Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy

Tan KW
Publish date: Tue, 30 Jul 2024, 07:12 PM
Analysis: The introduction of fresh UK cybersecurity legislation, though delayed, is timely.

The Cyber Security and Resilience (CSR) Bill announced in the King's Speech follows a series of high-profile attacks affecting critical national infrastructure (CNI), and with current cross-sector rules heavily outdated, the regulations will seek to catch up with other territories like the EU.

It comes as London hospitals reel from Qilin's attack on pathology services provider Synnovis, forcing it to issue a second urgent appeal for blood donations as stores run low.

Attacks on other major UK organizations such as the British Library and the UK's Ministry of Defence are also fresh in the memory, but for such a landmark piece of new legislation, it's decidedly lacking in key details. The floor has opened with rampant speculation about how it might look way down the road when it becomes law.

The bill in brief

We know the general gist of the bill - more stringent rules for defenders to apply and for those rules to govern a greater pool of organizations than the existing regulations.

The idea is that if more organizations have to keep their security controls in line with government-set standards, that will ease the risk of total disaster should an attack strike anywhere along the major supply chains.

It will apply to more organizations, meaning more than the current 12 regulators will be responsible for ensuring in-scope organizations fall in line. The initial details provided about the bill in the King's Speech alluded to giving regulators "a stronger footing" to enforce the new standards, and this would include access to greater resources and powers to investigate security shortcomings.

For context, just over half of in-scope organizations improved their cybersecurity following the introduction of the Network and Information Systems (NIS) Regulations in 2018, per a review carried out four years later. With these extra powers, we expect improvements to be made by a greater proportion of in-scope organizations in much less time.

But perhaps the standout update brought by the CSR Bill is the expansion of mandatory security incident reporting. The EU's NIS2 directive made this a reality in 2022, ahead of the UK, and the US also recently proposed a similar update under CIRCIA. It will give sector regulators a bank of data they can use to inform others of attacks happening in real time, and hopefully prevent attacks against the wider industry.

Why the UK needs this bill

Put simply, the UK's current legislation is entirely out of date.

The CSR Bill recognizes that the 2018 NIS Regulations were well behind the times compared to the EU's NIS2 directive, for example, which came into force last year and must be transposed into members' domestic law by October 2024.

Former Prime Minister Rishi Sunak's Conservative government announced plans to modernize these regs in 2022, with the standout takeaway being that managed service providers (MSPs) would be included in the scope, but those plans never came to fruition.

This means the only cross-sector cybersecurity laws in the UK are now six years out of date and the current Labour government understands these require an "urgent update" to reduce the likelihood of large-scale attacks on critical services.

Experts believe the bill has the potential to usher in positive change for defenders, supplying them with the rapid-response information they need to keep their organization safe.

The specifics of how this will take shape are currently unknown, but there will be an increase in government-mandated incident reporting for in-scope regulated organizations.

The US's CIRCIA enforces a 72-hour window in which to notify the Cybersecurity and Infrastructure Security Agency (CISA) of incidents. NIS2 also enforces the same 72-hour window for known incidents, while also requiring early warnings of possible incidents to be sent to national CSIRTs within 24 hours. With this in mind, it's likely the UK's model will be along the same lines.

Experts speaking to The Register about the bill have unanimously welcomed the increase in mandatory incident reporting, saying the rapid dissemination of sector-specific information will almost certainly help industry peers avoid similar attacks, which in turn is a net positive for the digital economy.

Aside from the National Cyber Security Centre's (NCSC) Early Warning initiative, defenders essentially rely on patches and the myriad advisories from vendors and cybersecurity agencies, complete with intel and indicators of compromise, to devise their defenses.

The issue here is one of volume. With such a wealth of information out there all advising urgent action on a swathe of threats, defenders are left not knowing what to prioritize, which is where the bill's mandatory incident reporting comes in.

Andrew Rose, chief security officer at SoSafe, said this information will be more useful to defenders than a patch because patching is a painful process that requires rounds of testing and monitoring to ensure it's safe to push (take note, CrowdStrike). 

"However, the information that people get from an incident and another organization is information that can be acted on immediately and it has no negative repercussions," says Rose.

"At that point, what you're doing is you're using your endpoint detection response system, you're using your SIEM and your SOC tools to actually say 'all right, well, these are the alerts, these are the signals that organization found that showed they have malware on their system, so let me look for that. Let me see if there's any evidence on my network now of that malware.'"

From there, defenders can assess whether the abuse of the same malware or vulnerability in attacks on other industry organizations is also present on their networks. If it is, they then know what updates to prioritize.

"It might have taken a month, two months, three months to apply that patch but if you know that people are exploiting it right now, you can push that right to the top and you can start to be a bit more embracing of risk," Rose adds.

That vital time saving could go a long way in reducing the ever-increasing rates of successful cyberattacks on UK soil. 

The Information Commissioner's Office (ICO) said in May that the UK sustained a record-high number of attacks in 2023, and the government tech department's recent breaches survey revealed that 50 percent of all organizations contributed to this rise.

It illustrates clearly that more must be done to combat the growing threat of cybercrime.

Unanswered questions linger

The ideas behind the CSR Bill do indeed sound like a step in the right direction, but perhaps the only thing more obvious than the need for updated legislation is the lack of detail in the initial proposals.

It's true that all legislation starts out as a relatively blank slate, and once the industry's experts weigh in with their views and everything is finalized by the two Houses, its minutiae are defined to a considerably greater extent.

Among the more obvious omissions is the information about punishments for non-compliance - the type we've seen shock boardrooms into action with the likes of the GDPR.

Sure enough, the EU brought fines with GDPR and has done the same with NIS2, opting for a similar but not identical structure. Essential entities - which are decided by size, sector, and criticality - face maximum fines of €10 million ($10.8 million) or 2 percent of their global annual revenue, whichever is higher. For important entities, the fines are slightly less at €7 million or 1.4 percent of their global annual revenue.

However, there is no mention of fines in the CSR Bill's announcement and there is no indication about whether they will be introduced later down the road or not. But, with the relative success of GDPR's fines, even as a scare tactic, it would be reasonable to expect some kind of punishment for non-compliance.

Rose says the broader idea of incentivizing in-scope organizations to comply with the new legislation is something that will require a great deal of effort to finalize, but history has shown that scary fines do the trick.

"As we've seen from GDPR, having a relatively high top-level figure for punitive damages does focus a board's attention," he says. "So, you can push out a compliance standard, but if it's got no teeth associated with it, then organizations will probably not pay much attention… however, if it comes with massive teeth like GDPR did, then everybody complies.

"GDPR went through a lot of grief when it came up with those big figures. But actually, it worked. It worked really well.

"So I think that that's an opportunity here and I think that's possibly a way to get this to cascade down properly. That will incentivize the regulators to pass it down to the industries, the industries will then need to push that down to the supply chain.

"Knowing that they're in peril of a large fine, they will do a good job of doing that. They will apply the right level of resource and they will have due scrutiny over the supply chain as well. So, it should start to cascade down far enough to make a difference."

Data collection

One of the key tenets of the bill is, of course, the increase in mandatory incident reporting. It will supply critical sectors with important information about attacks targeting them in rapid time. 

But, for Richard Cassidy, EMEA CISO at Rubrik, the big question that remains is how this data is going to be collected in a privacy-conscious manner and then disseminated without revealing where the attack is taking place.

Nothing has been said yet about what data regulators will demand from organizations experiencing a security incident, how it will be collected and shared with other sector members, or how regulators will ensure the intel it shares is actually utilized across every organization.

Cassidy said that from a technical perspective, it's all possible, but the way it's going to be implemented will require some thought.

"The platforms that would take it in from a true source and then anonymize it back out to a number of extra sources - those technologies are out there, so it's easy enough to do," he says. 

"You'll need to change domain name data if it's got customer information, change IP addresses because they're not relevant, unless they're public IPs, which are part of the impact vectors. Anything that identifies the company can be very easily scrubbed by SIEM platforms, data anonymizing platforms - they all do that out of the box today.

"But the real problem is who's going to control what that means and how that's redistributed and in what fashion. And then even why we would be redistributing it is a question this bill has not asked and it really needs to think about."

Scope for future expansion

Another notable absence from the King's Speech was any reference to ambitions of updating the legislation more frequently than it has done in recent years. It seems like the CSR Bill will be largely technical in nature, but some think it should probably be expanded down the line given the human aspect always comes into play in cybersecurity.

Rose says: "One of the things that I would want to see generally within standards coming forward in the future is a greater focus on the softer side of cybersecurity. It's all well and good to say 'go and find your vulnerabilities and perhaps within 30 days, make sure you have a firewall and a pen test every six months,' whatever it happens to be. All of those technical pieces are fine.

"But what we see from the statistics is that most of the breaches happen because of people. They happen because the attackers are using social engineering to trick people into becoming their accomplices effectively, either with business email compromise… or with getting them to run malware, which then delivers ransomware and then delivers impact to the organization."

The latest Verizon Data Breach Investigations Report pegged the proportion of breaches catalyzed by social engineering or some other human factor at 68 percent, and Forrester's analysts predict this figure will grow by the end of the year, largely thanks to generative AI.

"I would like to see prioritized that human aspect of cybersecurity," says Rose. "It's more than just saying 'oh, you must do security awareness' and throwing it at that because there's a lot more to it than just security awareness.

"There's a whole behavior change, culture change, human risk management lifecycle, and I would like to see that reflected more in the full text of the regulations when it comes forward. I just think that's an oversight."

Ransom payments

This is always on everyone's minds, isn't it? Will they ban it, won't they?

Some movement either way was expected by some corners of the industry, and if the sources of former vultures are correct, the bill's proposals would have outright banned payments by CNI operators and required other organizations to obtain a license before making a payment, but those proposals were weakened somewhat before the King's Speech.

If the UK is to follow in the US's footsteps, then it's likely such rules won't come into effect. CISA director Jen Easterly recently said she couldn't see a ban on ransom payments being introduced, owing to impracticalities.

It's a tough one to regulate. Even if the UK banned in-scope organizations from making payments, they could easily get others such as incident response teams or insurers to do it on their behalf - as is sometimes the case nowadays.

The difficulty here is perhaps why the UK has been so unreserved lately when talking about the idea of resilience - a core theme of the NCSC's most recent conference. If implementing a ransom payment ban is too much of a headache, then the best we can do is become as resilient as possible to adversaries. That's one view, anyway. The debate around ransom payment bans is still as fierce as ever, and there is still no overwhelmingly convincing side. ®
https://www.theregister.com//2024/07/30/uk_csr_bill_analysis/