Labour calls for mandatory cyber breach reporting

The Labour Party has called for another UK defence review to consider creating a statutory requirement for firms to report serious cyber attacks

The Labour Party has called for another UK defence review to consider creating a statutory requirement for firms to report serious cyber attacks.

In the 2010 Strategic Defence and Security Review, the government allocated £650m for UK cyber defences over a four-year period after cyber security was named as a top national security threat.

Companies should be forced to admit when they have had online security breaches to protect national security, according to Labour’s shadow defence secretary Vernon Coaker.

"New types of threat, such as cyber, will increasingly test the resilience of UK critical infrastructure networks,” he told an audience at the Royal United Services Institute.

“In the face of increasing sophistication, serious questions need to be asked about the nature of the cyber threat facing the UK,” he said.

These include probing whether the concept of deterrence applies in cyber warfare as it does in conventional warfare and whether the MoD doing enough to recruit the skilled people it needs to enhance cyber defence capabilities, reports the Telegraph.

Cyber security charter

“Labour has already called on the government to ensure that every company working with the Ministry of Defence (MoD), regardless of its size or the scale of its work, signs up to a cyber security charter,” said Coaker.

“Building on this, we will also consult on the prospect of creating a statutory requirement for all private companies to report serious cyber-attacks threatening the UK’s national infrastructure.”

Arabella Hallawell, vice-president of corporate strategy for Arbor Networks, said a study has shown that 57% of IT executives admit they do not voluntarily report incidents, unless legally required to do so.

That is despite the fact that two-thirds believe that responding effectively to an online breach can enhance their firm’s reputation, the survey – conducted with the Economist Intelligence Unit – revealed.

Executives hostile to disclosure

The study also showed little support among executives for regulation requiring businesses to make all incidents public.

Only 22% believe it would be worthwhile, while more than double that number believe it would do more harm than good.

“Yet, the malicious threats that organisations face today are evolving so quickly that keeping up-to-speed, with limited visibility, is very difficult,” said Hallawell.

“More requirements to disclose incidents will hasten organisational maturity in developing effective response plans that better protect customers and their business,” she said.

Hallawell believes the trend is towards more disclosure of breaches, whether forced by regulators, customers or emerging best practices.

Read more on Hackers and cybercrime prevention