ANALYSIS From May's cyberattack on the Legal Aid Agency to the Foreign Office breach months later, cyber incidents have become increasingly common in UK government.
The scale extends far beyond these high-profile cases: the NCSC reports that 40 percent of attacks it managed between September 2020 and August 2021 targeted the public sector, a figure expected to grow.
Given this threat landscape, why does the UK's flagship Cyber Security and Resilience (CSR) Bill exclude both central and local government?
Sir Oliver Dowden, former digital secretary and current shadow deputy PM, led calls in the House of Commons this week urging Labour to rethink its stance on excluding central government from the CSR Bill.
"I would just urge the minister, as this bill passes through Parliament, to look again at that point, and I think there is a case for putting more stringent requirements on the public sector in order to force ministers' minds on that point."
The CSR bill was announced days into Sir Keir Starmer's tenure as Prime Minister, aiming to provide a long-overdue refresh of the country's outdated Network and Information Systems (NIS) Regulations 2018.
It proposed to bring managed service providers (MSPs) into scope, as had been planned in 2022 before those plans fell by the wayside, along with datacenters, among many other changes.
Parallels can be drawn with the EU's NIS2. However, the CSR bill's scope is narrower: unlike the EU's equivalent regulatory refresh, it excludes public authorities.
Ian Murray, minister of state across two government departments and responsible, in part, for data policy and public sector reform, thanked Dowden for his suggestions and promised to take them on board.
In responding to the shadow deputy PM, Murray also pointed to the Government Cyber Action Plan, which the government launched hours before the CSR bill's second reading in the Commons.