UK Government Exempts Itself from Cyber Resilience Bill Amid Rising Public Sector Attacks
#Regulation

Startups Reporter
2 min read

The UK's Cyber Security and Resilience Bill excludes public sector organizations despite 40% of national cyberattacks targeting government systems, raising concerns about accountability and security standards.

As cyberattacks against UK government agencies continue to escalate – from May's breach at the Legal Aid Agency to recent Foreign Office compromises – a critical question emerges: why does Britain's flagship Cyber Security and Resilience (CSR) Bill explicitly exclude both central and local government from its scope? The exemption persists despite National Cyber Security Centre (NCSC) data showing that 40% of the incidents it managed in 2020-2021 targeted public sector organizations.

Former Digital Secretary Sir Oliver Dowden confronted this contradiction during the bill's parliamentary debate: "I would urge the minister to look again... there is a case for putting more stringent requirements on the public sector to force ministers' minds." His concern stems from firsthand experience with cybersecurity's tendency to be "deprioritized quickly in government" without legislative pressure.

In response, Minister Ian Murray pointed to the newly launched Government Cyber Action Plan, promising equivalent security standards for departments without legal obligations. This non-binding approach fails to convince experts like Neil Brown, director at decoded.legal: "If the government is going to hold itself to equivalent standards, it has nothing to fear from being included in the bill since, by definition, it will be compliant."

The exemption appears increasingly untenable when juxtaposed with the National Audit Office's January 2025 assessment of government systems. Auditors found security flaws in all 58 critical systems reviewed, noting "staggeringly slow" remediation rates. With public sector breaches occurring monthly, the government's stance provides easy ammunition for critics.

Supporters of the current approach suggest that alternatives might emerge, including separate public-sector-specific legislation modeled on telecom security laws. Brown acknowledges potential merit: "Smaller bills responding to clearly articulated problems seem more sensible than one piece of legislation trying to be all things to all people." However, Minister Murray's suggestion that the CSR Bill could later be amended to cover the public sector raises questions about implementation speed, given Westminster's historically slow legislative processes.

Fundamentally, the exemption creates a double standard: while private MSPs and datacenters face fines of up to £100k per day under the new regime, government entities operate under voluntary guidance. With threat actors increasingly targeting public infrastructure, this gap between rhetoric and regulatory reality threatens both national security and political credibility. As Brown concludes, the government's reluctance to subject itself to its own standards "does not fill me with confidence" – a sentiment echoing through Westminster's corridors as cyber incidents mount.