
Software next on the agenda for UK cyber resilience


By Hans Allnutt & Stuart Hunt


Published 28 February 2023

Overview

Following the publication of the National Cyber Strategy in late 2021, the UK government has placed cyber resilience at the forefront of UK digital and cyber strategy. As a continuation of that work, the Department for Digital, Culture, Media and Sport (“DCMS”) recently issued a call for views aimed at all organisations with an interest in software and digital supply chains.

High-profile incidents such as the attacks against SolarWinds (2020) and Kaseya (2021), and the emergence of vulnerabilities affecting software components such as Log4j (2021), demonstrate the range of resilience risks linked to software.

Closing on 1 May 2023, this call for views will draw on existing work and legislation on the provision or use of software in the context of resilience; this includes the recently enacted Product Security and Telecommunications Infrastructure (“PSTI”) Act.

The consultation “goes further in taking a holistic and systematic approach that focuses on software risks across the breadth of the software lifecycle - that is, the full range of processes involved in the development, distribution, use and maintenance of software packages.”

The broad scope of the consultation takes into account the wide range of risks associated with software, with a focus on software used for business and enterprise purposes to reflect the complex nature of supply chains, which generate the “most impactful cyber incidents”. The government acknowledges the challenge of considering such a broad scope of issues, but this breadth should ensure that resources are directed to the areas where they will have the maximum effect.

Risk areas

Six major areas of risk associated with software are identified, banded under three headings.

  • Development: Software development security and barriers in the open source community
  • Distribution: Resilience in distribution, and transparency and communication
  • Customer: Procurement and use of software by the customer

Possible policy interventions from the government to support or incentivise stakeholders are also proposed, with respondents asked about their expected efficacy. In addition, respondents are expected to answer a series of questions on existing industry measures, regarding the extent to which organisations are using existing resources or following best practice.

Development

The security of software development practices and ensuring the integrity of software code is perhaps the most important element of software resilience. Accidental vulnerabilities and intentional compromises of software code can occur during the initial build or during subsequent updates. Insecure development environments can create vulnerabilities if malicious actors are able to breach those environments.

The government proposes a range of interventions aimed at reducing these types of risks, such as the accreditation of organisations using best practice, and similar accreditation for those software packages and components known to be secure. In addition, the use of international standards for software development practices is suggested, along with the provision of guidance and financial support to encourage organisations to comply.

The above would apply not only to proprietary software but also to open source software, which poses its own unique issues. DCMS correctly highlights that resourcing in relation to open source software (“OSS”) can be inconsistent due to the often-voluntary nature of development; this leads to the introduction of vulnerabilities and a lack of maintenance of code. Suggested government interventions include funding for industry-led initiatives and mapping those open source components which are most critical.

By way of interesting comparison, the draft European Union Cyber Resilience Act (“CRA”) provides some insight into the EU position on OSS, suggesting that OSS “developed or supplied outside the course of a commercial activity should not be covered” by the CRA. This makes a clear distinction between non-commercial and commercial use. Additional wording within the draft CRA suggests that OSS developers could be held liable if their software is used commercially. Bearing this in mind, it will be intriguing to see the policy proposals advanced by the UK government on this issue.

Distribution

The resilience of software distribution is key to supply chains. Network breaches involving software distributors can affect customers, as distributors may be used as the entry point for an attack. As might be expected, the government primarily proposes best practice and accreditation, but also suggests regulation. This regulation would involve the application of minimum standards, such as notifying customers of incidents. The contents of the PSTI Act relating to distributors may offer guidance on how these regulations would apply, considering the stated duties to remedy failures and to notify the customer and other interested parties of compliance failures.

The transparency of communication around subsequent vulnerabilities and incident management also poses issues for organisations using software. Downstream end-users are often at the mercy of the organisation developing or selling the software when it comes to notification of vulnerabilities or incidents. This can affect how the end-user is able to take informed steps on their own measures.

Regulation similar to that stated above is proposed, along with the possible development of secure information-sharing mechanisms on vulnerabilities and malicious code. In addition, a central database of software materials could also be created.

Customer

A major risk issue within many organisations is a lack of knowledge on the part of procurement teams on how to properly manage cyber risk. This can lead to cyber security not being referenced during procurement processes, which in turn reduces the incentives for software vendors to deliver better security. Training and industry guidance are proposed as tools to support businesses with these issues, including recommended contract clauses to help secure supply chains.

Incorrect customer use also creates risk following the acquisition of a software product or licence. Customers can be expected to configure products, apply patches in a timely manner and manage user privileges, all without proper assistance. Of most interest are proposals that software vendors help minimise the actions customers must complete to secure software products, such as building in prompts to change default passwords.

Next steps

Once the consultation is completed, the government expects to publish a formal response in summer 2023. The call for evidence emphasises that any policy options advanced will align with the overarching UK Digital Strategy, the PSTI Act and the proposed changes to the NIS regulations.
