Cyber security | UK Regulatory Outlook November 2023
Published on 29th Nov 2023
NCSC annual review 2023 | Consultation response to review of Computer Misuse Act 1990 | Counter Ransomware Initiative joint statement discouraging ransom payments
NCSC annual review 2023
On 14 November 2023, the National Cyber Security Centre (NCSC) published its annual review, covering key developments from September 2022 to August 2023. These include:
- publication of guidance on the MOVEit ransomware attack and assessing supply chain cyber security (see more in our Insight);
- issuance of joint guidance exposing Snake malware (see our previous Regulatory Outlook); and
- publication of a joint advisory on the most common vulnerabilities exploited in 2022 (see our previous Regulatory Outlook).
The NCSC also outlined the three priorities that it will focus on in the coming year:
- improving the UK's cyber resilience to significant cyber risks;
- ensuring the country stays ahead of future cyber security challenges and technological innovations; and
- continuing to evolve as the national technical authority on cyber security by engaging with experts and increasing workforce diversity.
Consultation response to review of Computer Misuse Act 1990
On 14 November 2023, the Home Office published its analysis of the responses to its consultation, which ran from February to April 2023, on its review of the offences in the Computer Misuse Act 1990 and the powers available to law enforcement agencies to investigate those offences.
Among other things, the Home Office notes that there was broad support for a new power to allow law enforcement to take down and seize domains and IP addresses, and calls to review the levels of sentencing and statutory defences for the current Act. The Home Office will continue to work with public and private sector partners to consider the proposals further, with the aim of providing legislative solutions in due course.
Counter Ransomware Initiative joint statement discouraging ransom payments
On 1 November 2023, members of the international Counter Ransomware Initiative (CRI), which includes the EU, US and the UK, released a joint statement to publicly denounce ransomware and discourage ransom payments being made to cyber criminals.
The CRI committed to lead by example by asserting that member institutions under their respective national governments will not pay any ransomware extortion demands.
On 2 November, members of the CRI affirmed that relevant funds from central government should not be used to make ransom payments. It was also the first time the UK government publicly confirmed the central government policy of not making ransom payments.
DSIT publishes policy paper on frontier AI: capabilities and risks
The summit defined frontier AI as "highly capable general-purpose AI models that can perform a wide variety of tasks and match or exceed the capabilities present in today's most advanced models". This includes large language models (LLMs).
The paper emphasised that frontier AI is likely to "significantly exacerbate" existing cyber risks due to its ability to be used by potentially anyone, even those unskilled in programming, to create tailored phishing campaigns or replicate existing malware. The sectors most at risk from future frontier AI developments include critical infrastructure, such as energy, transportation, health care and finance.
The paper concludes that AI systems are likely to be used both to conduct cyber attacks and to defend against them: they have the potential to upskill threat actors in conducting attacks and, on the defensive side, to improve the cybersecurity of systems.
UK-Republic of Korea joint advisory about DPRK state-linked attacks on supply chains
On 23 November 2023, the National Cyber Security Centre (NCSC) and the National Intelligence Service of the Republic of Korea released a joint advisory warning about the rising risk of Democratic People's Republic of Korea (DPRK) state-linked cyber actors targeting software supply chain products.
Organisations (particularly those in the public, financial services and defence industry sectors) are advised to take note of the tactics, techniques and procedures detailed in the advisory, and implement suggested preventative measures to mitigate supply chain compromises.
The joint cybersecurity advisory follows the announcement of the UK-Republic of Korea Strategic Cyber partnership on 22 November 2023, as part of the new Downing Street Accord, in which the two countries commit to working together to address common cyber threats and attacks.