

With cyber threats growing in number and complexity, the British Government hopes to legislate its way forward and maintain control from the centre, and via its regulators. The result? The new Cyber Security and Resilience Bill, with ‘resilience’ being the key word, perhaps, in a realm of digital shock and aftershock.
But is legislation really the right approach? My previous report explained why there are risks in tackling cybersecurity with bureaucracy. So, what does the Government believe it is doing, and why? Especially when it has been accused of being too close to tech corporations in key areas of tech policy and governance.
Liz Kohorn-Hill is Deputy Director of the Department for Science, Innovation and Technology (DSIT). Speaking at the perfect venue for clarity on this topic, a Westminster eForum policy conference on cybersecurity, she says:
“It’s important to remember that the starting point here is that the Prime Minister has said that the fundamental task of politics right now is to take the decisions needed on national security to deliver security for people at home. And for me, that is why we need to take forward this Bill.
“We know that the cyber threat is increasing. There has been a surge of cyber criminals who view critical national infrastructure as vulnerable and lucrative. And we know there are more state-backed and aligned groups who are targeting our critical national infrastructure for espionage or disruption – potentially due to our support of Ukraine, but also for other reasons.
“And the technology that criminals and aggressors are using has become more sophisticated, and organizations are becoming more interconnected, which increases vulnerabilities further.”
UK remains a top target for cyberattacks
The UK itself is being targeted, she explains:
“There was a stat, a few years ago, saying that the UK was the third most cyber-attacked country in the world after the US and Ukraine. And, I believe, we are still the most attacked in Europe through the cyber vector. Last year, the National Cyber Security Centre (NCSC) managed 89 nationally significant cyber instances, which means they had a substantial impact on either national security, economic stability, or public safety. That is one every four days.”
Indeed. But, while that provides an obvious context for legislation and regulation, neither seems likely to achieve much in practical terms to mitigate the threat – beyond (belatedly) seeing data centers and Managed Service Providers (MSPs) as part of critical national infrastructure, as the Bill does.
That is, if one views the plans through a resilience lens, rather than a security one, it makes more sense – maintaining coherence and uptime rather than avoiding attack. Keeping the Good Ship Britain afloat – somewhere in mid-Atlantic, perhaps.
She continues:
“Obviously, government doesn’t set cyber requirements across the economy. We have best practice and guidance, but we can only dictate cybersecurity safeguards for our critical national infrastructure – services that underpin the day-to-day lives of the public and the functioning of the economy: running water, electricity, digital services, the NHS.
“So, we need to take forward the Bill now, because we know that the UK’s only cross-sector cyber-led legislation is out of date, and insufficient now to tackle cyber threats.
“One priority is expanding scope, so strengthening the cybersecurity of more types of services, fixing vulnerabilities that stem from large gaps in the coverage of our regulations.
“The second is making sure that regulators can be even more effective: creating a stronger regulatory landscape with a reinforced security baseline, a faster reporting of incidents. Better resourced regulators fixing inconsistent enforcement.”
Funding challenges for expanded regulatory role
Bold words, but therein lies the rub. Regulators have already been tasked with supporting innovation and growth as a priority, alongside their traditional remit of consumer protection. But now the Government is suggesting their role should be expanded even further to protect the national infrastructure from attack – at a time of funding cuts and belt tightening.
Previous eForums on, for example, Artificial Intelligence (AI) policy and governance have heard regulators say, “We can do this ever-expanding job. But where is the money for new staff, new training, new enforcement, and new skills?” Where indeed? In the multibillion post-Brexit fiscal black hole, perhaps? So, a well-intentioned plan, no doubt, but is a low-budget version likely to succeed?
And there is another problem: the tortoise pace of legislation versus the hare of all that innovation the Government doesn’t want to impede. To her credit, Kohorn-Hill acknowledges the challenge:
“The third strand is making sure that the Government has more agile powers. We know that the threat is evolving all the time, which means we know that by the time we’ve enacted this Bill, it could already be out of date. So, how do we make sure there are new powers for ministers to continue to strengthen security requirements in a proportionate way?
“But also, we know that threats in cyberspace can come from out of nowhere and suddenly be severe. So, how do we also arm ministers with national security powers to respond to imminent threats?”
Conference culture needs fewer questions, more answers
At this point, some notes in the margin from a grumpy journalist. Time after time, in recent years, I hear speakers at conferences stand onstage – or sit on camera in Zoom and Teams – and use this endlessly repeating form of words, as if they are a meme: “So, how do we do x? So, how do we ensure y?” Indeed, some presentations are little more than a long list of these questions.
Call me old fashioned, but forums used to answer these questions, not ask them. But today’s conferences see presenter after presenter do little more than stand onstage shouting, “HELP ME I DON’T KNOW WHAT TO DO!” while harried delegates nod sadly into their flat whites and gratuity muffins.
No wonder users of social platforms follow extreme opinions and bold pronouncements: what today’s extremist commentators and mystic seers of the Singularity are saying online may be total BS and preposterous nonsense designed to drive up engagement and share prices, but at least they are offering solutions. After all, we can’t ask ChatGPT or Claude for reliable answers anymore, as model collapse and a flood of synthetic data mean that AI search is even more likely to lie to you than the AI’s Chief Executive Officer.
So, could I gently suggest a new form of words for conferences in the me-me-me/meme age? Say, “We know these are the pain points. And this is our preferred solution. Now let’s talk about it.” The first person to do that wins a candlelit dinner with me at a cheap restaurant, and my eternal admiration.
In fairness, I suppose that’s what Bills are designed to do – the government kind, not the restaurants – so buy your own dinner, you cheapskate.
But I digress. Despite all the questions, Kohorn-Hill makes some bold claims about the legislation:
“The Bill will make the public safer. It will protect working people and businesses from cyberattacks, so they can just get on with their normal lives – shoring up, making sure that people can switch on their tap and there’ll be running water or switch on their light and there’ll be electricity!”
If this doesn’t guarantee that a passing teenager will decide to dismantle Britain’s water supply for drugs and giggles, then I am just a cynical old hack. Then she continues:
“The second is, it will strengthen our national security, so it will make sure that we are building stronger defences again, and intelligence about cyberattacks so that government can respond to the evolving threat landscape, both in the moment and in the future!
“And the third is really important for this Government. Supporting economic growth through stability! So, how do we reduce business exposure and costs from cyberattacks, enabling them to sort of innovate and grow?”
I don’t know, Liz. Maybe tell us? Then she adds:
“So, that’s the sort of, I guess, context piece for this Bill.”
My take
As she says, that is indeed the sort of context piece. I guess.