Government calls for views on software resilience and security for businesses and organisations
The much-anticipated Call for Views document published on 6 February sets out government’s current assessment of the cyber security risks from software; and seeks views on those risks in order to better understand them, as well as on where government’s focus should be when it comes to mitigating them. The context, of course, being that software is one of the fundamental building blocks of digital environments, and so improving the security of its development, distribution and maintenance – as well as that of the organisations that make up the software ecosystem – is critical to strengthening organisational cyber resilience more widely and reducing the cyber threat to the UK’s economy, citizens and customers.
The scope of the Call for Views is broad as it considers where the government should prioritise its efforts to address software risks across the entire software lifecycle and direct resources to the areas where they will have the most impact. Its focus on software also contributes to both Technology and Resilience pillars of the government’s National Cyber Strategy, and builds upon other work in this area such as the PSTI Act and NCSC’s Device Security Guidance.
The Call for Views is broken down into three parts:
1. The cyber risks associated with software: what is their impact on organisational resilience; and which of these risks need to be addressed most urgently?
To facilitate this area of discussion, government has developed a framework to better understand the various parts of the software risk landscape with six risk areas:
- Development: (1) software development security; and (2) barriers in the open source community
- Distribution: (3) security and resilience in the distribution of software; and (4) transparency and communication of software materials, vulnerabilities and incident management
- The role of the customer: (5) procurement, supplier assurance and supplier management; and (6) maintenance, configuration and use of software by the customer
2. What measures does industry already have in place to manage software security risks; or what could it be doing better in this regard?
This section is to help government understand to what extent organisations are using existing resources, guidance, frameworks or standards; or following best practice to improve their cyber resilience.
3. What future action could government take to support/incentivise UK companies to better address software security risks?
The final part of the Call for Views seeks input on the actions the government could take to address the concerns outlined in Part 1, and to fill any gaps left by existing support and industry practices addressed in Part 2. Key to the assessment of where there is the greatest need for further action will be understanding the likely impact of this action compared to any implementation challenges and resources required.
Due to the diversity and complexity of software risks in digital supply chains, government states in the document that it will not be possible to pursue all of the policy options tested in the Call for Views. However, the responses to the Call will help to inform which policy options would have the biggest impact in addressing software risks within the resources available. Government plans to publish its formal response in the summer and then work on ensuring those options are aligned with other priorities such as the proposed changes to the Network and Information Systems regulations.
Have your say! techUK is hosting D-SIT (formerly DCMS) for a roundtable on 6 March. This briefing and open discussion with members will help government to formulate its response to the Call for Views, as well as helping to inform the future direction it should take in this area. The session will also inform techUK’s response to the Call for Views. Book your place at this roundtable now.
You can read the full Call for views on software resilience and security for businesses and organisations document here. Note: The deadline for responses is 11.45pm 1 May 2023.