UK government exempting itself from flagship cyber law inspires little confidence

From May's cyberattack on the Legal Aid Agency to the Foreign Office breach months later, cyber incidents have become increasingly common in UK government. The scale extends far beyond these high-profile cases: the NCSC reports that 40 percent of attacks it managed between September 2020 and August 2021 targeted the public …

  1. Doctor Syntax Silver badge

    "My preference is to legislate little and often"

    The reality will be too little too late.

    1. Like a badger Silver badge

      Indeed, as JLR, M&S, the Co-op and others can attest. You have to wonder what the heck our arts-n-farts graduate MPs think this new legislation will do? Any potential penalties in law as actually imposed, rather than "up to 10% of global turnover" will be utterly trivial against the other damage of a major cyber attack (£300m for M&S, maybe £1.9bn for JLR).

      This is the usual shutting of the stable door after the horse has long departed, and its only effect will be additional compliance costs on business, with probably trivial improvements in cyber defences. In regard of not having the public sector in scope, I think that's fair enough - not because it lets them off the hook (which it does) but because post-breach sanctions by say the ICO are meaningless money transfers from one public body to another, and invariably simply get credited back to the Treasury.

      What is perhaps more worrying is that the "legislate little and often" shows a total ignorance of how problematic that is for business to stay up to date; it invariably means that the government intend to make changes through secondary legislation (ie with no effective parliamentary scrutiny).

      Useless feckers, all of them.

      1. Anonymous Coward

        ICO Fines

        They may be transfers between departments, but they're transfers away from the departments of those who do poorly. That gives a decent scope to make failure hurt.

        1. Like a badger Silver badge

          Re: ICO Fines

          To hurt whom?

          Cut the budget of an NHS trust after a security breach, and you think that the relevant members of management suffer? Patients certainly would though.

      2. Oh No, Not Again

        Monetary fines are pointless when dealing with local and central government.

        Instead, heads should roll, mistakes should be made public, and remedies should be applied promptly, without endless inquiries dragging on for years at great cost.

        1. amanfromMars 1 Silver badge

          Useless feckers, all of them ..... and ain't that the gospel truth‽

          Monetary fines are pointless when dealing with local and central government.

          Instead, heads should roll, mistakes should be made public, and remedies should be applied promptly, without endless inquiries dragging on for years at great cost. .... Oh No, Not Again

          And whenever so evidently recognised and realised as pointless and utterly ineffective with a clear absence of necessary heads rolling, mistakes being made public and remedies being applied promptly without endless inquiries dragging on for years at great cost, is the non activity tantamount to the incitement of terrorist violence by that and those responsible but not being held accountable for failed and damaging services ‽ .

          And a RAT*-like Enemy residing and presiding and spreading like a malignant cancerous tumour within its host bodies and institutions.

          And all know the only possible effective successful treatment for that is a scorched earth policy of excision and incineration/removal and destruction/revolutionary civil disobedience/Troubles v2.0. And it is a perfectly normal and fully to be expected response to such an abomination whenever studiously ignored and denied life saving remediation.

          * Remote Access Trojan

    2. cookiecutter Silver badge

      and they'll give all the work to tcs, wipro or infosys. ship it all to india or south africa & STILL get compromised

      give it a few years and they'll be crying that "well we don't have the skill set here so it will be too expensive to repatriate it"

      fuckers never learn. shipped off manufacturing, services & now IT. The establishment won't be happy until we're all working minimum wage at tesco & every single actual tax paying job has gone!

      1. Roland6 Silver badge

        > "and they'll give all the work to tcs, wipro or infosys. ship it all to india or south africa & STILL get compromised"

        That’s probably why they wish to exclude government systems, as the current host on cloud subject to US law, and implemented by Indian etc. companies means the entire IT infrastructure platform is inherently insecure in the new work order that is emerging…

      2. VoiceOfTruth Silver badge

        We take the security of our customers'/taxpayers' data very seriously, and offshore as much of it as possible.

      3. MachDiamond Silver badge

        "The establishment won't be happy until we're all working minimum wage at tesco & every single actual tax paying job has gone!"

        And every episode of Escape to the Country will be sub-titled as the buyers looking at properties will be from elsewhere in the world.

      4. David Hicklin Silver badge

        > minimum wage at tesco & every single actual tax paying job has gone!

        With the way the freeze on personal allowances is going, all those minimum wage earners are going to be the majority taxpayers.

  2. Sok Puppette

    Seems like it ought to make you confident of *something*.

  3. Dwarf Silver badge

    Do as I say, not as I do.

    So, one rule for them and one rule for us?

    This is from the same group that want to have a National Identity database, with all our information.

    Arguably, they should have MORE stringent rules applied, to ensure that things are appropriately designed, governed, implemented and operated.

    What happens to the outsourced companies that deliver these services? Are they to comply with the "for the rest of us" rule, or the "don't worry, we're different, government" rule?

    1. Anonymous Coward

      Re: Do as I say, not as I do.

      The thing that I find illogical is to fine any public body for legal breaches, as all it does is to punish the public it’s meant to be serving by reducing available funding. Surely it would better focus the minds of those in charge if they were made personally liable for their actions. I recall when the corporate manslaughter legislation was introduced: few managers I spoke to (and it was quite a large number as my job involved QHSE audits of a lot of businesses) realised it actually put them in the liability crosshairs. Their default understanding was that it made the company liable and didn’t grasp that it went a step further and made them personally liable for corporate actions that led to fatalities.

      I recall when the HASAW etc act was enacted, unions representing workers of a well known engineering company managed to get an arrest warrant for the MD (for breaches of responsibility under the new legislation). They weren’t out to get him personally; rather, they were trying to get management attention and the warrant was issued when he was away from the company site. His lawyer was able to successfully challenge it before he could be detained - but it certainly got his attention and he ensured the leadership team took action to ensure the company improved its H&S response.

      1. Jellied Eel Silver badge

        Re: Do as I say, not as I do.

        The thing that I find illogical is to fine any public body for legal breaches, as all it does is to punish the public it’s meant to be serving by reducing available funding. Surely it would better focus the minds of those in charge if they were made personally liable for their actions.

        Indeed. JLR got hacked and it's answerable to its shareholders, so execs could get fired. Civil servants and ministers responsible may have responsibility, but not accountability. So if say, HMRC's systems get hacked, JLR might not be able to export, import or pay taxes. And nor would any other business or individual. Or as another poster pointed out, the impending Digital IDiot system and the creeping compulsion that will insert that into UK life. Fines would as you say just mean taxpayers pay those; compensation of say, £10,000 per ID compromised might focus ministers' minds a bit more. Especially if they were also personally liable.

        1. Like a badger Silver badge

          Re: Do as I say, not as I do.

          Civil servants and ministers responsible may have responsibility, but not accountability.

          Civil servants do have accountability and can be and are sacked. Around 6% of all Civil Service leavers are dismissals, so about 1800-3000 dismissals per year. However, dismissals primarily affect lower grades, with the rate per headcount of dismissal of the most junior grades 6x that of the rate for Senior Civil Service grades (SCS), and a rough halving as each grade or grade pair goes up. I'm confident that curve is usually true in most organisations simply because by the time somebody reaches senior leader status they've demonstrated that they fit with organisational norms of behaviour. What I'm less confident about is that ENOUGH of the SCS are sacked. In a typical year the dismissal rate for SCS is around 0.05%, perhaps 3-5 people out of almost 8,000 senior leaders. Of course, some number could be told that they're going to retire, or going to take redundancy whether they like it or not, but total Civil Service redundancies in past years are a similar order of magnitude as dismissals, so I'm not sure there's many hidden dismissals there.

          Whilst I'd guess we think that more SCS should be sacked when projects or performance go wrong, there are two caveats: First, if Treasury, or a minister won't sign off the resources to fix an identified problem (eg resourcing for answering HMRC telephone lines) then it's hardly fair to blame the officials who run the service. Second, if private sector approaches of greater accountability apply, then it follows that good performance is rewarded through better base pay, and performance related pay. PRP does exist, but neither extensively, nor at the proportions typical in the private sector. So in my own role there's no PRP, whereas in my previous private sector roles it varied from 20-50% bonus potential, and on a salary that was notably higher.

  4. Camilla Smythe

    ISTR

    Them giving themselves exemptions to legislation in the past after they were advised it would mean they were subject to it because reasons.

    It seems they have learned their lesson and chosen to be proactive this time.

    Perhaps someone can explain to them why this one matters but the other way around.

    My memory is not as good as it used to be but it may have had something to do with them sharing tractor pictures with constituents rather than receiving polite requests for bitcoin to recover their own stash or avoid its publication.

    No doubt we will still be subject to Death, Taxes and the introduction of a Surveillance State but we are getting there.

    Jazz Rats FTW.

  5. lordminty

    Department of Digital ID anyone?

    If the Department that will be responsible for Digital ID will be exempt...

    We'd better all start stockpiling popcorn.

    I can't wait for the first breach, with the inevitable "Have you had your government Digital ID stolen? You may be entitled to compensation! Contact us at weregoingtosuethegovermentforyou.com" and the subsequent government disco dancing.

    1. Like a badger Silver badge

      Re: Department of Digital ID anyone?

      My early morning brain and eyesight caused me to misread the last word of your second sentence as though the letters "pco" were not present. You're certainly right in both original text and in my reading.

  6. Winkypop Silver badge
    Trollface

    Well, 2026 is off to an unusual start

    You don’t often see the words “UK government” and “confidence” in the same sentence.

    Oh I see, I missed the word “little”, my bad.

  7. Will Godfrey Silver badge
    Facepalm

    Do as I say!

    Not as I do.

  8. Anonymous Coward

    Blaming others for your own failings - government policy 101

    "Labour does, at least, have some ammo to fire back if this scenario were to ever become reality, with the Conservatives having failed to enact the cybersecurity recommendations from its 2022 consultation, despite having had more than two years to do so."

    Using other people's incompetence as an excuse for your own failure isn't the win you think it is.

    1. Anonymous Coward

      Re: Blaming others for your own failings - government policy 101

      Not to defend the Tories here, but the seriousness of how fucked everything was had been raised in ISC meetings numerous times throughout the lifetime of Blair's cabinet. This football has been kicked down the road for so long the leather's all come off and it deflated a long time before even Cameron had a pop with it. At this point, it's just white noise.

  9. Anonymous Coward

    Surprised? Absolutely Not!

    Link: https://www.itv.com/news/london/2023-06-29/undercover-policing-findings-devastating-for-police-mi5-and-government

    Quote: "UK government exempting itself from flagship cyber law...."

    Police --> MI5 --> STASI (Cheltenham, Novi South)....................

    Been going on FOR YEARS AND YEARS.................

    Some of us Anonymous Cowards are not in the least surprised!

  10. amanfromMars 1 Silver badge

    Lions led by donkeys is always going to lead nowhere good and healthy

    For as long as supposed UKGBNI security and intelligence services are servants of Parliamentary Cabinet government ministers rather than the reverse is nothing going to improve and will everything get dreadfully worse.

    And if one were to suggest that the reverse is actually true, but a closely guarded top secret, would the situation be even worse and also equally worthy of revolutionary rectification and fundamental activity.

  11. nijam Silver badge

    It's government departments and agencies that most need to comply with this legislation, of course.

  12. elsergiovolador Silver badge

    Gravy train

    The obvious reason the government excluded itself from the CSR bill is the one nobody wants to say out loud: it cannot meet the standards it is trying to impose on others. Years of hollowing out in-house technical capability, not just by replacing skilled engineers, but by displacing skilled independent consultants with large consultancies billing eye-watering day rates for junior staff who could not secure equivalent roles elsewhere, has consequences. Competence was traded for slide decks, stakeholder lunches, and the comforting illusion that “strategy” can substitute for engineering.

    Binding private operators with legal obligations while exempting the state is not pragmatism. It is self-preservation. Legislating minimum competence for cybersecurity would force ministers to confront the fact that much of government IT is held together by consultancies with no long-term accountability and departments that struggle to retain anyone who actually understands the systems they are meant to secure.

    The Cyber Action Plan neatly completes the trick. Equal standards in theory, zero legal liability in practice. Ministers get to say the right words, publish the right PDFs, and avoid the embarrassment of statutory non-compliance when the next breach inevitably happens. Accountability is deferred, again, to some later date, some future bill, some other Parliament.

    This is not a lack of awareness. It is a lack of capability. And admitting that would require paying for it properly, rebuilding internal expertise, and accepting that cybersecurity is not something you can outsource over wine and steak dinners. Until then, the taxpayer keeps funding the consequences of institutional decay, while being told to trust that this time, honestly, the intentions are serious.

    The gravy train keeps going!

    1. amanfromMars 1 Silver badge

      Re: Gravy train gravely to be regarded .....and avoided at all and any cost because of .....

      ..... the virtual and practical nature of its real live existential threat vector

      Quite so, elsergiovolador. Such is undeniably all too apparently too true to be realistically argued false and fake news to be dismissed and persecuted and prosecuted as hostile state-like disinformation attacking national security.

      There is no doubt the future deserves considerably more and much better of its executive IT services and public-facing publicly funded administrative servants. Anything less will always be continually destructively problematical and increasingly quickly self-defeating.

    2. Fred Daggy
      Holmes

      Re: Gravy train

      Further to elsergiovolador, if the Govt doesn't exempt itself ... then, OMG, then The Minister would be responsible.

      Might even need to fall on his/her/other sword for that failing.

      If it's spelt out in law, then there is no room for weasel words (well, less, anyway). There would be enough fodder to have another season of Yes, Minister. (Alas that the original cast is no longer with us).

      1. Furious Reg reader John

        Re: Gravy train

        "Might even need to fall on his/her/other sword for that failing." - Yes, but the incompetent/corrupt civil servants in the department involved, who are actually the ones responsible for managing the systems involved, would carry on without any censure and continue looking forward to an early retirement on a gold plated pension, with a gong or two thrown in to reward them for their service.

  13. LucreLout

    Outrageous

    Private enterprise cannot compel me to provide it with my data, yet the public sector can and regularly does. I can easily avoid Amazon losing my data by shopping elsewhere, but unfortunately I have to engage with HMRC, for example.

    If there is to be a tightening of security requirements, and there should be, it must begin in the public sector first. There need to be real consequences for data loss.

  14. TrickParadox

    The EU "chat control" propositions have all been the same, too. And they keep trying and trying every time it gets rejected by the more privacy-savvy countries in the EU. These surveillance rules always have exemptions for the ones making the rules. Funny, that. Rules for thee but not for me.

  15. Tubz Silver badge
    Big Brother

    No 2 Tier laws from 2 Tier Starmer and his dictatorship of fools and w@nkers, if it is unlawful for me, then it's unlawful for the Government.

  16. ComicalEngineer Silver badge

    Cyber Essentials ----

    ... is a virtual impossibility for a small company.

    I do work for several large companies in the nuclear, aerospace & defence sectors. I have recently been asked to comply with the cyber essentials guidance.

    https://getreadyforcyberessentials.iasme.co.uk/questions/

    Enjoy trying to work through this.

    I was quoted £6,000 to have an "adviser" get me through the process. The job I was quoting for was worth £5,000.

    As I work from home and my "work" network is also my home network I was told that I could not let my children or any visitors access the network without their devices also being assessed. I have 2 kids who both have laptops and smart phones.

    The whole thing is another government sh!t show.

    1. Anonymous Coward

      Re: Cyber Essentials ----

      >>As I work from home and my "work" network is also my home network

      Well there is an easy solution right in your statement there, and it's tax deductible!

      Just get separate FTTP network infrastructure installed for business use only.

    2. MashedPotato

      Re: Cyber Essentials ----

      IASME does not help. They want all devices to have supported operating systems. So ... the canonical MRI scanner that can't be updated without spending £££? "Sorry hospital, computer says no"

      "but we have ISO 27001 which trumps CE+ and is risk-based, not stupid-based" ... "computer says no"

      "but we are not an SME, we are a huge company so CE can't apply to the whole enterprise" ... "I say it can (despite being stupid) and if you can't then computer says no"

      "big old UK company was hacked even though they had CE+" ... "let's force HMG to require it still because ... reasons"

      "we use O365 or Google as email " ... "never heard of cloud ... penetration test please"

    3. Anonymous Coward

      Re: Cyber Essentials ----

      What everyone else does: have a separate CE+ laptop that only comes out of the cupboard to be patched before undergoing an 'in-depth' CE+ vulnerability scan.

      Then when you've passed the test and got your silly little cert you put it away again and use your normal kit.

      CE+ is the box tickiest of box ticking exercises.

      It should never have been allowed to creep beyond its initial aim of being a basic assessment for small non-technical businesses.

      But IASME could smell the money and ministers could see themselves next to a shiny 'Cyber' label (back when they thought Cyber was a cool word and they made everyone stop saying Infosec).

  17. Snowy Silver badge
    Facepalm

    Legislate

    Maybe just get it right first time. It blows my mind that 6 year old legislation can be considered heavily out of date!

  18. Anonymous Coward

    Politics had a run in with reality?

    I guess someone has had a quiet word with government and explained how much it will cost them to get over the technical debt they've allowed over the last 20yr in order to meet this standard and how much the consultancy will cost them since they've pushed all their infosec guys and gals into retirement or the private sector through shit money and worse conditions.

  19. Bitsminer

    "...bespoke legislation..."

    The laugh of the day.
