The UK government will work with industry experts to develop policies that will increase the cybersecurity of digital solutions and has asked if it should enforce new cybersecurity measures on MSPs.
The Department for Digital, Culture, Media and Sport (DCMS) issued a call for views in May on the existing advice for supply chain risk management and said it was considering asking MSPs to meet new cybersecurity measures to make the UK more resilient against cyber threats.
In response to the proposal, MSPs gave CRN mixed views on increased cybersecurity measures, though they largely supported the idea of greater security.
The DCMS has now published the findings from the 214 respondents who gave their feedback to the “call for views” – read opinions – and set out how the government plans to respond based on the information it has received.
The consultation found that barriers to effective supply chain cybersecurity risk management are “low recognition of supplier cybersecurity risk, limited visibility into supply chains, insufficient tools to evaluate supplier cybersecurity risk and limitations to taking action due to structural imbalances”.
Only two percent of respondents to the question on barriers to effective supplier risk management said limited visibility into supply chains did not form some sort of barrier, while 90 percent saw low recognition of supplier risk as a barrier.
The government found shortages of key skills and experience, the lack of a common assurance standard, the inadequacy of assurance questionnaires, a lack of prioritisation of supply chain risk management among boards or senior management, and supply chain shortages.
There is a “growing market” for technology platforms that support organisations to manage supplier risk, and those respondents viewed these as the most effective commercial tool for managing supply chain cybersecurity risk, the report found.
There was a need for further government support to “improve supply chain cyber security risk management outcomes”. This includes the “provision of additional advice guidance” and adopting “a more interventionist approach to improve resilience across supply chains”.
Ninety-five percent of respondents to a question asking which government actions would be the most effective said additional support to help organisations to know what to do would be somewhat or very effective, while 93 percent said providing a specific supplier risk management standard would be effective in some form.
Regulation, meanwhile, was perceived to be ‘very effective’ by more respondents than any other suggested intervention at 58 percent.
The DCMS asked respondents to vote on six potential areas where the government could intervene – developing education and awareness campaigns, establishing a certification or assurance mark, setting minimum requirements in public procurement, developing new or updated legislation, creating a set of targeted regulatory guidance and developing joined-up approaches internationally.
All six options suggested for promoting a future managed service provider cyber resilience framework were considered to be at least somewhat effective by a minimum of 82 percent of respondents.
The DCMS said the findings have “reinforced the need for a range of interventions”.
“Therefore, the government will, as part of the forthcoming National Cyber Strategy, continue to work with industry experts to develop a set of policy solutions aimed at increasing the cyber security resilience of digital solutions”, it added.
“The interventions prioritised by the government will include legislative work to ensure that managed service providers undertake reasonable and proportionate cyber security measures.
“In recognition of the global nature of digital supply chains, the government will prioritise engagement with international partners and organisations to foster a joined-up international approach to securing providers of digital services such as managed services, cloud and software.”
In other words, nothing will happen.
When it came to encouraging investment among senior management and boards, the government said it will “seek to harness influential market agents to drive supply chain cyber security risk management up the agenda” while ensuring they have “access to appropriate guidance and information about the costs and impact of cyber incidents”.