The UK’s legal and regulatory ecosystem to tackle cyber threats should offer a finely balanced, three-pronged approach to punishing cyber criminals, making organisations harder to attack in cyberspace, and allowing cyber defenders to act to maximum effect. But with cyber defenders currently unable to deploy their full capabilities, a close look is needed at the changes required to cover all angles.
Deter and punish cyber criminals
On the one hand, there are those laws intended to punish cyber criminals. As the National Crime Agency highlights, “cyber-crime costs the UK billions of pounds, causes untold damage, and threatens national security”. In June this year, officers from Regional Cyber Crime Units issued seven warrants against offenders who had amassed over 1,000 offences under the Computer Misuse Act. Indeed, the Computer Misuse Act, alongside other pieces of fraud and theft-related legislation, means that criminals who steal data and money, disrupt businesses, and deface websites can be punished for their actions. The full force of the law might also act to deter some individuals from committing criminal acts in the first place.
Make organisations harder targets for cyber attacks
On the other hand, we also have those laws, rules and requirements that apply to those who are likely to be the targets of cyber criminals. Schemes like Cyber Essentials, guidance like the Consumer IoT Code of Practice, and legislation like the Data Protection Act and the NIS Regulations all seek to ensure that organisations become harder to attack by proposing or mandating compliance with baseline security requirements. Organisations are recommended or required to follow best practice to be eligible for contracts or to avoid fines, but ultimately to improve their cyber resilience. The recently proposed multi-million pound fines for British Airways and Marriott offer an indication of just how seriously these requirements are likely to be enforced.
Current legislation thus seeks to deter and punish attackers, and make targets harder to attack.
But does it allow cyber defenders to protect and safeguard organisations as best they can?
The UK Government is investing in improving local and regional police forces’ cyber security capabilities and the British Army will introduce new divisions to better tackle the threat of cyber warfare.
While these measures are incredibly important to safeguard the whole of the UK in cyberspace, we should not ignore the potential of private sector cyber defenders in offering protection and resilience to individual organisations. Indeed, law enforcement – from the National Crime Agency to local police forces – recognises the opportunities that close partnership working with the cyber security industry offers: augmenting specialist skills and capabilities and providing scarce resources.
But what is currently missing is the right legal and regulatory framework for those cyber industry defenders to act to maximum effect. While the cyber security industry has evolved and matured over the last two decades, its broader legal and regulatory ecosystem has failed to keep pace. So while we are able to punish offenders and encourage organisations to protect themselves as well as possible, we are currently making it incredibly difficult for cyber defenders to do what they are technically capable of.
We need to take a look at the current laws and regulations to put the final piece of the puzzle into place.
A recent FSB cyber report highlights that small firms suffer close to 10,000 cyber-attacks daily. To find out more, read the FSB report.