Posted July 17, 2024 by Pelican Press

UK Cyber Bill teases mandatory ransomware reporting

Keir Starmer’s Labour government is to bring forward a Cyber Security and Resilience Bill in the new parliamentary term, with the intent of strengthening the UK’s cyber defences and ensuring the continuity and protection of digital services, with a proposed mandate on compulsory ransomware reporting a keystone of the law.

One of many potential new pieces of legislation trailed in the King’s Speech at the State Opening of Parliament, the Bill recognises that UK plc is increasingly attacked by financially-motivated cyber criminals and state actors alike, with organisations both large and small frequently targeted. Existing cyber laws, the government said, reflect law inherited from the European Union (EU) which is now being superseded by Brussels and therefore need an urgent update to keep pace.

The government said essential services and critical national infrastructure (CNI) in particular are vulnerable to hostile actors, as evidenced by a litany of cyber attacks over the past few years affecting NHS suppliers and Trusts, the Ministry of Defence, the British Library, the Electoral Commission, Royal Mail, and countless other bodies.

As such, the Bill contains two main objectives: to expand the remit of existing regulation and give regulators a more solid footing when it comes to protecting digital services and supply chains, and to improve reporting requirements to help build a better picture of cyber threats.

In future, said the government, a greater number of regulatory bodies may receive enhanced powers including, potentially, cost recovery mechanisms to provide resources, and the ability to proactively investigate vulnerabilities in IT systems.
Meanwhile, it said, mandatory incident reporting will help the government collate better data on cyber attacks, to improve the national understanding of the threats the UK faces, and help alert organisations and individuals to potential attacks by expanding the type and nature of incidents that must be reported by a regulated entity. This would, naturally, include ransomware attacks.

Ransomware reporting

Given part of the government’s aim is to keep up with the EU – particularly as it prepares to commence enforcement, on 17 October 2024, of the next-gen NIS2 directive – if it is successful in its ambition to mandate ransomware reporting, the UK will actually move ahead of Europe in some regards, a point noted by risk experts at law firm Ashurst.

Matt Worsfold, partner with Ashurst Risk Advisory, said: “If the proposed legislation goes ahead as outlined, it will be striking to see how the statistics around ransomware attacks potentially jump in the face of mandatory reporting, given that the widely held view to date is that current statistics are not representative of the reality.”

Strong commitment

Louise Marie Hurel, a cyber research fellow at the Royal United Services Institute (RUSI) think tank, said the Bill was a strong indication of the government’s commitment to cyber and contrasted strongly with a single reference to cyber attacks in the Labour manifesto. She argued that cyber security was some way beyond a niche topic; indeed, it has now become “transversal to ensuring the sustainability of the government’s strategy in a range of areas”.

“While there is still limited visibility over the text of the proposed Bill, the document will need to ensure that any reporting requirements are implementable and done in a dialogue with industries of different sizes if it is to be effective,” said Hurel.
“This will require a fine balance between innovation and updates to existing data and cyber incident reporting requirements. But the Bill, albeit an indicator of commitment to ensuring enhanced national cyber resilience, needs to be part of a vision that effectively integrates prevention and responses to cyber threats.

“The next months will show how the Labour government will seek to enhance the UK’s capacity to combat cyber crime – and especially ransomware – as part of its mentions to online ****** in the manifesto and respond to state-affiliated cyber threats, which should also be included in the upcoming defence review.”

Director of critical infrastructure Trevor Dearing was among many security leaders to praise the government’s plans, but he tempered this with a warning.

“Increased powers for regulators and reporting will be critical for building cyber resilience,” he said. “However, regulation will only be successful if accompanied with additional funding for public bodies, otherwise all that will happen is that regulations create an unrealistic goal that is cost-prohibitive to implement.

“It’s also important that we see a strong emphasis on supply chain security given that third-party providers form the lifeblood for government departments. Cyber criminals will always go after the weakest link in the chain to gain access to more valuable systems, so we must recognise the inevitability of a breach from suppliers and mitigate risk accordingly. A risk-based approach to security is key to achieving this, making sure that the most threatened services get the most resource.”

Cyber wishlist

Others said they wished the government had dared to go further. Camellia Chan, CEO of a specialist in secure data storage, said she would have liked to see more emphasis placed on combating cyber crime, and in particular keeping the NHS safe.
“Healthcare – from national health services to small hospitals and pharmacies – is a goldmine for criminals looking to extort data and demand financial compensation. However, the consequences of such attacks can extend far beyond financial losses and directly impact patient care,” said Chan.

“This can result in delays in receiving vital medication, medical results being unavailable, and facilities closing, all of which could be fatal. In the case of the NHS, ransomware attacks have led to the cancellation of appointments, delaying treatment for thousands of patients. It’s time for health organisations, including the NHS, and the government to take action and put their money where their mouth is by investing in the latest cyber innovations.”

Meanwhile, NCC’s Matt Hull, speaking in his capacity as a representative of the long-running campaign that wants urgent reform of the outdated Computer Misuse Act of 1990 – which risks penalising legitimate threat research with criminal sanctions in its current form – said the group would keep up the pressure in the new parliament.

“The introduction of the Cyber Security and Resilience Bill today will be key to keeping the UK safe from rising cyber attacks. With cyber crime rising by nearly a third last year, it is heartening to see the government prioritise updates to our cyber laws,” said Hull.

“We look forward to working with the government on further ways to upgrade the country’s cyber resilience, particularly on any efforts to tackle the outdated Computer Misuse Act 1990.

“Updating the Act will enable the UK’s cyber professionals to better protect the UK online, safeguarding the digital economy and unlocking the full growth potential of our cyber security industry,” he added.