There's a new government in the UK. What can we expect from it on cyber?
Sir Keir Starmer, a former human rights lawyer who became one of the most senior public prosecutors in England and Wales before entering politics, was on Friday appointed the prime minister of the United Kingdom by Charles III and asked to form a government.
The Labour Party now holds a large majority in the House of Commons, at least 412 of the chamber’s 650 seats, and possesses all of the political capital it needs to bring forward the laws and policies to implement its vision for the country.
Set out in the Labour manifesto, that vision includes a commitment to “build a National Health Service fit for the future.” Despite this, when two significant cyber incidents affecting the health service occurred during the course of the election campaign, they received no attention at all from the party’s candidates.
Halfway through June, every single household in the Scottish region of Dumfries and Galloway received a letter warning residents that their data was likely to have been accessed by cybercriminals and published online following a ransomware attack. Labour did not comment.
Another ransomware incident earlier that month, this time affecting a pathology company, led to a critical incident being declared across several hospitals in London. The disruption has to date caused the postponement of more than 5,000 acute outpatient appointments, including hundreds of operations for cancer treatments. Again, Labour has not commented.
The party’s quiet over these attacks is not unique. The incumbent health minister made a single post on social media stressing her priority was patient safety. The other major parties’ election campaigns made no noise about what had happened, nor did any of them pledge to address the threat posed by ransomware gangs.
As experts told Recorded Future News, that relative silence is indicative of how the topic of cybersecurity is “de-politicised” in Westminster; it is seen as something technical experts are expected to resolve rather than an issue politicians think they should be held accountable for.
Nobody sensible would argue the topic deserves priority status over domestic issues such as government finances or above foreign policy hotspots such as Ukraine and the Middle East.
But political decisions about cyber will still have to be made. In a few areas Labour has already pledged to make them — albeit mostly subordinated to other policies around defense and security. In some areas the need for political decisions could take the party by surprise.
First steps
The public won’t know about Labour’s formal legislative agenda until it is set out in the King’s Speech during the State Opening of Parliament on 17 July.
On that day Charles III will describe in broad terms the areas the legislation will focus on, and will do so in the House of Lords (the monarch has not been permitted to enter the House of Commons since a kerfuffle in 1642). It will then be up to the government itself to decide when to unveil the details of each bill by introducing it to Parliament.
But well before the ceremonial beginning of a new parliamentary session, Starmer will have to set out his stall on some key policies when he attends NATO’s summit next week in the U.S. The Washington summit has a cyber element — allies are expected to agree to the establishment of the new NATO Integrated Cyber Centre — but the most pressing matters will be around defense expenditure and assistance for Ukraine in the case of a U.S. presidency that is hostile to international aid.
Labour’s manifesto does warn that “threats from hostile states or state-sponsored groups are on the rise” and pledges to take “the approach used for dealing with non-state terrorism and adapt it to deal with state-based domestic security threats,” although it is not at all clear what this means or what difference it would actually deliver. Labour is expected to continue encouraging allies to counter hostile Russian activities, including sabotage and espionage, currently being conducted throughout the continent.
Fraud and policing
The party's manifesto committed to introducing “a new expanded fraud strategy to tackle the full range of threats, including online” and pledged to “work with technology companies to stop their platforms being exploited by fraudsters.”
It follows a parliamentary committee criticizing the previous government's approach to fraud as needing “a wholesale change in philosophy and practice,” back in 2022. While the government unveiled a new strategy last year, its flagship policy of replacing Action Fraud with a "state-of-the-art system" to report cybercrime has since been delayed.
Details on Labour’s new fraud strategy are not yet clear, but working with the technology companies proved extremely difficult for the Conservative Party as it developed the Online Safety Act and attempted to balance attracting international investment with an effective regulatory regime.
Although several plans of action are already in place to tackle fraud — including new rules developed by the Payment Services Regulator that could see victims reimbursed up to £415,000 by banks — no government has yet developed a mechanism to force platform operators to accept liability for when their users are harmed.
Labour has pledged to bring forward some of the Online Safety Act’s provisions around addressing these harms, although it is not clear which. The legislation delegates much of the legwork to the regulator Ofcom, and the large technology platforms are adroitly resisting responsibility for addressing a range of harms by introducing end-to-end encryption (E2EE) in their apps — a move that effectively insulates them from many content moderation obligations.
Increasing the capacity of public services without borrowing more money is another challenge. Labour said it intends to ensure policing services are “organised so as to enable investment in specialist capabilities,” but it is not clear whether there is room for the size of reorganization needed to recruit, train and retain the number of officers needed to tackle the 3.5 million fraud offenses affecting Britain annually.
Fraud and cyberattacks impact the British economy, whether through the productivity drain caused by a large volume of financially motivated incidents, or through the growth undermined by state-sponsored intellectual property theft. Prioritizing tackling these offenses could have an economic benefit for society, but making that call requires political will.
These incidents also have a national security impact. As described by U.S. Cyber Command's Emily Goldman earlier this year, even when kept well below the threshold of catastrophe, the sheer volume of cyberattacks facing countries in the West is having “strategically consequential effects.”
While the operational capacity of the U.K.’s National Cyber Force is secret for national security purposes, the specialist unit is still not fully staffed. The National Crime Agency, which has also demonstrated its ability to disrupt online crime, has said it could do more with more resources.
Establishing the cost-effectiveness of the intelligence and security apparatus isn’t something that can be done openly, but it can be done by the Intelligence and Security Committee (ISC) of Parliament. While the ISC has been largely ineffective for the past decade — partially due to complaints by the intelligence agencies about its remit to oversee operational matters — a new Parliament offers the prime minister an opportunity to reform the committee.
More attention on vendors?
But perhaps the most significant cyber decision coming down the line can be credited to two white houses: Ollie Whitehouse, the CTO at Britain’s National Cyber Security Centre (NCSC), and the White House in the United States.
In his keynote address at the CyberUK conference in Birmingham, NCSC’s Whitehouse warned that the technology market was broken and failing to incentivize building resilient and secure technology. He said regulation and legislation were not keeping pace with technology change.
The same arguments have been made under the Biden administration in the U.S., where software manufacturers are being urged to ship products that are secure by design. As Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, told the Oxford Cyber Forum last week: “The only way to deal with this problem is to demand more from our vendors.”
While the Labour Party hasn’t set out its policy in this area in any detail, its manifesto seems sympathetic: “Markets must be shaped, not merely served.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.