Reflections on CyberUK in Practice – CESG’s government security conference
Ascentor went to the ‘CyberUK in Practice’ event in Liverpool on the 24th and 25th May, organised by CESG. Bringing government, industry and the wider public sector together, the event addressed how we can collectively make the UK safer online.
Over 900 delegates attended, with 60 speakers from government and industry. There was no shortage of topics covered and new developments shared. Indeed, Alex Dewdney, Director of Cyber Security at GCHQ described the event as a ‘step change in how government does cyber security.’
So, with a little time to reflect on the event, we’ve summarised what we thought were the main cyber security discussion points for government and industry.
Launch of the National Cyber Security Centre
In the keynote speech, Alex Dewdney announced the launch of the new National Cyber Security Centre (NCSC) – opening in October this year in London.
Led by Ciaran Martin, currently Director General Cyber at GCHQ, the NCSC will bring the UK’s cyber expertise together to create a single source of advice on how the UK tackles cyber security issues.
In a climate that sees a growing threat of cyber-attacks from states, serious crime gangs, hacking groups and terrorists, the NCSC will create an active cyber defence to ensure that the UK’s citizens, public and private sector organisations and critical national infrastructure are safer online.
Ascentor welcomes the NCSC establishment as a focal point for cyber security advice, including as it does CERT UK and CPNI contributions. Hopefully the planned increased communication and openness will provide fresh impetus to organisations to see cyber security as a business risk that they should actively manage rather than just a security issue.
Update on the Cyber Security Model for Defence (CSM)
CyberUK confirmed that the CSM is having a staged roll out across the summer. Risk assessment and profiles were discussed, with a risk profile for each level of risk. Suppliers will be required to complete an online questionnaire and no contracts will be awarded without completing the questionnaire.
Cyber Risk – Levels and Profiles
Responsibilities for contractors and sub-contractors were announced. The MOD will be responsible for CSM for the prime contractor. The prime contractor will be responsible for any direct sub-contractor and this responsibility arrangement is repeated down the supply chain. Any contractor in the chain with a sub-contractor will have the responsibility for completing the risk assessment, assessing the results of the questionnaire and managing any shortcomings.
List X and CSM are complementary but List X companies with accredited IT systems will still need to complete CSM. The explanation for this was that CSM is focused on the organisation and accreditation is focused on systems.
We’ve recently covered the CSM in two blogs on the Ascentor site and much of the detail on this new model can be found within each.
UPDATE: The planned roll out of CSM in August of 2016 has been delayed. We are now expecting the Cyber Security Model (CSM) to be rolled out to large suppliers from January 2017 – with a full launch by April. FATS (a commercial MOD framework) will also go live in April and it is expected to include the contractual aspects of CSM.
To be compliant with the requirements of the CSM, the MOD supply chain will need Cyber Essentials or Cyber Essentials Plusand have information security governance policies in place.
Ascentor strongly recommend that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance – so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time consuming the process. Don’t delay and put future contracts at risk.
Take-up of Cyber Essentials (CES)
We were surprised to learn that only 2,500 companies have been CES certified, not least because non-compliance puts a business at a serious commercial disadvantage. Suppliers to the MOD have been required to obtain CES certification for MOD contracts advertised from 1st January 2016. This applies where contracts involve the storage or processing of MOD identifiable information – which is going be the case for most suppliers.
We also learned that there is no requirement to renew CES annually. This has always been a loop hole caused by CESG’s reluctance to say the CES assessment is valid for any time beyond the day it is completed. As a result, most contracts specify that CES certification must be renewed every year. While this has always been the intention, it can only be phrased as “recommended recertification date” at the moment.
It looks like the CES scheme will be better supported in the future with controls for cloud and web apps, and a general agreement that it needs to be seen as relevant with effort needed to include it in all supply chains. We heard at the conference that the NHS intends to take up CES for its supply chain companies. However, we were surprised that HMG has not renewed a Cyber Innovation Voucher to encourage take-up of CES.
For further information on Cyber Essentials and the certification options, please see our free CES download .
Cyber security issues facing suppliers
There is one word that’s driving change in the cyber world – liability. It’s the stick that’s driving change, not the carrot. At the moment, rules on liability are unclear and ad-hoc but, as we heard from Tom Read CTO of GDS, change is coming.
The US Court of Appeal has set a legal precedent for what good cyber security controls look like. But how long will that set of controls be effective at deterring a cyber attack? Legal precedents tend to last a very long time, certainly longer than the lifetime for effective cyber controls.
The upshot is likely to be a change in behaviours from suppliers – and the users of their products. If suppliers are held liable for their part in any cyber attack, they will be more likely to strive for best practice, making sure cyber controls are embedded from the start of a project. If users are liable for incidents caused by them, they’ll raise their game in how they apply security measures – and demand the very best training and tools from their employer to do so.
Ascentor holds the opinion that the cyber security community needs to be a part of the conversation and develop the criteria for liability. In a related issue, we’ve developed a process for both suppliers and buyers to embed cyber security more securely in their projects , reducing the risk of future cyber attack – and thus liability.
The problems of buying cyber security
PWC ran an interesting talk on why, when buying cyber security, some organisations can get it so wrong. Despite the time that buyers put into the process, the results can sometimes be the very opposite of what was intended – leading to increased costs, reduced flexibility, slow progress and even increased cyber risk.
They presented what might be the buyer’s experience – a fragmented market with multiple vendors, a tendency to purchase without fully understanding what is needed, receiving false assurances and discovering, to their cost, that one size does not fit all.
Their tips for procurement were:
- Weigh up the risks vs the costs – and buy proportionate security
- Have a strategy and plan for joined up security – ensure integration
- Suppliers beware – make sure you are aware of your system requirements and that the supplier demonstrates their understanding of your requirements.
Cyber security challenges facing Local Authorities
A number of local authorities discussed their cyber security issues – with the main concern being maintaining service availability. There was concern expressed about the effect of ransomware and hackers being able to disrupt services and cause physical damage.
Local authorities hold data that hackers could use for financial gain and threats to service delivery would undermine confidence, causing public concern. This comes after a recent YouGov survey which found that some 81% of British citizens expect to be able to access key government services easily and securely online. In a climate of public expectation and cyber threat, local authority concerns are understandable.
Ascentor will be focusing on ransomware in a series of upcoming blogs and looking at backup strategies for organisations of varying sizes over the coming weeks.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about IA and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.
If you’d like to discuss how ourconsultants could advise on any aspect of IA and cyber security, please contact Dave Jamesat Ascentor.
Office: 01452 881712
Other posts you might like
We’ve looked at a number of recent Government Information Assurance changes – and ‘cut through the confusion’ in this series of blog articles:
For Further Information
If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
Please use the contact details below - also found on our Contact Us page.