UK Mulls Rollout of New Software Vulnerability Rules
Voluntary Rules Will Set Baseline Security Requirement for Software Vendors, Users
The U.K. government is mulling the rollout of a voluntary set of rules urging software vendors to responsibly disclose vulnerabilities in their systems. The measure comes as the government continues to face criticism over poor management of legacy infrastructure.
The British government in February 2023 began soliciting comments from software vendors, government agencies and other stakeholders on shoring up the software supply chain to help avoid high-impact incidents targeting the country's infrastructure.
The effort came amid successful hacks of the Royal Mail, the National Health Service and the MOVEit file transfer application, which affected hundreds of organizations worldwide, including British Airways and the British Broadcasting Corp.
About 200 stakeholders participated in the call for comments, and in a report released Tuesday, respondents said urgent government intervention is needed to encourage software vendors to responsibly disclose details of vulnerabilities that affect their systems.
"Fear of penalization, reputational damage and loss of customers can deter businesses from reporting software vulnerabilities, and 80% of respondents agreed that more should be done to ensure that organizations disclose information quickly to stop the spread of infection," according to the report.
About 23% of the respondents said vulnerabilities and malware stemming from open-source software components remain a key systemic risk to the software ecosystems, and 54% said that flaws from the open-source environment could severely hurt the U.K. economy.
The use of unmonitored third-party open-source libraries also poses major obstacles to security, and tackling issues involving software can be challenging because many organizations cannot get adequate funding during the development cycle.
The respondents said they relied on industry secure software frameworks and standards, as well as guidance released by national and international agencies, such as the U.K. National Cyber Security Center. But they said government interventions for safe vulnerability disclosure would bring more transparency into incident management, allowing organizations to tackle security issues more effectively.
The respondents also said the government should issue guidance on a software bill of materials, offer certifications for software vendors and developers, and develop regulations requiring software developers and vendors to meet minimum standards of transparency.
In response to the call, the U.K. announced it will publish its voluntary set of practices for vendors, which will build on existing national and international standards. The proposal will set "baseline expectations of software security" and aim to improve the country's cyber resiliency, according to the U.K. Department for Science, Innovation and Technology, which led the consultation.
"We must ensure that the foundations of software security are in place so that we can react quickly to challenges posed by new and emerging technologies, such as artificial intelligence," said Viscount Camrose, the U.K.'s AI and intellectual property minister.
The government's efforts to ramp up its cyber resiliency capabilities come as it continues to face mounting pressure from lawmakers over its poor management of legacy infrastructure across public offices.
Parliamentary scrutiny last year found that the British Home Office, Treasury, Defense and Ministry of Justice continued to have more than one "red-rated" system that is either outdated, vulnerable to hacks or receiving no support updates from the software supplier.
Lawmakers on the Committee of Public Accounts found that the inventory management systems used by the Army and Royal Navy are nearly 40 years old.
It is unclear when the U.K. government will release the software vulnerability management rules, but the agency said software vendors, users and government agencies - including the NCSC - will develop adequate cybersecurity guardrails and procurement processes for application security.