Fight them on the breaches: Interrogating the UK Cyber Security and Resilience Bill

Industry insiders react to new rules designed to keep Britain safe in an increasingly forbidding threat landscape.

SPAD's army: Has Whitehall got what it takes to defend against modern threats?

Westminster has set out new measures to "bolster the UK's online defences" as part of the Labour government's so-called "Plan for Change".

It has published details of the Cyber Security and Resilience Bill, which will be introduced later this year and is designed to help this sceptred isle "face down a growing range of online threats."

Hospitals and energy suppliers will be pushed to upgrade their digital defences, with 1,000 service providers due to fall under the scope of the rules.

Cybersecurity threats drained almost £22 billion a year from the UK economy between 2015 and 2019, the government reported.

Last summer’s attack on Synnovis - a provider of pathology services to the NHS - cost an estimated £32.7 million and saw thousands of missed appointments for patients.

Politicians fear an attack focused on key energy services in the South East of England alone could wipe over £49 billion from the wider UK economy.

Peter Kyle, Secretary of State for Science, Innovation, and Technology, said: "Attempts to disrupt our way of life and attack our digital economy are only gathering pace, and we will not stand by as these incidents hold our future prosperity hostage."

"The Cyber Security and Resilience Bill will help make the UK’s digital economy one of the most secure in the world - giving us the power to protect our services, our supply chains, and our citizens – the first and most important job of any government."

Dr Richard Horne, CEO of the National Cyber Security Centre (NCSC)

More organisations and suppliers will now need to meet "robust cybersecurity requirements", including data centres, Managed Service Providers (MSPs) and critical suppliers. Organisations impacted will have to improve their cyber security in areas such as risk assessment to minimise the impact of attacks while also beefing up their data protection and network security defences.

Meanwhile, regulators will be given a wider range of tools to improve security and resilience, with companies required to report a wider range of incidents to "help build a stronger picture of cyber threats and weaknesses in our online defences."

Richard Horne, CEO of the National Cyber Security Centre (NCSC), said: "The Cyber Security and Resilience Bill is a landmark moment that will ensure we can improve the cyber defences of the critical services on which we rely every day, such as water, power and healthcare.

"It is a pivotal step toward stronger, more dynamic regulation, one that not only keeps up with emerging threats but also makes it as challenging as possible for our adversaries."

Industry responses to the Cyber Security and Resilience Bill

We asked experts for their views on the new rules.

Tom Exelby, Head of Cyber at Red Helix, said they could be a "crucial step in strengthening national resilience".

"Expanding the bill’s scope to include IT providers and MSPs is a welcome move, ensuring better protection for the many businesses that rely on them for cyber security," he continued. "Stricter incident reporting requirements will reinforce the importance of basic cyber hygiene, particularly for organisations handling sensitive data or concerned about reputation.

“Crucially, the bill confirms suspicions that the bill will focus not only on providers of critical services but also on their wider supply chain. This will spark an impetus to identify and evaluate supply chain partners to define where compliance needs to be met, as lack of resources or knowledge is no longer an excuse."

By aligning with EU standards, the bill also facilitates international trade, Exelby added.

Carla Baker, Senior Director, Government Affairs UK&I at Palo Alto Networks, described the Bill as "welcome", but missing key elements.

"While we support the announcement of the Bill and the intentions set out in the policy statement, we believe the government could go further to protect the UK by including the public sector in the scope of the legislation," Baker warned. "A NAO report published in January found that 58 critical government IT systems independently assessed in 2024 had 'significant gaps in cyber-resilience'.

"It also showed the government did not know how vulnerable at least 228 ageing and outdated legacy IT systems were to cyber-attacks. The government can no longer afford to sit on the sidelines and solely focus on pushing security obligations onto industry. Recent high profile public sector cyber attacks have demonstrated exactly why the government must do more to enhance its own resilience and lead by example. The time to act is now."

For Stephen Terry, UK MD at Arctera, the Bill has the potential to "radically improve the reliability of digital services for millions of people". He urged businesses to "proactively get ahead of the new rules".

“The new bill already brings supply chains and MSPs into the scope of its regulation and the government is now considering adding data centres into the mix too," he told Machine. "This would mean that providers serving critical national infrastructure – or those in a supply chain that does – would be required to ensure resiliency of their services. The good news for everyone is that this universally improves security for anyone using those suppliers. 

“However, with the government also considering powers to force compliance on its own terms, any firm that now falls under this regulation should start planning now for how they’re going to meet the requirements of the bill. It will be far easier for suppliers to plan their own projects than to have something thrust upon them.” 

Defending Critical National Infrastructure

A key part of the Bill is its extension of which organisations are considered critical national infrastructure (CNI).

Anthony Young, CEO of Bridewell, said: "The new bill will ensure that we are not only looking at what used to be considered 'traditional CNI organisations' but also those organisations that are essential to keep them running. 

"Supply chain attacks have been increasing over the last 10 years and therefore having a bigger focus on the supply chain is a positive move for UK CNI. Increasing incident reporting requirements will also improve our visibility and intelligence of cyber attacks across the UK."

Jamie Akhtar, CEO and Co-founder of CyberSmart, said the UK's CNI is now an "easy target", with high-profile attacks on countless NHS trusts, water suppliers, and wider supply chains. 

"After years of underinvestment, it’s vital that our critical services’ defences, often creaking and barely fit for purpose, are bolstered," he added. "To do anything else risks a serious incident that could cripple vital services in the country. This bill needs to be the start of a ‘levelling up’ (to borrow a phrase) of cybersecurity across the UK."

What's missing from the Cyber Security and Resilience Bill?

Unfortunately, bureaucrats are notorious for moving at a much slower pace than threat actors - which is very dangerous in an era in which it's getting easier and easier to launch attacks.

Cato Networks recently demonstrated the nature of the threat facing Britain and the world by instructing a publicly available large language model (LLM) to develop a fully functional infostealer - reminding us that "zero-knowledge attackers" can easily create malicious software without deep coding skills.

"As generative models empower even novice attackers to build malware with simple prompts, regulation must look beyond infrastructure and consider the evolving landscape of malicious intent," said Etay Maor, Chief Security Strategist at Cato Networks.

"The UK’s Cyber Security and Resilience Bill represents a necessary evolution in regulatory thinking: it acknowledges that cyber threats aren’t just increasing – they’re industrializing. 

"This bill is a necessary course correction. However, while the Bill rightly focuses on MSPs and data centers, it must also anticipate the impact of AI."

Clare Joy, Global Director of Identity Partnerships at Entrust, described the Bill as a "welcome move" but highlighted areas which have not yet been addressed.

"When the measures are introduced specifically later this year, we would hope it includes provisions for protecting these providers from unauthorised access, including identity management systems," Joy said. "Biometric verification and authentication remains one of the most robust and secure protections against credential theft and brute force attacks to gain access to networks, especially when a component of a multi-factor authentication process.

"It is also essential where connected systems and devices, such as medical equipment, need to have tightly controlled access. Furthermore, the measures should ensure adequate protection against AI-enabled identity attacks, which have revolutionised how cybercriminals attempt to penetrate an organisation’s network. 

"The other important area that this act should cover is around post-quantum readiness, and ensuring that key providers are enacting the recently proposed NCSC three-step plan to migrate to post-quantum cryptography over the next decade."

Gerasim Hovhannisyan, CEO of EasyDMARC, pointed out another gaping hole in the new Bill. "Without a serious focus on phishing, it leaves the front door wide open for cybercriminals," he said. "America’s Cyber Defence Agency found that over 90% of cyber attacks begin with phishing, and the healthcare sector is one of the most exposed.

"If phishing isn’t explicitly addressed through enforceable technical standards with clear compliance timelines and robust enforcement mechanisms, we’ll continue to see critical services fall victim to preventable breaches."

Trevor Dearing, Director of Critical Infrastructure at Illumio, also said: "Attacks aren’t slowing down, they’re getting worse – recent research shows 62% of UK businesses have shut down operations because of ransomware.

"The Bill will provide better support for organisations under attack. However, the goal must be to get to a place where organisations can contain and limit the impact of attacks before they can cripple essential services. Anything less would be a gift to cybercriminals."

"Default disconnect": Airgapping the UK

Tony Hasek, CEO and co-founder of Goldilock, a NATO-backed UK cyber scaleup, told us that the government should consider a more innovative intervention to protect the nation's cybersecurity. Goldilock makes a physical cybersecurity device which can instantly disconnect a network from the internet, or physically segment it, in the event of a breach, in order to contain the breach and block data exfiltration.

"If the government wants growth in line with its wider Plan for Change Policy, it needs to promote real change in how we protect critical, IT-driven services across both the private and public sectors through its regulation," he said. "It’s great that we’re widening the pool of organisations subject to cyber regulation to include data centres and larger IT providers and giving the government more flexibility to update regulation as threats evolve.

"However, we are only going to keep pace with cyber adversaries if we make sure organisations of all kinds – but especially those governing critical services such as healthcare and energy – are doing everything they can to make it as challenging as possible to breach networks.

"The best way to guarantee the safety of a network is to physically isolate it from the internet, thereby removing all attack vectors. To truly ensure the UK’s digital infrastructure is the most secure in the world, the government has to think about implementing legislation that enforces a ‘default disconnect’ posture.

"The opposite of the ‘always-on’ mindset we’ve come to inhabit as a result of digitalisation across sectors, default disconnection would create an impenetrable, physical firebreak between systems and the threats attempting to breach them whenever it’s unnecessary for them to be online, dramatically reducing the attack surface of the UK and its critical networks as a whole."
