DCMS opens supply chain security consultation

MSPs may have to prove they have basic security measures in place

The Department for Digital, Culture, Media and Sport (DCMS) is opening a consultation on options to tighten the security of digital supply chains and third-party IT services, which are frequently used as an attack vector by cyber criminals and state actors.

With organisations rapidly moving services online, new vulnerabilities in supply chains and partner networks have emerged, and yet research carried out by DCMS found that only 12 per cent of organisations review the cyber security risks from their immediate suppliers and only one in twenty address the vulnerabilities in their wider supply chain.

"There is a long history of outsourcing of critical services," said Digital Infrastructure Minister Matt Warman in a press release.

"We have seen attacks such as CloudHopper where organisations were compromised through their managed service provider. It's essential that organisations take steps to secure their mission-critical supply chains - and remember they cannot outsource risk."

Perhaps the best-known supply chain attack was that of US retailer Target, which suffered a serious data breach in 2013 when attackers hacked an air conditioning supplier that had privileged access to parts of Target's networks. More recently, attackers compromised the SolarWinds network monitoring software used by thousands of companies and US Government departments, and used that access to steal sensitive data over many months.

The DCMS is seeking the views of firms that procure digital services as well as those that provide them, to determine whether the rules and guidance need tightening.

Among the measures under consideration are more stringent requirements on managed service providers (MSPs), including that they meet the NCSC's Cyber Assessment Framework, with policies in place to protect against intrusions, to protect data at rest and in transit, and to provide adequate training for staff.

The call for views was launched yesterday and will run until 11 July 2021.

Commenting on the announcement, Ilkka Turunen, field CTO at software security vendor Sonatype, said that while the announcement is welcome, it does not mention vulnerabilities in the software supply chain.

"Eighty to 90 per cent of the code in modern applications consists of open source components downloaded from online repositories, yet these components are subject to little, if any, regulation," he said.

"If the UK is serious about improving supply chain security, it needs to follow the lead of the Biden administration, which last week announced an Executive Order requiring companies to produce a software bill of materials.

"Only by tackling the security of the software supply chains themselves, together with supplier cyber risk management, will companies be able to truly secure their supply chains."