The U.K. government is mulling the rollout of a voluntary set of rules urging software vendors to responsibly disclose vulnerabilities in their systems. The measure comes as the government continues to face criticism over poor management of legacy infrastructure.
The British government in February 2023 began soliciting comments from software vendors, government agencies and other stakeholders on shoring up the software supply chain to help avoid high-impact incidents targeting the country’s infrastructure.
The effort came amid successful hacks of the Royal Mail, the National Health Service and the MOVEit file transfer application, the last of which affected hundreds of organizations worldwide, including British Airways and the British Broadcasting Corp.
About 200 stakeholders participated in the call for comments, and in a report released Tuesday, respondents said urgent government intervention is needed to encourage software vendors to responsibly disclose details of vulnerabilities that affect their systems.
“Fear of penalization, reputational damage and loss of customers can deter businesses from reporting software vulnerabilities, and 80% of respondents agreed that more should be done to ensure that organizations disclose information quickly to stop the spread of infection,” according to the report.
About 23% of the respondents said vulnerabilities and malware stemming from open-source software components remain a key systemic risk to the software ecosystems, and 54% said that flaws from the open-source environment could severely hurt the U.K. economy.
The use of unmonitored third-party open-source libraries also poses major obstacles to security, and tackling issues involving software can be challenging because many organizations cannot get adequate funding during the development cycle.
The respondents said they relied on industry secure software frameworks and standards, as well as guidance released by national and international agencies such as the U.K. National Cyber Security Centre. They said, however, that government intervention on safe vulnerability disclosure would bring more transparency into incident management and allow organizations to tackle security issues more effectively.
The respondents also said the government should issue guidance on a software bill of materials, offer certifications for software vendors and developers, and develop regulations requiring software developers and vendors to meet minimum standards of transparency.
In response to the call, the U.K. announced it will publish its voluntary set of practices for vendors, which will build on existing national and international standards. The proposal will set “baseline expectations of software security” and aim to improve the country’s cyber resiliency, according to the U.K. Department for Science, Innovation and Technology, which led the consultation.
“We must ensure that the foundations of software security are in place so that we can react quickly to challenges posed by new and emerging technologies, such as artificial intelligence,” said Viscount Camrose, the U.K.’s AI and intellectual property minister.
The government’s efforts to ramp up its cyber resiliency capabilities come as it continues to face mounting pressure from lawmakers over its poor management of legacy infrastructure across public offices.
Parliamentary scrutiny last year found that the Home Office, the Treasury, the Ministry of Defence and the Ministry of Justice each continued to have more than one “red-rated” system that is outdated, vulnerable to hacks or no longer receiving support updates from the software supplier.
Lawmakers on the Committee of Public Accounts found that the inventory management systems used by the Army and Royal Navy are nearly 40 years old.
It is unclear when the U.K. government will release the software vulnerability management rules, but the department said software vendors, users and government agencies – including the NCSC – will develop adequate cybersecurity guardrails and procurement processes for application security.