Act 1990. Updating the Act will enable the UK’s cyber professionals to better protect the UK online, safeguarding the digital economy and unlocking the full growth potential of our cyber security industry.”
John Smith, Veracode EMEA CTO, said: “In an increasingly volatile world, the UK government should push for Secure by Design principles to be embedded into the way that software and systems are created and maintained. Our world now runs on software that’s built with AI – but security risk is the price we pay in this new world. Because AI systems are what is creating risk, it is imperative to think about protecting against risk using the same paradigm.”
Dominic Trott, Director of Strategy and Alliances at Orange Cyberdefense, the security arm of telecoms firm Orange Group, said: “Any steps to further strengthen our defences and ensure that more essential digital services than ever before are protected must be welcomed. Over the past year we have seen a series of attacks on organisations providing critical services to the UK. In the healthcare sector, for example, the pressures that hospitals have faced have been heightened by the growing threat of cyber criminals who have brazenly targeted the critical systems of the most vulnerable.
“According to our own data there were 69 cyber extortion attacks on healthcare businesses during Q1 of this year, up more than 100pc from Q1 in 2023. To combat this, organisations must optimise access to skills, adoption of appropriate processes and the right use of technology to achieve cyber resilience. It is pleasing to see that the Bill will make updates to the legacy regulatory framework by expanding the remit of the regulation to protect supply chains, which are an increasingly significant threat vector for attackers.”
Mark Jow, Security Evangelist at the cloud and network security product company Gigamon, said: “Cyber incidents affecting CNI such as the recent attacks on NHS London hospitals and MoD are extremely serious, and we welcome the cyber security and resilience bill outlined today in The King’s Speech. Similar to the EU Cyber Resilience Act, it aims to protect the nation’s critical infrastructure and public services from foreign actors.
“The time is now to implement comprehensive, robust, and punitive legislation, ensuring all commercial and public organisations AND their supply chain finally take cyber protection seriously – rules for third party contractors have been neglected for far too long and there must be visibility into the security posture of entire ecosystems. Unfortunately, all too often bad actors know the potential for disruption by targeting CNI and use this as an opportunity to extort more money from their victims, and downtime can be devastating in sectors such as healthcare. It’s fair to say in situations like this it has the potential to be a ‘life or death’ matter for those affected, and we simply cannot be in the same situation again as last month where more than 800 planned operations were postponed, including 100 cancer treatments.
“Cyber-attacks on CNI can have far more malicious intentions than just the threat actor’s financial gain. The institutions behind national stability and security must be as robustly defended as possible, without room for security blind spots. As part of moving forward with this cybersecurity bill, there are a few proactive steps Keir Starmer should expect from organisations looking to protect themselves against cyber threats and improve detection and remediation of any intruders.
“Firstly, it is critical to understand the risk brought about by an insecure supply chain. In this threat environment, all organisations must have confidence in not only their own security posture, but those of all their suppliers, with evidence of the security of their entire supply chain. When selecting suppliers and vetting third parties, it’s important that organisations assess not just the quality and price of services offered, but also the IT maturity of the supplier. This incident really does reinforce the importance of vetting suppliers to critical infrastructure organisations like the NHS, ensuring they have implemented best practices in securing themselves, and holding them to account when these situations arise.
“Secondly, know where attackers could gain a ‘foothold’ in your organisation. The number of connected devices within the Internet of Things is rising, but IoT is often highly vulnerable to cyber-attacks.” This is mainly because 5G technology increases the ‘attack surface’ for malicious actors by introducing a whole new class of targets to the internet-connected ecosystem, he added.
Camellia Chan, CEO of cyber product firm Flexxon, wished that cyber crime – and specifically keeping healthcare services safe – were a greater priority in the King’s Speech. She said: “Healthcare – from national health services to small hospitals and pharmacies – is a gold mine for criminals looking to extort data and demand financial compensation. However, the consequences of such attacks can extend far beyond financial losses and directly impact patient care. This can result in delays in receiving vital medication, medical results being unavailable, and facilities closing, all of which could be fatal. In the case of the NHS, ransomware attacks have led to the cancellation of appointments, delaying treatment for thousands of patients. It’s time for health organisations (including the NHS) and the government to take action and put their money where their mouth is by investing in the latest cyber innovations.”
And Arun Kumar, UK Regional Director at the IT security product company ManageEngine, spoke of a turning point in the UK’s approach to AI. “It could give businesses guidance on how to prioritise trust and safety, introducing essential guard rails to ensure the safe development and usage of AI. And hopefully any new legislation will go a long way in helping to tackle the risks that come from a lack of specialised knowledge around this relatively new technology. Our recent research showed 45 per cent of IT professionals only have a basic understanding of GenAI technologies and most don’t have governance frameworks in place for AI implementation.
“Steps to tether cybercrime will be welcomed. Digital supply chains are emerging as enablers of complex attacks and allow adversaries to exploit gaps in cyber defences. Introducing a mandate that proactively prevents risks is a strong starting point. However, we also need closer collaboration between regulators, governments and industry to build a shared infrastructure – alongside the skills and security practices necessary to keep pace with the ever-evolving cyber security developments. This will offer the most robust defence and protection needed for our society moving forwards.”