Government introduces Cyber Security and Resilience Bill to strengthen cyber defences
Bill will receive first reading this afternoon
The government hopes that the Cyber Security and Resilience Bill will strengthen national security by improving the cybersecurity posture of essential services and digital infrastructure.
The draft Cyber Security and Resilience Bill will receive its first reading this afternoon in the House of Commons. The Bill aims to strengthen national security and economic growth by enforcing a stronger cybersecurity posture in essential services and their supply chains.
Companies providing IT management, support and cybersecurity to private and public sector organisations, such as the NHS, will be regulated for the first time and will be required to meet certain security standards. This includes reporting significant or potentially significant cyber incidents (not just successful attacks) promptly to government and to their customers, as well as having robust plans in place to deal with the consequences.
The government also claims to be boosting enforcement, with tougher turnover-based penalties for serious breaches, and with the Technology Secretary and regulators such as Ofwat and NHS Improvement being given new powers to designate critical suppliers and require them to meet certain security requirements. The government hopes this will make supply chains less of an easy target for cyber criminals.
More robust enforcement is welcomed by some industry commentators, including Trevor Dearing, Director of Critical Infrastructure at Illumio:
“The shift from reporting only successful breaches to reporting all cyber incidents is long overdue and will drive rapid improvements in how organisations protect their most critical assets and respond to attacks.
“Granting the Technology Secretary new powers to ensure that regulators and organisations monitor or isolate high-risk systems is a smart move. The goal must be to reach a point where organisations can contain and limit the impact of attacks before they cripple essential services; isolating critical systems helps to achieve this.”
Dearing does, however, caveat his comments with the proviso that organisations should be supported in improving their cybersecurity stance. He continues:
“Whilst it is understandable that the government is introducing tougher penalties for poor security practices, it is equally important that sufficient support is provided to help organisations achieve compliance. The government must ensure that investment is made in supporting organisations, particularly those with limited budgets.”
Cost of weak cybersecurity
The new Bill is launched alongside independent research showing that the average cost of a significant cyber-attack in the UK is now over £190,000. This amounts to around £14.7 billion a year across the economy, equivalent to 0.5% of the UK’s GDP.
The cost of a disabling attack on CNI is likely to be far greater.
The Bill has been broadly welcomed by the cybersecurity industry, and by defence and cybersecurity think tanks, with most welcoming the emphasis on national security. Many emphasise our collective responsibility for cybersecurity in their comments, and the need for organisations which fall outside the scope of the Bill to up their game.
National Cyber Security Centre CEO Dr Richard Horne said:
“As a nation, we must act at pace to improve our digital defences and resilience, and the Cyber Security and Resilience Bill represents a crucial step in better protecting our most critical services.
“Cyber security is a shared responsibility and a foundation for prosperity, and so we urge all organisations – no matter how big or small – to follow the advice and guidance available at ncsc.gov.uk and act with the urgency that the risk requires.”
James Morris, Chief Executive of the UK’s Cyber Security and Business Resilience Policy Centre (CSBR), said:
“It is to be welcomed that the government is setting the proposed bill in the context of protecting national security. This is an important emphasis given the changing nature of the threat landscape and the high profile attacks we have seen over recent months.
“Framing the bill in terms of enhancing national security is an important recognition that threats to our critical national infrastructure and economic resilience not only require a robust legislative response but a whole of society effort. When the bill is published later, we will scrutinise the detail of what is proposed particularly around the nature of the powers of direction which will be handed to Ministers and the other detailed provisions of the bill.”
Jamie MacColl, Senior Research Fellow, Cyber and Tech, Royal United Services Institute, said:
“The arrival of new legislation to better protect our most critical national infrastructure is an important step in improving cyber resilience in the UK.
“However, it is also important that organisations outside of the scope of the Bill up their game on cyber security and resilience. We urgently need to build collective resilience to inspire confidence in the face of threats from hostile states and criminals.”