This briefing provides an overview of cybersecurity in the UK. It explains the nature of the cyber threat, including how cyber attacks work. It describes the policy and regulatory frameworks, as well as areas of reform such as 'ethical hacking'.
Cybersecurity in the UK (833 KB , PDF)
Cybersecurity is the practice of protecting IT systems, devices, and the data they hold from unauthorised access and interference (known as cyber attacks).
This briefing focuses on policy and legislative efforts to improve the UK’s cybersecurity. It does not discuss cyber in the context of military operations.
Cybersecurity policy is a reserved matter, as are many related policy areas such as national security, product safety and consumer protection. In devolved matters, such as education, the devolved administrations have their own strategies for implementing the UK Government’s overarching cyber policy.
The cyber threat to the UK comes from a range of actors, including state and state-sponsored groups, financially motivated criminal organisations, and ‘hacktivists’ with political aims.
The boundaries between these groups can be unclear. For example, cyber criminal groups can operate with the implicit backing of states, choose targets for political reasons, or sell their cyber attack services to others (known as ‘as-a-service’ business models).
Cyber attacks typically involve malicious software (known as ‘malware’) being executed on the target’s system. Malware is an umbrella term for various types of software designed to damage, disable, and extract data from computer systems.
Cyber attackers deliver malware to the target’s IT system by exploiting technical vulnerabilities and human error, then run the malware to achieve their aim (such as stealing or encrypting data).
An estimated 95% of cyber attacks succeed because of human error. This includes ‘active’ errors such as opening malicious email attachments and ‘passive’ errors such as using weak passwords.
It is difficult to estimate the impact of cyber attacks because they are often not reported. The available data is based on survey evidence, and it can be hard for organisations to quantify the impact of a cyber attack beyond direct effects, such as money paid to attackers.
The Cyber Breaches Survey, conducted annually by the Department for Science, Innovation and Technology (DSIT), reported in April 2024 that around half of UK businesses had experienced a cyber attack in the previous 12 months. The larger the organisation, the more likely it was to have experienced an incident and the more it had to pay to resolve it.
Cybersecurity is a cross-cutting and technical issue, with multiple responsible government departments, such as the Cabinet Office, DSIT and the Home Office. Non-departmental public bodies are also involved in cybersecurity, such as the National Cyber Security Centre (NCSC), which advises public and private sector organisations.
The National Cyber Strategy 2022 describes the UK’s overarching cyber policy. The strategy takes a ‘whole-of-society’ approach, arguing that the government must work in partnership with private sector organisations and cybersecurity professionals to improve cybersecurity.
The strategy aims to shift the burden of cybersecurity from individual citizens to the organisations best placed to manage cyber risks. The government is therefore seeking to improve uptake of the NCSC’s cybersecurity guidance, incentivise investment in cybersecurity measures, increase the number of skilled cyber professionals, and strengthen statutory cybersecurity responsibilities.
The UK’s regulatory framework for cybersecurity comes from multiple pieces of primary and secondary legislation. Different legislation covers the cybersecurity of IT systems, internet-connected products and personal data.
The legal obligations in cybersecurity legislation apply to sectors and organisations where cybersecurity breaches would have a significant impact on society, the economy or individual rights. These include operators of essential services, such as telecommunications and transport, or digital service providers, such as online search engines (designated under the Network and Information Systems (NIS) Regulations 2018).
The Product Security and Telecommunications Infrastructure Act 2022 will, from April 2024, place cybersecurity requirements on manufacturers and distributors of internet-connected consumer products.
Cybersecurity regulations set general expectations rather than specific measures that responsible organisations must take. This provides organisations with a degree of flexibility, which the government regards as important given the rapidly changing nature of cyber threats. Government departments and regulators also publish guidance tailored to specific sectors.
Reforms under debate among policymakers and industry stakeholders include:
The UK Government has also proposed reforms including:
Negotiations are ongoing at the United Nations regarding a new international cybercrime treaty, proposed by Russia. It would seek to harmonise cyber legislation and improve international collaboration on cyber issues. However, the treaty has drawn criticism from human rights campaigners for its proposed criminalisation of ‘content-based’ activities in cyberspace such as disseminating ‘seditious’ material.