Cyber Security and Resilience Bill: Security experts question practicality, scope of new legislation
The new legislation aims to shore up critical infrastructure defenses, but questions remain over compliance and scope
Legislation aimed at shoring up the UK’s national cybersecurity capabilities is set to be introduced in parliament today – but some security experts have questioned the scope and practicality of new rules.
The Cyber Security and Resilience Bill comes in direct response to growing cyber threats faced by private and public sector organizations, targeting stronger defenses in areas such as healthcare, energy, and transport networks.
The bill also comes at a critical time, with figures from the Office for Budget Responsibility (OBR) showing attacks on critical infrastructure could have a massive impact on the economy.
Analysis from the OBR found a major attack could result in a temporary increase in borrowing by over £30 billion, or equivalent to around 1.1% of GDP.
Elsewhere, the financial impact of attacks across both the public and private sectors has been growing. Research published this week shows the average cost of a “significant cyber attack” on the UK now stands at over £190,000.
“Cybersecurity is national security,” said technology secretary Liz Kendall. “This legislation will enable us to confront those who would disrupt our way of life. I’m sending them a clear message: the UK is no easy target.”
So what can we expect from the bill?
What’s covered under the bill?
Under the legislation, digital and essential services such as IT management for critical sectors will be regulated for the first time and subject to robust minimum security standards.
“Because they hold trusted access across government, critical national infrastructure, and business networks, they will need to meet clear security duties,” the government said in a statement.
“This includes reporting significant or potentially significant cyber incidents promptly to government and their customers, as well as having robust plans in place to deal with the consequences.”
Elsewhere, regulators and government ministers will be given sweeping new powers to ensure organizations meet these base requirements.
“The technology secretary gets new powers to instruct regulators and the organizations they oversee, like NHS trusts and Thames Water, to take specific, proportionate steps to prevent cyber attacks where there is a threat to UK national security,” the government added.
Does the bill go far enough?
The introduction of the bill has, by and large, been welcomed by security industry stakeholders as a positive step toward limiting the impact of cyber attacks on critical infrastructure.
In particular, new rules around incident reporting will play a vital role in bolstering collective defense against growing threats, according to Trevor Dearing, director of critical infrastructure at Illumio.
“The shift from reporting only successful breaches to reporting all cyber incidents is long overdue and will drive rapid improvements in how organizations protect their most critical assets and respond to attacks,” he said.
“Granting the technology secretary new powers to ensure that regulators and organizations monitor or isolate high-risk systems is a smart move,” Dearing added.
However, some industry stakeholders have questioned the scope of the legislation, arguing that it fails to address lingering issues in some key areas.
Chris Dimitriadis, chief global strategy officer at ISACA, suggested the sharpened focus on critical infrastructure fails to address the reality of the modern digital economy.
Moreover, omitting particular sectors, such as retail, is an oversight on the part of the government given the spate of attacks waged against high street brands this year.
“The era when cyber regulation could focus solely on critical national infrastructure is over,” he said. “Today, every major employer is part of the digital economy - and therefore part of the threat landscape.”
“Yet many remain outside the scope of meaningful legislative protections. Recent attacks on major retailers such as M&S and Co-op are perfect examples of how vulnerable our digital ecosystem is and the urgent need to take action.”
Matt Houlihan, VP of government affairs at Cisco, also questioned the practicality of compliance for organizations that fall under the scope of the legislation.
“The success of this bill will rely on clarity and practical timelines to help organizations implement necessary measures effectively,” he said.
“We'd also urge the government not to miss an important opportunity to tackle the growing risks from unsupported, end-of-life equipment – a persistent weak point in UK infrastructure that too often leaves organizations exposed.”
Dearing echoed Houlihan’s comments on reporting, again noting that support for organizations will be crucial.
“Whilst it is understandable that the government is introducing tougher penalties for poor security practices, it is equally important that sufficient support is provided to help organizations achieve compliance,” he said.
“The government must ensure that investment is made in supporting organizations, particularly those with limited budgets.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.