The legislative challenges of cybersecurity
Technology is constantly evolving at a pace that legislation struggles to keep up with. Is it possible for governments to develop cybersecurity legislation that will not be obsolete before it is enacted?
People in the technology sector often joke that anything new in winter will be obsolete by spring. This is especially the case in cybersecurity, where hacker groups and cybersecurity teams are locked in an ever-escalating war of attrition.
The speed of obsolescence far outpaces the legislative process: it can take up to two years for government bills to be enacted into law. This is due to the parliamentary process, where various readings, committee hearings and reports are required to ensure that bills are adequately scrutinized.
An outdated system
“The legislative process in this country is essentially a Victorian process, in the sense it takes a long time,” says James Morris, chairman of CSBR, who spoke to ITPro earlier this month at InfoSecurity Europe in London.
“Meanwhile, the world is changing every day. How you deal with that is, I think, a question of not wanting to try and do everything at once.”
Because technical innovation moves faster than the law-making process, legislation tends to lag behind technology, and cybersecurity legislation in particular risks being out of date before it is enacted.
Compounding this challenge is the intensification of cyber threats, in particular the problem of state-sponsored hacker teams and organized crime groups repeatedly targeting national infrastructure for financial or political gain.
“The Cyber Security and Resilience Bill represents a step change to our national security that will protect the services people rely on every day - reducing the risk of disruption to public services and businesses, and ensuring a faster national response when threats emerge,” said a spokesperson for the government.
“The Bill gives government powers to update cyber regulations as risks evolve, so our defences can keep pace with evolving threats. But there is also a lot we can do, and are doing, outside legislation. For instance, we're urging organizations across the economy to boost their resilience by signing up to the Cyber Resilience Pledge.”
Few politicians have an in-depth understanding of cybersecurity, so they rely on committee hearings to become informed on the subject. However, the expert witnesses act in a purely advisory capacity, and governments are not bound to follow their guidance.
As a consequence, there is often friction between government regulators and private enterprise. The government regulators could perceive emerging technologies as a potential risk to the public, whilst technology companies might consider that regulatory guard rails hamper development and innovation.
Regulation vs innovation
“There's a tension between regulation and innovation, and wanting the UK to be a technological cyber power in its own right,” says Morris.
“That’s a constant tension in policy, and that applies to the Cybersecurity and Resilience Bill as well, because as that regulatory system starts to get embedded, it's going to have an impact on small and medium-sized companies. We don't want to over-regulate markets which present the UK with growth opportunities.”
Given the rate of progress in technology, Acts of Parliament set broad expectations, with associated regulations intended to spell out specific minimum requirements. Regulations are far easier to revise than Acts, particularly where the parent Act includes so-called Henry VIII powers.
Henry VIII powers are clauses in primary legislation (an Act) that allow government ministers to amend or repeal provisions of that legislation through secondary legislation (such as regulations), with reduced scrutiny from Parliament. Because of that reduced scrutiny, Henry VIII powers are typically limited in scope, in order to limit potential abuse.
To preserve accountability, the minister exercising such a power can be questioned before a parliamentary committee on the reasoning behind the regulatory updates they made, and the resulting secondary legislation is still subject to parliamentary procedure.
Organizations can help by engaging with the legislative process, through offering their expertise to parliamentary committees, which regularly seek expert views.
“Any responsible government needs to be engaging. One of my concerns around the Cybersecurity and Resiliency Bill has been it's a bit top down. It gives government a lot of power and doesn't really talk about consulting with business,” says Morris.
“I'd like to see more of that because you're not going to make progress in improving standards across the board if you just impose stuff top down.”
The role of AI
AI is one of the key areas of current focus and technological development. It is one of the most rapidly developing fields of technology, and there are growing calls from many sectors for regulation.
“The challenge is about timescale and the rapidity of innovation, because when the Cybersecurity and Resilience Bill was introduced 16 months ago, AI was being talked about,” says Morris.
“But in that period, if you think of all the different innovations and things that have happened around AI, it's become much more of a central focus in discussions about resilience and critical national infrastructure.”
In addition to this, data sovereignty is coming to the fore as one of the key issues surrounding the use of AI. “I think we should be developing more sovereign technological capability, because we are very dependent on US data processing, and so on,” says Morris.
Many state-run organizations are colossal institutions with massive amounts of data, which could potentially be used to train AI tools to help government departments become more efficient. For example, Microsoft’s Dragon Copilot is being trialled to transcribe patient consultations with a clinician and automate the associated note-taking and form-filling.
Current geopolitics also raises the question of whether government and national infrastructure should move towards systems developed within the UK. The UK government has previously found itself reliant on external technology providers, such as Huawei, which can raise security and data sovereignty concerns.
“We need to look at how the legislative process could be improved, as it not just affects cybersecurity, but lots of other aspects, particularly around infrastructure development,” Morris adds.
“In the age we're living in, we need to look at how we can speed up legislation, because parliament is still operating like it was on a very traditional model.”