Government looks to tighten up cyber security laws on outsourced IT
The consultation – issued last week by the Department for Digital, Culture, Media and Sport (DCMS) – is part of the government's £2.6 billion National Cyber Strategy, which aims to improve the cyber resilience of businesses and organisations across the economy.
In 2018 the Network and Information Systems (NIS) Regulations were introduced to improve the cyber resilience of organisations that provide essential services such as water, healthcare, energy, transport and digital infrastructure. Organisations that fail to implement effective security measures can be fined up to £17m.
The new proposals seek to widen the scope of the NIS Regulations to cover managed service providers, and to require large companies to improve their cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO, among other measures.
The move follows several high-profile cyberattacks in the US which compromised government bodies and utilities – the SolarWinds supply chain compromise, the ransomware attack on Colonial Pipeline and the July 2021 attack on the managed service provider Kaseya.
According to Julia Lopez MP, Minister of State for Media, Data, and Digital Infrastructure, the detrimental impact that supply chain attacks are having on business and infrastructure worldwide has only recently been acknowledged and the government is seeking proposals aimed at addressing these risks.
She said in a statement: “What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat.
“One that can, and has, been exploited by our adversaries. Rather than having to exploit vulnerabilities in thousands of companies, the threat can manifest itself only through a small proportion of those organisations.”
While Lopez recognised that managed IT service suppliers play an important part in the UK’s digital economy and that the government did not want to interfere with the way they operate, she said that the risks they pose needed to be managed, “especially when their clients include government departments and critical infrastructure.”
She added that the proposals in the consultation are aimed at addressing these risks, while allowing these services to continue and succeed.
“Through these proposals, we will provide a comprehensive framework to ensure that managed services take appropriate and proportionate measures to secure their services. This will allow us to gain from their benefits, whilst mitigating against their risks.”
According to Lopez, the consultation will also look at how future risks can be managed: enabling amendments to cyber security legislation to be made more readily, improving incident reporting and bringing new sectors into scope.
The consultation on proposals for new laws to improve the cyber resilience of managed service providers closes on 10 April 2022.
Meanwhile the UK government appears to be backing away from proposals to remove the individual’s right to challenge decisions made about them by artificial intelligence following an earlier analysis of its consultation process.
In September 2021, the government published a consultation that suggested it could water down individuals’ rights to challenge decisions made about them by AI – a right enshrined in the EU’s GDPR, which took effect in 2018, and retained in UK data protection law.
However, at a Westminster eForum policy conference on data protection and the future of data regulation, Harry Lee, deputy director for data protection and data rights at DCMS, said that the government would look at the “efficacy of safeguards” for automated decision-making about people, rather than at the removal of those safeguards.
This week is TechInformed’s Cyber Security Themed Week in which we put a lens to the biggest trends in enterprise security.