The UK government minister responsible for cyber security issues, the Rt Hon Francis Maude, has released a statement and a pair of reports looking back over the first two years of the government’s Cyber Security Strategy and detailing further plans going forward.
One of the key developments expected in the near future is the unveiling of a security standard for businesses, which early reports on Maude’s statement predicted would be a requirement for firms hoping to pick up government contracts.
Variously described as a “baseline”, a “kitemark” and a “badge”, the new standard is being developed in collaboration with the British Standards Institution (BSI), the Information Security Forum and other players, and is expected to be released publicly in March 2014.
Those expecting the “Organisational Standard” to be mandatory for firms doing business with the government may be a little disappointed though, as the statement’s wording leaves plenty of wriggle-room to allow firms to avoid conforming.
While firms in general will be encouraged to adopt the standard, in government procurement compliance will be mandated only “where proportionate and relevant” – so, if anyone wants out and has enough clout, it’s likely they’ll be able to persuade the government to continue doing business with them.
A group of firms currently supplying the Ministry of Defence (MoD), including BAE Systems, Rolls Royce and HP, have shown willingness to adopt the standard when it is released, but again there seems to be no definite requirement of the sort imposed by the US Defense Department a few weeks ago.
Hopefully once the standard is finalised and released the rules regarding its use will be made stricter and less flexible.
There’s a lot more covered by the two reports, with the retrospective overview of progress highlighting the creation of the new National Crime Agency (NCA) and its cyber sub-division the National Cyber Crime Unit (NCCU), set up a few months ago, and its successes so far.
These include a number of high-profile international operations, as well as sending out an email warning people about Cryptolocker.
A number of other initiatives are mentioned, including information-sharing partnerships, the Centre for the Protection of National Infrastructure (CPNI) and its Cyber Risk Advisory Service for businesses, and the budding CERT-UK, as well as the recent banking simulation project known as “Operation Waking Shark 2”.
Looking forward, we can expect expansions and improvements in all these areas, plus new initiatives such as “kite-marking” of cyber security professionals and products. Police expertise will be increased, with half of the NCA’s 4000 staff expected to receive training in cyber investigation.
Education in general is a major theme, with new plans ranging from primary schools to universities and on into professional training and certifications.
A “major public awareness campaign” is planned for January 2014, with Sophos namechecked alongside Facebook and BT as partners in the project.
Just how successful some of these endeavours will be will of course depend on the details, with much of the information in these reports still fairly vague and non-committal.
Nevertheless, it’s good to see government making the right noises and putting some fairly considerable effort into cyber security in all sorts of areas.
As one of the writers of the previous British Standard, BS7799, on Information Security, back in 1990, I have been very disappointed over the years by the lack of improvement in security practices that should have emanated from the widespread implementation of the standard. In my view a main reason for this has been the lack of contractual necessity.
It would be an act of extreme folly if the UK government makes the same mistake again. All government contracts of substance should require certified compliance both by the contractor and their suppliers. Corporate annual reports should also note their compliance or otherwise in the same way that other standards have to be reported on. I also believe that the Head of Security should report directly to the board and not be hidden under the IT manager.
I’m not familiar with the new standard, but there was nothing onerous about the original standard – it simply pointed IT users in the right direction and encouraged common sense thinking. If more companies applied the standard we wouldn’t be seeing the same old weaknesses being reported day after day, the same password failures, the same data losses, the same virus and malware problems, that we were suffering from 25 years ago when the world first became networked.