UK government pushing for cybersecurity clarity
The UK government has set out its cybersecurity law strategy, with plans to simplify incident response and to reduce fines.
To get you up to speed, the National Cyber Security Strategy was unveiled on 1 November 2016 and set out the plan for the UK to be able to cope with cyber threats by 2021.
As reported last year, there was also a new cybersecurity innovation centre in London and investment of up to £14.5 million to develop technology to help keep the nation safe.
And don’t forget that in February 2017 the new National Cyber Security Centre (NCSC) was unveiled. As its name suggests, it’s a single, central body at a national level.
On 8 August 2017, the UK government published its proposals for improving the security of essential services, through its plans to implement the Security of Network and Information Systems Directive (known as the NIS Directive), in a public consultation.
That consultation covered six main topics. These include how to identify essential services; a national framework to manage implementation; and security requirements for operators of essential services.
In addition, it mentioned incident reporting requirements for operators of essential services; requirements on digital service providers; and the proposed penalty regime.
Now, the government has revealed the feedback – over 350 responses to its consultation, which showed “that in the main, the government’s proposals were thought to be appropriate and proportionate”.
Respondents also highlighted areas of concern and the government has ideas for some main changes.
These include clarifying the thresholds required to identify operators of essential services; the role of the competent authority and how powers may be delegated to agencies; and that the role of the National Cyber Security Agency is limited to cybersecurity.
Other changes concern what is expected of operators within roughly the first year, and the definitions of digital service providers.
In terms of plans, the government will simplify the incident response regime to separate incident response procedures from incident reporting procedures. It will also change the penalty regime slightly, and reduce the risk of fines in excess of £17 million.
As you can imagine, the information is extensive. The full 35-page report can be found here.
A year on
In a separate announcement, today (5 February), the NCSC indulged in some public back-slapping by reporting it had detected and prevented millions of online commodity attacks against the UK.
In “Active Cyber Defence – One Year On”, a summary compiled by the NCSC’s technical director Dr Ian Levy, it described its triumphs.
Four active cyber defence (ACD) programmes – Web Check, DMARC, Public Sector DNS and a takedown service – were launched last year as part of the National Cyber Security Strategy to “improve basic cybersecurity by disrupting commodity cyber attacks that affect UK citizens”.
The technology, “which is free at the point of use”, improves defence against threats by blocking fake emails, removing phishing attacks and stopping public sector systems veering onto malicious servers.
Key findings from the analysis show that since ACD was introduced:
- the UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (November 2017);
- 121,479 phishing sites hosted in the UK were removed, along with 18,067 sites worldwide spoofing the UK government;
- takedown availability times for sites spoofing government brands fell from 42 hours to ten hours;
- there was a “dramatic” drop in scam emails from bogus ‘@gov.uk’ accounts (a total of 515,658 were rejected in the year);
- an average of 4.5 million malicious emails per month were blocked from reaching users (peaking at 30.3 million in June);
- more than one million security scans and seven million security tests were carried out on public sector websites.
You can read the full report here. (Don’t worry – the link is safe.)