Government intervention will be 'very effective' in reducing MSP supply chain attacks, finds DCMS
The government lays out how it will respond to findings on whether new measures are needed for MSPs and firms procuring digital services
The UK government has concluded that it will work with industry experts to develop policies that will increase the cybersecurity of digital solutions, after it called for views on whether it should enforce new cybersecurity measures on MSPs.
The Department for Digital, Culture, Media and Sport (DCMS) issued a call for views in May on the existing advice for supply chain risk management, and said it was considering asking MSPs to meet new cybersecurity measures to make the UK more resilient against cyber threats.
In response to the proposal, MSPs gave mixed views to CRN on increased cybersecurity measures, though they largely supported the idea of greater security.
The DCMS has now published the findings from the 214 respondents who gave feedback to the call for views, and set out how the government plans to respond based on the information it has received.
What did the call for views find?
The call for views found that the key barriers to effective supply chain cybersecurity risk management are "low recognition of supplier cybersecurity risk, limited visibility into supply chains, insufficient tools to evaluate supplier cybersecurity risk and limitations to taking action due to structural imbalances".
Only two per cent of respondents to the question on barriers to effective supplier risk management said limited visibility into supply chains did not form some sort of barrier, while 90 per cent saw low recognition of supplier risk as either a severe barrier or somewhat of a barrier.
New areas of risk not currently covered by the existing guidance of the National Cyber Security Centre's (NCSC) Supply Chain Security Guidance and Supplier Assurance Questions were also discovered in the call for views.
These include shortages of key skills and experience, the lack of a common assurance standard, the inadequacy of assurance questionnaires, a lack of prioritisation of supply chain risk management among boards or senior management and supply chain shortages.
It found that there is a "growing market" for technology platforms which support organisations to manage supplier risk, and that respondents viewed these as the most effective commercial tool for managing supply chain cybersecurity risk.
And it also indicated a need for further government support to "improve supply chain cyber security risk management outcomes". This includes in the "provision of additional advice guidance", and by adopting "a more interventionist approach to improve resilience across supply chains".
Ninety-five per cent of respondents to a question asking which government actions would be the most effective said additional support to help organisations to know what to do would be somewhat or very effective, while 93 per cent said providing a specific supplier risk management standard would be effective in some form.
Regulation, meanwhile, was perceived to be "very effective" by more respondents than any other suggested intervention, at 58 per cent.
The DCMS asked respondents to vote on six potential areas where the government could intervene: developing education and awareness campaigns, establishing a certification or assurance mark, setting minimum requirements in public procurement, developing new or updated legislation, creating a set of targeted regulatory guidance and developing joined-up approaches internationally.
All of the six options suggested for promoting a future managed service provider cyber resilience framework were considered to be at least somewhat effective by a minimum of 82 per cent of respondents.
There were also calls for customers to have better access to information about MSP cybersecurity, while respondents agreed that an assurance framework providing a minimum standard of cybersecurity requirements would be beneficial to the cybersecurity of both customers and suppliers.
The majority of respondents, the DCMS said, deemed the NCSC's Cyber Assessment Framework principles to be applicable to the cybersecurity resilience of MSPs, but agreed that there was a need to go further.
What does the government plan to do?
The DCMS said the findings have "reinforced the need for a range of interventions".
"Therefore, the government will, as part of the forthcoming National Cyber Strategy, continue to work with industry experts to develop a set of policy solutions aimed at increasing the cyber security resilience of digital solutions," it added.
"The interventions prioritised by the government will include legislative work to ensure that managed service providers undertake reasonable and proportionate cyber security measures.
"In recognition of the global nature of digital supply chains, the government will prioritise engagement with international partners and organisations to foster a joined-up international approach to securing providers of digital services such as managed services, cloud and software."
When it came to encouraging investment among senior management and boards, the government said it will "seek to harness influential market agents to drive supply chain cyber security risk management up the agenda" while ensuring they have "access to appropriate guidance and information about the costs and impact of cyber incidents".
In response to the lack of a common assurance approach identified by respondents, the government said it would "consider ways of increasing the uptake of Cyber Essentials across the wider economy so that it becomes a more universally adopted minimum security requirement in supplier contracts".
In addition, it will also consider "what can be done to clarify and consolidate the standards landscape above this minimum in order to make it a more effective tool for supply chain risk management".
It will address the lack of visibility into the supply chain and will "continue to support innovation and the growth of new startups in the cybersecurity sector through initiatives such as NCSC for Startups".
And the DCMS says it will address the challenge of cybersecurity skills shortages "through funding mechanisms, working in partnership with further and higher education providers, and establishing formal accreditation for cyber skills through the UK Cyber Security Council".
Following the support expressed for regulation, the DCMS said it will "explore more interventionist approaches" but will target these "in sectors that are most critical to the resilience of the UK, or which have the potential to pose most supply chain risk across the economy".
It said that many submissions, however, voiced concerns regarding the government's intention to place additional requirements on an entire UK digital sector and stressed that "some providers of digital solutions should offer greater levels of assurance" than others.
Moreover, the DCMS said that alternative principles could be incorporated into, or become a supplement to, the NCSC's Cyber Assessment Framework to "help address cyber security risks associated with digital providers and their customers".
Examples of these principles include formal certification with auditing, an obligation to report incidents, and specifications for customer transparency and cooperation.