UK Issues Fresh Proposals to Tackle CyberthreatsConsiderations Include Improved Incident Reporting, Large Fines for Noncompliance
The U.K. government is considering new measures to boost security standards in the country. The proposed laws recommend levying large fines on essential digital service providers for noncompliance with strict cybersecurity rules, and improving incident reporting.
The Network and Information Systems, or NIS, regulations, which came into force in 2018, must be updated to improve the cybersecurity of companies offering essential services such as transport, healthcare, water, energy and digital infrastructure, the government's statement says.
The NIS regulations currently require essential service providers to undertake risk assessments and provide adequate security measures to protect their network, as well as report significant incidents and have plans for quick recovery.
Organizations that fail to put in place effective cybersecurity measures can be fined as much as 17 million pounds, according to the statement.
This move follows a 2021 research report conducted by the Department for Digital, Culture, Media and Sport, that shows that only 12% of companies review cybersecurity risks from their immediate suppliers and only 5% address vulnerabilities in their wider supply chain.
The announcements come on the back of "notable global increase in ransomware attacks, causing severe disruption to critical national infrastructure and government agencies," according to a policy paper from the department.
The government had also recently introduced a 2.6-billion pound National Cyber Strategy to ensure that at-risk businesses improve their cyber resilience (see: New UK Cyber Strategy Adopts Whole-of-Society Approach).
The government has sought to widen the scope of the law to include Managed Service Providers, which provide specialized online and digital services such as security services, workplace services and IT outsourcing.
"These firms are crucial to boosting the growth of the country's 150.6-billion-pound digital sector and have privileged access to their clients' networks and systems," the report says.
"While the regulations apply to some digital services such as online marketplaces, online search engines and cloud computing, there has been an increase in the use and dependence on digital services for providing corporate needs such as information storage, data processing and running software."
Expanding NIS regulations to include MSPs will allow smaller businesses to attain a higher level of cyber resilience, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center. The recent Log4Shell vulnerability has illustrated that cyber resilience is a function of how well software supply chains are understood, he says.
"Unfortunately, few organizations review the cybersecurity risks within their immediate software supply chain. By requiring larger companies to report all cyberattacks they experience, the proposed NIS regulations are effectively encouraging risk assessments within software supply chains as software risk is business risk," Mackey tells ISMG.
Adenike Cosgrove, cybersecurity strategist for international products at cybersecurity firm Proofpoint, says she agrees: "When the NIS came into effect, it formalized requirements for baseline cyber hygiene and disclosure, while bringing awareness of risks to board level. Expanding these regulations beyond their original scope makes sense as more and more digital services become part of critical national infrastructure."
Cosgrove says raising general standards and bringing more executive layers into contact with cybersecurity issues is a positive but adds that it is very difficult to legislate supply chain security because a supplier can be secure today but insecure tomorrow due to unpatched systems.
Low Focus on Supply Chain, Open-Source
There's little reason to believe that incidents such as SolarWinds could have been prevented with regulation alone, Cosgrove says.
"These attacks were the result of changing threat landscapes and new vulnerabilities in systems. That said, the majority of breaches start with phishing. More attention should be paid to the risk posed by supply chain email threats that affect almost every business on a weekly basis."
Ilkka Turunen, field CTO of software security specialist Sonatype, says the proposed regulations don't give enough attention to open-source and software supply chain security.
"Despite open-source components forming the foundations of our digital economy - comprising 80% to 90% of the code in modern applications - there is not a single reference to open-source in the 11,000-plus Word document. Until significant emphasis is put on improving open-source practices on a national level, the government is unlikely to deliver on its objectives," he says.
Turunen says the U.K. government must urgently look at software bills of material, as the Biden administration is doing.
Focusing on improvement of the cybersecurity workforce in the U.K, the proposals call for the UK Cyber Security Council, which regulates the cybersecurity profession, to be given certain powers to "raise the bar and create a set of agreed qualifications and certifications," the statement says
The move, according to the government's Department for Digital, Culture, Media and Sport, will ensure that those working in cybersecurity can "prove they are properly equipped to protect businesses online."
The council must be allowed to define and recognize cyber job titles and link them to existing qualifications and certifications, the department says.
"People would have to meet competency standards set by the council before they could utilize a specific job title across the range of specialisms in cybersecurity. It would make it easier for employers to identify the specific cyber skills they need in their organizations and create clearer information on career pathways for young people as well as existing practitioners, without providing unnecessary barriers to entry and progression," the statement says.
The government also proposes the creation of a register of practitioners, similar to those in medical and legal professions, to list practitioners who are recognized as ethical, suitably qualified or senior.
Next Steps for the Proposals
These various proposals are part of an open consultation process that invites interested parties to comment on the legislation to improve the U.K.'s cyber resilience. The deadline for comments is April 10, 2022.
The process also involves consultation on embedding standards and pathways across the cyber profession by 2025. The deadline for that consultation is March 20, 2022.
The government says it will use the information obtained during the open consultation process to shape future policy development and "will publish a response in due course." This response, in the form of legislation, would then need to be debated and approved by Parliament before it could become law.