Law for cyber resilience proposed

by Mark Rowe

Given the harm done by the recent, highly publicised supply-chain attacks on United States tech firms SolarWinds and Kaseya, and the physical effects of the May 2021 cyber attack on the US Colonial Pipeline, should the UK make a law about ‘cyber resilience’, particularly to cover critical IT? That is the question posed by a consultation document from DCMS (Department for Digital, Culture, Media & Sport).

In a foreword, Julia Lopez, Minister for Media, Data, and Digital Infrastructure at DCMS, describes what’s proposed as ‘proportionate responses to a changing threat landscape’, while admitting that the Government needs ‘buy-in from industry’. As she points out, the lesson of cases such as SolarWinds is that an attacker need not go after thousands of firms one by one: by compromising software that is used in many places, perhaps including government departments and critical infrastructure, a single supply-chain vulnerability may let hackers ‘access the networks of thousands of other companies’.

As the consultation document points out, the UK already has the Network and Information Systems Regulations 2018 (NIS), which require operators of ‘essential’ services (the core of critical national infrastructure, CNI: transport, energy, water, health and the like) and providers of digital services such as cloud computing to report incidents to a competent authority, alongside the more general personal data breach reporting duty under UK GDPR. However, the document argues that an ‘evolving threat’ means more is needed, and that this would take a new law. The authorities are receiving ‘very few’ incident reports under NIS, it says; and it speaks of ‘incidents that do not meet NIS or UK GDPR definitions or thresholds, and yet have been serious enough to warrant, in a reasonable scenario, competent authorities and law enforcement to have been informed’.

The consultation gives the example of the March 2021 attacks on Microsoft Exchange Server, the on-premises email, calendar, contact, scheduling and collaboration platform, in which previously unknown vulnerabilities were exploited to compromise Exchange servers run by organisations worldwide. “This could have led to an attacker gaining a deeper foothold into the victim’s networks”: while Microsoft was able to respond quickly and effectively with patches, such a breach may leave victims open to follow-up attacks in which the intruder takes control of their networks, ‘a direct threat to the continuity of those essential services’, according to the document.

Among the proposals are a ‘cost recovery model’ (someone has to pay for the ‘regulatory action’), changes to the ‘incident reporting framework’, and delegated powers to make secondary legislation so that the regulations can be updated when necessary without a further Act. Among the digital services that would fall under the regime are front office and back office services, payroll and accounting; Security Operations Centres (SOCs); and business continuity and disaster recovery (BC and DR) services.

Boiled down, DCMS wants to see cyber security protections in those critical services, and ‘a two-tier supervisory regime for providers of digital services’: reactive, ‘light touch’ supervision for the less important services, and proactive supervision, including monitoring by the ICO (the competent authority for digital service providers under NIS), for the most critical ones. As for the cyber people doing the work, DCMS wants ‘consistent competency standards across the cyber profession’.

The consultation closes on April 10. For the full document, visit the DCMS website. Separately, the Department is also consulting on ‘Embedding standards and pathways across the cyber profession by 2025’.

More in the March 2022 print edition of Professional Security magazine. Picture by Mark Rowe; pylon, Gloucestershire, summer.
