With cybercrime rates doubling since 2019, and ransomware tripling since 2020, the UK government is seeking to bolster the nation’s cyber defences, publishing the National Cyber Strategy 2022 and enhancing the four-year-old Network and Information Systems Regulations (‘NIS Regulations’). BCL’s Julian Hayes and Andrew Watson discuss the NIS Regulations and examine the challenges for their reform in the face of increased online threats.
After keeping trains running to and from besieged towns and distributing humanitarian aid despite great personal risk, few would doubt the courage of the drivers of Ukrainian Railways since the invasion of their country. But their efforts could have been thwarted and the loss of life far greater had the ‘wiperware’ – malware installed by hackers and designed to incapacitate the rail network – not been neutralised before the Russian assault. Hostile states, though, are not the only threat actors menacing electronic communications networks supporting essential services across the world, with cybercrime rates in general reported to have doubled since 2019, and ransomware tripling since 2020. Targets have included hospitals, schools and local authorities. In the face of increased online threats, the UK government is seeking to bolster the nation’s cyber defences, publishing the National Cyber Strategy 2022 and enhancing the four-year-old Network and Information Systems Regulations (‘NIS Regulations’) to ensure the UK remains, in the government’s words, “confident, capable and resilient in this fast-moving digital world.”
National Cyber Strategy
Developed against the backdrop of the 2020 SolarWinds and 2021 Colonial Pipeline cyber-breaches in the US which respectively compromised secure government networks and fuel supplies to the US east coast, the UK’s National Cyber Strategy recognised the significant progress towards cyber resilience made by the UK in the past decade. But whilst celebrating the work of the National Cyber Security Centre, the much-admired scion of GCHQ, and the proliferation of cyber security guidance available to UK businesses and other organisations, the Cyber Strategy recognised the need to reduce cyber risks still further so businesses can take advantage of the economic benefits of widespread digitisation and citizens feel more secure online. That will require increased levels of cyber resilience, particularly within critical national infrastructure (‘CNI’), and to achieve it, the Cyber Strategy foreshadowed significant reform to the NIS Regulations.
The NIS Regulations
At present, the NIS Regulations apply to ‘operators of essential services’ (‘OES’), including utilities, health and transport, and to ‘relevant digital service providers’ (‘RDSPs’), including online marketplaces and cloud computing services. They set a base level of security for network and information security systems (that is, electronic communications networks and devices which normally process digital data) used by these entities, and mandate the reporting of cyber security incidents which disrupt the continuity of service, for example, in the supply of electricity, the access to drinking water or the availability of healthcare. A government review of the NIS Regulations in May 2020 found that, while they had improved cyber-security standards of in-scope entities, there was room for improvement. Business-to-business suppliers of outsourced digital services (‘managed service providers’) such as remote security monitoring, virtual desktop providers and billing services presented a particular risk, offering an exposed flank to hackers bent on circumventing the defences raised by OES and RDSPs themselves. As a result of the review’s findings, modifications were made to the NIS Regulations in December 2020.
The government has now consulted on a series of more substantial reforms of the NIS Regulations. These include:
- drawing managed service providers which are too important to fail into the UK’s cybersecurity regulatory framework, obliging them to have appropriate and proportionate security measures to protect their own network and information systems, and requiring them to register with the Information Commissioner’s Office (‘ICO’);
- creating a two-tier supervisory regime administered by the ICO for all digital service providers with proactive regulation of those offering services which are essential to government and CNI, and a requirement that they positively demonstrate compliance with their duties under the NIS Regulations;
- building flexibility into the legislative scheme by creating a power to amend the NIS Regulations via delegated legislation to allow rapid response to changes in the cyber landscape; and
- lowering the incident reporting threshold so that cyber incidents must be notified where there is a risk of service disruption rather than limiting it to instances of actual disruption.
The government has consulted separately about standardising competency levels throughout the cybersecurity profession.
The proposals for reform of the NIS Regulations will give rise to quibbles; the additional workload placed on the ICO by bringing a raft of managed service providers within scope is likely to require significant additional resources, and while permitting amendment by Statutory Instrument may achieve legislative ‘agility’ the principle of democratic scrutiny should not lightly be side-stepped. For individual businesses, the proposals will increase compliance costs with the government seeking to give competent authorities under the NIS Regulations the ability to recover all their costs from in-scope businesses. This could place a heavy financial burden on small and micro-businesses which may be caught by the regulatory regime despite their size if they present a large-scale disruptive risk because of the particular services they offer, or if they must comply with divergent UK and EU regulatory regimes.
Nevertheless, given the increasingly unstable international outlook, the aims behind the proposals are laudable, and are mirrored elsewhere, with the US President, Joe Biden, in 2021 issuing an Executive Order imposing a series of cybersecurity measures on US government departments, and in March 2022 exhorting US business executives to build up their capacity to cope with Russian cyber-attacks as a “patriotic obligation”. The EU is also well down the road of reforming the NIS Directive (on which the NIS Regulations are based), expanding it to all large and medium-sized organisations in a wide range of sectors, and also addressing the cybersecurity of information and communications technology supply chains. Once the final text of the EU’s proposals is adopted, member states will have two years to implement them in national legislation, meaning the UK’s reforms to the NIS Regulations are likely to come into force first. Given the interconnectedness of the digital ecosystem, the sooner that comparable standards of cybersecurity are adopted internationally, the more secure the online sphere is likely to become.
As the UK Cyber Strategy indicates, the scale and speed of technological change is bringing with it immense opportunities but also causing unprecedented complexity, instability and risk. Legislation quickly becomes out of date and legislative processes seem flat-footed in the face of such challenges. One constant, however, is the willingness of threat actors, be they rogue states, organised criminal gangs or ill-intentioned individuals, to take advantage of the criminal opportunities presented by innovative technology to pursue their aims. Governments everywhere are scrambling to keep pace and to tackle the problems which arise. The proposals for reform of the NIS Regulations are just one element of the UK government’s efforts in this regard and, while not without issues, indicate a careful and well-intentioned response to the difficulties presented by the digital revolution now well underway.