After years of delays, the UK government has finally introduced landmark cybersecurity legislation that could reshape how British organisations defend against digital attacks.
The Cyber Security and Resilience Bill arrives as cyber-attacks cost the British economy an estimated £14.7 billion annually - approximately 0.5% of GDP.
The bill significantly expands the types of organisation required to meet cybersecurity standards, including previously unregulated suppliers to critical sectors like healthcare and water utilities. It also covers managed service providers - the IT companies that often provide essential digital services to multiple organisations' systems.
The legislation will deliver new powers to the Technology Secretary, directing companies to take specific security actions when national security is threatened.
"The nod to national security serves as a reminder that modern warfare includes the digital arena," says Josh Davies, Principal Market Strategist at Fortra. "Recent high-profile breaches and rising geo-political tensions are driving this legislation," he said.
"Critical infrastructure has always been a target of war, whether it is torching windmills and grain stores during a medieval siege, or Russian missiles hitting energy infrastructure in Ukraine," explains Davies. "The strategic benefits for targeting critical infrastructure have not changed, but the methods have."
Hostile nations can now maintain what Davies described as "stealthy persistent access to critical infrastructure," which he describes as "the modern day 'mutually assured destruction.'"
"Why fire a nuke when you could remotely explode a nuclear power plant, then position it as an accident and avoid political or legal condemnation thanks to uncertain attribution and plausible deniability?" Davies said chillingly.
Recent high-profile cyber incidents underscore the urgency. The Synnovis laboratory cyber attack contributed to at least one patient death, while hackers hit hard at manufacturing giant Jaguar Land Rover.
Such attacks often succeed because organisations operate ageing systems with known security vulnerabilities, or have failed to put adequate measures in place to make infiltration by hackers harder.
The UK Government bill works in tandem with plans to ban critical infrastructure and public bodies from paying ransoms - an attempt to make such targets less attractive to malicious hackers.
"Part of the benefit of this act is in the optics," Davies explains. "An indirect outcome of these measures is to tell adversaries that these organisations are not easy targets and will not be profitable to financially motivated threat actors."
This directly addresses how hospitals and essential services have been "compromised through legacy systems, technical debt and third-party service providers and easily extorted due to the high pressure and direct impacts to quality of life when offline," Davies continued.
The government's message is clear: "Money spent on extortion payments will not be spent on defences, making it more difficult for opportunistic adversaries to breach and then monetise the breach," according to Davies.
Companies that fail to meet the new standards face substantial fines. While implementation costs for UK businesses are estimated at £590 million, this pales against the billions lost annually to cyber attacks.
Despite its ambitions, questions remain. The bill won't be enforced until 2027, giving organisations a two-year grace period that seems generous given the current perceived threat level. There's also the challenge of ensuring regulators have sufficient resources and expertise to enforce these new rules across thousands of organisations.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.