Not only MSPs: All cloudy firms are in line for UK security law crackdown

Now's a good time to read up on Cyber Essentials Plus


A government crackdown on British MSPs' security practices is drawing ever closer after the Department for Digital, Culture, Media and Sport (DCMS) floated plans to make Cyber Assessment Framework compliance mandatory.

Digital Minister Julia Lopez said in a canned statement: "We are taking the next steps in our mission to help firms strengthen their cyber security and encouraging firms across the UK to follow the advice and guidance from the National Cyber Security Centre to secure their businesses' digital footprint and protect their sensitive data."

Some form of NCSC-accredited certification for managed service providers (MSPs) and cloud firms seems likely to become mandatory in the medium term. They follow on from a government consultation run over summer asking for views about regulating MSPs alone.

In a sign that the regulatory sands are shifting, however, the government said in a public response this week that "any future policy should consider this broader range of digital technology providers, moving away from an exclusive focus on managed services."

Better security in UK.gov's eyes appears to mean MSPs and other cloud service providers will have to comply with the NCSC-backed Cyber Assessment Framework (CAF) "or a framework based on it," industry feedback to the government-sponsored survey said.

That feedback continued: "Many submissions voiced concerns regarding the government's intention to place additional requirements on an entire UK digital sector. Developing definitions and establishing clear boundaries between various providers of digital technology solutions, including cloud and managed services, remains a challenging task for this government."

Industry is said to have told DCMS it wants more "prescriptive requirements" than the CAF provides for, however, including "formal certification with auditing" and an "obligation to report incidents".

If these are accurate reflections of what DCMS was told, it points the way towards Cyber Essentials Plus potentially becoming the baseline MSP/cloud security standard for British businesses – if DCMS adopts these calls for compliance monitoring of whatever security framework it picks.

Cyber Essentials (without the plus) is already the baseline security standard for government suppliers, though in essence it's a self-assessment checklist.

Meanwhile, existing UK security questionnaire advice isn't really being used:

Graph showing half of UK cloud service buyers aren't using supplier security questionnaire

Graph showing half of UK cloud service buyers aren't using supplier security questionnaire

As for buyers of MSP services, they were all in favour of more regulation (or so the would-be regulators at DCMS said) with an interesting caveat about Big Tech:

Many respondents argued, for example, that they cannot make fully informed procurement decisions because it is increasingly difficult to obtain the necessary cyber security assurance from providers who are reluctant to provide information on their cyber security measures or standards they adhere to. This poses a number of business and operational challenges for customers who ultimately bear the risk of cyber security incidents.

Government focus on supply chain security was galvanised by high-profile MSP attacks such as Kaseya in the US. The MSP was compromised by attackers targeting its VSA endpoint and network management tool, giving instant visibility into most of its customers. Similar recent attacks saw firms such as US network management outfit SolarWinds targeted by a Russian espionage agency, among large numbers of smaller attacks.

Not all UK MSPs are as dedicated to good security practices as one might hope, however, as a lighter (but cautionary) ransomware recovery tale from 2019 showed. ®

Similar topics


Other stories you might like

  • Meg Whitman – former HP and eBay CEO – nominated as US ambassador to Kenya

    Donated $110K to Democrats in recent years

    United States president Joe Biden has announced his intention to nominate former HPE and eBay CEO Meg Whitman as Ambassador Extraordinary and Plenipotentiary to the Republic of Kenya.

    The Biden administration's announcement of the planned nomination reminds us that Whitman has served as CEO of eBay, Hewlett Packard Enterprise, and Quibi. Whitman also serves on the boards of Procter & Gamble, and General Motors.

    The announcement doesn't remind readers that Whitman has form as a Republican politician – she ran for governor of California in 2010, then backed the GOP's Mitt Romney in his 2008 and 2012 bids for the presidency. She later switched political allegiance and backed the presidential campaigns of both Hillary Clinton and Joe Biden.

    Continue reading
  • Ex-Qualcomm Snapdragon chief turns CEO at AI chip startup MemryX

    Meet the new boss

    A former executive leading Qualcomm's Snapdragon computing platforms has departed the company to become CEO at an AI chip startup.

    Keith Kressin will lead product commercialization for MemryX, which was founded in 2019 and makes memory-intensive AI chiplets.

    The company is now out of stealth mode and will soon commercially ship its AI chips to non-tech customers. The company was testing early generations of its chips with industries including auto and robotics.

    Continue reading
  • Aircraft can't land safely due to interference with upcoming 5G C-band broadband service

    Expect flight delays and diversions, US Federal Aviation Administation warns

    The new 5G C-band wireless broadband service expected to rollout on 5 January 2022 in the US will disrupt local radio signals and make it difficult for airplanes to land safely in harsh weather conditions, according to the Federal Aviation Administration.

    Pilots rely on radio altimeter readings to figure out when and where an aircraft should carry out a series of operations to prepare for touchdown. But the upcoming 5G C-band service beaming from cell towers threatens to interfere with these signals, the FAA warned in two reports.

    Flights may have to be delayed or restricted at certain airports as the new broadband service comes into effect next year. The change could affect some 6,834 airplanes and 1,828 helicopters. The cost to operators is expected to be $580,890.

    Continue reading

Biting the hand that feeds IT © 1998–2021