Blogs & Opinions 25.07.2024

The Labour Party Promised Change: What Does That Mean for Cyber?

The Labour government promised “change” as its big election manifesto theme. Will that stretch to cyber?

Will the new Labour Government end the erratic cybersecurity policymaking of the last five years? Mark Coates ponders this.

UK policymaking on cybersecurity has been erratic at best over the past five years. But a new government always offers the chance of a reset. Indeed, the Labour government promised “change” as its big election manifesto theme. Elected on July 4th 2024, it has plenty of work to do.

Despite spending billions on cybersecurity annually, the vast majority of medium (70%) and large (74%) UK businesses continue to suffer breaches. Critical national infrastructure (CNI) is particularly exposed.

Against this backdrop, the incoming Labour government must be bold. It must lead by example in the public sector and incentivise or regulate to get more organisations to follow best practices for enhanced cyber resilience. There’s no time to waste.

Failing on cyber

Despite repeated warnings, UK organisations struggle to build sufficient resilience against a formidable combination of determined cybercrime gangs and state-backed adversaries. A powerful parliamentary committee (JCNSS) decried the previous government’s “ostrich strategy” on cyber, warning that a “catastrophic” ransomware attack on CNI is imminent. Months later, the NHS in the South East suffered a crippling blow after digital extortionists hit a critical supplier. Thousands of appointments and many life-saving operations were cancelled, and it won’t be the last breach to have such catastrophic consequences.

Likely state-backed data breaches at the Ministry of Defence (MoD) and Electoral Commission show that the problem is endemic across the public sector and that the enemy is not just financially motivated threat actors. As flagged repeatedly by the intelligence services in recent years, this propels the challenge into one of national security, which should be a top priority for any new government.

What’s going wrong?

A big part of the challenge is out-of-date technology. Earlier this year, a government report highlighted that 43 legacy IT systems across government are at a critical level of risk, 11 of which are in the MoD. Complexity is also the enemy of cybersecurity, and it’s everywhere, including in supply chains, new technology systems, and point solutions, which add cost and management overheads without tackling cyber risk.

Global research tells us that 83% of global IT and security leaders believe cloud complexity is increasing their cyber risk, and 65% don’t think existing solutions can detect breaches effectively. Particularly worrying is that around a third of breached organisations only realised they’d been hit when they received an extortion threat or after proprietary information leaked onto the dark web.

Encourage and enforce

Labour’s manifesto acknowledges the threat of “hybrid warfare, including cyber attacks and misinformation campaigns which seek to subvert our democracy”. It promises to conduct a Strategic Defence Review within its first year. A commitment to spending 2.5% of GDP on defence will be welcome if part of that goes on cyber capabilities.

Yet the truth is that most CNI is run by the private sector. So, while the government needs to take the lead on cyber where it can – building cyber capacity, skills and resources for public authorities – it must also find ways to encourage or enforce better practices outside the public sector. A good way to do this would be to promote the idea of CISOs being represented at the board level so that cyber risk gets the airtime among leadership that it needs. Over half (59%) of global CISOs say they would be most empowered by cyber risk becoming a board priority.

Visibility and control

Ultimately, cyber resilience must start with improved visibility – after all, you can’t manage what you can’t see. That means real-time, network-level intelligence that can spot suspicious activity even in encrypted traffic. No organisation is breach-proof. However, with better situational awareness, teams can spot incidents before they have a chance to spread and cause havoc. Unfortunately, the MELT-based (Metrics, Events, Logs, and Traces) approaches that we see in many organisations today are no longer fit for purpose in a hybrid cloud world. Security teams need deep observability to truly eliminate blind spots such as those in lateral and encrypted traffic.

The resulting data can power sophisticated AI analytics for 360-degree visibility into IT networks, applications, and systems. In so doing, it can help turn zero trust into a reality by empowering teams to enforce related policies like micro-segmentation.

That’s plenty for the new government to consider. The good news is that there’s already recognition of the importance of cyber resilience to national security and economic prosperity. The tough job will be turning theory into reality.


Mark Coates is VP EMEA at Gigamon. With over 25 years in the technology industry, Mark leads the EMEA team and is passionate about driving positive legislative change in the industry. Prior to joining Gigamon, Coates held senior leadership positions at Digital Realty, Dtex Systems, Veritas Software Corporation/Symantec and Good Technology.
