UK cyber agency presses for ‘strategic policy agenda’ as government attempts stall


After years of delays in passing new cybersecurity legislation, the UK’s National Cyber Security Centre (NCSC) has expressed growing frustration and called for a more strategic approach to address the increasing risks.

While the NCSC, part of the UK’s intelligence agency GCHQ, does not have policymaking authority, its latest blog highlights the urgent need for political attention to cybersecurity, emphasizing that technology and legislation are not keeping up with rapid changes.

NCSC’s Frustration Over Cybersecurity Lag

The NCSC’s blog post was co-written by Ollie Whitehouse, the agency’s chief technology officer, and Paul W., its principal technical director. Whitehouse has repeatedly criticized the technology market for failing to build secure, resilient systems, arguing that regulation is falling behind technological advances.

He compared the UK’s situation to the U.S., where, during the Biden administration, software manufacturers were urged to create secure-by-design products.

Although there has been some support for regulation within the UK Labour Party’s 2024 manifesto, the current government has shown little sign of taking significant action despite the ongoing rise in cyberattacks.

Political Apathy and the Need for Legislation

The lack of action on cybersecurity in the UK has been notable, especially during the 2024 election campaign, when experts pointed out the lack of political focus on the issue.

Despite mounting cyberattacks, particularly during the election, politicians have largely stayed silent, suggesting that cybersecurity is viewed as a technical issue rather than one that requires political accountability.

The delay in addressing ransomware threats is one example of the government’s slow response. A consultation on how to tackle ransomware has yet to see a published response, and new legislation on cybersecurity remains absent from Parliament.

The long-awaited Cyber Security and Resilience Bill, which aims to address critical infrastructure and ransomware payments, has not yet been introduced, despite the government’s previous claims that the country’s cyber laws had already been updated three years ago.

The Limitations of Current Cybersecurity Bills

The Cyber Security and Resilience Bill, while focused on infrastructure resilience and ransomware payments, is unlikely to address the broader systemic issues identified by Whitehouse. He emphasized that while we know how to build secure products and services, the commercial incentives for adopting secure solutions are insufficient.

Joe Jarnecki, a research fellow at the Royal United Services Institute (RUSI), echoed this sentiment, explaining that the bill does not aim to address the broader cybersecurity challenges faced by consumer technology products.

Jarnecki pointed out that the UK’s approach to cybersecurity has historically involved imposing minimal regulations on vendors. This, he argued, has not created the conditions necessary for secure technology adoption.

For instance, the government had to intervene and pass legislation to force Internet of Things (IoT) vendors to stop using easily guessable default passwords, a basic cybersecurity measure that many companies had neglected to implement on their own.

Calls for Stronger Regulations and Vendor Accountability

Despite the NCSC’s lack of policymaking power, its calls for stronger regulation reflect growing frustration with companies that fail to produce secure technology. Jarnecki noted that while the Biden administration’s national cybersecurity strategy has started holding large tech vendors more accountable for their products’ security, this approach remains uncertain under the Trump administration.

Meanwhile, the EU has introduced several cybersecurity laws, but delays in implementing these due to economic concerns and lobbying by AI advocates indicate that progress is slow.

The NCSC also warned about the long-term costs of underinvesting in cybersecurity, which are ultimately borne by customers, insurers, governments, and society. Addressing these market fundamentals, according to the NCSC, is crucial to preventing the exploitation of vulnerabilities in software and hardware.

The UK is facing a critical moment in its approach to cybersecurity. The National Cyber Security Centre’s recent call for stronger policy measures highlights the urgent need for more regulatory action. As cyber threats grow, the lack of political will to address these issues head-on remains a significant concern.

Without meaningful legislation and incentives for secure technology, the risks will continue to rise, potentially harming individuals, businesses, and the economy.

SPC Team
