Government calls for views on software resilience and security for businesses and organisations

The much-anticipated Call for Views document published on 6 February sets out government’s current assessment of the cyber security risks from software; and seeks views on those risks in order to better understand them, as well as on where government’s focus should be when it comes to mitigating them. The context, of course, being that software is one of the fundamental building blocks of digital environments, and so improving the security of its development, distribution and maintenance – as well as that of the organisations that make up the software ecosystem – is critical to strengthening organisational cyber resilience more widely and reducing the cyber threat to the UK’s economy, citizens and customers.

The scope of the Call for Views is broad as it considers where the government should prioritise its efforts to address software risks across the entire software lifecycle and direct resources to the areas where they will have the most impact. Its focus on software also contributes to both Technology and Resilience pillars of the government’s National Cyber Strategy, and builds upon other work in this area such as the PSTI Act and NCSC’s Device Security Guidance.

The Call for Views is broken down into three parts:

1. The cyber risks associated with software: what is their impact on organisational resilience; and which of these risks need to be addressed most urgently?

To facilitate this area of discussion, government has developed a framework to better understand the various parts of the software risk landscape with six risk areas:

• Development: (1) software development security; and (2) barriers in the open source community
• Distribution: (3) security and resilience in the distribution of software; and (4) transparency and communication of software materials, vulnerabilities and incident management
• The role of the customer: (5) procurement, supplier assurance and supplier management; and (6) maintenance, configuration and use of software by the customer

2. What measures does industry already have in place to manage software security risks; or what could it be doing better in this regard?

This section is to help government understand to what extent organisations are using existing resources, guidance, frameworks or standards; or following best practice to improve their cyber resilience.

3. What future action could government take to support/incentivise UK companies to better address software security risks?

The final part of the Call for Views seeks input on the actions the government could take to address the concerns outlined in Part 1, and to fill any gaps left by existing support and industry practices addressed in Part 2. Key to the assessment of where there is the greatest need for further action will be understanding the likely impact of this action compared to any implementation challenges and resources required.

Due to the diversity and complexity of software risks in digital supply chains, government states in the document that it will not be possible to pursue all of the policy options tested in the Call for Views. However, the responses to the Call will help to inform which policy options would have the biggest impact in addressing software risks within the resources available. Government plans to publish its formal response in the summer and then work on ensuring those options are aligned with other priorities such as the proposed changes to the Network and Information Systems regulations.

Have your say! techUK is hosting D-SIT (formerly DCMS) for a roundtable on 6 March. This briefing and open discussion with members will help government to formulate its response to the Call for Views, as well as helping to inform the future direction it should take in this area. The session will also inform techUK’s response to the Call for Views. Book your place at this roundtable now.

You can read the full Call for views on software resilience and security for businesses and organisations document here. Note: The deadline for responses is 11.45pm 1 May 2023.

If you’re interest in contributing to techUK’s response to this Call for Views, please contact Dan Patefield ([email protected]) or Jill Broom ([email protected]) as soon as possible.

Dan Patefield

Head of Cyber and National Security, techUK

×

Dan Patefield

Head of Cyber and National Security, techUK

Dan leads the techUK Cyber Security programme, having originally joined techUK in August 2017 as a Programme Manager working across the Cyber and Defence programmes. He is responsible for managing techUK's work across the cyber security eco-system, bringing industry together with key stakeholders across the public and private sectors. Dan also provides the industry secretariat for the Cyber Growth Partnership, the industry and Governmnet conduit for supporting growth across the sector. A key focus of his work is to strengthen the public-private partnership across cyber security to support further development of UK cyber security policy.

Before joining techUK he worked as Forum Lead for the Westminster eForum. In this role he had a focus on the technology and telecoms space, on issues ranging from Broadband and Mobile Infrastructure, the Internet of Things, Cyber Security, Data and diversity in tech. Dan has a BA in History from the University of Liverpool.

Email:

[email protected]

Phone:

020 7331 2165

Jill Broom

Programme Manager, Cyber Security, techUK

×

Jill Broom

Programme Manager, Cyber Security, techUK

Jill is techUK’s Programme Manager for Cyber Security, working across the cyber eco-system to bring industry together with key stakeholders across the public and private sectors.

Prior to focusing in on techUK's cyber security work, Jill was also part of techUK's Central Government programme team, representing the supplier community of technology products and services to Whitehall departments. 

Before joining techUK, Jill worked as a Senior Caseworker for an MP, advocating for local communities, businesses and individuals, so she is particularly committed to techUK’s vision of harnessing the power of technology to improve people’s lives. Jill is also an experienced editorial professional and has delivered copyediting and writing services for public-body and SME clients as well as publishers.

Email:

[email protected]

Twitter:

@honeybroom

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/jill-broom-19aa824

Freddie MacSwiney

Programme Manager - Defence and Cyber, techUK

×

Freddie MacSwiney

Programme Manager - Defence and Cyber, techUK

Freddie MacSwiney is the Programme Manager for Defence and Cyber Security at techUK.

Prior to joining techUK, Freddie worked as a Government Adviser for a firm dealing in International Relations, where he briefed Politicians, Ministers, Heads of State, Diplomats around the world on key issues from Defence,  Security and other key issues and aligned them with the UK. 

Tracy Modha

Team Assistant - Markets, techUK

×

Tracy Modha

Team Assistant - Markets, techUK

Tracy supports several areas at techUK, including Cyber Exchange, Cyber Security, Defence, Health and Social Care, Local Public Services, Nations and Regions and National Security.

Tracy joined techUK in March 2022, having worked in the education sector for 19 years, covering administration, research project support, IT support and event/training support. My most outstanding achievement has been running three very successful international conferences and over 300 training courses booked all over the globe!

Tracy has a great interest in tech. Gaming and computing have been a big part of her life, and now electric cars are an exciting look at the future. She has warmed to Alexa, even though it can sometimes be sassy!

Email:

[email protected]

Phone:

02073312000

Twitter:

@TracyModha

Website:

www.techuk.org

LinkedIn:

https://www.linkedin.com/in/tracymodha83