The UK's technology secretary revealed the full breadth of the government's Cyber Security and Resilience (CSR) Bill for the first time this morning, pledging £100,000 ($129,000) daily fines for failing to act against specific threats under consideration.
Slated to enter Parliament later this year, the CSR bill was teased in the King's Speech in July, shortly after the Labour administration came into power. The gist of it was communicated at the time – to strengthen the NIS 2018 regulations and future-proof the country's most critical services from cyber threats – and Peter Kyle finally detailed the plans for the bill at length today.
Kyle said the CSR bill comprises three key pillars: expanding the regulations to bring more types of organization into scope; handing regulators greater enforcement powers; and ensuring the government can change the regulations quickly to adapt to evolving threats.
Additional amendments are under consideration and may add to the confirmed pillars by the time the legislation makes its way through official procedures. These include bringing datacenters into scope, publishing a unified set of strategic objectives for all regulators, and giving the government the power to issue ad-hoc directives to in-scope organizations.
The latter means the government would be able to order regulated entities to make specific security improvements to counter a certain threat or ongoing incident, and this is where the potential fines come in.
If, for example, a managed service provider (MSP) – a crucial part of the IT supply chain – failed to patch against a widely exploited vulnerability within a time frame specified by a government order, and was then hit by attacks, it could face daily fines of £100,000 or 10 percent of turnover for each day the breach continues.
"Resilience is not improving at the rate necessary to keep pace with the threat and this can have serious real-world impacts," said Kyle. "The government's legislative plan for cyber security will address the vulnerabilities in our cyber defenses to minimize the impact of attacks and improve the resilience of our critical infrastructure, services, and digital economy."
[...] The third pillar – giving the government the authority to flexibly adapt the regulations as new threats emerge – is the lesser known of the three and wasn't really referred to in the King's Speech.
This could bring even more organizations into scope quickly, change regulators' responsibilities where necessary, or introduce new requirements for in-scope entities.
[...] In revealing the bill's details today, the tech secretary said the UK continues to face "unprecedented threats" to CNI, citing various attacks that plagued the country in recent times. Synnovis, Southern Water, local authorities, and those in the US and Ukraine all got a mention, and that's just scratching the surface of the full breadth of recent attacks.
Kyle said in an interview with The Telegraph that shortly after the UK's Labour party was elected, he was briefed by the country's spy chiefs about the threat to critical services – a session that left him "deeply concerned" over the state of cybersecurity.
"I was really quite shocked at some of the vulnerabilities that we knew existed and yet nothing had been done," he said.
[...] However, William Richmond-Coggan, partner of dispute management at legal eagle Freeths, warned:
"Even if every organization that the new rules are directed to had the budget, technical capabilities and leadership bandwidth to invest in updating their infrastructure to meet the current and future wave of cyber threats, it is likely to be a time-consuming and costly process bringing all of their systems into line.
"And with an ever-evolving cyber threat profile, those twin investments of time and budget need to be incorporated as rolling commitments – achieving a cyber secure posture is not a 'one and done'. Of at least equal importance is the much-needed work of getting individuals employed in these nationally important organisations to understand that cyber security is only as strong as its weakest link, and that everyone has a role to play in keeping such organisations safe."
