UK proposes new laws to boost cyber resilience
The proposals would see more companies adopt improved cyber security measures, but there's no mention of open source
The UK is planning new laws to help boost the country's resilience from cyber attacks, following a rise in attacks targeting critical infrastructure and supply chains worldwide.
On Wednesday, the Department for Digital, Culture, Media and Sport (DCMS) published the government's 2022 cyber security incentives and regulation review, detailing the progress made in improving cyber resilience between 2016 and 2021, and providing evidence as to why further measures are required to ensure that businesses and organisations in the digital economy are adequately protected against cyber threats.
'Raising cyber resilience across the economy and society, even if it is just the basics of ensuring good cyber security practices are implemented consistently, is the first line of defence against cyber attacks,' the review document says.
'The government recognises this is a complex challenge that needs the involvement of businesses, organisations and the public if the UK is to succeed in becoming more cyber resilient.'
Under new proposals, the government wants to revise the Network and Information systems (NIS) Regulations, which came into effect in 2018 to boost the cyber and physical security of the networks and information systems belonging to firms providing essential services such as energy, transport, water, and healthcare.
As part of the change, such firms would be required to put effective security measures in place. Moreover, managed service providers would need to register with the Information Commissioner's Office and to provide proportionate security measures.
Another proposed change to the NIS regulations is the need for large firms to provide better cyber incident reports to regulators like Ofcom, the ICO and Ofgem. That would include making it a requirement to inform regulators of any cyber attack the firms suffer, not just those that impact their services.
The government also intends to give itself the power to modify the NIS regulations in the future without introducing new legislation.
Another part of the DCMS' proposals is to give additional powers to the UK Cyber Security Council, which started working as an independent body last year.
The Council, which aims to improve professional standards and career opportunities for cybersecurity professionals, will be able to define and recognise cyber job titles, as well as link them to current qualifications and certificates.
The new approach is part of the government's National Cyber Strategy, which it published at the end of last year.
The government will drive the programme with £2.6 billion of funding over the next three years, to carry out both offensive and defensive cyber warfare.
"The UK government's move to bolster cyber resilience is long overdue. However, today's review overlooks one of the most pressing challenges facing businesses today - open source security as a part of the supply chain," said Ilkka Turunen, Field CTO, Sonatype.
"Despite open source components forming the foundations of our digital economy - comprising 80-90 per cent of the code in modern applications - there is not a single reference to open source in the 11,000+ word document. Until significant emphasis is put on improving open source practices on a national level, the government is unlikely to deliver on its objectives.
"While the government has rightly recognised the importance of digital supply chain security at large, in neglecting to mention, or more importantly understand the use of open source in software development, it has ignored the significant threat posed by the careless use of the software supply chain itself. The Log4j vulnerability that set the internet ablaze in recent weeks demonstrates the far reach and relative opaqueness of open source adoption. It is now a matter of extreme urgency and the UK must move quickly to introduce measures in line with those being implemented in the US to ensure companies know what's in their software.
"Failure to move beyond awareness-building and implement practical software supply chain security measures leaves the UK in a precarious position. Both the government and businesses need to take responsibility for securing the software supply chain. Only then will companies be able to truly improve their cyber resilience."