U.K. Cybersecurity Plan Is Voluntary Like U.S. Framework, Has Differences

By Ali Qassim  

April 17 -- The cybersecurity scheme the U.K. government plans to launch this summer shares some similarities with the U.S. government's critical infrastructure cybersecurity framework, including being voluntary and aimed at all organizations, regardless of size or sector, Nigel Montgomery, a partner at Sidley Austin LLP in London, told Bloomberg BNA April 17.

But there are some differences between the U.S. and U.K. cybersecurity frameworks, including how each uses its tiered-implementation structure and the possibility that the U.K. plan will become mandatory for government procurement purposes, Montgomery said.

The U.S. framework was rolled out by the U.S. Department of Commerce's National Institute of Standards and Technology in February.

The proposed U.K. Cyber Essentials Scheme (CES) was released April 7 by the Department for Business, Innovation and Skills. Public comments on the scheme are due May 7.

U.K. Seeks to Establish Benchmark

The U.K. government hopes its scheme will “become an influential benchmark for basic cyber hygiene in the U.K., and certainly there is a feeling that lack of confidence in security is causing business to be reluctant to adopt new technology, particularly in cloud computing,” Montgomery said.

“Participation in the CES is intended to demonstrate to customers, partners and stakeholders that a business takes information security seriously,” he said.

The CES includes an Assurance Framework aimed at businesses that want to demonstrate compliance through an independent certification system, Montgomery said.

The CES and its assurance framework are the latest steps in the U.K. government's cybersecurity strategy, published in November 2011, he said.

U.K. Focus on Five Controls

The CES focuses on five critical technical controls that organizations often fail to apply adequately, leaving them vulnerable to cyber threats:

• Boundary firewalls and Internet gateways: to protect against attacks based on capabilities and techniques that are freely available on the Internet--by restricting inbound and outbound network traffic to authorized connections;

• Secure configuration: to reduce the level of inherent vulnerabilities and provide only the services required to fulfil their role;

• User access control: to ensure that special access privileges are assigned only to authorized individuals;

• Malware protection: to monitor for, detect and disable malicious software; and

• Patch management: to ensure that software running on computers and network devices is kept up-to-date.


Comparison of U.K., U.S. Plans

In addition to both being voluntary, the U.S. and U.K. cybersecurity frameworks aren't intended to replace existing cybersecurity practices but to supplement them in a way that works best for each company's particular circumstances, Montgomery said.

Although both schemes share a tiered-implementation structure, there are also differences in the use of these tiers, he said. Under the U.K. scheme, an organization may achieve bronze, silver or gold tier status depending on the level of independent certification of its cybersecurity readiness. The NIST framework includes four tiers--partial, risk informed, repeatable and adaptive--which indicate the extent to which a business meets the framework requirements, Montgomery noted.

The U.K. intends to use its scheme in the context of government procurement, whereas the U.S. government had repeatedly said the framework won't be made mandatory, he said. “That being said, cybersecurity is a significant area of contractual requirements in the defense industrial base, and the NIST-based requirements may well become mandatory in certain areas or form the basis for state negligence standards,” Montgomery said.

He also noted that in the U.S., multiple federal agencies--such as the Securities and Exchange Commission--as well as the state of California, are issuing cybersecurity guidance that, although not mandatory, strongly influences what companies should do to strengthen their data safeguards.


To contact the reporter on this story: Ali Qassim in London at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Further information on the U.K. Cyber Essentials Scheme--including the Cyber Essentials Scheme summary, the Cyber Essentials Scheme requirements for basic technical protection from cyber attacks, the Cyber Essentials Scheme proposed assurance framework and the Cyber Essentials Scheme proposed assurance framework response form is available at https://www.gov.uk/government/publications/cyber-essentials-scheme-overview.