The UK’s Cyber Security and Resilience (CSR) Bill represents a golden opportunity to enhance Britain’s national cyber security posture but risks losing the support of key industry stakeholders unless its backers adopt a more comprehensive outlook, a group of MPs has warned.
In a report published 11 June, the Cyber Innovation All-Party Parliamentary Group (APPG) said that they found widespread support for stronger cyber laws, but that more collaboration and a “more ambitious, future-proofed” approach was needed to maximise its benefits.
In compiling its report, the APPG conducted a national study of cyber professionals, incorporating inputs from a roundtable discussion at which representatives of managed security services providers (MSSPs), cyber suppliers, academics and other organisations shared their views.
It said that while 46% of respondents believed the CSR Bill will support economic growth, 44% merely saw “the potential”. The APPG warned that amid ongoing cyber attacks targeting the British economy – notably the retail sector – this underscored the need for politicians to be more ambitious and inclusive.
Cyber Innovation APPG chair, recently elected MP and former BCS policy lead Dan Aldridge said: “This bill is a historic opportunity to strengthen the UK’s cyber resilience, but we risk falling short if we don’t listen to those on the frontline.
“We’re calling on DSIT to open up the conversation, coordinate across government, to provide a timeline and process for tackling the urgent issues that are deemed out of scope. By future-proofing regulations and giving parliament a clear role in oversight, we can make sure the UK remains secure and competitive in a rapidly changing digital world.”
Till Sommer, policy counsel at the Cybersecurity Business Network (CBN) – a coalition of security organisations that also provides the APPG’s secretariat, added: “We need all the inputs we can get for the bill, from across the cyber sector in the UK. We encourage stakeholders nationwide to participate in these crucial discussions so that the CSR Bill delivers the resilience, innovation and growth our sector needs.”
Ransomware is not the only issue we face
Since it was first floated in last summer’s King’s Speech, the CSR Bill has attracted headlines and stimulated much debate thanks to clauses that will mandate ransomware incident reporting for key sectors including local councils, schools and NHS Trusts. This is something the government is keen to get through because it believes this will provide better data on cyber incidents, improve the UK’s national understanding of the treacherous threat landscape and potentially provide early warning of incoming attacks.
However, cyber security is about much more than ransomware prevention, and the APPG report acknowledges this, saying that the CSR Bill, while transformative, is too narrow in its scope and excludes key opportunities which may be very beneficial to the economy, and wider society.
The APPG highlighted several areas in which it believes the bill could be enhanced. These include embedding corporate governance in decision-making flows, better empowering cyber pros to address new threats and offering those in threat intel functions better legal protections, and aligning regulatory requirements to reduce compliance issues and elevate standards.
It called the government to enter into more consultation with Britain’s cyber sector and bring stakeholders into the drafting process, account for the increased use of AI and quantum computing and the passing of NIS2 in the European Union (EU).
The APPG also said stakeholders wanted to see more done on regulatory alignment and favoured a more collaborative approach with regulators, and supported the Bill’s proposals around the power of direction and use of secondary legislation for future-proofing the bill, provided these are robust and Parliament’s role is clearly defined.
