King’s Speech moves cybersecurity in the right direction

Once the true extent of the Labour landslide became evident following the UK general election, I posed the question of what the new government would bring to the cybersecurity table. Now that Sir Keir Starmer has confirmed his plans, through the ceremonial nonsense of the King’s Speech, we have a much better idea, with the announcement of the Digital Information and Smart Data Bill and the Cyber Security and Resilience Bill.

The first of these, the Digital Information and Smart Data Bill, covers new digital verification services. The idea is to promote better use of customer data sharing with third parties in order to bring economic benefit.

There are obvious privacy concerns when it comes to doing this, but I’m more interested in the impact of the Cyber Security and Resilience Bill. In particular, how will it help protect critical national infrastructure, given the worrying weaknesses exposed by ransomware attacks on third-party service suppliers to the NHS, for example?

This new law will, when passed (and it’s likely to be “when” rather than “if” given the size of the Labour majority), give regulators more power to encompass supply chains as well as increase the robustness of the regulatory process to ensure it isn’t just a tickbox exercise.

Cybersecurity experts’ reaction to King’s Speech

So, how has Charlie’s Chat, sorry, I mean the King’s Speech, gone down with cybersecurity experts?

“According to our own data there were 69 cyber extortion attacks on healthcare businesses during Q1 of this year, up more than 100% from Q1 in 2023,” said Dominic Trott, Director of Strategy & Alliances at Orange Cyberdefense.

“It is pleasing to see that the Bill will make updates to the legacy regulatory framework by expanding the remit of the regulation to protect supply chains, which are an increasingly significant threat vector for attackers.”

John Smith, Veracode EMEA CTO, feels similarly positive. “I am very pleased that the new government has pledged to strengthen the UK’s cybersecurity and resilience,” he said.

“Whilst the new government has previously stated it will conduct a strategic defence review within its first year and set out the path to spending 2.5% of the GDP on defence, strengthening cybersecurity will mean having a specified proportion of that focused on the betterment of the UK’s cybersecurity posture.”

But more needs to be done…

Which isn’t to say that enough is being done, according to Smith. “In an increasingly volatile world, the UK government should push for Secure by Design principles to be embedded into the way that software and systems are created and maintained.”

Smith isn’t alone in pointing out what was missing in the King’s Speech.

This will be the first time in six years that cybersecurity legislation has been updated, and just think about how the threat landscape has changed in that time. Al Lakhani, CEO of IDEE, says that while necessary, the new Bill “doesn’t fully protect the UK’s defences, and it would be foolish to think we’ve suddenly addressed all the vulnerabilities that will remain as the bill is implemented.”

He added: “We can and must go further, and additional legislation and resources will be needed to tackle the ongoing risks facing the UK’s long-neglected digital infrastructure.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.
