Cybersecurity in the UK

Cybersecurity is the practice of protecting IT systems, devices, and the data they hold from unauthorised access and interference (known as cyber attacks).

This briefing focuses on policy and legislative efforts to improve the UK’s cybersecurity. It does not discuss cyber in the context of military operations.

Cybersecurity policy is a reserved matter, as are many related policy areas such as national security, product safety and consumer protection. In devolved matters, such as education, the devolved administrations have their own strategies for implementing the UK Government’s overarching cyber policy.

Who carries out cyber attacks?

The cyber threat to the UK comes from a range of actors, including state and state-sponsored groups, financially motivated criminal organisations, and ‘hacktivists’ with political aims.

The boundaries between these groups can be unclear. For examples, cyber criminal groups can operate with the implicit backing of states, choose targets for political reasons, or sell their cyber attack services to others (known as ‘as-a-service’ business models).

How are cyber attacks carried out?

Cyber attacks typically involve malicious software (known as ‘malware’) being executed on the target’s system. Malware is an umbrella term for various types of software designed to damage, disable, and extract data from computer systems.

Cyber attackers deliver malware to the target’s IT system by exploiting technical vulnerabilities and human error, then run the malware to achieve their aim (such as stealing or encrypting data).

An estimated 95% of cyber attacks succeed because of human error. This includes ‘active’ errors such as opening malicious email attachments and ‘passive’ errors such as using weak passwords.

What is the impact of cyber attacks?

It is difficult to estimate the impact of cyber attacks because they are often not reported. The available data is based on survey evidence, and it can be hard for organisations to quantify the impact of a cyber attack beyond direct effects, such as money paid to attackers.

The Cyber Breaches Survey, conducted annually by the Department for Science, Innovation and Technology (DSIT) reported in April 2024 that around half of UK businesses had experienced a cyber attack in the previous 12 months. The larger the organisation the more likely they were to have experienced an incident and the more they had to pay to resolve it.

What is the Government’s approach to improving cybersecurity?

Cybersecurity is a cross-cutting and technical issue, with multiple responsible government departments, such as the Cabinet Office, DSIT and the Home Office. Non-departmental public bodies are also involved in cybersecurity, such as the National Cyber Security Centre (NCSC), which advises public and private sector organisations.

The National Cyber Strategy 2022 describes the UK’s overarching cyber policy. The strategy takes a ‘whole-of-society’ approach, arguing that the government must work in partnership with private sector organisations and cybersecurity professionals to improve cybersecurity.

The strategy aims to shift the burden of cybersecurity from individual citizens to the organisations best placed to manage cyber risks. The government is therefore seeking to improve uptake of the NCSC’s cybersecurity guidance, incentivise investment in cybersecurity measures, increase the number of skilled cyber professionals, and strengthen statutory cybersecurity responsibilities.

How is cybersecurity regulated?

The UK’s regulatory framework for cybersecurity comes from multiple pieces of primary and secondary legislation. Different legislation covers the cybersecurity of IT systems, internet-connected products and personal data.

The legal obligations in cybersecurity legislation apply to sectors and organisations where cybersecurity breaches would have a significant impact on society, the economy or individual rights. These include operators of essential services, such as telecommunications and transport, or digital service providers, such as online search engines (designated under the Network and Information Systems (NIS) Regulations 2018).

The Product Security and Telecommunications Infrastructure Act 2022 will, from April 2024, place cybersecurity requirements on manufacturers and distributors of internet-connected consumer products.

Cybersecurity regulations set general expectations rather than specific measures that responsible organisations must take. This provides organisations with a degree of flexibility, which the government regards as important given the rapidly changing nature of cyber threats. Government departments and regulators also publish guidance tailored to specific sectors.

Proposals for regulatory reform

Reforms under debate among policymakers and industry stakeholders include:

• a defence in law for legitimate cybersecurity researchers who adopt methods used by malicious actors (known as ‘ethical hacking’).
• obligations on the victims of cyber attacks, such as banning ransoms and to obliging victims to report cyber incidents.

The UK Government has also proposed reforms including:

• increasing the scope of the NIS Regulations by including more organisations and requiring a broader range of incidents to be reported. The government says that these reforms will be implemented once a “suitable legislative vehicle” is found.
• introducing a ‘cyber duty to protect’, which would place greater responsibilities on organisations who manage online personal accounts. The government has not yet responded to this consultation.
• increasing corporate responsibility by requiring large organisations to include a ‘resilience statement’ in their annual reports describing how they manage threats, including from cyber attacks. The government withdrew this legislation on the basis that it would be ‘burdensome’.

Negotiations are ongoing at the United Nations regarding a new international cybercrime treaty, proposed by Russia. It would seek to harmonise cyber legislation and improve international collaboration on cyber issues. However, the treaty has drawn criticism from human rights campaigners for its proposed criminalisation of ‘content-based’ activities in cyberspace such as disseminating ‘seditious’ material.