UK Publishes Minimum Cyber Security Standard for Government Departments
28.6.18 securityweek Cyber
The UK government's Cabinet Office has published the first iteration of its Minimum Cyber Security Standard, which will be incorporated into the Government Functional Standard for Security. The standard is mandatory for all government departments (which includes 'organizations, agencies, Arm’s Length Bodies and contractors'); but provides an excellent security checklist/framework for all commercial organizations.
It is a surprisingly short document (PDF); just seven pages comprising 10 sections under five categories: Identify, Protect, Detect, Respond and Recover. It largely follows the wider European approach of mandating outcomes rather than specific means to achieve those outcomes -- but is not entirely devoid of specific instructions.
For example, Section 6_d _iv includes, "You shall register for and use the NCSC's Web Check service." Web Check is part of the NCSC's Active Defense program. It is designed to check public sector websites for common vulnerabilities, and by this time last year was quietly scanning more than 1,200 government sites every day.
Other requirements include support for TLS v1.2, and the implementation of Domain-based Message Authentication Reporting and Conformance (DMARC) "to make email spoofing difficult".
Another requirement (6_d_i) is that departments must, "Ensure the web application is not susceptible to common security vulnerabilities, such as described in the top ten Open Web Application Security Project (OWASP) vulnerabilities." How that is ensured, like all requirements, is not specified.
For example, MFA is required (where feasible), but no specific factors or methods are described (7_b). It therefor allows for, but does not mention, evolving behavioral biometric factors.
This is by design. The document itself says, "As far as possible the security standards define outcomes, allowing Departments flexibility in how the standards are implemented, dependent on their local context."
This lack of detailed prescription is welcomed by Sanjay Kalra, co-founder and chief product officer at Lacework. "This is especially important for organizations that operate workloads in the cloud," he told SecurityWeek. "Where change is rapid and continuous; the appropriate cloud security measures require flexibility in their approach. In some ways, the Standard is similar in structure to GDPR, where the emphasis is on the outcome, but the guidelines for implementation allow for a common-sense approach that is flexible enough to allow for what works best for the organization.”
The publication is largely well-received by the security industry. Ilia Kolochenko, CEO of High-Tech Bridge (which offers its own web scanning service for both public and private industry), told SecurityWeek, "Simplicity and efficiency are successfully combined in the document. Today, many governmental entities don’t even know where and how to start cybersecurity, and this document will certainly help them structure and manage their digital risks and implement proper cybersecurity processes."
It’s also exciting to see, he added, "some simple, but clear and effective, technical requirements such as proper TLS encryption and obligatory testing of web applications for OWASP Top 10."
Matt Lock, director of sales engineers at Varonis, fears its simplicity is deceptive. "The minimum standards may sound simple on paper," he told SecurityWeek, "but even large organizations may struggle putting these steps into practice." Joseph Carson, Chief Security Scientist at Thycotic, adds, "As always, the questions for all of these standards will depend on the ability to enforce them.”
Carson also notes that securing the supply chain includes insistence that suppliers meet the UK Cyber Essentials level 6. H is somewhat concerned that the whole process could be "an indication that as the UK government prepares for the imminent Brexit, it is taking its own direction when it comes to cybersecurity. However, past incidents reveal that a cybersecurity strategy that does not extend beyond the country’s borders is doomed for failure as it assumes all cybercrime only occurs from within."
Matt Walmsley, EMEA director at Vectra, notes the document is focused on the detection of known and common threats and attacks. "The really advanced attackers are well-resourced and highly motivated. They will use previously unseen innovative attacks that use both legitimate tools and zero-day vulnerabilities and exploits which will bypass traditional signature-based defense and detection approaches."
By definition, he suspects that government departments will be targets for advanced attackers. "Given the UK government departments are likely targets for cyber-espionage, and politically motivated hacktivists as well as broader cyber-attacks, it is vital that they have the ability to detect and respond to advanced hidden attackers in short order, and with high efficacy.”
Mark Adams, regional VP, UK&I at Veeam Software, believes it is a great start for government, but government needs to do more to sell the standard across private industry. "What hope does a minimum cyber security standard have of being adhered to, outside of the government departments where it is made mandatory? Precious little, unfortunately... more must be done by the UK government to educate the private sector and make it realize that data protection and more secure data management is a necessity."
U.S. security experts have been quick to see the parallels between the UK standard and NIST's Cybersecurity Framework. “If you look at the HMG Security Policy Framework (SPF), referenced by the Minimum Cyber Security Standard," Anupam Sahai, VP product management at Santa Clara, Calif-based Cavirin told SecurityWeek, "you’ll see that the overall structure is almost identical to the US NIST CSF -- and for good reason. The five primary functions – Identify, Protect, Detect, Respond, and Recover – are universal. Where the HMG SPF needs to go next is to map the high-level guidance to the more detailed UK-specific references, as they are mapped in the CSF. In parallel," he adds the UK has launched an Active Cyber Defense program, which in fact could serve as a template for the US.”
Lock also makes a comparison with the NIST framework. "The NIST Framework emphasizes the protection of data, provisioning access to a least-privilege “eyes-only” model, and continuous improvement among other key areas. And like the U.S. model, the Standard calls for continuous improvement, as organizations must be ready for the next attack.”
All told, the general consensus is favorable. The Minimum Security Standard is mandated for government, but also provides a valuable framework of private industry -- paralleling NIST in the U.S. Kolochenko sees even further value. "The UK," he said, "serves a laudable example on how cybersecurity can be and should be managed on a governmental level, that many other European countries can follow.”