
Cyber Security | UK Regulatory Outlook May 2023

Published on 25th May 2023

Advisory published on 'snake' malware | NCSC and ICO urge businesses to be more transparent about cyber attacks | UK Parliament report warns new EU cyber laws could result in increased costs for businesses


Advisory published on 'snake' malware

Following on from the alert by the National Cyber Security Centre (NCSC) in April 2023 (see our previous Regulatory Outlook), the UK and its international allies have now issued a joint advisory setting out the technical details of the sophisticated malware threat posed by Centre 16 of the Russian Federal Security Service (FSB).

"Snake" malware has enabled the FSB to collect sensitive and confidential information from more than 50 countries around the globe. The advisory, published by the NCSC in tandem with agencies from the US, Canada, Australia and New Zealand, has been put together to help organisations across the world better understand how "Snake" malware operates and better defend against its threat.

Paul Chichester, the NCSC Director of Operations, said: "We strongly encourage organisations to read the technical information about 'Snake' malware (in the advisory) and implement the mitigations to help detect and defend against this advanced threat."

Snake is purpose-built to avoid large-scale detection, but the Cybersecurity and Infrastructure Security Agency (CISA) recommends several detection techniques that organisations can apply, and discusses the advantages and disadvantages of each detection methodology alongside the preventative measures organisations can take.

NCSC and ICO urge businesses to be more transparent about cyber attacks

The National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) are urging organisations to be more transparent about their experiences with cyber attacks, to encourage reporting and to prevent future incidents.

The NCSC and ICO are concerned that incidents are going unreported and have highlighted the following key misconceptions they believe are discouraging organisations from reporting incidents to regulators:

  1. covering up an attack means everything will be ok;
  2. reporting an incident to the authorities makes it more likely the incident will go public;
  3. paying a ransom resolves the incident;
  4. an organisation will not need to pay a ransom if they have good backups;
  5. if there is no evidence of data theft, the incident does not need to be reported; and
  6. an organisation will only be fined if data is leaked.

The NCSC and ICO emphasise that victims that are proactive with reporting can benefit from expert NCSC advice. The post also indicates that organisations taking a proactive approach to reporting incidents "can positively impact the ICO's response".

UK Parliament report warns new EU cyber laws could result in increased costs for businesses

The European Scrutiny Committee has released a report on the upcoming EU Cyber Resilience Act.

The proposed Act aims to protect consumers and businesses from products with inadequate security features and will introduce mandatory cybersecurity requirements for "products with digital elements" as well as software applications.

The report states that British companies exporting relevant goods and software to the EU market will be affected by the Act, and warns that connected consumer devices in particular will face overlapping obligations under the UK's own cybersecurity laws in the form of the Product Security and Telecommunications Infrastructure Act 2022.

NCSC report on threat from commercial cyber proliferation

The National Cyber Security Centre (NCSC) has produced a report on the threat to UK industry and society from commercial cyber tools and services.

The report notes that the commercial proliferation of cyber tools and services has lowered the barrier to entry for state and non-state actors seeking to obtain the capability and intelligence needed to carry out attacks.

Looking ahead, it notes that in the next five years it is likely that a wider range of sectors will be targeted through the expansion of the global commercial intrusion sector.

UK government announces new cyber security measures

As part of the government's strategy to improve cyber security across the UK, it has announced new cyber security measures to improve the UK's cyber resilience.

GovAssure, the new cyber security regime, will be run in partnership with the National Cyber Security Centre and will require all central government departments to have their cyber security and cyber health reviewed annually under new, more stringent rules.

The government launched the Government Cyber Security Strategy (GCSS) in early 2022, which laid out the cyber security issues facing government. GovAssure is a step towards achieving one of the key goals of the GCSS: improving the resilience of government systems against cyber threats.

Twelve month countdown for new product security regime begins

The countdown has begun for the world-leading Product Security and Telecommunications Infrastructure (Product Security) Regime which is due to come into effect on 29 April 2024. Please see the Products section for more.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
