Cyber security | UK Regulatory Outlook February 2024
Published on 28th Feb 2024
LockBit operations disrupted by international law enforcement | Joint advisory about state-sponsored cyber attackers compromising critical infrastructure | Potential delay to Cyber Resilience Act
LockBit operations disrupted by international law enforcement
On 20 February 2024, Europol announced that a joint international operation between ten countries successfully disrupted the operations of the LockBit ransomware group "at every level" to reduce the ransomware threat to organisations worldwide. Last year, the National Cyber Security Centre (NCSC) warned that LockBit presented the greatest ransomware threat to businesses in the UK.
Law enforcement agencies have also released free decryption tools to help organisations recover files encrypted by the LockBit ransomware. See the NCSC statement.
To find out about how to respond effectively to a ransomware attack, register to attend an in-person cyber "tabletop exercise" where Osborne Clarke's cyber team will take you through incident response best practice.
Joint advisory about state-sponsored cyber attackers compromising critical infrastructure
On 7 February 2024, the UK and its allies issued a warning to critical infrastructure operators about the threat from cyber criminals "living off the land" (LOTL) – a cyber attack technique where criminals compromise the IT environments of organisations by using legitimate IT administration tools to avoid detection.
The advisory updates the warning sent in May 2023 on China state-sponsored activity against critical infrastructure networks.
UK critical infrastructure operators are urged to follow the recommendations in the new identifying and mitigating living off the land guidance to help mitigate, detect and prevent LOTL activity.
To stay up to date with the latest cyber security obligations, register for our Dipping into Data webinar on "Cybersecurity: navigating the developing legal landscape".
Potential delay to Cyber Resilience Act
The European Council and Parliament reached a provisional agreement on the Cyber Resilience Act (CRA) in November 2023. The CRA will introduce cybersecurity requirements for products with digital elements, requiring manufacturers to ensure products conform with minimum technical requirements and disclose certain cybersecurity aspects to consumers.
As previously reported, work will continue to agree the full text of the CRA. However, there was recent speculation that the CRA will be delayed until September or October 2024. We will provide further updates once more official news has been published.
New international initiative to tackle commercial cyber intrusion sector
On 6 February 2024, the deputy prime minister, Oliver Dowden, hosted a conference attended by 35 nations on the proliferation and use of commercial cyber intrusion tools and services such as hackers-for-hire.
In response to the cyber threat, the government launched the Pall Mall Process declaration, a new international agreement signed by a number of countries, industries and members of civil society and academia pledging to take joint action to tackle commercial cyber intrusion capabilities.
Government response to call for views on software resilience and security for businesses
The government published its response to the Department for Science, Innovation and Technology (DSIT)'s call for views on software resilience and security for businesses and organisations. Three key themes identified were:
- setting clear expectations for software vendors – the government plans to address this through the introduction of a voluntary code of practice for software vendors;
- strengthening accountability in the software supply chain – the government will address this by developing cybersecurity training aimed at UK procurement professionals, creating standardised procurement clauses for organisations to insert into contracts, working with the NCSC to publish content on the use of a Software Bill of Materials; and
- protecting high risk users and addressing systemic risks – by exploring the creation of minimum security requirements for organisations supplying software to the government and a government initiative to improve the resilience of free and open source software, working with the industry on incorporating best practice into government.
NCSC report on impact of AI on cyber security
The NCSC published a report assessing the future impact of AI on the cyber threat over the next two years and on how AI will affect cyber operations. The NCSC takes view that AI "will almost certainly" enhance the amount and impact of cyber attacks over the next two years in the UK and globally, because it enables cyber threat actors to analyse data faster and more effectively. AI also lowers the barrier for new cyber criminals: the NCSC finds that all cyber threat actors currently use AI to some extent.
Among other things, the report suggests that AI helps to lower the barrier to cybercrime by enabling unskilled threat actors to carry out effective reconnaissance and social engineering, finding that threat actors of all skill levels are currently using AI.
See the press release. The NCSC has also published guidance designed to help managers, board members, and senior executives to understand the cyber security risks and benefits of using AI tools within their organisations.
Call for views on new draft Cyber Governance Code of Practice
The DSIT published a new draft Cyber Governance Code of Practice that sets out actions directors and senior leaders should take to improve their cyber resilience. Among other things, it recommends providing training to employees to improve skills and awareness of cyber issues.
The government has launched a call for evidence on the draft code, which will closes on 19 March 2024. See the press release and the government's cyber resilience policy for business and organisations.
ESAs publish rules under DORA on classification of incidents and cyber threats
The three European Supervisory Authorities (EBA, EIOPA and ESMA) published the first set of draft technical standards under the Digital Operational Resilience Act (DORA), which aims to strengthen and harmonise the IT requirements and third-party risk management and incident reporting frameworks for financial entities. See the press release.
UK and Japan sign Memorandum of Cooperation on cyber
On 17 January 2024, Japan and the UK signed a Memorandum of Cooperation with the aim of deepening public-private partnerships in cyber at a National Cyber Advisory Board event. Topics discussed include securing digital supply chains, engaging businesses on cyber resilience and best practice recruitment to increase cyber skills in both countries.