+Comment The British government has vowed to create a legally binding cybersecurity framework for managed service providers (MSPs) – and if you want to tell gov.UK what you think, you've only got a few weeks to act.
The supply chain review comes in the wake of high-profile events like the SolarWinds compromise and a 2018 APT campaign linked by the FBI to China that may have breached HPE, IBM, and some of their clients.
Targeted at managed service providers and firms outsourcing their digital infrastructure services alike, the review is described by the government as helping build evidence for "additional government intervention" to force businesses into formally assessing cyber risks to their supply chains. It also looks like MSPs will be subject to a legally binding security framework as a result of the review.
Matt Warman MP, whose Department for Digital, Culture, Media and Sport job title this week is "digital infrastructure minister", said in a canned statement: "There is a long history of outsourcing of critical services. We have seen attacks such as 'CloudHopper' where organisations were compromised through their managed service provider. It's essential that organisations take steps to secure their mission-critical supply chains – and remember they cannot outsource risk."
MSPs are obvious targets for criminals: if you pwn one MSP, you can potentially gain illicit access to all of its customers – or simply threaten to DoS them unless a ransom is paid.
'This could be time consuming and a difficult process'
Chris Waynforth, AVP Northern Europe at Imperva, mused: "It's interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services – suggesting they may be subject to some sort of regulation for the first time.
"Depending on the level of maturity, this may be music to the ears of some, allowing them to distinguish their services and show they are equipped to protect customers from supply chain attacks. For others, this could be time consuming and a difficult process."
Formal responses to the call for views can be found on GOV.UK.
+Comment: Computer Misuse Act review
The Department for Digital, Culture, Media and Sport's review of supply chain security comes on the heels of last week's announcement of a review of the Computer Misuse Act (CMA). A formal document has now been published on GOV.UK.
While the review might have been initially welcomed, it is wise to look at it cautiously. The Society for Computers and Law summarised the purpose of the exercise as being "to identify whether there is activity causing harm in the area covered by the CMA that is not adequately covered by the offences. This includes whether law enforcement agencies have the necessary powers to investigate and take action against those attacking computer systems."
Put another way, the consultation's main target is creating new criminal offences and expanding the CMA's remit; while there's a token nod in there to protecting researchers from the threat of prosecution for legitimate infosec activities, the bulk of the call is aimed at creating new crimes.
The consultation document itself says the Home Office, owner of the CMA, is looking at "whether the legislation is fit for use following the technological advances since the CMA was introduced" and adds "we would welcome any other suggestions on how the response to cyber-dependent crime could be strengthened within the legislative context."
Individual infosec researchers El Reg has spoken to are cautious. Away from the corporate context, it seems the biggest priority for sole traders and small operators is providing concrete clarity in law about what is, or is not, a CMA crime.
It may be that the perception among individual researchers of the CMA as a giant sword hanging over the necks of innocent infosec bods is wrong, but so far most public uses of the CMA in the courts have been against things that looked and smelled very much like deliberate criminal offences.
Later this month, the government will be publishing new stats on the use of the CMA over the past couple of years and The Register will be reporting on these. ®