Government to press for operators of 'critical national infrastructure' to adopt new cyber security standard

Out-Law News | 12 Dec 2013 | 3:16 pm | 2 min. read

Businesses that operate "critical national infrastructure" in the UK may be pressed to adopt a new, voluntary organisational standard on cyber security that the Government is developing.

The Cabinet Office has said that it will require Government departments to insist that the suppliers they contract with conform to the new standard "where proportionate and relevant". It also said it would "work with regulators to drive adoption among those companies that own and manage the UK's critical national infrastructure". Late last month the Government announced that it would create a new voluntary organisational standard on cyber security based on the existing ISO 27000 series of standards.

The measure is just one action the Cabinet Office has set out to take in the next year in a new document on how it intends to drive improvements to cyber security in the UK (15-page / 466KB PDF). The document has been published two years on from the launch of the UK's national cyber security strategy. The Cabinet Office said one of its main aims is to make the UK "one of the most secure places in the world to do business in cyberspace".

"Government will also work with the regulators to ensure that the companies that own and operate our critical national infrastructure are well protected against the cyber risks they face, as part of their responsibilities to ensure resilience and availability of supply," the Cabinet Office said in its document. "A number of regulators are already very active in driving cyber security, including the Bank of England where a recommendation from the Financial Policy Committee has led to a wide programme of work across the financial sector."

"Government remains committed to supporting this agenda, and is developing an enhanced offer of support on cyber to regulators and infrastructure owners and operators through GCHQ and CPNI. The Secretary of State for Business will host a summit in February for regulators and Government to agree next steps," it said.

GCHQ is the UK's signals intelligence agency and CPNI is the Centre for the Protection of National Infrastructure. The Cabinet Office said GCHQ is due to issue new guidance for businesses next year on security in the context of cloud services and mobile devices.

The Cabinet Office also said it wants to raise greater awareness of cyber security issues and that it hoped that its Cyber Security Information Sharing Partnership programme would double in size to include more than 500 members by the end of 2014. The initiative involves the sharing of "cyber threat information in real time" between companies.

Amongst the other measures the Cabinet Office announced it would take was a drive to introduce further 'kite marking' of "cyber security professionals, products and services". It said such certification can "stimulate supply, drive up standards and help customers access and navigate the market".

"Over the last year GCHQ has launched its Commercial Product Assurance scheme to certify commercially-available cyber security products for use in the public and private sectors," the Cabinet Office said. "The first products have now completed certification with more to follow in 2014. At the same time GCHQ is expanding its Service Assurance capability to cover a broad range of cyber services."

"A number of commercial cyber incident response providers have been certified to provide clean-up services to organisations that have fallen victim to cyber attack; in the coming year certification will be extended to other services including security monitoring services. The CESG Certified Professional scheme has already awarded over 1000 certificates to cyber security professionals," it said.

CESG is the information assurance arm of GCHQ.