The attacks were only disclosed to the government on a voluntary basis, despite the reporting laws, according to a story revealed today by Sky News.
It is thought the reason for this is that the thresholds set for the mandatory reporting of cyber incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, that few, if any, incidents are actually being reported to the government.
A law introduced three years ago was intended to boost Britain's ability to defend itself from foreign states and criminal hackers by obliging critical infrastructure organisations to report such cybercrime incidents.
High reporting thresholds in the sector based on service continuity
However, as the thresholds set for reporting incidents across the energy, transport, health, water, and digital infrastructure sectors are so high, this means no reports are being made under the legislation.
The thresholds are based on the impact hackers have on the continuity of service. For instance, in water and energy supply, or freight movement, but this continuity isn't an indication of the sectors' security capabilities, only of the hackers' activity once inside the network.
The nature of an implant within a computer system means that it can be used both for spying on the system's workings and to potentially disrupt them, but up until the moment of disruption the fact an organisation has been hacked wouldn't meet the threshold for reporting.
Risk of ill and under informed security
The lack of reports being made under Britain's mandatory reporting laws risks leaving government departments under-informed about their sectors' security outside these voluntary disclosures. This means they potentially do not cover the full range of hostile activities taking place.
In response to a request made under the Freedom of Information Act, the Department for Transport (DfT) confirmed that it received nine voluntary disclosures about cyber incidents in the past three years.
The department in the FOI response said that none of these disclosures "relate to reportable incidents as required under the Network and Information Systems (NIS) Regulations 2018". At the time of reporting, a spokesperson for DfT declined to comment.
Earlier this year, it was also reported that the same mandatory reporting regulations hadn’t resulted in a single report from the gas and electricity sectors, despite the government stating Russian hackers had successfully breached the computer networks of the UK's energy grids, but without disrupting them.