As IT systems become increasingly vital to the functioning of society and the economy, so too are they increasingly valuable targets for a variety of malicious activities. A cyber attack is an attempt by an unauthorised user to gain access to an electronic network or device. Cybersecurity is the practice of protecting IT systems, devices and the data they hold from unauthorised access, interference, and use.

This briefing focuses on policy and legislative efforts to improve the UK’s cybersecurity, broadly defined as resilience to cyber attacks. It does not discuss cyber in the context of military operations.

Cybersecurity policy is a reserved matter, as are many of the policy areas that it touches, including national security, product safety, and consumer protection. In devolved matters, such as education, the devolved administrations have their own strategies for implementing the UK Government’s overarching cyber policy.

Who carries out cyber attacks?

The cyber threat to the UK comes from a range of actors with differing motivations and levels of sophistication. They include state and state-sponsored groups, financially-motivated criminal organisations, and ‘hacktivists’ with political aims. The boundaries between these groups can be unclear. For example, cyber criminal groups can operate with the implicit backing of states and (especially since the war in Ukraine) may choose targets, in part, for political reasons.

An additional complication is the rise in ‘as-a-service’ business models, where criminal groups or individual hackers sell their services to other actors.

How are cyber attacks carried out?

Cyber attacks typically involve malicious software (known as ‘malware’) being executed on the target’s system. Malware is an umbrella term for various types of software designed to damage, disable, and extract information from computer systems.

To carry out a cyber attack, threat actors typically need to:

  • Develop or acquire malware;
  • Identify a vulnerability in the target’s IT systems – software applications, networks, devices – that allows them to install the malware;
  • Deliver the malware to the target system and run it;
  • Carry out the desired activities, such as stealing or encrypting data.

An estimated 95% of cyber attacks succeed due to human error on the part of users. This includes ‘active’ errors such as opening attachments in malicious emails and ‘passive’ errors such as using weak passwords.

What is the impact of cyber attacks?

It is difficult to estimate the impact of cyber attacks because a significant amount of activity goes unreported. The available data is based on survey evidence, and it can be hard for organisations to quantify the impact of a cyber attack beyond direct effects, such as money paid to attackers.

The Cyber Breaches Survey, conducted annually by the Department for Science, Innovation and Technology (DSIT), reported in March 2023 that around a third of businesses and a quarter of charities had experienced a cyber attack in the previous 12 months. The larger the organisation, the more likely it was to have experienced an incident: 69% of large firms and 76% of charities with annual incomes over £5 million reported breaches.

Larger organisations also face higher costs in responding to cyber attacks because they hold more data and attackers base ransom demands on the victim’s ability to pay. In 2016, for example, a hair salon in Cheltenham was reported to have paid a £1,600 ransom after its computers were encrypted in an attack. At the other end of the scale, Capita, the UK’s largest business process outsourcing firm, has estimated that responding to a ransomware attack in March 2023 will cost it £20 million.

What is the Government’s approach to improving cybersecurity?

Cybersecurity is a cross-cutting and technical issue. The key government departments are: the Cabinet Office, which has overall responsibility for cyber policy; DSIT, which is responsible for implementing large parts of domestic cybersecurity law and policy; and the Home Office, which is responsible for policy on cyber crime.

There are also various non-departmental public bodies involved in cybersecurity. The main one is the National Cyber Security Centre (NCSC), launched in 2016, which provides technical advice and guidance on cybersecurity.

Overarching policy on cybersecurity is contained in the National Cyber Strategy (NCS) 2022. The Strategy sets a series of objectives intended to achieve the Government’s vision, which is that in 2030 the UK will

continue to be a leading responsible and democratic cyber power, able to protect and promote our interests in and through cyberspace in support of national goals.

The NCS 2022 takes a ‘whole-of-society’ approach to cybersecurity, arguing that in order to improve the UK’s resilience to cyber attacks the Government will need to work in partnership with private sector organisations and the cybersecurity profession.

One of the basic aims of the strategy is to shift the burden of cybersecurity from individual citizens to the organisations best placed to manage cyber risks. For this reason the Government is seeking to improve uptake of the NCSC’s cybersecurity guidance, incentivise investment in cybersecurity measures, increase the number of skilled cyber professionals, and strengthen statutory cybersecurity responsibilities.

How is cybersecurity regulated?

The UK’s regulatory framework for cybersecurity consists of a patchwork of primary and secondary legislation. Different legislation covers the cybersecurity of IT systems, internet-connected products, and personal data.

Cybersecurity legislation is risk-based. Legal obligations are aimed at sectors and organisations where cybersecurity breaches would have a significant impact on society, the economy, or individual rights. This includes organisations designated under the Network and Information Systems (NIS) Regulations 2018 as operators of essential services (such as telecommunications and transport) or digital service providers (such as online search engines). The Product Security and Telecommunications Infrastructure Act 2022 will, once implemented, place cybersecurity requirements on manufacturers and distributors of internet-connected consumer products.

Organisations not covered by the above regulations will most likely encounter cybersecurity responsibilities through data protection legislation.

The obligations imposed by cybersecurity legislation are typically principles-based. They set general expectations regarding cybersecurity but do not prescribe specific measures that responsible organisations must take.

This approach provides organisations with a degree of flexibility in how they meet their cybersecurity requirements. The Government regards this flexibility as important given the rapidly changing nature of cyber threats. To support organisations, relevant government departments and regulators publish guidance tailored to specific sectors.

Proposals for regulatory reform

The cyber threat landscape is constantly evolving as threat actors look for new methods and targets. Policy and legislation must therefore also adapt to keep up. Proposals for reform include the following:

  • Reforms under debate among policymakers and industry stakeholders:
    • Whether there should be a defence in law for legitimate cybersecurity researchers who, in the course of their work, adopt methods used by malicious actors. This is known as ‘ethical hacking’. Proponents of reform say that vulnerability to legal action has a ‘chilling’ effect on the cyber profession. Opponents say that permitting ‘ethical hacking’ could provide cover for malicious actors.
    • Whether ransom payments to cyber criminals should be banned. While paying ransoms to cyber criminals is strongly discouraged by the Government it is not illegal in most cases. Proponents of a ban point out that, while it is individually rational, paying ransoms is collectively irrational because it encourages criminals to engage in cyber attacks. Opponents argue that it is wrong to criminalise victims and that cyber criminals would likely adapt their methods in response.
  • Reforms proposed by the UK Government through published consultations:
    • Strengthening the NIS Regulations by bringing more organisations into scope and broadening the range of incidents that need to be reported. The Government says that these reforms will be implemented once a “suitable legislative vehicle” is found.
    • Introducing a ‘cyber duty to protect’ which would place greater responsibilities on organisations who manage online personal accounts. The Government has not yet responded to this consultation.
    • Strengthening corporate responsibility by requiring large organisations to include a ‘Resilience Statement’ in their annual reports. The statement would set out the company’s approach to managing threats to its resilience, including from cyber attacks. The Government has said that it will introduce the reforms but legislation has not yet been introduced.
  • Reforms at the international level:
    • Negotiations are currently ongoing at the United Nations regarding a new international cybercrime treaty. Like the existing Budapest Convention, ratified by 68 countries including the UK, it would seek to harmonise cyber legislation and improve international collaboration on cyber issues. However, the treaty, which was proposed by Russia, has drawn criticism from human rights campaigners for its proposed criminalisation of ‘content-based’ activities in cyberspace such as disseminating ‘seditious’ material.
