The UK government has published a minimum cyber security standard for all departments, which some members of the information security community have welcomed as a step in the right direction, while others have said it does not go far enough.
This is the first technical standard for cyber security developed by the government in collaboration with the National Cyber Security Centre (NCSC) and will be incorporated into the Government Functional Standard for Security.
According to the document, it defines the minimum security measures that government departments are required to implement to protect their information, technology and digital services to meet their Security Policy Framework and National Cyber Security Strategy obligations.
“The standard presents a minimum set of measures and departments should look to exceed them wherever possible,” the standard states.
The document also indicates the measures will be incremented over time to continually “raise the bar”, address new threats or classes of vulnerabilities and incorporate the use of new Active Cyber Defence measures that departments will be expected to use and where available for use by suppliers.
The Active Cyber Defence programme is being developed by the National Cyber Security Centre (NCSC) to implement measures across government departments aimed at tackling – in a relatively automated way – a significant proportion of the cyber attacks that hit the UK with a view to rolling them out across UK industry once proven.
These measures include blocking bad emails pretending to be from government by adopting the DMARC (Domain-based Message Authentication, Reporting and Conformance) protocol, which helps authenticate an organisation’s communications as genuine.
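The DMARC check described above, as an added illustration (not code from the article, the NCSC or the standard): it parses a constructed DMARC record and evaluates whether a message’s SPF or DKIM result aligns with its From: domain, the step that lets a receiver tell genuine mail from a spoof. The two-label organisational-domain shortcut and the “enforcing policy” threshold in `is_enforcing` are assumptions.

```python
from typing import Optional

# Constructed sample record for a hypothetical domain; not taken from the article or from NCSC.
SAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.org"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC1 record with a policy tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to the domain policy
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational domain: the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: dict, from_domain: str, spf_domain: Optional[str],
             dkim_domain: Optional[str], is_subdomain: bool = False) -> str:
    """Return 'pass' if SPF or DKIM passed for an aligned identifier, else the action the record requests."""
    if spf_domain and aligned(spf_domain, from_domain, record["aspf"]):
        return "pass"
    if dkim_domain and aligned(dkim_domain, from_domain, record["adkim"]):
        return "pass"
    return record["sp"] if is_subdomain else record["p"]


def is_enforcing(record: dict) -> bool:
    """Assumed minimum bar for a record to block spoofing: quarantine/reject applied to 100% of mail."""
    return record["p"] in ("quarantine", "reject") and record["pct"] == "100"
```

A record with `p=none` only reports on spoofed mail; receivers will still deliver it, which is why the check treats monitoring-only records as not enforcing.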
The standard outlines a set of cyber security outcomes for government departments to achieve in the areas of identification, protection, detection, response and recovery.
The outcomes-based approach is aimed at allowing government departments flexibility in how the standards are implemented, “dependent on their local context”, the document states, adding that “compliance with the standards can be achieved in many ways, depending on the technology choices and business requirements in question.”
Some of the key requirements include clear lines of responsibility and accountability to named individuals for the security of sensitive information, training and guidance for senior accountable individuals, strict access control, use of secure configurations, regular patching, attention to email and web application security, developing an incident response and management plan and the testing of contingency mechanisms to ensure continued delivery of essential services.
One of the few prescriptive technology requirements is the use of Transport Layer Security version 1.2 (TLS v1.2) to protect email and data in transit. This is one of the things that could be updated as TLS v1.3 becomes more widely deployed after being recently approved by the internet standards body, the IETF.
However, that may not happen any time soon. Shortly before the IETF published the new version, NCSC technical director Ian Levy said in a blog post that TLS v1.3 will make the enterprise security model “much, much harder”: because server certificates are encrypted, it will no longer be possible to whitelist sites, and because once a connection is proxied it has to be proxied until it is done, enterprises will have to proxy each and every TLS 1.3 connection – whether they need to or not – and for the entire duration of the connection.
“This reduces the privacy of the employees in that enterprise, massively increases equipment and power costs, and probably increases overall technical risk for the enterprise and its employees. Clearly, that’s not a great outcome,” he wrote.
A few days later, Levy added the following clarification of his position: “I’m not saying TLS 1.3 is bad. I’m not saying it should be stopped. I’m not saying that the changes aren’t all rooted in good technical security. I’m merely saying that it’s going to make a bunch of enterprise related security stuff harder. So, given that, we need to do work collectively to work out how to adapt in regulatory, technical and policy worlds.”
Publication of the standard demonstrates that the government understands that data security should never be an afterthought, said Mark Adams, regional vice president for the UK and Ireland at backup, recovery and data management firm Veeam Software.
“With GDPR [EU General Data Protection Regulation] and the NIS [Network and Information Systems] Directive now in force, the cost of cyber attacks, breaches and network outages is now nothing short of eye-watering.
“The new standard demonstrates that the government is aware any other alternative simply isn’t worth the risk to their operations, and sets a great example for other industries to follow,” he said.
Adams praised the document for its emphasis on recovery, which he described as often being the “unsung hero” of data management.
“No matter who you are or where you work, it has never been more important to ensure that your digital lives are permanently ‘on’. The ability to seamlessly move data to the best location across multi-cloud environments is now crucial for business continuity, compliance, security, and optimal use of resources for business operations,” he said.
According to Adams, this “hyper-availability” not only helps ensure data and applications are always there when we need them, but also helps maintain reliability, reduces the cost of manual processes, minimises downtime, ensures the continuous delivery of production IT services, and satisfies compliance requirements.
“All of these are essential for the public sector. We’re happy to see the UK government has recognised the need to prepare for all of this today, to avoid the fines or threats of tomorrow,” he said.
Mike Trevett, director for UK and Ireland for Mandiant at FireEye, also welcomed the publication of the standard.
“Over the past decade, UK government has been aiming to simplify security – moving away from proscriptive mandatory requirements in security standards, towards describing the minimum security outcomes that need to be achieved. This standard helps do exactly that.
“For mature organisations it provides a solid framework for managing their information risk. For less mature organisations, it will help them structure how they manage information risk and guide their cyber security process development,” he said.
Having a clear incident response plan
According to Trevett, organisations need to have a really clear understanding of what to do in the event of a breach. “Every organisation needs to have a clear incident response plan that’s well tested and regularly rehearsed,” he said. “Following this standard will take an organisation a long way towards a goal of becoming cyber-resilient.”
However, Andy Norton, director of threat intelligence at Lastline, said the new standard misses the mark in terms of the requirements for detection and response.
“These requirements are focussed only on ‘common’ threats,” he said. “To government departments, it is the advanced threats that pose a risk. The new standard does nothing to raise the bar within government networks to detect and respond to advanced threats.”