Labour calls for mandatory cyber breach reporting

The Labour Party has called for another UK defence review to consider creating a statutory requirement for firms to report serious cyber attacks.


In the 2010 Strategic Defence and Security Review, the government allocated £650m for UK cyber defences over a four-year period after cyber security was named as a top national security threat.

Companies should be forced to admit when they have had online security breaches to protect national security, according to Labour’s shadow defence secretary Vernon Coaker.

"New types of threat, such as cyber, will increasingly test the resilience of UK critical infrastructure networks,” he told an audience at the Royal United Services Institute.

“In the face of increasing sophistication, serious questions need to be asked about the nature of the cyber threat facing the UK,” he said.

These include probing whether the concept of deterrence applies in cyber warfare as it does in conventional warfare, and whether the MoD is doing enough to recruit the skilled people it needs to enhance cyber defence capabilities, reports the Telegraph.

Cyber security charter

“Labour has already called on the government to ensure that every company working with the Ministry of Defence (MoD), regardless of its size or the scale of its work, signs up to a cyber security charter,” said Coaker.

“Building on this, we will also consult on the prospect of creating a statutory requirement for all private companies to report serious cyber-attacks threatening the UK’s national infrastructure.”

Arabella Hallawell, vice-president of corporate strategy for Arbor Networks, said a study has shown that 57% of IT executives admit they do not voluntarily report incidents, unless legally required to do so.

That is despite the fact that two-thirds believe that responding effectively to an online breach can enhance their firm’s reputation, the survey – conducted with the Economist Intelligence Unit – revealed.

Executives hostile to disclosure

The study also showed little support among executives for regulation requiring businesses to make all incidents public.

Only 22% believe it would be worthwhile, while more than double that number believe it would do more harm than good.

“Yet, the malicious threats that organisations face today are evolving so quickly that keeping up-to-speed, with limited visibility, is very difficult,” said Hallawell.

“More requirements to disclose incidents will hasten organisational maturity in developing effective response plans that better protect customers and their business,” she said.

Hallawell believes the trend is towards more disclosure of breaches, whether forced by regulators, customers or emerging best practices.


Informed debate over an issue like this brings its own value in reducing Cyber crime.

However, the article admirably exposes a key issue - "Firms to report Cyber crime", how about Government reporting cyber crime? - crimes against the state would presumably in general carry a higher security threat than a random small company problem (as the MoD reference suggests and I suspect many people have heard of Edward Snowden & NSA, relatively few of the Target credit card skim incident - for obvious reasons, but we don't eat state secrets.)

I think the counter position that reporting Government events might be more damaging than the event itself is certainly tenable. Perhaps "confidential reporting" for all - but if it's a secret it hardly educates and increases confidence.

So I look forward to what I hope will be a lively, well informed and well publicised debate - quite possibly followed by remarkably little obvious action. So well done for raising the issue Vernon, but with no sarcasm whatever in mind, please don't let yourself get FORCED to actually do anything concrete beyond constructive debate!


The need is not to report breaches (a futile tick box paper chase that makes politicians and regulators feel they are doing something). The need is to report the attacks to someone who will collate the results and take action.

Merely reporting breaches penalises those who monitor their systems and (perhaps more importantly) the experience of their customers and know they have been breached (or more often, in the case of well run organisations, someone in their supply or distribution chain has been breached).

Breach notification rewards those who do not undertake such monitoring and allows the organisation and its customers to be ripped off until someone else tells them. Target (for example) did not know it had been breached until it was told after the FBI found its customers' details being sold on-line.

It also raises a question as to whether there has been a data breach if a securely encrypted laptop has been stolen or if government has released (under open data or statutory requirements, e.g. Companies House) the data necessary for an individual or organisation to be impersonated.

This is as forward looking and constructive a response to the impending tsunami of cybercrime as the EU Data Protection and Electronic Identity regulations.