back to article The UK loves cybersecurity so much, it's going to regulate managed service providers' infosec practices in law

The British government has vowed to create a legally binding cybersecurity framework for managed service providers (MSPs) – and if you want to tell gov.UK what you think, you've only got a few weeks to act. The supply chain review comes in the wake of high-profile events like the SolarWinds compromise and a 2018 APT campaign …

  1. Mishak

    Back doors?

    Any bets that back doors* "for your own good" / "to protect the children" will come up at some point?

    * You know, just so the security services can make sure the provider is complying. Never, never to be used for interception.

  2. 2+2=5 Silver badge
    Joke

    Digital Defence Officer

    I wonder if the legislation will propose the introduction of a Digital Defence Officer in the same way that GDPR legislation required the appointment of a Data Protection Officer?

    The Digital Defence Officer (or DiDO) would be responsible for persuing the sophisticated international criminal gang 15-year old Welsh schoolboy responsible for the intrusions at your organisation.

    1. telecine

      Re: Digital Defence Officer

      DilDO perhaps

      1. Eclectic Man Silver badge
        Joke

        Re: Digital Defence Officer

        Well, Baroness Harding might need a new job soon, as privatised Test and Trace is doing soooooo well.

    2. Shadow Systems

      Re: Digital Defence Officer

      I heard "digital infrastructure minister" & realized that they were publicly acknowledging that the person was in fact paid to be dim!

      I'll get my coat, it's the one with the pockets full of dim bulbs...

    3. Anonymous Coward
      Anonymous Coward

      Re: Digital Defence Officer

      The government will also need to provide a role to communicate with office holder called the Digital Liaison Defense officer.....

  3. amanfromMars 1 Silver badge

    Some internetworking cybersecurity providers be blissfully ignorant of .gov concerns, therefore ..

    Targeted at managed service providers and firms outsourcing their digital infrastructure services alike, ....

    Until and unless there be an onus on governments to also inform and directly contact and engage with such managed cybersecurity services as may be of myriad particular and peculiar interests and/or concern to them, will any worries they may have in the field be likely to exist and persist. I suggest that a provision be allocated to mitigate and/or negate that certain risk.

    And don't forget that there may be cases which require the payment of significant compensation for loss of earnings because of other parties concerns regarding ones service provision to A.N.Others.

  4. Eclectic Man Silver badge

    Insider attacks

    Currently the Met Police is investigating possibly unjustified access to details of the murder investigation of Sarah Everard:

    https://www.bbc.co.uk/news/uk-england-london-57146622

    "Dozens of officers and staff are being investigated for looking up details of the Sarah Everard case on the police computer system, the Met has said.

    The 33-year-old marketing executive vanished as she walked home in Clapham, south London, on 3 March. Her body was found a week later in Kent woodland.

    The Met's Directorate of Professional Standards is set to question staff who accessed files on the case.

    Doing so "without a purpose" could be a criminal offence, the force said."

    It will be interesting to see what comes of the consultation, and any attempts to change the current law.

  5. Mike 137 Silver badge

    Two major omissions

    The consultation document omits two fundamentally important considerations:

    [1] how to address a prevalent culture that places security low on the corporate agenda until an accident occurs;

    [2] whether the expertise exists (or can be cultivated) within organisations to enable them to judge correctly what measures are "appropriate" or "sufficient" to protect them.

    In my long experience, the security budget is usually a sub-element of the IT budget and security is viewed exclusively as a technology issue, whereas the overwhelming majority of data breaches result from management failures - the technical aspects being only secondary. Consequently, security provisioning does not typically address root causes, merely the specifics of consequential events as they are encountered. Even international standards (which represent current common practice) exhibit this technocentric bias, so there is a huge and hazardous gap in the vision of not only businesses but the community of security professionals as well.

    This blinkered approach is typified in the software domain, where it is assumed that patching dominates over insisting on adequately engineered code. Until all of us abandon this fallacious technocentric assumption about the nature of security and insecurity, no standards or regulations will make a tuppeny hoot's difference to the appallingly fragile infrastructures we rely on , not only for mission critical, but increasingly for life critical services.

    1. Anonymous Coward
      Anonymous Coward

      Re: Two major omissions

      @Mike_137

      *

      Quote: "....the appallingly fragile infrastructures we rely on...."

      *

      Actually.......three major omissions........

      *

      Of course, the NSA and GCHQ (and other Five Eyes participants) are very happy to see these "fragile infrastructures". So one person's "fragile infrastructure" is another spook's opportunity!!!

      *

      Just saying!

    2. HildyJ Silver badge
      Boffin

      Re: Two major omissions

      One other thing missing is mandatory reporting of all cybersecuriy incidents, both to the government and the customers potentially affected. I would add to the public as well.

    3. tfewster Silver badge
      Facepalm

      Re: Two major omissions

      For [1], in theory it starts at the top with Directors duties to "Promote the success of the company" and "Exercise reasonable care, skill and diligence".

      In practice - You don't often hear about Directors taking the responsibility ;-)

  6. tip pc Silver badge

    Technology develops faster than laws

    Any new specific law risks being outdated by the time it’s become law.

    It’s best to legislate based on clear intent, yes that leaves room for debate in some circumstances but if something is serious enough to go to court then it’s right and proper for it to be properly examined, debated by peers and judged.

    An infosec angel with a gazillion years of unblemished experience can still do 1 thing wrong which still needs to be given the same due process as an absolute tyrant doing the same thing would get.

    Justice should be blind.

    1. amanfromMars 1 Silver badge

      Re: Technology develops faster than laws and leads fast cash with flash crashes

      You have revealed and realised both the problem and the opportunity in those observations, tip pc.

      The astute advanced ACTive infosec angel and hellish virtually cloaked daemon alike are many small steps and giant quantum leaps ahead and way beyond any clutching reach of the deaf, dumb and blind laws of human justice.

      And if the truth be told to Humanity, their present extant SCADA Administrations Systems fear they know that to be easily demonstrably true too, whilst they can only fiddle and fiddle about as if in command and control of a titanic novel, state of the art unsinkable, and too big to fail ship, as all thought worthy by A.N.Others of being burned and razed to the ground and turned to so much cosmic dust and new history, is practically autonomously and relatively anonymously performed around them.

      Rome wasn't built in a day, they say, but its empire collapsed in a series of 0days it never saw coming. Such though is just the natural way of all internetworking things.

  7. Will Godfrey Silver badge
    Facepalm

    A govenrment er... initiative

    What could possibly go wrong?

    1. amanfromMars 1 Silver badge
      Pirate

      Re: A govenrment er... initiative

      What could possibly go wrong? .... Will Godfrey

      Governments have no direct effective powers in the virtual communications spaces of internetworking world wide webs where a this shared here, is a that which is missing delivered elsewhere to someone else, and together are they something new altogether different never even imagined as being possible and easily realised for employment and enjoyment/deployment in AI APPlications, wherever they are trailed and trialed.

      For things not to go catastrophically wrong for them, do the wiser of governments direct and invent funding streams and justifications for publicly financed private spending on Ethereal SMARTR Projects with Advanced IntelAIgent ProgramMING ........ they recreate and again utilise that old stalwart of fiat currency magic which is always available with the seeding and feeding and resting of secretive vital national security interest slush funds in accounts which can be personally and privately and publicly used to demonstrate progress in Leading Driver Programs/AIMaster Piloted Projects.

      It is the only thing they need to do in order to guarantee future success, and it doesn't do their own future prospects any great harm either, rather than endure suffering and taste the bitterness of defeat, because of a failure to do what they can so easily do without any direct peering oversight because of vital national security interests, are they practically decimated and virtually destroyed by competition more able and agile in the field.

      That's what happens whenever they get that simple task wrong, Will Godfrey ....... and they be thoroughly deserving of it whenever it be so worthy a Being in their Gift, Gratefully and Graciously Indebted with Sublime and Surreal Award of Just Reward for Excellence to Excess.

      What do you rate their chances of getting things right, for a change, whenever the possibility of everything going wrong is always so strong in systems stuck with maintaining the past and its failures rather than celebrating in and providing for what the future holds in store?

      cc ... the MOD re AWEsome Existential Experimentation

  8. Anonymous Coward
    Anonymous Coward

    Mmmm! I thought the data owner was accountable, not the supplier of the infrastucture.

    When will we learn that suppliers will supply what they are paid to supply. If the data owner has no budget then the security features provided are likely to be low budget.

    Its a business!!!!!!

    A better idea would be to license the corporate use of the Internet for e-commerce and advertising, requiring data owners to prove they have engaged an acceptable level of service from a supplier.

  9. Anonymous Coward
    Anonymous Coward

    Honestly this is the government who ran a secure track and trace on excel 95 and failed to protect the data.

    Surely this should be the CEO should be held accountable for due diligence and due care and not the MSP who lets face do it for a price, if this were to be added to them as responsible then the cost of providing the service would increase and make it non-viable for the company.

    If this was more like the software maker was held to account to check their code before release i.e. Solar Winds then as a responsible companies they would take the burden to prove it is safe but this where is falls down as the it's safe could be proven in a controlled environment but out in the real world with everyone having different setups - not going to happen.

    Standardising would be the biggest win for the threat actors.

  10. s_simp
    Thumb Up

    Department of Justice Lions Operating System... More like Pussy Cats.

    It's no doubt slowly working it's way through the legislation - that the reason Russia has VLIW CPU's & RISC & VLIW computing is because it's then combined to produce one of the worlds finest & hardest & highest secure rated classifications and military pieces of security hardware on the planet which is public software called the UNIX Specification. Worth thinking about when your busy slandering the Russians and the Chinese accusing them of being rotters. Yes that Open Source bumph is actually the social party & general public's intellectual property and serves only one purpose. Turning a persons computer literally into FORT KNOX because it's part of an advanced Missile Defence Platform & Industrial firewall, like the IRON DOME or the S-400 Triumph designed to withstand attack.

    A great triumph as you can deduce for the US putting Intel Pentium chips in it I see, with little of no regard as to why programmers all use RISC & VLIW instructions to secure there machine and create what's called a BASTION HOST in the first place but certainly a wonderful Job at ticking everybody else all off in the process!

    Enjoy looking at those pictures of Secure Computing & Elbrus Chips - because you'll be grovelling for them later & gushing with apology, wanting to distance yourself from American Technology!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021