Ever since 1983's WarGames, cybersecurity attacks have become a staple of blockbuster Hollywood films. The trite image of a youth in a hoodie hovering over a keyboard and threatening national security is ingrained in our collective memories. Since the internet went 'mainstream', nation states, companies and individuals exist in an increasingly digitised world. We rely heavily on secure and stable IT and OT systems to lead our daily lives, to run companies and to govern countries. Cyberattacks are designed to disrupt this; WarGames is now our reality.
The consequences of a cybersecurity attack are usually severe, from business interruption to the possible exfiltration and public disclosure of commercially sensitive and/or personal data. Regulatory action often follows, leading to fines and litigation risk. Service providers and suppliers may bring claims for breach of contract or negligence, and the UK is facing an increasing number of class action-style claims for breaches of privacy and cybersecurity legislation. In short, it is a legal minefield.
The UK government is responding to this threat and the current policy focus is on ransomware. Ransomware is the right place to start due to the nearly five-fold increase in attacks in 2020. In April 2021, several UK government agencies joined the Ransomware Task Force, a global forum seeking to address the global ransomware threat. This is a step in the right direction.
Those on the cybersecurity frontline know that the—very welcome—evolution of the public policy response to cybersecurity attacks lags behind the threat actors and their evolving capabilities. Companies do not have the luxury of waiting for future government policy, they must defend themselves.
Understanding the complex myriad of legal standards is key to avoiding falling prey to 'cyber snake-oil'. Meeting the legal requirements involves at least an appreciation of the appropriate technical and organisational cybersecurity measures for your organisation. But what is appropriate for a local widget manufacturer is very different to what is appropriate for an international tech giant.
When the worst happens, a common mistake is to treat a cybersecurity attack as an isolated IT issue. Cybersecurity risk is a category of legal and operational risk which is exacerbated by breakdowns in internal procedures, people, and systems. The last thing victims of cyberattacks want is to emerge from having contained and remediated an incident, only to be thrust back into the misery of endless regulatory scrutiny and litigation. Cybersecurity risk should be treated the same way as other serious operational and legal risks, and not simply delegated to IT or InfoSec. Organisations can, and should, address their cybersecurity risks by preparing, planning and practising.
The most effective preparation for a cyberattack involves the development, and practice, of a cyber incident response plan with clear allocations of roles and responsibilities involving diverse stakeholders from the Chief Information Security Officer to the Head of Communications and Legal.
Companies are helping themselves in the cyber arms race, so how can government policy assist? First, the government should continue its review of the Network and Information Systems Directive as implemented in the UK. The recent review of the Directive envisaged amendments to go beyond “the limitations of the Directive” and further reduce cyber risk. Second, careful consideration needs to be given to calls to ban ransom payments as, while this may stem the proliferation of ransomware attacks, it may also leave businesses vulnerable. Finally, it should continue to share threat intelligence with our global partners and increase awareness of cybersecurity risk in recognition of the fact that cybersecurity risk is no longer a film plotline but a business reality.
