The UK government plans to impose a “baseline” level of security competence on its suppliers through a new cyber-security standard that will eventually become mandatory for firms looking to win contracts.
Announced as a headline element of the government’s two-year progress report on its National Cyber Security Strategy (NCSS), details of the security standard are currently being finalised by a range of stakeholders before its publication at the end of March 2014.
Although it is being described in some quarters as a ‘kitemark’, it seems likely that in its first year the ISO27000-derived standard will be presented as an aspiration rather than a hard requirement for at least some parts of the supply chain.
The Cabinet Office briefing paper on the NCSS said only that larger suppliers will be asked to spread its adoption among partners and that the government will “mandate the preferred standard in government’s own procurement where proportionate and relevant”.
Ministry of Defence (MoD) suppliers that have already signed up to the standard include BAE Systems, BT, QinetiQ, Rolls Royce, HP and Thales UK, among others.
The adoption of ISO27000 as a minimum raises some questions for the government’s supply chain. Large suppliers would be expected to have adopted international standards of this kind already, while smaller outfits could find the complexity and cost of demonstrating adherence difficult.
A lot will depend on the government’s hope that the standard will be quickly adopted as a requirement by auditors, investors and insurers and also that it can be dovetailed with influential US government standards.
Separately, the Cabinet Office confirmed that spending on cyber security is being expanded from the allocated £650 million ($1.04 billion) total for 2011-2015 to £860 million ($1.38 billion) to the end of 2016.
The strategy was launched in 2011 and, according to Minister for the Cabinet Office Francis Maude, the government is making steady progress towards its NCSS objectives.
“Two years of solid work by government, in partnership with the private sector and academia, has seen the UK’s cyber resilience, awareness, skills and capability continue to increase across the board. Partnership across sectors remains as crucial today as it has ever done as this is a shared responsibility,” he said.
“Our initiatives are ensuring the UK is one of the safest places to do business in cyberspace as well as providing a solid platform for economic growth.”
Maude said he wanted to double security technology exports to £2 billion by 2016 by allowing suppliers to advertise their commercial relationship with the UK government through a new Cyber Security Suppliers’ scheme.
Other initiatives include the launch of a Third Research Institute to develop better industrial control security, the development of a free ‘Massive Open Online Course’ (MOOC) for domestic and overseas students to be run by the Open University from summer 2014, and funding to expand the Cyber Security Challenge (CSC) for schools.
“The cyber crime threat facing the UK is increasing. We are working closely with business and universities to ensure the country has the skills and knowledge it needs to meet the cyber challenge,” commented Science minister David Willetts.
“We want to show students and businesses that cyber security does not simply pose a threat. It gives those who take it seriously an opportunity to gain new expertise, or even a commercial advantage.
“With a new £2 billion target for cyber exports, we will also be helping the UK cyber sector to grow and keep the UK ahead in the global race,” he said.