Julia Lopez – 2022 Statement on Public Consultations to Improve UK Cyber Resilience

The statement made by Julia Lopez, the Minister for Media, Data and Digital Infrastructure, in the House of Commons on 19 January 2022.

Today, my Department has launched two consultations seeking public views on our proposals to improve the UK’s cyber resilience.

The UK, as one of the leading digital nations, has accelerated its adoption of digital technologies. These technologies have rapidly become integral to the functioning of our economy and form an important part of our critical national infrastructure. In order to ensure our continued prosperity, it is vital that cyber-security is a fundamental part of our country’s digital transformation journey.

Cyber-security incidents are increasing in frequency and sophistication, with the potential to cause severe damage to critical national infrastructure and the economy. Over the course of the last year, the National Cyber Security Centre has faced an unprecedented increase in the volume of cyber-security incidents to which it has had to respond. In addition, there have been a number of high-profile cyber incidents within the last year, both domestically and abroad, which have highlighted the increasing sophistication of threats to the UK’s cyber resilience. The faster paced digitisation of the UK’s economy means that these attacks will have an even greater impact on British businesses and consumers.

Incidents such as the SolarWinds supply chain compromise in December 2020 and the ransomware attack on the Colonial pipeline in May 2020 demonstrated how such cyber-attacks can impact critical services and national infrastructure. At the same time, they have also highlighted the increased need for a sustained supply of diverse and skilled individuals into the cyber workforce to make systems more resilient against cyber-threats like these.

Today’s consultations are aimed at addressing these challenges. They are divided into three distinct pillars, which are discussed over two separate consultations, given the nature and audience of the differing pillars.

The first consultation covers pillars 1 and 2, and applies to the whole of the United Kingdom. Changes proposed here affect the Network and Information Systems (NIS) Regulations 2018. This is a key piece of cyber-security legislation which establishes legal measures to strengthen the overall level of security (both cyber and physical resilience) of network and information systems that are critical for the provision of essential UK services, such as transport, energy, water, digital infrastructure, arid health, as well as key digital services.

Proposals in pillar 1 seek to bring additional critical providers of digital services under the NIS regulations. The proposals also establish a new risk-based and proportionate supervisory framework for all digital service providers in scope of NIS. Combined, these proposed measures will strengthen the oversight of providers who frequently have privileged access and provide critical support to essential UK services, and ensure that these businesses have adequate cyber-security protections in place.

The proposals in the second pillar seek to future-proof the NIS regulations, by allowing changes to be implemented so the UK can adapt to evolving threats and technological developments. The Government propose powers to allow important updates to the NIS framework to be made in the future, either to respond to changing threats or technology or to cover other areas as necessary, as well as provisions to secure the most critical organisations on which essential services depend. The Government would also propose to make changes to the current cost recovery system and the incident reporting framework under NIS. Measures proposed in both of these pillars seek to address some of the supply chain cyber-security issues which we have experienced, and which, given the nature of the digital economy, are here to stay.

The second consultation covers the third pillar. Its audience is different from the first two pillars and its proposals are limited to England only. It proposes a set of additional approaches the Government can provide in quality-assuring the cyber profession. This includes exploring both legislative and non-legislative options. The Government will look to the UK Cyber Security Council to be the professional authority to ensure efforts to supply the cyber workforce with diverse and high-quality individuals is done consistently and sustainably. The role of the council will involve developing professional standards and a career pathways framework, bringing together the existing qualification and certification market under a coherent structure. The consultation seeks to gather views on embedding a legislative underpinning for the cyber profession as well as non-legislative measures including a potential role for Government procurement requirements that explores the extent to which a similar demonstration of competence should be required for specific Government functions.

Copies of the consultation on proposals for legislation to improve the UK’s cyber resilience and embedding standards and pathways across the cyber profession by 2025 can be found on the Government website: https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience.

Sharing views will help improve the UK’s cyber-security regulations. By strengthening the oversight of critical digital suppliers, existing cyber-regulation, and improving the UK’s cyber-security profession, we can solidify the UK’s position as a democratic and responsible cyber-power and protect our essential services (such as the NHS, transport services, digital services and energy supplies). This will, ultimately, defend the interests, livelihoods, and economic prosperity of our people and businesses.