The Network and Information Systems regulations are to be updated to include MSPs and outsourcers, following a spate of supply chain attacks
- Alex Scroxton,
Published: 20 Jan 2022 13: 00
Security professionals have given a warm welcome to the UK government’s proposed measures to improve security standards in the UK through legislation to protect users of managed IT services, by imposing new rules on the providers of these services.
A consultation on the proposals was launched by the Department for Digital, Culture, Media and Sport (DCMS) on Wednesday 19 January, in the middle of Prime Minister’s Questions. It comes after a torrid year for IT security teams, with surges in cyber attacks at all levels, and in the wake of the £2.6bn National Cyber Strategy published in December 2021.
The government is now seeking to make a series of updates to the 2018 Network and Information Systems (NIS) regulations, which were initially designed to protect the security of providers of critical national infrastructure (CNI), in this case, utilities, transport, healthcare and communications – backed by multimillion-pound fines for non-compliance.
These regulations will be expanded in their scope to include managed service providers (MSPs) and providers of specialised online and digital services, including managed security services, workplace services, and general IT outsourcing.
Julia Lopez, minister of state for media, data, and digital infrastructure, said: “Cyber attacks are often made possible because criminals and hostile states cynically exploit vulnerabilities in businesses’ digital supply chains and outsourced IT services that could be fixed or patched.
“The plans we are announcing today will help protect essential services and our wider economy from cyber threats. Every UK organisation must take their cyber resilience seriously as we strive to grow, innovate and protect people online. It is not an optional extra,” said Lopez.
Such companies will in future be required to undertake more thorough risk assessments and implement “reasonable and proportionate security measures” to protect their networks. They will also be mandated to report significant incidents; to have dynamic, executable recovery plans in place; and to be able to demonstrate their compliance to the Information Commissioner’s Office (ICO). The new laws will also give the government powers to future-proof the NIS regulations by updating their scope if needed.
All relevant costs incurred by regulators for enforcing the new regulations will be transferred from the taxpayer to those organisations, i.e. the MSPs, covered by the legislation, which the government said would create a more flexible finance system and reduce the burden on general taxation.
DCMS said its own research had found only 12% of UK organisations currently review the cyber risks that their immediate suppliers might expose them to, and only 5% take steps to address the vulnerabilities in their wider supply chain.
National Cyber Security Centre (NCSC) technical director Ian Levy said: “I welcome these proposed updates to the NIS regulations, which will help to enhance the UK’s overall cyber security resilience. These measures will ensure that cyber security risks are properly managed by organisations and those on whom they rely.”
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre, added: “Most modern organisations are, in reality, distributed operations where online storefronts, payment processors, inventory management and even staff management occur using third-party services for even the smallest of businesses.
“Since management of these services is often outside the areas of expertise for a business, it’s not uncommon to find business using MSPs as outsourced providers of digital services. Extending NIS regulations to include MSPs will assist smaller businesses in attaining a higher level of cyber resilience, where the recent Log4Shell vulnerability illustrated that cyber resilience is a function of how well software supply chains are understood.
“Unfortunately, few organisations review the cyber security risks within their immediate software supply chain. By requiring larger companies to report all cyber attacks they experience, the proposed NIS regulations are effectively encouraging risk assessments within software supply chains as software risk is business risk,” he said.
Oliver Smith, a cyber litigation lawyer at Keystone Law, also voiced his support for NIS expansion: “The law has recognised the threat to essential services, such as water, power and transport, but recent cyber attacks, such as the Colonial Pipeline attack in the US in which the petrol pipeline supplying 45% of East Coast oil was shut down, have illustrated the vulnerability of essential service companies to having their computer systems attacked.
“Whilst these companies are covered by regulations and pro-active oversight by the ICO to ensure they maintain high standards of physical and cyber security, the outsource companies many of them use to manage their computer networks have not been regulated. These changes to the law will bring those outsourced companies under the regulation of the ICO.
“Given that these outsourcing companies could be responsible for hundreds of companies’ IT services, any compromise of their security could have a massive impact on the services those client companies provide and result in many different services being disrupted at the same time. This could be from criminal ransomware attacks or from state sponsored cyber terrorism.
“The new law will also require greater reporting of attempted attacks to include unsuccessful attempts and low-level incursions as well as disruptions to services. This should enable the ICO to spot risks earlier before they lead to serious disruption of critical services,” said Smith.
The government said additional laws are needed to improve security across the board and, to this end, it has launched a separate consultation covering proposed powers for the UK Cyber Security Council – the new professional regulator for the cyber ‘trade’ – around security qualifications and certifications.
It said that as the UK’s tech sector continues to expand, more people are being drawn into cyber security careers, and it can be difficult for organisations – whether hiring or contracting – to know what skills and qualifications are desirable.
The UK Cyber Security Council was set up last year to address this issue by spearheading the creation of new professional standards and accreditation, bringing cyber in line with other established professions such as accounting or engineering.
The new proposals will give it the ability to define and recognise cyber job titles and link those to existing qualifications and certifications. Cyber pros will in future have to meet specific, council-set competency standards across a range of security specialisms before they can use a specific job title. Also on the table is an official Register of Practitioners, as exists in the medical and legal professions, setting out those security pros recognised as ethical, suitably qualified, or senior.
DCMS said this will make it easier for employers to identify what skills they need to recruit appropriately, and give prospective and existing cyber pros more clarity on career pathways.
Simon Hepburn, CEO of the UK Cyber Security Council, said: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications.
“We look forward to being involved in and contributing to this important government consultation and would encourage all key stakeholders to participate too.”