The introduction of the Cyber Security and Resilience Bill has been described as a ‘landmark moment’ by an executive from GCHQ’s National Cyber Security Centre (NCSC). The legislation aims to address the escalating cyber threats to the U.K.’s critical national infrastructure systems by enhancing the protection of the nation’s essential services.
“For the NCSC, the cyber threat to the services on which we all rely, such as water, power, and healthcare, is one which we must continue to urgently address,” Jon Ellison, director of national resilience at the NCSC, wrote in a Wednesday blog post. “The scale, pace, and complexity of the threat to the critical national infrastructure (CNI) underpinning these vital services is rising.”
He added that alongside the threat from ransomware actors “we now also see a rise in state and state-aligned groups interested in targeting our CNI.”
Flagging the recent CrowdStrike disruption, Ellison said, “Last week cyber security was unexpectedly thrust into the spotlight by an IT outage which caused significant worldwide disruption. While the incident was not the result of a cyber attack — as the NCSC was quick to establish — it provoked debate in the UK about the resilience of our networks.”
The NCSC, together with the wider U.K. government, regulators, and industry, has made significant progress against the threat, but not at the pace necessary to match that of the adversaries. “Effective regulation, enforced by capable and well-resourced regulators, is one of government’s most powerful tools to accelerate progress and impose cost on adversaries. The proposed legislation is a crucial step towards a more comprehensive and effective regulatory regime, fit for our volatile world,” he added.
“We have worked with wider government to ensure the proposed changes meet the reality we see in our day-to-day work,” according to Ellison. “The proposed package will make it harder for malicious actors to exploit weak points in CNI supply chains, and will also address some of the common constraints on regulators.”
He recognized that regulation is “not the only way to strengthen the security of our critical systems and we can’t expect this approach to stop every incident. But our collective objective should be to make it as hard as possible for our adversaries to succeed, and to be able to respond and recover well when our defenses are breached.”
“We are seeing a rising threat from adversaries to our CNI. We must be equally bold in our defense,” Ellison said. “This legislation is a crucial step forward on this journey.”
The Cyber Security and Resilience Bill will expand ‘the remit of the existing regulation, putting regulators on a stronger footing, and increasing reporting requirements to build a better picture in government of cyber threats.’
The Bill will make crucial updates to the legacy regulatory framework by expanding the remit of the regulation to protect more digital services and supply chains, which are an increasingly attractive threat vector for attackers. The Bill will fill an immediate gap in the nation’s defenses and prevent attacks similar to those experienced by critical public services in the U.K., such as the recent ransomware attack impacting London hospitals.
The introduction of the U.K. legislation comes as EU policymakers and lawmakers have moved to update the original NIS regime – ‘NIS 2’ is due to be implemented in the EU member states by Oct. 17, 2024.
Last November, the NCSC recognized the emergence of state-aligned hackers as a new cyber threat to critical national infrastructure, the continuation of Russia’s illegal invasion of Ukraine, and the concerns around the potential risks from AI – all of which drive the need for NCSC interventions and support.