UK government opens consultation on medic-style register for Brit infosec pros

Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade. Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – …

  1. Valeyard

    So how does this work if you're a regular bounty contributor but not working for peanuts for a professional organisation? Will they insist on some of those ridiculously expensive box-ticking certs?

    1. Al fazed
      Unhappy

      Ditto

      The legal/justice industry has taken a similar step recently. Which means as you guessed, in order to continue providing Advocacy for disadvantaged and disabled people, I now need to be a legal professional of some qualification first. So it looks like the end of disadvantaged people having an Advocate with them when they are being grilled by DWP, or the Housing Benefit people, or those very nice Personal Independence Payments Assessors.

      Maybe it is time to get me coat ........

      ALF

      1. ClockworkOwl
        WTF?

        Re: Ditto

        Is it not a legal right to advocacy?

        If it is then this is just another bullet meets foot situation for the gov.

        If not, then I'm more than slightly sickened by the judicial implications...

        1. Wellyboot Silver badge

          Re: Ditto

          Courts are impartial and have rules.

          Govt run committees are not courts and use any devious trick they can think of to meet targets.

    2. sten2012

      From the sounds of things: if you want protection from prosecution because the company you are hunting for gets embarrassed about a finding, yes.

      1. Valeyard

        Ah, I'm very careful in that regard; I only hunt from programs either with an open invitation or where I've been explicitly invited on a bounty platform.

        No point doing the work if there isn't a 100% chance there'll be a process and an agreement for payment laid out at the outset.

        The chancers that do otherwise and target random companies usually threaten blackmail within 3 steps of the email chain, so I don't want to introduce myself to that annoyed company contact who more often than not is probably correct to assume bad intent.

  2. fnusnu

    "I'm from the government and I'm here to help"

    1. Anonymous Coward

      ..Continued

      "and I'm here to help myself and my friends"

      1. Abominator

        And I need to take some money, my take of your money that is.

  3. Anonymous Coward

    Probably not a bad idea

    Some sort of relevant recognised accreditation would be good for those in the industry.

    Better still if it wasn't some sort of pyramid scheme like IISSCC run...

    I guess though the trouble is that "security" encompasses many many different specialities. We'll either end up with the shallow depth of CISSP or something so multi domain that nobody will ever want to try to learn all of it. It probably needs a modular approach with certs for particular domains.

    The one fear of course is not the quality of the piece of paper nor whether it costs time and large amounts of money to "maintain" it but that you could be struck off...

    Struck off for what? Your network gets penetrated? (highly likely even if you are "good") You are found with hax0r tools? You get a speeding ticket?

    1. Roger Greenwood

      Re: Probably not a bad idea

      It's unlikely you will be struck off as long as you keep paying the fees. After all, those folks who wrapped buildings in flammable plastic for decades still seem to be doing OK. Some of them must have belonged to a professional body, not heard of any being struck off yet. Even doctors and nurses have to be REALLY bad before that happens.

      1. Wellyboot Silver badge

        Re: Probably not a bad idea

        How about being struck off for not agreeing with govt policy / next bright idea say (plucking randomly out of the air) E2EE?

        1. Chris G

          Re: Probably not a bad idea

          @Wellyboot

          That was my thinking, your work depends on approval to remain in the association and if you clash with government agendas, you may be out of work.

          Governments are not infallible or necessarily right or ethical.

          1. Anonymous Coward

            Re: Governments are not infallible or necessarily right or ethical.

            Goodness! Anyone might think they were made up of people or something.

          2. ctd

            Re: Probably not a bad idea

            Ethical... Haha

            That is one thing I think everyone can agree on here.

    2. Anonymous Coward

      Re: Probably not a bad idea

      Serious question, how is ISC2 a pyramid scheme? Current members don’t have to recruit new members to maintain their membership as far as I know.

      1. Anonymous Coward

        Re: Probably not a bad idea

        It's a certificate scam, in that the more people get their cert, the more demand there is for certified people. The certs however don't mean you know crap, just that you are good at remembering pages from a book for a test. Not that someone is skilled in IT. It's like making a new god: the more that support it, the more people want it.

    3. Anonymous Coward

      Re: Probably not a bad idea

      It is a good idea, but maybe start by enforcing standards. Even basic 27001 all controls would improve security 10 fold.

      Some orgs have no standards and certainly no outside governance.

      Imagine a surgeon using computer aided tech maintained by a graduate with no experience or qualifications.

      Would you want to fly in a plane if the pilot was not qualified? Or fly in a plane that uses autopilot tested by unqualified engineers?

      IT is in our lives, which presents a risk to our lives. I would like to think there is at least some governance of competency and standards.

      1. Ben Tasker

        Re: Probably not a bad idea

        > IT is in our lives, which presents a risk to our lives. I would like to think there is at least some governance of competency and standards.

        The problem is, taken to its extreme, this might well result in a reduction in security.

        There are lots and lots of little issues that get reported to companies by independent researchers - none on their own are particularly ground breaking, but each of those reports helps fix products/systems in little ways.

        If we consider two points together:

        - Those independent researchers don't generally bring in much in the way of bounty money, so they're not going to be up for paying fees of a professional organisation.

        - The Govt has already hinted that they'd like to tie this to CMA protections, so in effect, if you haven't paid your fee you could end up being prosecuted (not unlike someone practising medicine without paying their dues to the GMC).

        it's hard not to reach the conclusion that more than a few of those researchers just won't bother any more.

        Bigger companies might have some "certified" people on-board, but there's plenty that slips past in-house teams (it's just the nature of the beast).

        This is no less dumb an idea than the idea ages back (christ, it has been a while) to require a license to possess "hacking tools" (which ended up encompassing Perl, if you read it literally enough).

        What's actually happened is the UKCSC has failed in one of its core missions - driving engagement. They've failed to win the trust of organisations and professionals. Rather than doing the hard work of investigating why, and how to do better, they're instead pushing for legislative capture as a "quick fix".

  4. Dante Alighieri
    Black Helicopters

    GMC : a warning

    Perhaps a look at the history of the GMC would help.

    It started as an independent professional body, concerned with standards and issues of its members, and charging fees to the membership to help maintain itself as an independent regulator.

    Fast forward a few decades...

    It is now an arm of government with no input from the members as to its composition or policies - it even pays for private medical cover for its employees despite having some oversight of the provision of public healthcare.

    The fee is now outrageous - it is a stealth tax on the profession which has no option but to be registered to practice. You even have to pay a release fee at the end of your career to come off the register. As a government body it should be paid out of general taxation.

    The record on fairness, pre-determined decisions, protected characteristics (race, religion, gender, age) is open to the public.

    Those following my previous posts will already know I am in the trade. And have just had the annual bill.

    1. Secondrule

      And let's not forget the NMC

      The Nursing Medical Council.

      Exorbitant yearly fees just to wipe arses and put hands into chests to keep fat, old blokes who smoke too much, drink too much and dodge salads, alive for another year until their fatberg heart gets replaced.

      In the long list of ideas, this is as ridiculous as the Betamax!!

    2. Cederic Silver badge

      Re: GMC : a warning

      Is it cheaper to get disbarred than pay to come off the register? Feels a perverse incentive there.

      1. Dante Alighieri
        FAIL

        Re: GMC : a warning

        Just don't pay - you are then kept on the register in *bad standing* and *not licensed to practise* (like 99% of UK public). It will save me >£500 in a few years.

        ICO still not acting on removing details - it is a list of those WITH a licence and any restrictions that are currently in place.

  5. Howard Sway Silver badge

    security specialists could be struck off or barred from working

    Great idea, that'll really attract more people into the job, knowing that they could permanently lose their livelihood if some flaky software or configuration option has an unknown flaw and gets exploited whilst they're in the hotseat, and a blame game ensues rather than a mitigation response and subsequent review.

    The route to being a qualified doctor takes about 10 years of study and practice, and has been developed for over a century. That's why the process of being struck off is so thorough and serious. I can imagine the process for being a certified security specialist will probably be some online multiple choice tests, like some other certifications I have had in the past. The two professions just aren't comparable, and I could certainly see a lot of people looking at all the bureaucracy, inflexibility and risk it will bring and think "hmmm, maybe I should just go back to being a sysadmin or programmer".

    1. Anonymous Coward

      Re: security specialists could be struck off or barred from working

      A better analogy than medicine might be accountants or civil engineering.

  6. amanfromMars 1 Silver badge

    Blissful Ignorance is No Viable Noble Base for ProACTive Novel Progress.

    As long as the UKCSC, MIC* and .gov wonks stay well clear of any notion that would have them thinking to bar competent security specialists from working with any universal entity of the specialists' choosing, they should be quite safe and secure from any resultant unpleasantness much worse than anything akin to a right royal old Etonian boys mess.

    And one prime way of avoiding such a conflict is not to be so backward in coming forward to positively engage with that and/or those they may quite rightly be quite wrongly concerned about. Such does though require some of those phantom official gatekeepers to practise more competently some of their quantum leaping skills, should they have any, for they aint going anywhere special and beneficial to them without falling off/jumping over that particular fence and into right proper virgin fields of investigation and exploration/exploitation and monetisation/powerful command and almighty control.

    * ... Military Industrial Complexes

    1. amanfromMars 1 Silver badge

      Forewarned is forearmed .... and the smartest freely available option is to take good heed.

      There be new kids on the block who aint skiddies or anything like any other hoods in the environment. And they’re flying high, far and wide and real deep down into the nitty gritty of what everything is about. Don’t misunderestimate either them or overestimate anyone else’s ability to mitigate their facility and utility. Such would be a fabulous folly all would just love to regret and forget.

      amanfromMars [2201250712] ...... commenting on an enigmatic prime dilemma on https://www.nationaldefensemagazine.org/articles/2022/1/25/pentagon-shakes-up-ai-digital-bureaucracies

      Pick the right soul for the job, and they will have no problem at all with Congress, which will be only too pleased to provide for what they are advised is needed for the role in order to ensure all of the vital and viral practical and virtual jobs get well done. It should not be misunderestimated that the survival of Congress can also be at stake if they are not as one in offering unhindered timely full support to the right candidate demonstrating unprecedented successes with novel deployments in all the major influential theatres of universal engagement and pan-global power, for such unwarranted resistance may be gravely regarded.

      IT’s getting busy out there in the infinite vastness of cyber space but I wouldn’t say it’s getting crowded whenever there be so many colossal vacant places in which to perform practical miracles and virtually play ... and vice versa.

      Oh dear, a dumb downvote for "Blissful Ignorance is No Viable Noble Base for ProACTive Novel Progress."? How very unproductive and unhelpful is that.

      1. Allan George Dyer
        Terminator

        Re: Forewarned is forearmed .... and the smartest freely available option is to take good heed.

        When did amanfromMars 1 start replying to their own comments, and adding links to previous comments? This could be the next step towards the Singularity!

        OTOH, could we get amanfromMars to respond to the consultation document? That could keep them tied up for years.

        1. Fruit and Nutcase Silver badge

          Re: Forewarned is forearmed .... and the smartest freely available option is to take good heed.

          He makes more sense than some of the policy coming out of No. 10

  7. Anonymous Coward

    Outraged!

    This government is so transparent! I suspect this is part of the previously reported campaign to end encryption: https://www.theregister.com/2022/01/20/no_place_hide_campaign_anti_e2ee_ukgov/

    Let's put together a government database of everyone that knows anything about security, encryption, and such things. Now let's make it so that we can prevent them getting employment, earning a living, feeding their children. What could possibly go wrong...

    The bit about legal protection is a particularly devious ploy.

    I wouldn't recommend anyone publicly admitting any knowledge of encryption going forward. That might soon be enough to get you a polonium-laced tea service courtesy MI5 and Saatchi & Saatchi.

    anonymously signed,

    a Spluttering Curmudgeon

    1. Fruit and Nutcase Silver badge

      Re: Outraged!

      Priti Patel will lock you up for possession of dangerous information

      1. Cederic Silver badge

        Re: Outraged!

        She already can. Check how many people are in prison for a conviction of literally nothing more than 'possession of material likely to be of use to a terrorist' - section 58 of the Terrorism Act 2000.

        1. adam 40

          Re: Outraged!

          Why, how many is it?

          Oh sorry, gotta go, there's someone at the front dooooooooooooooooooooooooooooooooooooooooooooo

  8. Eclectic Man Silver badge

    The new system

    A medical doctor takes 7+ years of training before being allowed out on their own*. This is a serious amount of study. OK so computer security is nowhere near as complicated as the human body, but the career of IT (or Information) security specialist is also several distinct disciplines - setting up firewalls and designing network topologies is different to cryptography, different to Disaster Recovery / Business Continuity Planning, different to GDPR / Personal Information Security and ethics, etc. If people are expected to be managed by something similar to the GMC, with examinations and a disciplinary process backed by law, then this is a serious investment in time and money. And frankly, I reckon that most people who become medical doctors know before they start, whereas most people who go into Information Security go there after entering the IT world (I did).

    When the now defunct CESG Listed Advisors Scheme (CLAS) started, all you needed was a history of working on HMG secure systems and contracts. Then it morphed into something more formal where you had to state your level of competence in several different areas of InfoSec and have experience of them each year. Then you had to 'keep up' your experience each year. It became impossible for most people who, for example, worked on bids for HMG contracts, to demonstrate experience of coping with malware infestations, or utilising BCP / DR plans. So people could not maintain the senior level and eventually dropped out of CLAS entirely, despite being actually very good at their jobs.

    If it is to be based on the GMC, then the 'profession' of InfoSec needs something like a GP - General Practitioner, as well as the specialists. I am a doctor - Ph.D. in Mathematical Logic (small infinite numbers, if you must know)**. I was lucky and my Ph.D. took only 3 years, but show me a Fourier transform and I'm lost. Likewise, there needs to be a distinction between expertise in the specialists and the general expertise of consultants in InfoSec, and you shouldn't need to be a world level expert in any area to be considered an adequate consultant. This requires careful and sensible thought, but I have to say that the history of the organisations trying to manage this does not inspire me with much confidence.

    *https://www.gmc-uk.org/education/becoming-a-doctor-in-the-uk

    ** Representations of countable ordinals with recursive arithmetic functions starting with the least alpha such that w (little omega, the ordinal of the natural numbers) to the power alpha = alpha (think of alpha as the limit of the sequence of w, w to the w, then w to that power, etc. You 'end up' with an infinite stack of w's.)

    1. Fruit and Nutcase Silver badge
      Joke

      Re: The new system

      ** - I've not had a coffee yet this morning. The post from amanfrommars, now, I understood more of that

    2. sten2012

      Re: The new system

      10 years in one small subset of computer security, after a 3 year (only bachelors) degree, and 10 further years of self taught learning, and there's still far more about that one specific area that I don't know than I do.

      I don't see it as that different to other professions, at all.

    3. that one in the corner Silver badge

      Re: The new system

      > computer security is nowhere near as complicated as the human body

      At least the human body isn't changing every few months and you can generally rely on finding the same parts at the same locations (maybe some bits missing) all made of the same materials as in the next patient. Version changes are quite predictable over time (puberty).

      1. Dante Alighieri

        new humans

        Well, we've found some "new" glands recently in the head and neck thanks to PET scans.

        And while the anatomy may not change much, the treatment options and our understanding of disease processes accelerates in change.

        All medical text books are out of date on the day they are published, and almost none are valid after 5 years. Even our approach to anatomy is changing in the principles and methods of learning and relevancy to new (last 40 years) scanning.

        Gastric ulcers used to have surgery to cure them. Now it is triple therapy with antibiotics. And the man who filed the CVE was laughed at, but only for a while. Awards followed.

        The current groupthink always has to change

  9. damocles

    Warning

    If you do fill out the "survey" just keep an eye on the double and triple negatives.

  10. bazza Silver badge

    As a properly chartered engineer, doing actual engineering, I wish that they'd pass a similar law about who can and cannot call themselves "Engineer" (see the legal codes of Germany, France, most of the rest of Europe, etc.)

    1. Cederic Silver badge

      A brave admission amongst so many software engineers.

  11. xyz123 Silver badge

    In unrelated news, little Johnny (whose mom describes him as 'a whiz with those computery things') may be only 12yrs old, but he's had to take out £40 million in malpractice insurance before being allowed to connect his Xbox to the family TV.

  12. AdamWill
    Coat

    errr

    "Are you competent? Ethical?"

    see icon.

    1. Fruit and Nutcase Silver badge

      Re: errr

      It is ironic that those terms cannot be applied to the members of the current government

  13. Anonymous Coward

    Obligatory Marx quote

    "I refuse to join any club that would have me as a member."

  14. that one in the corner Silver badge

    There are plenty of medical procedures you can perform without needing to be GMC registered - everything in the First Aider's course for starters - and including sticking people with needles.

    What counts as First Aid level for security? Something easy that anyone can learn that will help patch up a simple hole, such as running a port scan? Somehow, that doesn't seem likely.

    The comparison to the GMC is ridiculous. My wife, the doctor, was not impressed.

    1. Dante Alighieri
      Paris Hilton

      procedures

      As long as you do not call yourself a doctor or surgeon (technically registered medical practitioner) you can do what you like to any human with their consent (cannibalism not so much) re operations or procedures. You would be responsible for the outcomes in law.

      Except ear piercing, where you have to be registered. There's a law for that (other piercings not covered!).

      Touch an animal if you are not a registered vet - you are in trouble!

      Icon for the absence of protections for humans that animals have...

      1. tiggity Silver badge

        Re: procedures

        @Dante Alighieri

        "Touch an animal if you are not a registered vet - you are in trouble!"

        Might have changed, a long time since I worked in labs, but when I did some of my (non vet) colleagues who worked with animals (I didn't) had various animal handling qualifications that allowed them to do lots of things to animals.

        An actual vet had to accredit the procedures for health & welfare - animals get appropriate care etc. But some non vet researchers (with suitable certification) would perform experimental practices that were essentially procedures you would normally expect a vet to do. Admittedly a niche area, but some people can do vet style work.

        1. Dante Alighieri
          Pint

          Re: procedures

          Mea culpa, I was considering procedures on animals with a treatment effect intended and had forgotten about licensed research scenarios such as you describe.

          You are absolutely correct.

          Similar arrangement would cover abattoirs too. Thanks for the reminder.

          have one on me =>

  15. MrReynolds2U

    TLDR: no

    Unfortunately it appears it is too late to stop them using the word "cyber" like it's the Emperor's New Clothes. This all started out as marketing and is an excuse for vast sums to be spent with only the appearance of security. Most "cyber" types I've come across are clueless idiots spouting buzzwords. Just the introduction on the consultation page in the article uses the term over 200 times.

    So while defined qualifications / accreditation is an idea, it could end up restricting those who actually know what they are doing vs those who know how to pass an exam. For a related example, just think about the number of people who were walking around with MCSEs or CISCO qualifications after a 2 week course that had no actual experience.

    Nobody is denying we are facing huge InfoSec problems, but I think standards settings for optional qualifications is a better plan and this allows those in the field to fill their knowledge gaps without just putting a bunch of "qualified" imbeciles to work. You can't know everything in IT or even just InfoSec, but being better educated in specialist areas so you can work with other knowledgeable professions is a viable way to go forward.

    I'll be responding when I can make a coherent argument other than "just f**k off" and I encourage us all to do the same. Otherwise those of us in the UK may wake up to find we're no longer allowed to perform part of our jobs without jumping through hoops and paying for the privilege.

    1. amanfromMars 1 Silver badge

      Re: TLDR: no

      I'll be responding when I can make a coherent argument other than "just f**k off" and I encourage us all to do the same. Otherwise those of us in the UK may wake up to find we're no longer allowed to perform part of our jobs without jumping through hoops and paying for the privilege. .....MrReynolds2U

      It is one of those perplexing enigmatic mysteries, which maybe can be solved with the addition of greater education and further information, as to quite why you would not be realising that is the effective current but not successful default position for those otherwise engaged in any leading and sensitive and able to be highly disruptive but also overwhelmingly creative and exceedingly destructive PACT* activities which can inspire and aspire and conspire to enquire, encourage and engage with exceptional talents in ........ well, to reveal further of the workings of the future from here on in, if the truth be told, does the narrative naturally necessarily fork and morph into quite distinctively different but similarly surreal and almost equally powerful quantum divides which easily present themselves in one guise as MkUltra TS/SCI Cyber Space Missions for Spooky Pirate Paramilitary and Publicly Politically Funded and Private Military Contractor Use and Abuse and in another elite crack hacker team cloak, Stealthy AWE**some Instruments of and in a Collaborative Future Augmented Virtualised Reality JOINT*** AIdventure.

      And delving ever deeper into and enquiring much further of the divide can reveal quite obviously so much more of a previously totally unknown conditioning/program than anyone/anything can presently handle, and thus can all be too easily absolutely terrified and thoroughly terrorised by it.

      And if you feel that you just must, and there will surely be those who cannot stop themselves from helping themselves to the open invitation, step sprightly along that path with the utmost of caution and care for there be many an unforgiving pitfall on the journey to capture and eliminate the deservedly worthy and unwary of their designated fate.

      *......... Persistent Advanced Cyber Threat/Treat

      ** .......Almighty Weaponised Environment

      *** ......JOINT Operations Internetworking Novel Technologies

      [I suppose there be those who would say, for all that they might understand of the above, that it could have been written in Chinese or Russian or Arabic for all that they understood, which is an interesting thought to explore and discover what other places/space are able to see and comprehend/extropolate. Methinks though, the likes of a Google Translate or a DeepL machine might struggle too long and too hard to make any great of sense of it. :-) That though may be just the arrogance/ignorance of humanity speaking there, struggling as it does to not completely lose the plot to A.N.Others :-)]

  16. johnrobyclayton

    Not to worry, it's a long consultation

    20th March 2345 is a long way away. Not much to worry about for a few centuries.

  17. Eclectic Man Silver badge
    Coat

    Existing Security Consultants

    How will Amber Rudd respond, I wonder?

    "Amber Augusta Rudd (born 1 August 1963) is a British energy and cyber security consultant."

    (https://en.wikipedia.org/wiki/Amber_Rudd)
