
Software call for views

by Mark Rowe

How to address software risks and help create more resilient digital networks generally? That’s the question posed by the Department for Digital, Culture, Media and Sport (DCMS) in a consultation it has launched.

The DCMS’ ‘Software Call for Views’ runs until May. Julia Lopez, Minister of State for Media, Data and Digital Infrastructure at the DCMS (coincidentally, about to be broken up by PM Rishi Sunak) said in a foreword to the online consultation that we must ensure consumers and businesses feel confident in digital technologies, which means the foundations of our technology must be secure.

She said: “Software is one of the fundamental building blocks of digital environments: it underpins the operational function of all of our devices, and how they interact with each other in connected environments. Recent incidents such as the 2020 SolarWinds attack and the discovery of the Log4j vulnerability, have demonstrated the widespread impact which insecure software can have on businesses, charities, educational institutions and other organisations operating across the UK – and globally. Strengthening the resilience of software is an important part of strengthening organisational cyber resilience more widely. This will help reduce the cyber threat to the economy and prevent harm to businesses, UK citizens and the UK’s worldwide customers.”

As she acknowledged, this is not for government alone (requiring a ‘whole-of-society approach’), and not for the UK alone, as software and ‘our digital environment is global and many cyber attacks have occurred outside the UK’, she said. The consultation document also noted the disruption to the UK National Health Service’s IT systems caused by an attack against one of its software suppliers last year.

The DCMS has asked about the nature of software risks as a whole to UK organisations, and where government should focus on mitigating them, ‘across the breadth of the software lifecycle – that is, the full range of processes involved in the development, distribution, use and maintenance of software packages and associated systems up until, and including, the time at which it is no longer used or maintained’. Included are software written for Information Technology (IT), Operational Technology (OT) and Software as a Service (SaaS) operated from the cloud; and AI, ‘a technology which is underpinned and driven by software’. An AI white paper is due to be published in 2023, the document noted.

As for abroad, the document pointed to the US national standards agency NIST’s Secure Software Development Framework, being used for new federal procurement and attestation requirements; and that the European Commission has published proposals for a Cyber Resilience Act.


© 2024 Professional Security Magazine. All rights reserved.
