Within just the first six months of 2023, organizations operating critical IT infrastructure services in the United Kingdom reported more incidents to government authorities in which cyberattacks had significantly disrupted their operations than in any year previously, according to data obtained under the Freedom of Information Act.
While the total count of attacks might seem low — just 13 that affected organizations operating critical technology services, such as national internet exchange points or backhaul operators — the number marks a significant increase from the four disruptions the sector recorded in each of 2022 and 2021.
Essential service providers across Britain — from power plants through to businesses in the transport and healthcare sectors, as well as IT infrastructure companies — are legally required to report disruptive cyber incidents to sector-specific authorities under the country’s Network & Information Systems Regulations (NIS Regulations), which also establish minimum security standards for their computer networks.
To be reportable, the disruption caused by these cyberattacks must meet certain thresholds. For instance, an NIS incident for an electricity distribution network would have to involve an unplanned loss of supply to at least 50,000 customers for more than three minutes. An incident affecting a nationally significant DNS Resolver would see the service’s bandwidth drop by more than 25% for 15 minutes or longer.
According to the data acquired by Recorded Future News, two of the sector-specific authorities — Ofcom, which receives reports from digital infrastructure providers, and the Information Commissioner’s Office (ICO), covering digital service providers such as cloud computing services — collectively received more reports in the first half of this year than they had received in any year prior.
The other authorities contacted did not provide a breakdown by year of the dozens of reports they had received since the legislation came into effect in 2018. As such, it is not clear whether the apparent record number of incidents in the first six months of 2023 also occurred in sectors outside the technology areas covered by Ofcom and the ICO.
Private sector experts consulted by Recorded Future News suggested the increase in reports is more likely driven by an improved awareness among service providers of their reporting duties and investment in detection capabilities, rather than by any increase in hostile activity from sophisticated threat actors.
A government spokesperson told Recorded Future News: “As regulators and regulated organisations develop a clearer understanding of reporting requirements, we expect this to result in an increase in reported incidents. There is no evidence that any current increase is linked to an increase in hostile activity and any suggestion otherwise is without basis whatsoever.”
But the data also reveals that a large number of regulated organizations attempted to submit reports that were not recorded as NIS incidents due to the thresholds set by the legislation for whether a cyberattack is actually reportable.
These thresholds are based on the impact of a cybersecurity incident on the provision of the essential service — for instance, whether a cyberattack disrupted energy production at a power plant or prevented a train company from running a number of services.
Because the thresholds measure neither the depth of the attackers’ access to a computer network nor whether the threat actors had the capability to disrupt any essential services, they risk leaving government authorities without any effective visibility into how heavily their sectors are being targeted by cyberattacks.
The ICO, which began receiving reports from digital service providers in 2020 following an update to the NIS Regulations, said it had received 10 reports of service disruption (one in 2020, two in 2021, two in 2022, five in 2023) and nine attempted reports that were below the threshold (one in 2020, one in 2021, one in 2022, one in 2023).
A single NIS incident was recorded by Ofcom in 2022, but the regulator received seven attempted reports — three in 2020, one in 2021, three in 2023 — below the threshold.
The Department of Health & Social Care said that it had received two reports of NIS incidents since 2018, while the Department for Transport (DfT) told Recorded Future News it had received reports on 25 incidents since the legislation entered into effect. Neither department provided data on what year these reports were made.
DfT said it had received no attempted reports that fell below the NIS thresholds, although this contradicted a disclosure made to Sky News in 2021 in which the department said nine attempted reports had been made which did not meet the threshold. The department was unable to explain this discrepancy when asked.
The Department for Energy Security & Net Zero said it had received no reports of NIS incidents since the legislation took effect in 2018, but had received three attempted reports of cybersecurity incidents that did not meet the threshold for being reported.
The government spokesperson said: “We are committed to protecting critical UK services from cyber threats, and robust incident reporting is a key element of the NIS Regulations.”
“Last year, in response to a public consultation, we set out detailed plans to broaden the scope of reportable incidents, extending beyond those impacting the delivery of essential or digital services,” they added.
The government pledged last November that it would update the legislation “as soon as parliamentary time allows,” in a press release titled “Cyber laws updated to boost UK’s resilience against online attacks,” although no new laws have yet been announced. The government is expected to outline its final legislative agenda before the 2024 general election in the King’s Speech on November 7, which marks the formal opening of Parliament.