UK government opens consultation on medic-style register for Brit infosec pros
Are you competent? Ethical? Welcome to UKCSC's new list
Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.
Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."
The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.
Officials in the Department for Digital, Culture, Media and Sport (DCMS) even linked their new professional regulation plans with future Computer Misuse Act amendments, floating the idea that people who aren't UKCSC-registered professionals might not be able to claim any new legal defences.
Part of the new National Cyber Strategy launched late last year is for there to be a government-controlled body "at the top of the profession" in the UK.
At the moment everyone's running with a hotchpotch of industry-created certifications for staff, with companies passing NCSC-backed audits for access to sensitive government contracts. UKCSC is intended to impose a single UK-specific structure on all of that.
Yet over the past year it appears UKCSC hasn't achieved very much, with official disapproval of this being all but buried in a very long public consultation document titled "embedding standards and pathways across the cyber profession by 2025."
- UK mulls making MSPs subject to mandatory security standards where they provide critical infrastructure
- NortonLifeLock and Avast tie-up falls under UK competition regulator's spotlight
- Volunteer Dutch flaw finders bag $100k to forward national bug bounty goal
- Info-saturated techie builds bug alert service that phones you to warn of new vulns
"We have heard through engagement that providing recognition of the UK Cyber Security Council through legislative underpinning would further support its role as the standard setting body for the profession," said the consultation, adding that UKCSC has received "grant funding for the first four years of operation to allow it to develop a business model."
A suspicious person might think industry appears to be ignoring the self-declared "voice of the cyber security profession" to DCMS's horror. Bemoaning the amount of money and effort poured into UKCSC so far, the consultation said:
This level of support should send a clear signal to organisations across the economy that the government approves of UK Cyber Security Council standards and that these standards should be applied when seeking to build organisational resilience against cyber threats. We are concerned, however, that this is not a foregone conclusion. This approach has been undertaken previously in this space and has not achieved the intended objective of embedding professional standards and pathways.
Last year UKCSC's launch immediately hit the rocks after it told the world to visit its official website; a website on a domain it didn't actually own or control. Putting this kind of organisation in charge of the entire UK cybersecurity sector as a state-owned gatekeeper doesn't seem like an auspicious move.
The consultation on UKCSC's statutory underpinnings is open and runs until 2345 on Sunday 20 March. Have your say – or don't, but don't complain if you do nothing and then don't like the outcome. ®