The UK Government Announces Ambitious Proposals to Improve Software Security and Resilience

In light of organizations' increasing use of and reliance on software, and the concerns raised about its malicious exploitation, the UK Government has published a response to its call for views on software resilience and security for businesses and organizations. (See here for details of the call for views.) The UK Government has unveiled an ambitious plan to enhance software security practices in the UK by proposing baseline security expectations for software vendors, with the aim of giving customers more transparency and consistency.

The UK Government’s call for views focused on software risks across the entire software lifecycle, from the development and distribution of software packages through their use and maintenance until they are retired. The UK Government received submissions from 136 software vendors, developers, customers, academics, insurance bodies, cybersecurity experts and other industry stakeholders. Based on these submissions, the UK Government plans to undertake a number of key actions to improve software security practices and protect the security and resilience of organizations in the UK. The government’s response highlights a range of initiatives aimed at setting clear expectations for software vendors, strengthening accountability in the software supply chain, and protecting high-risk users while addressing systemic risks. The key initiatives are summarized below:

  1. Setting clear expectations for software vendors
    The most significant development is a plan to introduce a voluntary code of practice for software vendors that sell software commercially (Code of Practice), which aims to establish baseline security expectations, foster a unified approach to secure software development (e.g., in relation to the use of artificial intelligence) and set out requirements relating to transparency and communication with customers. The Code of Practice will be voluntary, but the UK Government has said that it may consider legislative backing if industry uptake is insufficient. The UK Government suggests that the Code of Practice will help organizations procuring software to understand what level of security they should expect and can reasonably demand from software vendors, for example regular vulnerability testing and reporting as part of a risk management lifecycle process.
  2. Strengthening accountability in the software supply chain
    Cybersecurity training and standardized procurement clauses are being developed to give procurement professionals the knowledge needed to drive improved practices in the software market. Standardized procurement clauses based on the Code of Practice will give organizations, regardless of size or sector, a consistent framework for including clear cybersecurity requirements in their contracts with software vendors, and will enable those vendors to respond to consistent requests more efficiently.
  3. Protecting high-risk users and addressing systemic risks
    As security in high-risk contexts, especially public sector software development, is a particular priority for the UK Government, the Code of Practice will call for rigorous testing of third-party components, with the aim of ensuring a more secure development process. The UK Government will also explore creating minimum security requirements for organizations supplying software to the UK Government, reflecting its aim of leading by example and setting clear expectations for software vendors. It will further explore a government initiative to assess and improve the resilience of free and open-source software used in high-risk contexts.

Conclusions
Whilst the UK Government’s proposals are aspirational, with no committed timeframes and a Code of Practice that remains voluntary, the high number of submissions in response to the call for views is a positive indication that software vendors are at least interested in engaging with the UK Government on software security and resilience. This all sits within the context of legislative reforms across the European Union, which cannot be ignored. Resilience is at the heart of these reforms, which include: the Digital Operational Resilience Act (DORA), which aims to strengthen the IT security of financial entities so that the European financial sector can maintain resilience in the event of a severe operational disruption; the Network and Information Security Directive (NIS 2), which expands the scope of the previous cybersecurity legislation, strengthens security requirements, streamlines reporting obligations, and introduces more stringent supervisory measures and stricter enforcement; and the Cyber Resilience Act, which aims to safeguard consumers and businesses buying or using products or software with a digital component. It remains to be seen whether the UK Government will follow the mandatory compliance approach of the European Union’s sweeping reforms, or whether the focus will stay on best-practice guidance, like the voluntary Code of Practice. Either way, we anticipate many further developments in the software security and resilience space.

The authors would like to thank trainee solicitor Anahita Shahrokh for her contributions to this blog.