Does the Cyber Security and Resilience Bill make you feel secure?
The UK government's latest cyber security regulations are hugely important but remain riddled with inconsistencies and vagaries - substantial changes are needed before it becomes law
The bill is intended to "make provision about the security and resilience of network and IT systems used or relied on in connection with the carrying on of essential activities" and includes amending the Network and Information Systems (NIS) Regulations 2018.
As the UK’s first law with “cyber security” in its title, it is clearly important. As the debate ably demonstrated though, it requires substantial amending on its parliamentary journey if it is to become significant and consequential.
The government has stated it sees the bill as essential for bringing cyber rules governing critical infrastructure in line with modern threats, economic realities and technological developments. And, that it must also retain flexibility to keep pace with the ever-changing cyber landscape.
So, while under those attacks, probably, at this point, it’s worth reminding ourselves of the time the bill has been under consideration and its key provisions.
New sectors
First consulted on in 2022, the CSRB updates the NIS regulations. The first change brings new sectors into scope of NIS regulations including datacentres, managed service providers, energy flexibility providers and designated critical suppliers. The government will also get the power to bring other sectors into scope in future.
Incident reporting rules for affected NIS-regulated organisations are expanded, so that cyber breaches that have the potential to cause significant impacts need to be reported to regulators. An initial notification must be made within 24 hours and a fuller report within 72.
It's curious that a cross-sector approach is considered necessary with cyber security but not with AI. Why this lack of consistency?
Chris Holmes
The secretary of state is given new powers to set duties and security requirements, issue a code of practice to aid compliance with those regulations, and set the priority outcomes regulators will have a duty to seek to achieve.
A new cost recovery framework is introduced to expand the options regulators have for recovering costs – for example, through a periodic fee placed on regulated entities.
The maximum financial penalty is materially raised - up to £17,000,000, or 4% of worldwide turnover, whichever is higher.
The government will be permitted to direct regulators or regulated entities to take targeted and proportionate action in response to imminent threats that risk UK national security.
Urgency and peril
Key questions asked of the minister throughout the debate tested all of the bill’s provisions and highlighted how much work there is to be done if it is to shape up to not only its claims but the urgency and peril of the current UK circumstances.
I and many colleagues asked, how will the government ensure that incident reporting requirements under the bill are aligned with existing regulatory regimes and do not create unnecessary duplication for organisations responding to cyber incidents? It is this point where the bill makes its first departure from the EU NIS2 requirements without any sense of how such divergence helps or what it attempts to achieve.
The bill requires a full notification at 72 hours. NIS2 - which the government's impact assessment says it aims to align with where appropriate - requires only an assessment report at 72 hours, with the full report at one month. The Bill therefore demands at three days what the EU allows a month for. I won’t labour the point, only to add that cyber professionals body ISC2 has asked for NIS2 alignment.
It was also important to ask how the government will ensure that reporting thresholds and other requirements are clear, practical, proportionate and sector-specific, particularly where organisations may not know the full scale or downstream impact of an incident within the first 24 hours. So, there are difficulties with the 24 and 72 hour requirements for different but important reasons.
Read more about the Cyber Security and Resilience Bill
The cyber law that could change everything - The aim of the Cyber Security and Resilience Bill is to target critical infrastructure operators and essential service providers.
There are further vagaries surrounding the proposed reporting thresholds and thus problems with their consistent application in practice. Just one illustration - terms such as “significant impact” are highly contextual and risk driving defensive over-reporting, where organisations may well choose to submit precautionary notifications simply to avoid regulatory scrutiny. This could overwhelm regulators with low-value reporting while providing limited national security benefit.
This challenge is especially acute for managed service providers, which may be able to identify disruption to their own services but often cannot assess the wider operational or societal impact on individual clients. Complex digital supply chains, are, as their name suggests, complex.
There is a similar lack of clarity in the current draft of the bill when it comes to the new security and resilience requirements, not least in terms of whether they are outcome-focused, measurable and operationally effective.
Lack of consistency
The minister argued for a cross-sector approach to cyber and yet the bill does not currently achieve this. Key sectors, such as space, are - extraordinarily - not included.
Curious that a cross-sector approach is considered necessary with cyber but not with AI. I asked the minister directly, why this lack of consistency?
It is also abundantly clear that, in the cyber context, we need a single or lead regulator if we are to achieve precision, effectiveness and efficiency in the reporting and regulating process. I would suggest that the National Cyber Security Centre should have a key voice in this decision.
The CSRB must deliver practical resilience outcomes in the real world. It is important we ensure that through the committee and report stages it becomes consequential, significant, adaptable and aligned. That’s substantial change before it reaches statute.
Even then it is but part of what is required, we need a deep, cross-economy, cross-society stance if we are to succeed.
I would welcome your thoughts on changes you’d like to see to the bill before the next parliamentary stage in early September – please contact me through the usual channels.