24 Jan 2024
by Steve Knibbs

The on-going pursuit of the perfect policy landscape

Guest blog by Steve Knibbs, Director of Vodafone Business Security Enhanced (VBSE), and Chair of techUK's National Security Committee #NatSec2024

It is now widely accepted that digital technologies hold the key to transforming the UK economy and society for the better, but we must make sure we have the right policy environment to facilitate this.

Much work has been done over the last decade to bring UK legislation and regulation in line with the ever-evolving technology world, for example, Ofcom’s review of Net Neutrality and the Product Security & Telecoms Infrastructure Bill. We are fully supportive of the recommendations and look forward to a new framework which better encourages innovation.

Keeping up with the exciting, but relentless, pace of technology is an incredibly complex task, one I am very proud to be a part of as the current Chair of techUK's National Security Committee. It is a cycle of evaluation, planning and action, before starting again. We are making progress, and while there are several areas which need attention, I would like to address three.

Firstly, Artificial Intelligence (AI). Secondly, management of supply chains. And finally, secure-by-design.

The new frontier of Artificial Intelligence

Whether it is a new product or service hitting the market, or references to the Government’s AI Summit, AI is a hot topic for good reason.

AI is a concept that could have a revolutionary impact on the world. It will change how we view data and transform how companies operate at a foundational level. But it needs to be carefully managed.

Although the future of AI might not be as bad as some in Hollywood would have you believe, there are risks. However, the risk will not outweigh the potential of AI if it is managed in a sustainable and responsible way.

We would like to see AI managed by Governments and regulators on a risk basis.

At Vodafone, our network team is trialling new ideas to determine how AI can better manage data traffic on our infrastructure to maintain customer experience. Machine learning-based AI uses the performance data of the network to autonomously adjust how the network operates to improve customer experience. We would consider this low risk.

At the other end of the scale, technologies which make use of personal data to have material impacts on people’s lives, such as medical devices, should be considered higher risk.

We would like greater clarity on legislation and regulation pertaining to AI. It is important to understand how and where data can be used before technology developments accelerate and we become entrenched. Any new policies should be built on a foundation of risk analysis, so as to ensure we don’t unnecessarily inhibit technology developments.

Only as strong as your weakest link

Another area where we believe there needs to be greater clarification is how risk is managed in a company’s supply chain. A company is only as strong as its weakest link, and this is especially the case as we further digitise the business and move towards a cloud-orientated foundation.

The new digital era is largely being facilitated by cloud-based technologies, with Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) technologies becoming more commonplace. There are certainly operational and financial benefits to this way of working, but because it relies on shared infrastructure, we need to take a new approach to cybersecurity.

Many companies are already taking a more comprehensive approach to cybersecurity. We have spoken before about a cybersecurity strategy needing to be fluid and adaptable to the ever-changing threat landscape, but is this approach ubiquitous? No, it certainly is not.

Future policies need to emphasise the need for more comprehensive cybersecurity strategies which consider the procurement process and on-going management of supply chains. This will include training and awareness for those companies who are starting to engage with digital more comprehensively, and those who are considering the migration of business-critical applications to the cloud.

Work has already begun, but as with every area of cybersecurity, we need to evaluate and reconsider how we can further improve. This virtuous cycle will only be to the benefit of society and business, especially to those who would not be considered early adopters of technology.

A secure foundation

Secure-by-design is not a new concept, but it is one which probably does not receive the attention it deserves.

The idea is to set out a framework to follow when building new digital services, products and platforms. The ten-step framework outlines all the areas for consideration at the beginning of a project to ensure cybersecurity is not considered as an afterthought, but is embedded into the foundation of any new digital technology.

When Parliament passed the Product Security and Telecommunications Infrastructure Act 2022, secure-by-design was included in the rules. This means that any consumer IoT service, product and platform sold in the UK must be built under the guidance of this framework. This can only be good news for consumers, who can now have a higher level of confidence in these digital technologies.

We would like to see all policies relating to digital security based on the secure-by-design framework.

To be clear, secure-by-design does not make a digital technology 100% secure. That is an impossible task. However, secure-by-design introduces the best possible approach to cybersecurity, minimising risk.

The on-going pursuit of the perfect policy landscape

In reality, technology will always move faster than those who create the policies to govern it. There is little we can do to change this as innovators are naturally curious, exploring the unknowns the majority give no consideration to.

However, it is critically important we create a policy environment which is flexible and adaptable enough to enable innovation while protecting fundamental rights. The three areas highlighted are by no means an exhaustive list, but they are crucial to enable the technology industry as we see it today.


techUK’s National Security Week 2024 #NatSec2024

The National Security team are delighted to be hosting our annual National Security Week between Monday, 22 January 2024, and Friday, 26 January 2024.
