Last week I failed a test. I received an email indicating that my Royal Mail parcel could not be delivered. How exciting!
You know where this is going. I click. You have failed the phishing attempt test. Oh, the shame! I should have known.
These tests may seem like a ruse to embarrass you in front of your IT department, but they are a crucial part of a wider cyber-protection strategy aimed at reducing the opportunities for cybercriminals to exploit vulnerabilities and access sensitive data. But are these cyber strategies commensurate with current threats? And is the government doing enough to support UK businesses?
Watch the gap
The 2022 Cyber Security Skills in the UK Labour Market report revealed that 51% of UK businesses have a basic cyber-skills gap; 47% of them also indicated that they were not confident in handling cyber-attacks. And around 21,600 new recruits are needed every year to satisfy demand in the still nascent cyber sector.
Efforts to bridge the gaps are under way, such as the Upskill in Cyber programme, but more is needed to ensure both that businesses have the resources they need to update their cybersecurity systems and that employees are suitably trained.
In September, the Electoral Commission admitted that it had failed a cybersecurity test in the same year that hackers successfully accessed the personal data of over 40 million people on the electoral registers. The commission had used the voluntary government-backed Cyber Essentials scheme, which is intended to promote a ‘minimum standard’ of security: five basic technical controls covering firewalls, secure configuration, access control, malware protection and patching. But the commission could not even meet that minimum standard. Shouldn’t the commission have been aiming for more than the minimum standard in the first place?
For operators of essential services (healthcare, energy, transport, infrastructure) and relevant digital service providers (such as cloud service operators), higher standards already apply under the Network and Information Systems Regulations 2018. These regulations require appropriate and proportionate technical and organisational measures to manage security risks, in practice robust cybersecurity controls and an advanced cyber-resilience programme. For all other organisations, the Data Protection Act 2018 and UK GDPR should be sufficient impetus to implement ‘more than the bare minimum’ measures.
But as hackers always seem one step ahead, what was an advanced cyber-resilience programme one day is inadequate the next. Businesses must invest more resources in trying to keep up.
An easy fix?
In 2022, the government published its National Cyber Strategy 2022, with plans to expand the UK’s offensive and defensive cyber-capabilities and to prioritise cybersecurity in the workplace, in boardrooms and across digital supply chains. This was followed by the Government Cyber Security Strategy, which outlined its approach to cyber-protection in the public sector.
The National Cyber Advisory Board met earlier this year to discuss the priority areas for delivering that Strategy: upskilling the workforce in cybersecurity, strengthening the security of supply chains, and increasing awareness of cyber-attacks. The offensive part of the government’s strategy, however, should also be a priority: punishing businesses that have limited access to cybersecurity resources does nothing for cybersecurity morale.
No one is under any illusion that our old friend on the frontline of the UK’s offensive against cybercrime, the Computer Misuse Act 1990 (CMA), is fit for purpose. A 2020 report by the Criminal Law Reform Now Network estimated that there were only about 500 prosecutions for CMA offences between 1990 and 2018.
Reform on the horizon
It was welcome news, therefore, that a review of the CMA earlier this year proposed some legislative changes. These included expanding law enforcement’s ability to seize domain names and IP addresses being used by cybercriminals, and a power to require the preservation of data relevant to an investigation. A new offence is also proposed for the possession or use of illegally obtained data where the person possessing the data did not themselves commit an offence to obtain it.
Key areas of proposed reform include expanding extra-territorial provisions to establish clearer jurisdiction when offences do not take place in England and Wales, and increasing maximum sentences for offences to ensure courts are confident in issuing higher penalties. If implemented, these reforms would hopefully provide a stronger deterrent effect.
There has certainly been an uptick in National Crime Agency enforcement efforts. Last month, the UK and US jointly sanctioned a further 11 members of the Conti/Trickbot ransomware group, bringing the total to 18 sanctioned since the beginning of 2023. This followed other successful operations, such as the takedown of the Genesis Market online marketplace and the disruption of the Qakbot malware.
A raft of new legislation pursuant to the UK’s Fraud Strategy may also assist enforcement efforts. These measures include a new failure to prevent fraud offence in the Economic Crime and Corporate Transparency Act, as well as the forthcoming Online Safety Bill, the Victims Bill and the Digital Markets, Competition and Consumers Bill. While it must be remembered that not all cybercrime is fraud-based, the Fraud Strategy may helpfully restrict cybercriminals’ access to some of the tools commonly used to carry out cybercrime, such as SIM farms.
If these reforms are implemented, and if the government continues to invest in the NCA’s National Cyber Crime Unit via the National Cyber Fund, then the UK may finally have the legislative framework, enforcement tools and resources necessary to pursue and secure convictions. Only then will its strategy pass the cybersecurity test.
Charlotte Tregunna is a partner and Sabrin Fetih a trainee solicitor at Peters & Peters LLP