Author(s): Raghu Gopal
On 10 May, the UK government announced new measures to protect health, water, energy, transport and digital infrastructure against digital threats. The announcement means that companies in these critical industries must ensure they have "robust safeguards in place against cyber threats".
The government will be hoping that the new law announced by the UK's Digital Minister, Margot James, will help reduce the number of cyber-attacks affecting the UK. The National Cyber Security Centre, set up in October 2016 as part of the Government Communications Headquarters, has already responded to more than 950 significant incidents, including the infamous WannaCry attacks of May 2017, which caused chaos in the country's National Health Service.
Earlier in 2018, the British government urged critical industries to do more to protect themselves from the growing threat of online attacks. It appointed sector-specific regulators to ensure that essential services are protected, and warned organisations that they would risk fines of up to £17 million if they failed to adopt effective cybersecurity measures.
The new rules will give regulators powers to assess these industries and make sure plans are in place to prevent attacks. Regulators will also be able to issue legally-binding instructions to improve security, and if necessary, impose significant fines. The legislation will cover other threats affecting IT such as hardware failures and environmental hazards.
The directive is an important part of the government's five-year, £1.9 billion National Cyber Security Strategy to protect the country. It aims to ensure that providers of essential services are taking the necessary action to safeguard their IT systems.
In 2017, the US government also warned of ongoing cyber-attacks against industries such as energy, nuclear and manufacturing. A number of attacks against some of these services had succeeded, highlighting a weakness in the country's security. Experts suggest that every device on a network must be identified, secured and authenticated to ensure that data is consistently transmitted unaltered, and only to intended recipients.
Globally, such attacks come from several sources, including state-sponsored bodies with extensive funding. The stakes are high: a successful attack could wreak as much damage as a military operation, without the inconvenience (and public profile) of sending armed forces to blow up equipment.
By issuing the new rules, the UK government is essentially drafting public and private industry sectors to become a front line in the country's national defence, highlighting the significance of the problem. The escalating conflicts in cyber space are pushing governments to create and enforce rules for the good of the general public. Vital services provided at sites such as hospitals, airports and power plants are now involved in the battle.
Mobile and broadband communications, now indispensable to our daily lives, need solid protection too. As recent events have shown, these cyber-attacks are no longer just conceptual — they're very real and have the potential to be extremely serious. Industries around the world should take steps to protect themselves, or governments might need to step in.