CS Jul-Aug 2023
cyber strategy
SECURITY BY DESIGN
NEW CYBERSECURITY MEASURES BEING IMPOSED IN THE US WILL HIT SOFTWARE COMPANIES HARD. WHAT MIGHT THIS MEAN FOR THE UK?
The US recently published its national cybersecurity strategy. Released by the Biden administration, it seeks to impose minimum security standards for critical infrastructure onto larger software makers. Equally, it means to shift responsibility for maintaining the security of computer systems away from consumers and small businesses. What impact is this likely to have on the security industry, and what implications, in particular, might it have for the UK? Does the UK have any option but to follow the same path?
Phil Tonkin, senior director of strategy at Dragos, says that the US National Cybersecurity Strategy's aim of moving many industries from a voluntary approach to cybersecurity towards more aggressive, mandatory regulatory standards, described as a 'fundamental shift' to rebalance the responsibility to defend cyberspace, did not come as a surprise. "For months, administration officials telegraphed the intent to use regulatory and market drivers to shift the burden of mitigating cyber risks away from end users and to those best positioned to have the earliest and broadest impact. This includes not just critical infrastructure owners and operators, but also technology companies, software makers and service providers," he says.
However, this is not a shift that will happen overnight. "While the US National Cybersecurity Strategy signals a stronger regulatory environment in the US, many different standards bodies and regulatory agencies oversee a patchwork of regulatory frameworks and requirements for different industries. Even as the administration has rolled out new requirements for certain industries, including railways and pipelines, others will require new authorities from Congress."
REGULATORY ESSENTIALS
What this means, Tonkin advises, is that the US government and experts from industry have time to work together on building regulatory requirements that achieve the best possible outcomes for securing infrastructure and the digital ecosystem, with a focus on real security rather than simple compliance. He also points out that the strategy highlights the importance of international coalitions and partnerships in countering cyber threats, devoting an entire pillar to those shared goals.
"The consequences of cybercrime are not geographically restricted, requiring a global approach to countering threats and managing vulnerabilities. Economies are interconnected globally as well, with many companies operating across countries and regions. So, any time a new security standard or regulation is adopted, industry has to react and this often has a ripple effect globally."
He adds that the 2016 UK National Cyber Strategy focused on developing capability, with a particular emphasis on critical infrastructure across all sectors. "In 2022, it began to consider this in the context of increasing digitisation, sustainability and reducing international dependence. This continues to mature, in particular as the UK begins to find its own direction in setting future network security legislation outside of the European Union. Both the UK and EU have begun to move legislation to cover more entities, closer to the consumer," Tonkin concludes. "However, there is a growing global recognition that the responsibility to secure digital products cannot rest with individuals. The eyes of the world will be on the US to learn how security by design is enforced."
Phil Tonkin, Dragos.
www.computingsecurity.co.uk @CSMagAndAwards July/August 2023 computing security