Cyber Security and Resilience Policy Statement to strengthen regulation of critical sectors

The government’s announcement of a Cyber Security and Resilience Bill in July 2024 was, from my perspective as the Director of National Resilience at NCSC, a pivotal step towards addressing the increasing cyber threats to essential services, including water, power, and healthcare. Today, we appreciate the publication of the Department of Science, Innovation and Technology’s (DSIT) Cyber Security and Resilience Policy Statement, which outlines a range of legislative initiatives designed to combat the escalating and varied cyber threats facing the UK.


Addressing the ‘Widening Gap’

As highlighted by Richard Horne, the CEO of NCSC, in his speech for the launch of the 2024 NCSC Annual Review:

“the gap is ever widening between the threats we face and our preparedness to counter them”

We are observing more frequent, sophisticated, and severe hostile activities within UK cyberspace. There is a global trend indicating that critical systems are becoming attractive targets for hostile states and malicious cyber actors.

The UK’s essential services are heavily dependent on our online infrastructure, making them vulnerable to exploitation by hostile actors who execute cyber attacks aimed at causing maximum disruption. The June 2024 cyber attack on Synnovis, which affected vital healthcare services in the UK, illustrated this dependency on online technology.

The Network and Information Systems Regulations 2018 (NIS Regulations) are the UK’s only cross-sector cyber legislation. While they enhanced security across critical networks, the increasing capabilities of adversaries call for more robust legislative and regulatory measures to bolster our cyber security and resilience. The Telecoms Security Act of 2021 showcased the effectiveness of introducing regulations in response to evolving threats in this sector.


How Will the Proposed Legislation Address Cyber Threats?

The legislative initiatives presented by DSIT today are crucial for narrowing the gap between cyber threats and our defensive capabilities.

Potential Outcomes if These Proposals Are Adopted:

  • Broader scope for the NIS Regulations: More organizations and suppliers will be included under the NIS Regulations, extending the strengthened framework’s reach to data centres, Managed Service Providers (MSPs), and critical suppliers.
  • Increased tools for regulators: Regulators will be equipped with additional tools to enhance cyber security and resilience in the sectors they oversee, including the obligation to report a broader range of significant cyber incidents.
  • Enhanced flexibility in updating the framework: The government will gain more flexibility to adjust the cyber security framework in response to evolving threats, such as expanding its applicability to new sectors.
  • New executive powers: The government will acquire new powers to address cyber threats as needed for national security.


How NCSC Will Assist

One of NCSC’s vital roles is to heighten awareness regarding cyber threats to the UK and direct citizens and organizations towards reliable cyber security advice, tools, and services, thereby promoting best practices and preparedness. Additionally, the NCSC is instrumental in fortifying the nation’s cyber ecosystem, endorsing its growth and nurturing talent.

The newly announced proposals will strengthen the regulatory framework, ensuring effective and uniform application across various NIS-regulated sectors. The NCSC will support this with the following resources:

  • The NCSC Cyber Assessment Framework (CAF) will assist those operating essential services and digital providers governed by the NIS Regulations in managing and assessing cyber risk.
  • The Cyber Resilience Audit scheme and the Cyber Essentials assessment service will offer industry professionals independent verification against CAF outcomes, providing resources to promote resilience and cyber security within their sectors.


What Comes Next?

The proposed legislative changes present a significant opportunity to address the growing pace and variety of cyber threats targeting the UK’s critical sectors. We will collaborate closely with DSIT, governmental colleagues, and our partners from industry and the broader cyber ecosystem as these proposals continue to develop and be implemented. We urge organizations that may be impacted by these proposals to familiarize themselves with the details outlined in the DSIT Cyber Security and Resilience Policy Statement.

Jonathon Ellison, NCSC Director of National Resilience


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/cyber-security-resilience-bill-policy-statement
