King’s Speech: Security in the spotlight as government promises new efforts to lock down insecure IT supply chains

Among the 40 bills announced by King Charles III during the King’s Speech this week, new cybersecurity legislation has received broad praise from industry stakeholders.

The new Cyber Security and Resilience Bill will be introduced to expand the UK’s current cyber regulations to cover more digital services and toughen up organizations’ supply chains, particularly those in the public sector .

The new regulations will mandate increased incident reporting obligations for organizations to help improve the nation’s ability to respond and recover from cyber attacks.

This legislation will also give regulators more power to ensure proper security measures are being implemented across both the private and public sector.

Dominic Trott, director of strategy & alliances at Orange Cyberdefense, welcomed the announcement, stating the proposed bill comes at a crucial time for the UK as an increased volume of cyber attacks wreak havoc on the nation’s critical infrastructure .

“Any steps to further strengthen our defenses and ensure that more essential digital services than ever before are protected must be welcomed. Over the past year we have seen a series of attacks on organizations providing critical services to the UK,” he explained.

“In the healthcare sector, for example, the pressures that hospitals have faced have been heightened by the growing threat of cyber criminals who have brazenly targeted the critical systems of the most vulnerable.”

Trott cited recent research conducted by Orange Cyberdefense, which highlighted the growing dangers posed to UK organizations by threat actors.

Ransomware threats in particular were identified as a recurring issue faced by security teams across the country.

“According to our own data there were 69 cyber extortion attacks on healthcare businesses during Q1 of this year, up more than 100% from Q1 in 2023. To combat this, organizations must optimize access to skills, adoption of appropriate processes and the right use of technology to achieve cyber resilience ,” he added..

“It is pleasing to see that the Bill will make updates to the legacy regulatory framework by expanding the remit of the regulation to protect supply chains , which are an increasingly significant threat vector for attackers.”

Sprawling supply chains in the crosshairs at the King’s Speech

Attacks conducted via third parties are a major security blindspot for organizations around the world, with research from SecurityScorecard showing that 29% of all breaches in the last quarter of 2023 were attributable to a third party attack vector.

These supply chain risks are particularly relevant for organizations operating in the public sector, where there are often a vast number of interconnected systems governed by separate entities.

As a result, Al Lakhani, CEO at authentication software company IDEE, said he was reassured by the government’s acknowledgement of the threat third parties expose massive public institutions to when they fail to implement robust security measures.

“It looks like the UK government has finally woken up to the massive threat that cyber criminals pose to our public infrastructure . After an election campaign that ignored one of the biggest threats to national security, the new legislation requiring private companies in public sector supply chains to beef up their cybersecurity could be a real game-changer. I can sleep a little easier tonight knowing someone in charge is finally taking action.

But Lakhani qualified his praise by noting these new regulations would merely get the UK up to speed on current threats after years of inaction, and thus are not quite a cause for major celebration.

“However, let’s not start celebrating just yet. This move, while necessary, doesn’t fully protect the UK’s defenses, and it would be foolish to think we’ve suddenly addressed all the vulnerabilities that will remain as the bill is implemented,” he explained.

“It might be hard to believe, but this is the first time cybersecurity legislation has been updated in six years – imagine how far behind we’ve fallen compared to the rapidly evolving capabilities of hostile actors in that time.”

Securing supply chains is vital, but it’s time to go further

Lakhani stressed that it is vital the government continues with its efforts to raise standards of cyber resilience around the country, suggesting a number of core areas he thinks it should prioritize.

“We can and must go further, and additional legislation and resources will be needed to tackle the ongoing risks facing the UK’s long-neglected digital infrastructure ,”

“Credential phishing and password-based attacks remain the most common methods used by both state and non-state actors to undermine our democracy. I just hope the government and businesses continue to prioritize transitive trust and same-device MFA 2.0 solutions, as they are the quickest and most effective means to prevent such attacks.”

Trevor Dearing, director of critical infrastructure at Illumio, expressed a similar sentiment, stating that beyond expanding the security obligations of critical third parties and incident reporting requirements, investment will be a vital part of improving cyber resilience in the public sector.

Enable foundation model customization

“Increased powers for regulators and reporting will be critical for building cyber resilience, however, regulation will only be successful if accompanied with additional funding for public bodies, otherwise all that will happen is that regulations create an unrealistic goal that is cost-prohibitive to implement.”

Dearing said he would like to see the government address the growing risk posed by legacy systems used across public services, with new investment needed to replace these vulnerable assets.

“I’d also like to see further steps taken to reduce the risk from legacy systems across all public services. This technology accounts for 30-50% of all IT services in the NHS, so we need to see extra funding and support to help Trusts replace systems  as soon as possible. The cost of upgrades and replacements will be well worth it if it helps reduce the chances of multi-million-pound breaches .”