A coherent Labour cyber strategy depends on consistency


Following a string of domestic cyber security incidents – from attacks on NHS suppliers, to the Ministry of Defence and the British Library – all eyes are on Sir Keir Starmer’s new government to make a positive impact on major cyber defences.

Although it is likely too early to declare concrete policy changes, Labour will have little patience from UK businesses. Many will want to see the government’s manifesto pledges regarding the rising threat from hostile states and the need for counter-terrorism strategies, turn into action. Industry bodies, such as The Chartered Institute for IT (BCS), have already called for the government to prioritise new legislation to protect the UK from attacks.

That said, we’ve had some indication of Labour’s intentions. The Cyber Security and Resilience (CSR) Bill, and the Digital Information and Smart Data (DISD) Bill were introduced in the King’s Speech, although they lacked significant detail. Particularly concerning was a lack of recognition of digital identity security and how this can help the UK keep pace with today’s evolving security challenges.

Consistency will be key to the delivery of a successful cyber policy, whether that’s alignment between new Bills or with the regulatory regimes of EU neighbours.

Labour’s current plans for cyber security

Among the 40 Bills announced during the King’s Speech were the CSR, and DISD Bills. Their introduction was timely and portrayed a commitment to cyber security by the new government, although the details were patchy at best. For example, the DISD Bill seeks to set up a regulatory framework for digital identities, but the CSR Bill fails to mention digital identity as a consideration for its cyber security strategy. This suggests an inconsistent approach to digital identity and cyber security more broadly. Given that 80% of breaches involve compromised or abused privileged identity credentials, Labour must acknowledge digital identity in its strategy to strengthen the UK’s cyber security.

Currently, the CSR Bill expands on how regulation can protect digital services and supply chains, strengthening powers for regulators and mandating increased incident reporting. It’s a step in the right direction, but there was also a noticeable lack of detail in the initial proposals.

One omission, as mentioned, was the recognition of digital identity security. In 2024, poorly managed credentials were the second-leading cause of breaches, while 90% of organisations have experienced at least one identity-related incident in the past year. To add to the matter, AI tools are further enabling the rise of identity-related fraud, enabling amateur criminals to mass-produce increasingly sophisticated synthetic attacks on demand. Our own data has shown that deepfakes soared 3000% last year, while digital forgeries were up 18%.

Although the DISD Bill provided some reassurance that the government is committed to digital identity innovation and promoting secure digital identity documents (ID) throughout the UK, it’s the lack of consistency across both Bills that is concerning. On the one hand, digital identity provides better protection against fraud – especially as the quality of deepfakes and fraudulent documents are improving with the use of AI – but, on the other, it hasn’t been referenced as a cyber security consideration in the CSR Bill. 

Moving forward, the new government must acknowledge that enabling secure digital identity verification and cyber security protection go hand-in-hand. Alongside this, Labour must continue to iterate and improve the UK Digital ID and Attributes Trust Framework (DIATF), so that it continues to provide an effective trust framework for UK identity verification providers and those who rely upon their services.

Importance of global alignment

While it’s vital for the UK to have its own set of cyber security legislations, we now live in an increasingly globalised and interconnected world. Adherence to globally recognised standards and alignment with other regulatory regimes will drive the success of this defensive cyber technology in the UK and beyond.

For instance, when it comes to the DISD Bill, Keir Starmer’s government must take the proposed European Digital Identity regulation into account to ensure that the UK’s digital identity systems are compatible with those in Europe. This compatibility is essential for facilitating cross-border activities for UK businesses and citizens. Similarly for the CSR Bill, alignment with the EU’s Digital Operations Resilience Act (DORA) is necessary to reduce additional compliance burdens on UK businesses and to establish a common level of security and trust.

Indeed, one of  Labour’s great strengths is the ability to make pragmatic, non-political choices about how to work with effective regimes already in place across Europe, to reduce friction for British business.

So what’s next?

Technology sits at the very heart of society, meaning cyber security challenges aren’t going anywhere. To that end, governments and the wider industry have a shared interest and responsibility to face these threats together.

For the CSR and DISD Bills to succeed, the new Labour government must ensure they are consistent, or risk a cyber strategy that is not unified. Leaning on the expertise of the UK’s private tech sector, and the experiences of those using these services, can support their efficacy and uptake. By engaging with industry, the government can better understand the practical challenges and opportunities in implementing robust cyber security measures – for businesses and users of digital services.

But Labour must also consider a unified and coordinated approach with the EU to safeguard the UK’s digital future. The introduction of the CSR and DISD Bills mark a step forward, but their success may well depend on how well the government can align these initiatives with broader international standards and industry needs.

Aled Lloyd Owen is global policy director at Onfido, where he leads on strategic policy to ensure the organisation remains at the cutting edge of developments in identity verification, AI, regulation and compliance. A former civil servant with a career spanning the Home Office, Cabinet Office, Foreign and Commonwealth Office and UK Health Security Agency, he also sits as an advisory board member on the All Party Parliamentary Group on AI, and is a fellow of the Royal Society of Arts.



Source link