Frustrated at lack of activity from the “standard setting” UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.
Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don’t meet “competence and ethical requirements.”
The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.
Officials in the Department for Digital, Culture, Media and Sport (DCMS) even linked their new professional regulation plans with future Computer Misuse Act amendments, floating the idea that people who aren’t UKCSC-registered professionals might not be able to claim any new legal defences.
Part of the new National Cyber Strategy launched late last year is for there to be a government-controlled body “at the top of the profession” in the UK.
At the moment everyone’s running with a hotchpotch of industry-created certifications for staff, with companies passing NCSC-backed audits for access to sensitive government contracts. UKCSC is intended to impose a single UK-specific structure on all of that.
Yet over the past year it appears UKCSC hasn’t achieved very much, with official disapproval of this being all but buried in a very long public consultation document titled “embedding standards and pathways across the cyber profession by 2025.”
“We have heard through engagement that providing recognition of the UK Cyber Security Council through legislative underpinning would further support its role as the standard setting body for the profession,” said the consultation, adding that UKCSC has received “grant funding for the first four years of operation to allow it to develop a business model.”
A suspicious person might think industry appears to be ignoring the self-declared “voice of the cyber security profession” to DCMS’s horror. Bemoaning the amount of money and effort poured into UKCSC so far, the consultation said:
Last year UKCSC’s launch immediately hit the rocks after it told the world to visit its official website; a website on a domain it didn’t actually own or control. Putting this kind of organisation in charge of the entire UK cybersecurity sector as a state-owned gatekeeper doesn’t seem like an auspicious move.
The consultation on UKCSC’s statutory underpinnings is open and runs until 2345 on Sunday 20 March. Have your say – or don’t, but don’t complain if you do nothing and then don’t like the outcome. ®