New measures are being introduced by Keir Starmer’s government to help fight off nation state attacks devastating UK public services such as the NHS. Will the Cyber Security and Resilience Bill have an impact?
Recent cyber attacks on the NHS and Ministry of Defence (MoD) have led to widespread concern that nation state adversaries from the likes of Russia and China are getting out of control.
In June, a ransomware attack on pathology services provider Synnovis by Russia-backed Qilin led to the cancellation of 6,000 NHS appointments and procedures. In May, it emerged that attacks on the MoD were perpetrated by China-linked adversaries, leading to heightened calls for the government to intervene.
Amid increasing pressure to act, the King’s Speech on Wednesday saw the introduction of the Cyber Security and Resilience Bill, the Starmer government’s answer to cracking down on cyber-criminals and nation state attackers to protect essential public services and infrastructure.
The new Bill
Among its stipulations, the Cyber Security and Resilience Bill will expand the remit of the existing regulation, covering a wider range of businesses and services, including the supply chain. It aims to put regulators in a better position to ensure best practices are implemented, and it will expand reporting requirements, making reporting mandatory for ransomware attacks.
The proposed rules will “improve our understanding of the threats and alert us to potential attacks by expanding the type and nature of incidents that regulated entities must report,” the background briefing notes to the King’s Speech, published by 10 Downing Street, say.
However, it stops short of an outright ban on ransom extortion payments, as apparently planned by the previous government.
Nation state attacks
The Bill’s focus on supply chain security has been welcomed by experts. The Synnovis attack is just one example of the devastating impact of increasing attacks on supply chains – an area being increasingly targeted by nation states as a route in, says Darren Anstee, chief technology officer for security at NETSCOUT. “We’re also seeing the nature of the threats we all face evolve, with more sophistication and broader, increasingly persistent activity from nation state affiliated actors.”
Over the last few years, the UK government has been very outspoken about attacks by both Russia- and China-backed adversaries. The UK’s National Cyber Security Centre recently issued guidance warning organisations that Chinese adversaries were widening their capabilities. Meanwhile, GCHQ says China is a top priority.
The Cyber Security and Resilience Bill builds on the work the previous government had already started, says Philip Ingram, a former colonel in British military intelligence. For example, the UK has taken a hard line on Chinese technologies and vulnerabilities in IoT default settings, he points out.
“Russia and China in particular have been exploiting our systems and connectivity for years; the time has come to stop it,” Ingram says.
UK crackdowns on nation states can and do happen, with the government imposing sanctions on Chinese adversaries in March this year. However, things can be complicated by trade dependencies, says Ian Thornton-Trump, CISO at Cyjax. “Billions of pounds in manufacturing as well as heavy ‘dirty’ industry is at risk, not to mention significant Chinese investment which has defined the UK’s relationship with China since the 1980s.”
Funding needs
It is with this in mind that much of the government’s focus is on defence and reporting to boost cybersecurity across critical industries. Increased powers for regulators and expanded reporting will be critical for building the cyber resilience needed to prevent and mitigate nation state attacks, says Trevor Dearing, director of critical infrastructure at Illumio.
However, regulation will only be successful if accompanied by additional funding for public bodies, he says. “Otherwise all that will happen is that regulations create an unrealistic goal that is cost-prohibitive to implement.”
Funding is also key for organisations to update legacy systems. The infamous WannaCry attack of 2017 impacted the NHS because it relied on out-of-date Windows XP systems.
Taking this into account, Dearing highlights a need for further steps to reduce the risk from legacy systems across all public services. “This technology accounts for 30 to 50 per cent of all IT services in the NHS, so we need to see extra funding and support to help Trusts replace systems as soon as possible. The cost of upgrades and replacements will be well worth it if it helps reduce the chances of multi-million-pound breaches.”
Increased defence spending
As Labour starts to deliver on promises outlined in its manifesto, including increased spending on defence, the new Bill looks good in theory, but with limited details available, no one knows exactly how far it will go.
As Aaron Walton, threat intel analyst at Expel, asks: “What additional power will regulators be given to ensure businesses are better protecting themselves, their employees and customers from cyber attacks? To what extent will businesses need to report?”
When it launches, the Bill will need to ensure reporting requirements are “implementable and done in a dialogue with industries of different sizes,” says Louise Marie Hurel, cyber research fellow at the Royal United Services Institute. This, she says, will require “a fine balance between innovation and updates to existing data and cyber incident reporting requirements”.
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist