So how does this work if you're a regular bounty contributor but not working for peanuts for a professional organisation? Will they insist on some of those ridiculously expensive box-ticking certs?
Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade. Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – …
Tuesday 25th January 2022 10:41 GMT Al fazed
The legal/justice industry has taken a similar step recently. Which means as you guessed, in order to continue providing Advocacy for disadvantaged and disabled people, I now need to be a legal professional of some qualification first. So it looks like the end of disadvantaged people having an Advocate with them when they are being grilled by DWP, or the Housing Benefit people, or those very nice Personal Independence Payments Assessors.
Maybe it is time to get me coat ........
Wednesday 26th January 2022 13:53 GMT sten2012
Wednesday 26th January 2022 15:41 GMT Valeyard
Ah, I'm very careful in that regard; I only hunt from programs either with an open invitation or where I've been explicitly invited on a bounty platform.
No point doing the work if there isn't a 100% chance there'll be a process and an agreement for payment laid out at the outset.
The chancers that do otherwise and target random companies usually threaten blackmail within 3 steps of the email chain, so I don't want to introduce myself to that annoyed company contact who, more often than not, is probably correct to assume bad intent.
Tuesday 25th January 2022 10:22 GMT fnusnu
Tuesday 25th January 2022 10:28 GMT Anonymous Coward
Probably not a bad idea
Some sort of relevant recognised accreditation would be good for those in the industry.
Better still if it wasn't some sort of pyramid scheme like IISSCC run...
I guess though the trouble is that "security" encompasses many many different specialities. We'll either end up with the shallow depth of CISSP or something so multi domain that nobody will ever want to try to learn all of it. It probably needs a modular approach with certs for particular domains.
The one fear of course is not the quality of the piece of paper nor whether it costs time and large amounts of money to "maintain" it but that you could be struck off...
Struck off for what? Your network gets penetrated? (highly likely even if you are "good") You are found with hax0r tools? You get a speeding ticket?
Tuesday 25th January 2022 10:54 GMT Roger Greenwood
Re: Probably not a bad idea
It's unlikely you will be struck off as long as you keep paying the fees. After all, those folks who wrapped buildings in flammable plastic for decades still seem to be doing OK. Some of them must have belonged to a professional body, not heard of any being struck off yet. Even doctors and nurses have to be REALLY bad before that happens.
Tuesday 25th January 2022 13:02 GMT Anonymous Coward
Tuesday 25th January 2022 15:21 GMT Anonymous Coward
Re: Probably not a bad idea
It's a certificate scam, in that the more people get their cert, the more demand there is for certified people. The certs however don't mean you know crap, just that you are good at remembering pages from a book for a test. Not that someone is skilled in IT. It's like making a new god: the more that support it, the more people want it.
Tuesday 25th January 2022 13:30 GMT Anonymous Coward
Re: Probably not a bad idea
It is a good idea, but maybe start by enforcing standards. Even basic 27001 with all controls would improve security 10-fold.
Some orgs have no standards and certainly no outside governance.
Imagine a surgeon using computer aided tech maintained by a graduate with no experience or qualifications.
Would you want to fly in a plane if the pilot was not qualified? Or fly in a plane that uses autopilot tested by unqualified engineers?
IT is in our lives, which presents a risk to our lives. I would like to think there is at least some governance of competency and standards.
Tuesday 25th January 2022 14:35 GMT Ben Tasker
Re: Probably not a bad idea
> IT is in our lives, which presents a risk to our lives. I would like to think there is at least some governance of competency and standards.
The problem is, taken to its extreme, this might well result in a reduction in security.
There are lots and lots of little issues that get reported to companies by independent researchers - none on their own are particularly ground breaking, but each of those reports helps fix products/systems in little ways.
If we consider two points together
- Those independent researchers don't generally bring in much in the way of bounty money, so they're not going to be up for paying fees of a professional organisation.
- The Govt has already hinted that they'd like to tie this to CMA protections, so in effect, if you haven't paid your fee you could end up being prosecuted (not unlike someone practising medicine without paying their dues to the GMC).
it's hard not to reach the conclusion that more than a few of those researchers just won't bother any more.
Bigger companies might have some "certified" people on-board, but there's plenty that slips past in-house teams (it's just the nature of the beast).
This is no less dumb an idea than the idea ages back (christ, it has been a while) to require a license to possess "hacking tools" (which ended up encompassing Perl, if you read it literally enough).
What's actually happened is the UKCSC has failed in one of its core missions: driving engagement. They've failed to win the trust of organisations and professionals. Rather than doing that hard work of investigating why, and how to do better, they're instead pushing for legislative capture as a "quick fix".
Tuesday 25th January 2022 11:45 GMT Dante Alighieri
GMC : a warning
Perhaps a look at the history of the GMC would help.
It started as an independent professional body, concerned with standards and issues of its members, and charging fees to the membership to help maintain itself as an independent regulator.
Fast forward a few decades...
It is now an arm of government with no input from the members as to its composition or policies - it even pays for private medical cover for its employees despite having some oversight of the provision of public healthcare.
The fee is now outrageous - it is a stealth tax on the profession which has no option but to be registered to practice. You even have to pay a release fee at the end of your career to come off the register. As a government body it should be paid out of general taxation.
The record on fairness, pre-determined decisions, protected characteristics (race, religion, gender, age) is open to the public.
Those following my previous posts will already know I am in the trade. And have just had the annual bill.
Wednesday 26th January 2022 04:42 GMT Secondrule
And lets not forget the NMC
The Nursing Medical Council.
Exorbitant yearly fees just to wipe arses and put hands into chests to keep fat, old blokes who smoke too much, drink too much and dodge salads, alive for another year until their fatberg heart gets replaced.
In the long list of ideas, this is as ridiculous as the Betamax!!
Wednesday 26th January 2022 11:45 GMT Cederic
Wednesday 26th January 2022 18:38 GMT Dante Alighieri
Re: GMC : a warning
Just don't pay - you are then kept on the register in *bad standing* and *not licenced to practice* (like 99% of UK public). It will save me >£500 in a few years.
ICO still not acting on removing details - it is a list of those WITH a licence and any restrictions that are currently in place.
Tuesday 25th January 2022 11:49 GMT Howard Sway
security specialists could be struck off or barred from working
Great idea, that'll really attract more people into the job, knowing that they could permanently lose their livelihood if some flaky software or configuration option has an unknown flaw and gets exploited whilst they're in the hotseat, and a blame game ensues rather than a mitigation response and subsequent review.
The route to being a qualified doctor takes about 10 years of study and practice, and has been developed for over a century. That's why the process of being struck off is so thorough and serious. I can imagine the process for being a certified security specialist will probably be some online multiple choice tests, like some other certifications I have had in the past. The two professions just aren't comparable, and I could certainly see a lot of people looking at all the bureaucracy, inflexibility and risk it will bring and think "hmmm, maybe I should just go back to being a sysadmin or programmer".
Tuesday 25th January 2022 15:47 GMT amanfromMars 1
Blissful Ignorance is No Viable Noble Base for ProACTive Novel Progress.
As long as the UKCSC, MIC* and .gov wonks stay well clear of any notion that would have them thinking to bar competent security specialists from working with any universal entity of the specialists' choosing, they should be quite safe and secure from any resultant unpleasantness much worse than anything akin to a right royal old Etonian boys mess.
And one prime way of avoiding such a conflict is not to be so backward in coming forward to positively engage with that and/or those they may quite rightly be quite wrongly concerned about. Such does though require some of those phantom official gatekeepers to practise more competently some of their quantum leaping skills, should they have any, for they aint going anywhere special and beneficial to them without falling off/jumping over that particular fence and into right proper virgin fields of investigation and exploration/exploitation and monetisation/powerful command and almighty control.
* ... Military Industrial Complexes
Tuesday 25th January 2022 17:51 GMT amanfromMars 1
Forewarned is forearmed .... and the smartest freely available option is to take good heed.
There be new kids on the block who aint skiddies or anything like any other hoods in the environment. And they’re flying high, far and wide and real deep down into the nitty gritty of what everything is about. Don’t misunderestimate either them or overestimate anyone else’s ability to mitigate their facility and utility. Such would be a fabulous folly all would just love to regret and forget.
amanfromMars  ...... commenting on an enigmatic prime dilemma on https://www.nationaldefensemagazine.org/articles/2022/1/25/pentagon-shakes-up-ai-digital-bureaucracies
Pick the right soul for the job, and they will have no problem at all with Congress, which will be only too pleased to provide for what they are advised is needed for the role in order to ensure all of the vital and viral practical and virtual jobs get well done. It should not be misunderestimated that the survival of Congress can also be at stake if they are not as one in offering unhindered timely full support to the right candidate demonstrating unprecedented successes with novel deployments in all the major influential theatres of universal engagement and pan-global power, for such unwarranted resistance may be gravely regarded .
IT’s getting busy out there in the infinite vastness of cyber space but I wouldn’t say it’s getting crowded whenever there be so many colossal vacant places in which to perform practical miracles and virtually play ... and vice versa.
Oh dear, a dumb downvote for "Blissful Ignorance is No Viable Noble Base for ProACTive Novel Progress."? How very unproductive and unhelpful is that.
Wednesday 26th January 2022 05:10 GMT Allan George Dyer
Re: Forewarned is forearmed .... and the smartest freely available option is to take good heed.
When did amanfromMars 1 start replying to their own comments, and adding links to previous comments? This could be the next step towards the Singularity!
OTOH, could we get amanfromMars to respond to the consultation document? That could keep them tied up for years.
Tuesday 25th January 2022 17:39 GMT Anonymous Coward
This government is so transparent! I suspect this is part of the previously reported campaign to end encryption: https://www.theregister.com/2022/01/20/no_place_hide_campaign_anti_e2ee_ukgov/
Let's put together a government database of everyone that knows anything about security, encryption, and such things. Now let's make it so that we can prevent them getting employment, earning a living, feeding their children. What could possibly go wrong...
The bit about legal protection is a particularly devious ploy.
I wouldn't recommend anyone publicly admitting any knowledge of encryption going forward. That might soon be enough to get you a polonium-laced tea service courtesy MI5 and Saatchi & Saatchi.
a Spluttering Curmudgeon
Tuesday 25th January 2022 18:28 GMT Eclectic Man
The new system
A medical doctor takes 7+ years of training before being allowed out on their own*. This is a serious amount of study. OK so computer security is nowhere near as complicated as the human body, but the career of IT (or Information) security specialist is also several distinct disciplines - setting up firewalls and designing network topologies is different to cryptography, different to Disaster Recovery / Business Continuity Planning, different to GDPR / Personal Information Security and ethics, etc. If people are expected to be managed by something similar to the GMC, with examinations and a disciplinary process backed by law, then this is a serious investment in time and money. And frankly, I reckon that most people who become medical doctors know before they start, whereas most people who go into Information Security go there after entering the IT world (I did).
When the now defunct CESG Listed Advisors Scheme (CLAS) started, all you needed was a history of working on HMG secure systems and contracts. Then it morphed into something more formal where you had to state your level of competence in several different areas of InfoSec and have experience of them each year. Then you had to 'keep up' your experience each year. It became impossible for most people who, for example, worked on bids for HMG contracts, to demonstrate experience of coping with malware infestations, or utilising BCP / DR plans. So people could not maintain the senior level and eventually dropped out of CLAS entirely, despite being actually very good at their jobs.
If it is to be based on the GMC, the 'profession' of InfoSec needs something like a GP - General Practitioner, as well as the specialists. I am a doctor - Ph.D. in Mathematical Logic (small infinite numbers, if you must know)**. I was lucky and my Ph.D. took only 3 years, but show me a Fourier transform and I'm lost. Likewise, there needs to be a distinction between expertise in the specialists and the general expertise of consultants in InfoSec, and you shouldn't need to be a world level expert in any area to be considered an adequate consultant. This requires careful and sensible thought, but I have to say that the history of the organisations trying to manage this does not inspire me with much confidence.
** Representations of countable ordinals with recursive arithmetic functions starting with the least alpha such that w (little omega, the ordinal of the natural numbers) to the power alpha = alpha (think of alpha as the limit of the sequence of w, w to the w, then w to that power, etc. You 'end up' with an infinite stack of w's.)
Wednesday 26th January 2022 11:23 GMT sten2012
Re: The new system
10 years in one small subset of computer security, after a 3 year (only bachelors) degree, and 10 further years of self taught learning, and there's still far more about that one specific area that I don't know than I do.
I don't see it as that different to other professions, at all.
Wednesday 26th January 2022 13:06 GMT that one in the corner
Re: The new system
> computer security is nowhere near as complicated as the human body
At least the human body isn't changing every few months and you can generally rely on finding the same parts at the same locations (maybe some bits missing) all made of the same materials as in the next patient. Version changes are quite predictable over time (puberty).
Wednesday 26th January 2022 19:52 GMT Dante Alighieri
Well, we've found some "new" glands recently in the head and neck thanks to PET scans.
And while the anatomy may not change much, the treatment options and our understanding of disease processes accelerates in change.
All medical text books are out of date on the day they are published, and almost none are valid after 5 years. Even our approach to anatomy is changing in the principles and methods of learning and relevancy to new (last 40 years) scanning.
Gastric ulcers used to have surgery to cure them. Now it is triple therapy with antibiotics. And the man who filed the CVE was laughed at. But only for a while. Awards followed.
The current groupthink always has to change.
Tuesday 25th January 2022 22:01 GMT bazza
Wednesday 26th January 2022 00:28 GMT AdamWill
Wednesday 26th January 2022 14:13 GMT that one in the corner
There are plenty of medical procedures you can perform without needing to be GMC registered - everything in the First Aider's course for starters - and including sticking people with needles.
What counts as First Aid level for security? Something easy that anyone can learn that will help patch up a simple hole, such as running a port scan? Somehow, that doesn't seem likely.
The comparison to the GMC is ridiculous. My wife, the doctor, was not impressed.
Wednesday 26th January 2022 19:58 GMT Dante Alighieri
As long as you do not call yourself a doctor or surgeon (technically registered medical practitioner) you can do what you like to any human with their consent (cannibalism not so much) re operations or procedures. You would be responsible for the outcomes in law.
Except ear piercing, where you have to be registered. There's a law for that (other piercings not covered!).
Touch an animal if you are not a registered vet - you are in trouble!
Icon for the absence of protections for humans that animals have...
Thursday 27th January 2022 16:34 GMT tiggity
"Touch an animal if you are not a registered vet - you are in trouble!"
Might have changed, a long time since I worked in labs, but when I did some of my (non vet) colleagues who worked with animals (I didn't) had various animal handling qualifications that allowed them to do lots of things to animals.
An actual vet had to accredit the procedures for health & welfare - animals get appropriate care etc. But some non vet researchers (with suitable certification) would perform experimental practices that were essentially procedures you would normally expect a vet to do. Admittedly a niche area, but some people can do vet style work.
Sunday 30th January 2022 22:29 GMT Dante Alighieri
Mea culpa, I was considering procedures on animals with a treatment effect intended and had forgotten about licensed research scenarios such as you describe.
You are absolutely correct.
Similar arrangement would cover abattoirs too. Thanks for the reminder.
have one on me =>
Thursday 27th January 2022 16:44 GMT MrReynolds2U
Unfortunately it appears it is too late to stop them using the word "cyber" like it's the Emperor's New Clothes. This all started out as marketing and is an excuse for vast sums to be spent with only the appearance of security. Most "cyber" types I've come across are clueless idiots spouting buzzwords. Just the introduction on the consultation page in the article uses the term over 200 times.
So while defined qualifications / accreditation is an idea, it could end up restricting those who actually know what they are doing vs those who know how to pass an exam. For a related example, just think about the number of people who were walking around with MCSEs or Cisco qualifications after a 2 week course that had no actual experience.
Nobody is denying we are facing huge InfoSec problems, but I think standards setting for optional qualifications is a better plan, and this allows those in the field to fill their knowledge gaps without just putting a bunch of "qualified" imbeciles to work. You can't know everything in IT or even just InfoSec, but being better educated in specialist areas so you can work with other knowledgeable professionals is a viable way to go forward.
I'll be responding when I can make a coherent argument other than "just f**k off" and I encourage us all to do the same. Otherwise those of us in the UK may wake up to find we're no longer allowed to perform part of our jobs without jumping through hoops and paying for the privilege.
Saturday 29th January 2022 07:55 GMT amanfromMars 1
Re: TLDR: no
I'll be responding when I can make a coherent argument other than "just f**k off" and I encourage us all to do the same. Otherwise those of us in the UK may wake up to find we're no longer allowed to perform part of our jobs without jumping through hoops and paying for the privilege. ..... MrReynolds2U
It is one of those perplexing enigmatic mysteries, which maybe can be solved with the addition of greater education and further information, as to quite why you would not be realising that is the effective current but not successful default position for those otherwise engaged in any leading and sensitive and able to be highly disruptive but also overwhelmingly creative and exceedingly destructive PACT* activities which can inspire and aspire and conspire to enquire, encourage and engage with exceptional talents in ........ well, to reveal further of the workings of the future from here on in, if the truth be told, does the narrative naturally necessarily fork and morph into quite distinctively different but similarly surreal and almost equally powerful quantum divides which easily present themselves in one guise as MkUltra TS/SCI Cyber Space Missions for Spooky Pirate Paramilitary and Publicly Politically Funded and Private Military Contractor Use and Abuse and in another elite crack hacker team cloak, Stealthy AWE**some Instruments of and in a Collaborative Future Augmented Virtualised Reality JOINT*** AIdventure.
And delving ever deeper into and enquiring much further of the divide can reveal quite obviously so much more of a previously totally unknown conditioning/program than anyone/anything can presently handle, and thus can all be too easily absolutely terrified and thoroughly terrorised by it.
And if you feel that you just must, and there will surely be those who cannot stop themselves from helping themselves to the open invitation, step sprightly along that path with the utmost of caution and care for there be many an unforgiving pitfall on the journey to capture and eliminate the deservedly worthy and unwary of their designated fate.
*......... Persistent Advanced Cyber Threat/Treat
** .......Almighty Weaponised Environment
*** ......JOINT Operations Internetworking Novel Technologies
[I suppose there be those who would say, for all that they might understand of the above, that it could have been written in Chinese or Russian or Arabic for all that they understood, which is an interesting thought to explore and discover what other places/space are able to see and comprehend/extropolate. Methinks though, the likes of a Google Translate or a DeepL machine might struggle too long and too hard to make any great of sense of it. :-) That though may be just the arrogance/ignorance of humanity speaking there, struggling as it does to not completely lose the plot to A.N.Others :-)]