UK Software Security Code of Practice Earns Mixed Reviews
Voluntary Code Could Be First Step to Regulation
A draft set of recommendations published by the U.K. government promoting software resiliency received mixed reviews from British software executives, who criticized a lack of specificity and overlap with existing best practices.
The U.K. Department for Science, Innovation and Technology earlier this month published a draft voluntary code of practice for software vendors that solicits comment ahead of final publication.
The measures consist of a 21-step framework. Among the steps are requiring organizations to test their products before they are placed on the market, mandating multifactor authentication for developers, and requiring timely reporting and patching of vulnerabilities.
"The code is aimed at senior leaders in software vendor organizations to ensure that they understand the full extent of what is required for their organization to adequately put in place this security and resilience measure," the DSIT said. The measures are "flexible and adaptable rather than prescriptive."
Many cybersecurity experts Information Security Media Group spoke with said the majority of the proposed measures are vague and skip the all-important step of discussing how to effectively implement the strategies.
"For instance, the guidance says that vulnerabilities should be reported to the 'relevant parties,' but it fails to explain who the concerned parties are. Or it says that organizations should distribute software securely, without providing adequate information," said Kevin Robertson, chief operating officer at Glasgow cybersecurity firm Acumen Cyber.
Robertson said what is needed instead is a practical step-by-step solution akin to the U.S. National Institute of Standards and Technology frameworks, which contain specific cybersecurity controls.
Neatsun Ziv, founder of Israeli software supply chain security firm OX Security, said proposed measures such as timely security updates and patching are standard industry practices that date back decades, and that stringent enforcement of the recommendations is needed.
"The recommendations are good for everybody, and it is actually referencing a lot of the existing standards in the market. But unless you're saying there is a penalty that is associated with it, the companies that do not do it right now - it will not convince them to do it. The companies that already follow 'secure by design' practices will not gain any additional benefit from this document," Ziv said.
The reviews are not all bad. The government is attempting to reduce the probability of disruptive cyberattacks stemming from vulnerable third-party software, as seen in the SolarWinds and MOVEit incidents, said Katharina Sommer, group head of government affairs at U.K.-based NCC Group.
Existing U.K. regulations such as the Product Security and Telecommunications Infrastructure Act, which came into force in April, fail to address the inherent supply chain risk tied to the larger software ecosystem, she said.
"The software supply chain code is very much going beyond the hardware to look at the underlying software, where there aren't currently regulatory requirements," Sommer said. "So I think the government came to the view that actually that was something that required more action to try and shore up the resilience of that particular part of the technology supply chain."
The U.K. initiative mirrors similar policy efforts from the European Union and other governments that have been working to shift accountability for software security toward vendors through "secure by design" policies.
These include the recently passed European Union Cyber Resilience Act, which makes it obligatory for all connected software vendors operating in the trading bloc to report hacks in a timely manner and issue patch updates. The updated Network and Information Security Directive, set to come into force in October, sets baseline cybersecurity expectations for all software vendors.
Since the U.K. currently lacks a policy framework akin to the NIS2 Directive, Sommer said it is possible that the government will adopt the final voluntary code as a regulation or enforce some of its provisions.
"I think that model is probably very much one that government is looking at and that industry should look at in terms of how that might play out in the future," she said.