UK cybersecurity bill excludes government, sparking debate

Coverage from The Register indicates that cyber incidents are increasingly common in the UK government, with the NCSC reporting 40% of managed attacks targeted the public sector. Despite this growing threat, the UK's flagship Cyber Security and Resilience (CSR) Bill excludes both central and local government.

Sir Oliver Dowden, former digital secretary and current shadow deputy PM, urged the government to reconsider the exclusion of central government from the CSR Bill, which aims to update outdated NIS 2018 regulations. The bill includes measures for managed service providers and datacenters, similar to the EU's NIS2 directive, but unlike its European counterpart, it omits public authorities. Minister Ian Murray acknowledged the suggestion and pointed to the Government Cyber Action Plan, launched concurrently with the bill's second reading. This plan proposes holding government departments to equivalent security standards without legal obligations.

The exclusion of the public sector from the CSR Bill raises concerns about accountability, especially given past reports highlighting significant security flaws in government systems. While the government has introduced a Cyber Action Plan, the lack of legislative enforcement for public bodies is seen by some as insufficient. Experts suggest that legislating in smaller, targeted steps, potentially with separate legislation for the public sector, might be a more effective approach than a single, broad bill.

Source: The Register
