UK government opens consultation on medic-style register for Brit infosec pros

Are you competent? Ethical? Welcome to UKCSC's new list

Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.

Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."

The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.

Officials in the Department for Digital, Culture, Media and Sport (DCMS) even linked their new professional regulation plans with future Computer Misuse Act amendments, floating the idea that people who aren't UKCSC-registered professionals might not be able to claim any new legal defences.

Part of the new National Cyber Strategy launched late last year is for there to be a government-controlled body "at the top of the profession" in the UK.

At the moment everyone's running with a hotchpotch of industry-created certifications for staff, with companies passing NCSC-backed audits for access to sensitive government contracts. UKCSC is intended to impose a single UK-specific structure on all of that.

Yet over the past year it appears UKCSC hasn't achieved very much, with official disapproval of this being all but buried in a very long public consultation document titled "embedding standards and pathways across the cyber profession by 2025."

"We have heard through engagement that providing recognition of the UK Cyber Security Council through legislative underpinning would further support its role as the standard setting body for the profession," said the consultation, adding that UKCSC has received "grant funding for the first four years of operation to allow it to develop a business model."

A suspicious person might think industry appears to be ignoring the self-declared "voice of the cyber security profession" to DCMS's horror. Bemoaning the amount of money and effort poured into UKCSC so far, the consultation said:

This level of support should send a clear signal to organisations across the economy that the government approves of UK Cyber Security Council standards and that these standards should be applied when seeking to build organisational resilience against cyber threats. We are concerned, however, that this is not a foregone conclusion. This approach has been undertaken previously in this space and has not achieved the intended objective of embedding professional standards and pathways.

Last year UKCSC's launch immediately hit the rocks after it told the world to visit its official website; a website on a domain it didn't actually own or control. Putting this kind of organisation in charge of the entire UK cybersecurity sector as a state-owned gatekeeper doesn't seem like an auspicious move.

The consultation on UKCSC's statutory underpinnings is open and runs until 2345 on Sunday 20 March. Have your say – or don't, but don't complain if you do nothing and then don't like the outcome. ®

Other stories you might like

  • Lenovo halves its ThinkPad workstation range
    Two becomes one as ThinkPad P16 stands alone and HX replaces mobile Xeon

    Lenovo has halved its range of portable workstations.

    The Chinese PC giant this week announced the ThinkPad P16. The loved-by-some ThinkPad P15 and P17 are to be retired, The Register has confirmed.

    The P16 machine runs Intel 12th Gen HX CPUs, but only up to the i7 models – so maxes out at 14 cores and 4.8GHz clock speed. The laptop is certified to run Red Hat Enterprise Linux, and can ship with that, Ubuntu, and Windows 11 or 10. The latter is pre-installed as a downgrade right under Windows 11.

    Continue reading
  • US won’t prosecute ‘good faith’ security researchers under CFAA
    Well, that clears things up? Maybe not.

    The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing.

    Good-faith, according to the policy [PDF], means using a computer "solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability."

    Additionally, this activity must be "carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services."

    Continue reading
  • Intel plans immersion lab to chill its power-hungry chips
    AI chips are sucking down 600W+ and the solution could be to drown them.

    Intel this week unveiled a $700 million sustainability initiative to try innovative liquid and immersion cooling technologies to the datacenter.

    The project will see Intel construct a 200,000-square-foot "mega lab" approximately 20 miles west of Portland at its Hillsboro campus, where the chipmaker will qualify, test, and demo its expansive — and power hungry — datacenter portfolio using a variety of cooling tech.

    Alongside the lab, the x86 giant unveiled an open reference design for immersion cooling systems for its chips that is being developed by Intel Taiwan. The chip giant is hoping to bring other Taiwanese manufacturers into the fold and it'll then be rolled out globally.

    Continue reading

Biting the hand that feeds IT © 1998–2022