Regulatory amendments could see vast swathes of IT suppliers brought under the scope of laws that can punish those that break them with £17m fines. PublicTechnology examines the planned changes.
“What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat. One that can, and has, been exploited by our adversaries.”
This, according to the then digital infrastructure minister Julia Lopez, was the background against which government decided to make changes to the laws intended to monitor and ensure the cybersecurity of the UK’s network infrastructure.
The Security of Network and Information Systems Regulations (NIS) were introduced in 2018, with the aim of providing a legal framework for measuring and bolstering the networks that underpin the delivery of critical services and the operations of businesses and public bodies across the country.
“What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat. One that can, and has, been exploited by our adversaries.”Julia Lopez, former minister for digital infrastructure
The laws place minimum security requirements on those that operate digital infrastructure and services, as well as obligations regarding what steps to take in the event of a cyber incident or other form of outage.
Following a public consultation, the government late last year announced planned changes to NIS that, according to ministers, “will be implemented as soon as parliamentary time allows”.
The proposals set out two key amendments, the first of which concerns the expansion of the scope of the regulation to include a greater range of services.
If and when the updated law comes into effect, the intention is that it will be expanded to be applied of providers of digital managed services.
The definition of such a service encompasses business-to-business offerings – provided to an organisation by an external supplier – that rely on network connectivity to provide ongoing management of a client’s IT infrastructure, systems, or services.
Currently, the laws are only applied to providers of cloud computing services, search engines and online marketplaces. The inclusion of managed services would mean that thousands – perhaps tens of thousands – of IT firms would be required to comply with the laws. This would encompass almost every IT reseller or software and services firm, and anyone providing outsourced support for technology.
The vast majority of IT suppliers to the public are likely to find at least a part of their business subject to new legal requirements – the punishments for breaching which include enforcement notices issued by the Information Commissioner’s Office, and fines of up to £17million for the most serious cases.
A policy document published late last year setting out the proposed legislative changes includes an illustrative list of the kind of services that will now come under the scope of the law. Featured are a wide range of the most commonly used IT services – including managed print, virtual desktops, WAN and LAN support, and technology consultancy.
“The majority of digital managed services – for example security monitoring, managed network services or the outsourcing of business processes – are not currently within the scope of NIS Regulations,” the document added. “However, they play a central role in supporting the UK economy and are critical to the functioning, reliability, and availability of essential services in the UK. They are an attractive and high-value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services.
It added: “Even more worrying, attackers can use managed services, and their providers, to gain access to clients at scale, potentially disrupting hundreds of companies and essential services at once, as well as accessing intellectual property, sensitive information, and critical data. These clients include companies across multiple sectors of the UK economy and critical national infrastructure.”
Room for change
The second of the major proposed changes is needed to allow ministers to make any changes in the first place – and any future amendments.
“The UK government has no power to make policy updates to the NIS Regulations directly; any amendment, however small, must be done via primary legislation,” the policy note explained. “As the NIS Regulations concern a sector that is continuously developing at a high speed, it is imperative that the regulations remain relevant and up to date in order to be effective.”
The proposal document added that the ability for ministers to make periodic changes is crucial for a piece of legislation that – in order to be effective – will need to keep up with the progression of technology. Particularly as it used that might wish to attack or otherwise threaten networks and services.
The government said: “It is highly likely that future amendments will continue to be required under the NIS Regulations; firstly, the advance of new technologies, threats, and new approaches that threat actors may employ will require the regulations to be flexible and agile enough to respond to them. Secondly, as the regulations are constantly reviewed – either informally or via statutory reviews such as the Post-Implementation Review – it is likely that improvements will be identified, either to reduce burdens, consolidate processes, or add new provisions to make them more effective.”
In introductory foreword the then minister Lopez reinforced the pace of progress in the technology sector, and the need for our laws to reflect such constant change.
“Five years ago, few people outside of the tech industry had heard of managed service providers,” she said. “Cloud was the big thing that was going to change the world – and many argue it has already. But managed services such as remote security operations, automatic patching, and digital accounts and billing were considered mainly as corporate benefits, a means to improve services and reduce costs. What was not recognised until recently, was that having companies with the ability to automatically access the networks of thousands of other companies, would create a unique security threat. One that can, and has, been exploited by our adversaries.
She added: “Rather than having to exploit vulnerabilities in thousands of companies, the threat can manifest itself only through a small proportion of those organisations. These companies provide an essential service to other businesses and organisations. They allow other companies to thrive and are helping the UK develop its digital economy. We do not want to interfere in their ability to operate. But they do create risks which we need to manage, especially when their clients include government departments and critical infrastructure.”