A UK government official has called for engagement with the cybersecurity industry on legislation, regulations and codes of practices currently being developed.
During Black Hat Europe 2022, Irfan Hemani, deputy director for cyber security at the Department for Culture, Digital, Media and Sport (DCMS), laid out the UK government’s approach to cybersecurity and how the industry can help.
Hemani acknowledged that the UK government is currently very active in cybersecurity policymaking; however, he emphasized the importance of engaging with the cybersecurity industry as “it’s really important we’re not doing that outside the real world.”
The government’s ultimate aim is to enhance the safety of digital technologies to ensure they are an “enabler.”
This approach is codified in the government’s national cyber strategy published at the end of 2021 and its cybersecurity strategy for the public sector in January 2022.
These strategies “recognize that governments can only do so much, and the responsibility and engagement needs to be much broader,” according to Hemani. This includes tech firms, the cybersecurity community, academia and individuals.
He highlighted the UK government’s five goals for cybersecurity:
Some important components of these goals include ensuring that activities are proportionate to the risk, which means government services and critical national infrastructure are prioritized above other areas of the economy.
Another is connecting with international partners to develop a coherent policy as “cyber-threats are not confined to the UK borders.”
“All governments are doing this,” added Jen Ellis, cybersecurity advocate and community convenor, who was part of the session.
Hemani described the development of legislation in this area as a “last resort” and only used “if we absolutely have to.” This is because of the substantial time and costs involved. Therefore, laws should only be used if other options, such as guidance or industry self-regulation, do not work.
Nevertheless, three major cybersecurity bills are currently making their way through the UK’s legislative process. These are the Telecommunications (Security) Act, the Data Protection and Digital Information Bill and the Product Security and Telecommunications Infrastructure (PSTI) Bill. Hemani added that the last of these, the PSTI Bill, was signed into law on December 7, 2022.
Hemani and Ellis then highlighted other cybersecurity policy areas the government is looking closely at and will be inviting feedback and consultation on. These are: software security, enterprise IoT, professional qualifications, cybersecurity as part of business resilience and semiconductor security by design. Additionally, initiatives already ongoing in areas like app security and codes of practice can still be refined.
“You get to have an opinion on it – if you think it’s missing the mark in some way, the DCMS want to hear from you,” Ellis said, addressing the audience.
There are a number of ways that cyber professionals can engage with the government in its cybersecurity policy, which Ellis was keen to emphasize:
Finally, she emphasized the importance of cybersecurity professionals providing feedback in a respectful and constructive way to the government.
“They’re trying to make things better for all of us, so don’t approach them like an angry mob!” she added.