SJUK Exclusive: Legislation. Security. Conversation

March 21, 2022

Philip Ingram MBE explores why there will be such a busy relationship between security and government in 2022.

There is no doubt that 2022 and 2023 will be huge years for the machinery of government’s engagement in matters relating to security. By ‘machinery of government’, I mean the whole of our political system, including the House of Commons, the House of Lords and the established oversight commissioners, as new laws are debated and prepared for royal assent and as the mechanisms that regulate and oversee legislation are changed.

The security landscape is changing and the biggest piece of legislative change that will be debated in the Houses of Parliament in 2022 – and looks set to come into law in 2023 – will be the new UK Protect Duty (Martyn’s Law).

The Protect Duty legislation will have significant implications and will mandate a level of security for publicly accessible locations; this will include training for staff as well as other additional measures that will be a part of the legal responsibility. This is a first for the security industry and builds on the horrific lessons from the 2017 Manchester Arena attack.

However, convergence between physical security and cybersecurity is now the rallying cry, and new legislation is being introduced that will affect all installers and integrators on top of what is coming with the new Protect Duty. This additional legislation is the new ‘Product Security and Telecommunications Infrastructure Bill.’

The bill still has some way to go through the legislative process in the House of Commons and the House of Lords but it is designed to “make provision about the security of internet-connectable products and products capable of connecting to such products; to make provision about electronic communications infrastructure; and for connected purposes.”

Essentially, it lays out three new rules:

  • Easy-to-guess default passwords preloaded on devices are banned
  • All products now need unique passwords that cannot be reset to factory defaults
  • Customers must be told when they buy a device the minimum time it will receive vital security updates and patches

Security is now beginning to receive the legal underpinning that Health and Safety has had in place for multiple years.

A need for change

The pure cyber world is not escaping change either. The Department for Digital, Culture, Media and Sport (DCMS) has plans that follow recent high-profile cyber incidents such as the attacks on SolarWinds and on Microsoft Exchange Servers, which exposed vulnerabilities in third-party products and services. They also follow an increase in ransomware threats to organisations, including some in critical national infrastructure, such as the Colonial Pipeline attack in the US.

DCMS stated: “New laws are needed to drive up security standards in outsourced IT services used by almost all UK businesses. Other proposals include making improvements in the way organisations report cybersecurity incidents and reforming legislation so that it is more flexible and can react to the speed of technological change.”

Within these proposals there are three cybersecurity challenges facing the country. These are:

  • Proposals to amend provisions relating to digital service providers
  • Proposals to future-proof the UK Network and Information System (NIS) regulations
  • Empowering the cybersecurity profession

The cyber community’s thoughts on each are being addressed through two separate consultations. The first is looking at digital service providers and NIS regulations aimed at creating a comprehensive framework for managed services and upgrading security legislation so the country can more easily manage future risks. The second is directly focussed on embedding the standards and pathways across the cyber profession, with all this happening by 2025.

On the back of empowering the cybersecurity profession, the consultation asks what support there would be for the UK Cyber Security Council to run and maintain a professional register, effectively making it the statutory regulator for all those involved in information security in the UK. This could be a major step towards the wider professionalisation of a key sector within the security industry.

Simon Hepburn, CEO, UK Cyber Security Council, remarked: “The UK Cyber Security Council is delighted that these proposals recognise our cyber workforce lead role that will help to define and recognise cyber job roles and map them to existing certifications and qualifications.”

“Finding the right balance”

Regulatory and oversight change proposals are not limited to the information security world. Another area where change is proposed is the oversight of CCTV and biometrics and its relationship with the Information Commissioner’s Office.

In England and Wales, the Protection of Freedoms Act established the Surveillance Camera and Biometrics Commissioner, a position currently held by Professor Fraser Sampson. However, the Home Office has had a study out to see if and how the responsibilities of this post could be refined and possibly brought under the remit of the Information Commissioner’s Office.

However, Professor Sampson is not in favour of the proposal and said in his formal response: “There can be no doubt that technologies using surveillance and biometric data are progressing at a rapid pace. Clearly, the use of such technologies can be intrusive to privacy and raises other human rights considerations.

“However, when used ethically and accountably, technology can also provide significant opportunities for law enforcement agencies to improve the prevention and investigation of serious crime and the prosecution of some very dangerous individuals, helping safeguard other fundamental rights such as the right to life and freedom from degrading or inhumane treatment.

“Finding the right balance between the privacy concerns and entitlements of the individual, while harnessing new technology ethically, accountably and proportionately, is proving a significant challenge for policing today; tomorrow’s technology will make it even more so.

“The functions of these two important roles are very different. The Biometrics Commissioner role is quasi-judicial and covers police retention and the use of DNA and fingerprints whereas the Surveillance Camera Commissioner role is more strategic in providing oversight of the surveillance of public space by the police and local authorities. Both functions are about much more than upholding data rights. Proposing their absorption by the ICO is to misunderstand the specific nature and importance of both.”

What is clear is that the security industry is occupying a lot of government time and is on the edge of some massive legislative developments.

This article was originally published in the March edition of Security Journal UK.