The UK government has unveiled plans to boost the cyber security of the country’s digital supply chains with a series of measures that could include mandating IT service providers to adhere to the National Cyber Security Centre’s (NCSC’s) Cyber Assessment Framework (CAF).
Other proposals include new procurement rules to ensure that public sector organisations buy technology only from suppliers with a sound cyber security posture, and plans for improved cyber security advice and guidance campaigns.
The proposals follow a Department for Digital, Culture, Media and Sport (DCMS) consultation on digital supply chains and third-party IT services, launched in May 2021 after a spate of incidents in which compromised IT suppliers were used by malicious actors as a route into their downstream customers. The most notable was SolarWinds, whose trojanised Orion software updates were delivered to its customers through the vendor's own legitimate update channel.
“As more and more organisations do business online and use a range of IT services to power their services, we must make sure their networks and technology are secure,” said Julia Lopez, minister for media, data and digital infrastructure.
“Today we are taking the next steps in our mission to help firms strengthen their cyber security and are encouraging firms across the UK to follow the advice and guidance from the NCSC to secure their businesses’ digital footprint and protect their sensitive data.”
The government said the responses to the consultation had shown cross-industry support for developing new or updated legislation in this regard, with 82% of respondents believing that legislation could be either effective or somewhat effective.
As a result of this, policymakers will now return to the drawing board to develop more detailed proposals, alongside an ongoing review of cyber security measures that will inform the next national cyber strategy, which is due to be announced before Christmas.
The government also today released new research on the views of so-called “captains of industry”, which found that although the majority of chairs, CEOs and directors of UK enterprises – 94%, up 10% on 2020 – believed cyber security threats were a high or very high risk to their business, large numbers were not taking action to secure their digital supply chains.
A total of 17% either somewhat or strongly disagreed with the statement “our organisation actively manages cyber risks in our supply chain”, and 26% either somewhat or strongly disagreed that the board was being kept properly informed of supply chain risk. A total of 13% and 9%, respectively, neither agreed nor disagreed with those statements.
Worryingly, 2% of respondents said they did not know whether supply chain cyber risk was covered at all in the written documentation their organisation uses to manage cyber security risk.