Not only MSPs: All cloudy firms are in line for UK security law crackdown

A government crackdown on British MSPs' security practices is drawing ever closer after the Department for Digital, Culture, Media and Sport (DCMS) floated plans to make Cyber Assessment Framework compliance mandatory. Digital Minister Julia Lopez said in a canned statement: "We are taking the next steps in our mission to help …

  1. wolfetone Silver badge
    Coat

    "A government crackdown on British MSPs' security practices is drawing ever closer"

    What have the Manic Street Preachers done to deserve that?

    1. Anonymous Coward
      Anonymous Coward

      no no... the Scottish Parliament...

    2. monty75

      If you tolerate this, your children will be next

  2. Anonymous Coward
    Anonymous Coward

    "difficult to obtain the necessary cyber security assurance from providers who are reluctant to provide information on their cyber security measures or standards they adhere to"

    erm... if they claim to support cyber security then surely they should be able to say (and show) whose standards they are working to.

    If I set myself up as 'Harry's Burglar Alarms' then I should be expected to show I'm a member of the Burglar Alarms Trade Guild and that my team are trained to BATG and relevant BS standards, otherwise trade will go elsewhere

    1. martyn.hare
      Facepalm

      Many security standards are broken anyway

      Cyber Essentials Plus includes a vulnerability assessment which only cares about High or Critical rated vulnerabilities and the targets scanned only have to include those where end users log into them interactively. So you can have an unpatched domain controller which results in the next big WannaCry-style incident and still be certified as compliant by your assessor. Or even worse, you can patch your stuff but use HTTP with plain authentication or have a PPTP VPN without PEAP to secure the authentication packets and be fine for both self assessment and verification! Heck, feel free to NOT use full disk encryption while you’re at it!

      But if you dare to have Windows Insider Preview on any of your computers you will fail, as it doesn’t meet the criteria of being supported by the software vendor, preventing IT from getting clued up about what’s around the corner in a meaningful way.

  3. bronskimac

    It took to the third paragraph for me to figure out that it wasn't Members of the Scottish Parliament (MSPs) being singled out.

  4. Anonymous Coward
    Anonymous Coward

    .....more misinformation.......

    .....along the lines of "LOOK....WE ARE DOING SOMETHING!!!"

    *

    So-called "certification" won't stop things like the Equifax hack....or the SolarWinds farrago....or the torrent of ransomware incidents......or government actions to export medical records (see below).

    *

    On the same misinformation trail is the ongoing joke called GDPR......"LOOK.....YOUR PERSONAL INFORMATION IS SAFE!!!"

    *

    Sad to say, but Scott McNealy got it absolutely right (in 1999): https://www.wired.com/1999/01/sun-on-privacy-get-over-it/

    *

    And today the UK government is in bed with people like Peter Thiel: https://www.bloomberg.com/features/2018-palantir-peter-thiel/

    *

    Quote: "We are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses' digital footprint and protect their sensitive data."

    .....and at the same time the government is planning to turn over 60 million individual UK medical records to someone like Peter Thiel!!! Talk about facing both ways at once!! Does the word "hypocrisy" come to mind???

  5. Eclectic Man Silver badge

    I remember

    when a Cabinet Minister stood up in the House of Commons and announced that all government departments would be certified to BS7799 / ISO 17799 / ISO 27001.

    Happy days.

    Then I went to HMRC and discovered that they had 24 (twenty-four) 'key' systems, and they wanted to know how to get ISO certification for them all. Then the Chancellor announced that HMRC would not, in fact, become 'certified'.

    Hello, Good Intentions, can I introduce you to Reality?

    ;o)

  6. Doctor Syntax Silver badge

    Expect to find mandated back doors for spooks and your local council.

  7. Ian Mason

    I am so pleased that the government, that is clearly world-leading in the arena of setting computer standards, and consummate at delivering computer systems that are on-time, on-budget and hugely successful, is going to create mandatory frameworks that we will all have to use and pay for - NOT!

    If they go down this route there is a genuine risk that after you've paid all the various ministers' mates' companies for your audits, certifications, mandatory training and so on, there won't be any money left in the budget to pay for any actual security.

    1. stiine Silver badge
      Coffee/keyboard

      Even if you use a registered auditor, judging by past events, even the auditors aren't to be trusted.

  8. Anonymous Coward
    FAIL

    Certifications

    Certifications aren't worth the paper they're printed on ($164 per ton or about $0.0008 per sheet in September).

    This is a poster child for a paper tiger.

    Without the teeth of penalties it does nothing but enrich the consultants who arr writing it.

    1. Anonymous Coward
      Childcatcher

      Re: Certifications

      "the consultants who arr writing it."

      Pirates the lot of them - us lot.

      Cyber Essentials is quite a decent standard, short and to the point and relatively easy to understand. It is self-cert though but if you claim it and crap out then you will have real snags in a court. CE+ is again quite easy to follow but needs a bit more discipline and is externally evaluated.

      CE is a great first start to aim for now with CE+ about two to five years later for any org of any size.

      If you own a (UK) business, please get CE accredited and mean it (a bit). It's not hard and doesn't cost the earth.

  9. Anonymous Coward
    Anonymous Coward

    NSCS: "security, we've heard of it"

    > "appears to mean MSPs and other cloud service providers will have to comply with the NCSC-backed Cyber Assessment Framework (CAF)".

    This would be the same NCSC whose website only displays a blank page with just "You need to enable JavaScript to run this app." when you try and view any of its pages with JavaScript disabled? On whose website you cannot even view either their Privacy Notice or Cookie Policy without JavaScript enabled? (Where the Privacy Notice therefore cannot inform you in advance of any processing actions that may have privacy implications, if the JavaScript you actually need to enable in order to see the Privacy Notice may already have performed those processing actions.)

    As security "professionals" you would expect that the majority of their website would either consist completely of static pages or make only sparing use of JavaScript to "enhance" the pages.

    Is there any way to see their "standards" documents without enabling JavaScript?

    I did find a link to a "Cyber Essentials Requirements for IT Infrastructure" PDF document and a 3rd party IASME Cyber Essentials Self-Assessment Preparation Booklet. From looking at that preparation booklet some of the questions don't seem to relate well to the Linux world, e.g. regarding their questions around updates/auto-updates of applications I'm not sure what they'd make of answers like "the applications run as read-only Docker containers, so a new version of the container is built using the newer version of the application, the old container is stopped and the new one is started".

  10. Santa from Exeter
    FAIL

    CE+ No thank you

    CE+ is an absolute joke.

    It's squarely aimed at Small Enterprise where the 'Security Team' is also the tea maker.

    Working for a reasonably sized endeavour, where we have separate Networks and Platforms Teams, we *really* don't need it explaining to us that our "BT Home Hub is a router".

    Additionally, the definition of 'supported software' used is complete bollocks, as apparently RHEL6 is unsupported, even if you can provide evidence that you have bought the Extended support package!

    Load of old Crap
