UK cyber law delays 'deeply concerning,' say MPs
British opposition lawmakers said this week it was “deeply concerning” the government had still not introduced new cybersecurity laws to Parliament, warning that “gaps in our legislation” are “fuelling even greater threats against our nation.”
“Although I recognise that sound policy requires time to develop, we cannot afford to proceed at our current glacial pace,” said Bradley Thomas, the MP for Bromsgrove, on Tuesday, as he and colleagues attempted to push forward the government’s timeline.
It follows the Cyber Security and Resilience Bill, already much delayed, being pushed back again in September, as revealed by Recorded Future News. Separate government proposals to overhaul the country’s response to ransomware attacks have also stalled since July, following a nearly year-long delay resulting from the 2024 snap election.
Using a Ten Minute Rule Motion to call for an overhaul of how the U.K. handles ransomware attacks — a rule generally seen as a tool for campaigning on an issue rather than an effective way to introduce new laws — the opposition MP said: “Delay only deepens our vulnerability, particularly in the light of recent events.”
“We must act decisively and without hesitation to safeguard British businesses and protect our national security,” he added, referencing incidents affecting widely known British companies Marks & Spencer, the Co-op, luxury store Harrods and Jaguar Land Rover (JLR) — although the latter has not been confirmed as a ransomware incident.
The British government’s three key policy ideas to tackle the most disruptive ransomware attacks include a ban on payments by organizations working in the public sector or in critical national infrastructure.
“A payment ban aims to remove the financial incentives of targeting these organisations, reduce threat actors’ revenue streams and capabilities (by limiting their ability to reinvest profits), and disincentivise attacks on UK organisations by making them financially unattractive targets,” explained the government.
The proposals also aim to introduce a requirement for victims to notify the government if they have been attacked, and again if they intend to make an extortion payment, as part of a “payment prevention regime” for entities outside of the public or critical infrastructure sectors.
However, there are concerns that if these regimes were limited to businesses with an annual turnover above £25 million ($33 million), cybercriminals and businesses themselves could attempt to exploit loopholes.
The government is still consulting on its new ransomware policy, and expects to introduce the Cyber Security and Resilience Bill shortly.
"The cyber threats we face are sophisticated, relentless and costly. Our Cyber Security and Resilience Bill will be introduced to Parliament this year and is designed to strengthen our cyber defences - protecting the services the public rely on so they can go about their normal lives," a government spokesperson said.
"Under separate Home Office plans set out earlier this year to crack down on ransomware attacks, public sector bodies including the NHS, local councils and schools would be banned from paying ransom demands to criminals. As you would expect, DSIT works closely with the Home Office and a range of other stakeholders as the department with responsibility for government and public sector cyber security."
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.