UK cyber agency pushes for 'strategic policy agenda' as government efforts stall
Following years-long delays in the United Kingdom bringing forward new cybersecurity legislation, what seems to be an increasingly exasperated National Cyber Security Centre (NCSC) called on Monday for the country to adopt a strategic policy agenda to tackle the growing risks.
Although the NCSC — a part of the cyber and signals intelligence agency GCHQ — is not a policymaking body in the United Kingdom, its latest blog post is explicit in setting out the need for more political attention on cybersecurity.
It was co-written by Ollie Whitehouse, the agency’s chief technology officer, and Paul W, its principal technical director. Whitehouse has repeatedly warned that the technology market is broken and failing to incentivize building resilient and secure technology, and argued that regulation and legislation are not keeping pace with technology change.
The same arguments had been made under the Biden administration in the United States, where software manufacturers were being urged to ship products that are secure by design. As Jen Easterly, then the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told the Oxford Cyber Forum last year: “The only way to deal with this problem is to demand more from our vendors.”
It is not clear whether the Trump administration shares those views on vendors, although last week the president signed an executive order scrapping requirements that software companies selling to the government attest to CISA that their products are secure.
Despite the apparent sympathy for regulation in the U.K. Labour Party’s 2024 manifesto — which stated that “markets must be shaped, not merely served” — there has been no indication this government will take any market-shaping actions, despite cyberattacks continuing to hit the country.
Amid attacks during last year’s U.K. election campaign, experts told Recorded Future News that silence about the issue from politicians was indicative of how the topic of cybersecurity is “de-politicised” in Westminster and seen as something technical experts are expected to resolve rather than an issue politicians think they should be held accountable for.
The snap election itself delayed the Home Office launching a consultation proposing a major overhaul of how the country responds to ransomware attacks. While the consultation is underway, the government has not yet published its response — expected to include announcing new primary legislation to tackle the growing threat. The government has also not yet introduced its Cyber Security and Resilience Bill to Parliament, despite its predecessor prematurely describing the country’s cyber laws as already “updated” three years ago.
However, even these bills — focused on critical infrastructure resilience and ransomware payments respectively — are unlikely to address the systemic shortcomings Whitehouse highlighted on Monday: “The reality is that in 2025, we know how to build secure products and services. … Unfortunately, the business and commercial incentives to encourage adoption and sustainment of secure solutions are not sufficient.”
Joe Jarnecki, a research fellow at think tank RUSI, told Recorded Future News he didn’t regard the Cyber Security and Resilience Bill as “a legislative instrument meant to answer many of these questions with regards to the quality of cybersecurity in technology products generally used by consumers.
“Instead it concentrates and focuses on a relatively select group of providers with a view to ensuring infrastructure security at a national systemic level,” he said.
The problem, according to Jarnecki, is that the way the United Kingdom has approached cybersecurity issues for several decades has been to impose “a very low regulatory burden on vendors” which “hasn’t created the market conditions that we would like with regards to secure technologies.”
The NCSC has “limited to no policy-making power,” said Jarnecki, who highlights how the many efforts included in its latest blog post were effectively “lots of carrots” rather than any regulatory sticks.
“From the outside, it seems as though the NCSC is growing somewhat frustrated by companies which arguably could be doing a lot better at making secure technology, but aren’t,” Jarnecki said.
The RUSI researcher noted how even the relatively simple task of having internet of things (IoT) vendors stop creating products with easily guessable default passwords was only achieved after the government passed legislation to ban them.
Up until that point, he said, the industry did not think it was “within its gift or competency or responsibility to do that. Given the plethora of baseline cybersecurity measures we know work, and we know have persistently worked over decades, it’s astonishing that they haven’t been more widely adopted. As a result it’s not surprising there are some calls, potentially from within the NCSC as well, to explore legislation pursuant to that.”
Jarnecki said it was “incredibly novel” for the Biden administration’s national cybersecurity strategy to place an onus on large technology vendors to be responsible for the security of their technology in a different way than they had been previously, describing the move as the U.S. “dipping its toe in the liability agenda” which Whitehouse has put forward more forcefully.
But, said Jarnecki, that approach appears to be in doubt in the United States given the apparent reticence of the Trump administration to regulate or legislate on the matter.
A spate of cybersecurity laws in the European Union suggests that there isn’t as much reticence on the other side of the pond, but amid concerns over growth — and particularly heavy lobbying over the potential economic benefits of AI technologies — those laws and the complications around translating Brussels regulations into national contexts mean those efforts have been delayed.
“The cost of underinvestment in cyber security is ultimately borne not by the vendors, but downstream by customers, insurers, the government and wider society,” wrote the NCSC. “It is these market fundamentals that need to be addressed if we are to prevent software and hardware vulnerabilities being exploited.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.