The UK is planning new laws to strengthen the country’s cyber-resilience in response to surging critical infrastructure and supply chain attacks.
The proposals were published today by the Department for Digital, Culture, Media and Sport (DCMS), which stated that new measures are required to drive up security standards in the IT services used by almost all UK businesses.
This involves amending and widening the Network and Information Systems (NIS) Regulations 2018, which place cybersecurity obligations on companies that provide essential services such as water, energy, transport, healthcare and digital infrastructure. These include requirements to undertake risk assessments, put in place reasonable security measures to protect their networks and report significant incidents. Failure to comply can result in fines of up to £17m.
The government now wants to bring managed service providers (MSPs) within the scope of this legislation. This is because MSPs have privileged access to their clients’ networks and systems, potentially enabling attackers to compromise a wide range of organizations through a single breach of one provider.
The government also wants to amend the NIS regulations to require large companies to provide better cyber-incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes a requirement to inform these bodies of all cyber-attacks they are hit with, not just those that disrupt their services. In addition, the government plans to give itself the power to update the NIS regulations in future without introducing new primary legislation.
Minister of State for Media, Data, and Digital Infrastructure, Julia Lopez, commented: “Cyber-attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber-threats. Every UK organization must take its cyber-resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra.”
Another aspect of the DCMS’ plans is to give more powers to the UK Cyber Security Council, which began work as an independent body last year. Under the proposals, the council, which works to boost professional standards and career prospects for cybersecurity professionals, will be able to define and recognize cyber job titles and link them to existing qualifications and certifications.
This means people would have to meet competency standards set by the council before using a specific cybersecurity job title. The aim is to help employers identify the specific cyber skills they need in their organizations and to develop clearer career pathways for those working in the sector. As part of this initiative, a Register of Practitioners will be created to show which cyber professionals are recognized as ethical, suitably qualified or senior, similar to the registers that exist in the medical and legal professions.
Simon Hepburn, the CEO of the UK Cyber Security Council, said: “The UK Cyber Security Council is delighted that these proposals recognize our cyber workforce lead role that will help to define and recognize cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”
The DCMS is now inviting stakeholders to respond to these proposals. The deadline is April 10 2022 for the planned legislation to improve the UK’s cyber-resilience, and March 20 2022 for the plans to embed standards and career pathways across the cyber profession.
The proposals form part of the UK government’s National Cyber Strategy, which was published at the end of last year.