Cyber Security and Resilience Bill Includes 72-Hour Reporting Deadline, Hefty Fines
The U.K. government’s proposed Cyber Security and Resilience Bill is a “good step forward” to encourage business to report ransomware incidents, said Ciaran Martin, the former National Cyber Security Centre chief. But he said the success of the new regulations also hinges on the support mechanism for cyber victims.
The U.K. government is expected to take up the Cyber Security and Resilience Bill in March. Although details are sparse, government officials indicated a key provision will be a mandatory 72-hour deadline for reporting ransomware and other cyber incidents to the government (see: UK Labour Introduces Cyber Security and Resilience Bill).
The bill is the U.K. equivalent of the Cyber Resilience Act in the European Union, which mandates incident reporting as well as patching and vulnerability disclosure.
“It’s a good step forward,” said Martin, now a professor of management practice at the University of Oxford, who said the regulations can play a pivotal role in protecting the country’s critical infrastructure. The reporting requirement can also help the government and law enforcement agencies collect the data needed to address cyber incidents, said Martin, who was the founding head of the U.K. National Cyber Security Centre.
The U.K. Information Commissioner’s Office calls for businesses and other organizations to report a cyber incident within 72 hours depending on the severity of the attack on the targeted systems, but victims often do not report incidents, fearing reputation damage and fines (see: Half of UK Firms, Charities Failed to Report Cyber Incidents).
For instance, the U.K. ICO in August said it would fine Advanced Computer Software Group 6.09 million pounds for failing to prevent a ransomware attack and data breach in 2022 that disrupted a national urgent care medical helpline (see: UK’s Advanced Faces 6M Pound Fine After LockBit Attack).
Underreporting of cyber incidents has been a challenge, especially for the U.K.’s law enforcement agencies, such as the National Crime Agency, which has said the lack of data on cyberattacks prevents it from understanding the scale of the cyberthreats facing the country and from responding quickly to incidents (see: UK ICO and NCA to Collaborate on Cyber Incident Preparedness).
If enacted, the bill will be the first to introduce mandatory reporting obligations for cyber incidents.
Given that ransomware and similar cyberattacks are often a “traumatic experience” for the victims, Martin said the effectiveness of the bill will depend on nuances such as making sure the government has adequate resources to help cybercrime victims come forward, rather than victimizing them even more.
“It shouldn’t be that law management companies just filled up the state inboxes with the incident reports, and the companies heard nothing back. The victims need to get the right help, in terms of what they can and can’t expect when they do report things,” Martin said.
Looming Threat From China
Martin said nation-state threats pose a major risk to the U.K. Chinese groups, especially Volt Typhoon, are focused on the U.K.’s critical infrastructure. While China’s hacking operations over the last two decades have been largely focused on spying and espionage, the activities of Volt Typhoon and other groups indicate a change in tactics toward more disruptive attacks targeting Western critical infrastructure.
“I think Volt Typhoon is the most significant change in the cybersecurity threat picture in terms of nation-state threat to Western interests that way,” Martin said.
Volt Typhoon, which has been active since mid-2021, in recent months has targeted critical infrastructure sectors such as communications, information technology and government agencies. In May, the U.S. government and its Five Eyes intelligence-sharing alliance revealed that the group targeted critical infrastructure in Guam and the United States (see: Chinese State Hacker ‘Volt Typhoon’ Targets Guam and US).
The group is among a roster of Chinese nation-state groups known to conduct extensive reconnaissance by exploiting flaws in edge devices. Other groups following similar tactics include Salt Typhoon and Flax Typhoon.
Martin said it’s crucial for the government and private industry to work together to improve the nation’s overall security posture.
“I think the whole thing comes back to having long-term solutions, it’s about planning for disruption, but also improving defenses as best you can. It is about security by design of software and software-related products,” Martin said.