ADS input to Cyber Essentials Scheme

I have blogged before about the government’s new Cyber Essentials Scheme.

On 12 May 2014, ADS hosted a roundtable to provide input on the Government’s draft Assurance Framework for the Cyber Essentials Scheme (CES) to the Department for Business, Innovation and Skills (BIS).   The participants included potential certifying/accreditation bodies; vendors of cyber security products and services who view the Scheme as a way of kick-starting the UK’s cyber security market; and representatives from companies within the aerospace, defence, security and space supply chains who may have to apply the Scheme within their organisations, whether because of government procurement requirements or other market drivers.

This is a summary of the key points and conclusions from the roundtable:

1. HMG’s choice of controls within the Cyber Essentials Scheme

The participants queried why the controls within CES were all technical and highlighted the importance of: human factors; risk assessment/encouraging organisations to understand the evolving threat; and education.

Following discussion with BIS and GCHQ representatives, the participants accepted that the technical controls were based on an in-depth analysis of adversary kill chains. They also accepted that some technical controls might help counter the vulnerabilities created by human behaviour. For example, if a user opens a link in a phishing/social engineering email, a computer that has been patched will stop the malware being executed despite the human error

BIS and GCHQ should publish the analysis of adversary kill chains that underpins and has led them to select the five controls in CES. This is essential to build confidence in the Scheme.

Nonetheless, participants noted that:

• To properly implement the five technical controls on an ongoing basis, appropriate governance, management and training processes need to be embedded.
• Implementation of the controls should be supported by real-time advice from government about evolving threats (as threat vectors can change on a daily basis), possibly provided through the Cyber Security Information Sharing Partnership (CISP). Controls and assessments need to be dynamic not static.
• The controls will not necessarily apply to all current, and in particular future, technologies and ways of working such as Bring Your Own Device (BYOD), Wear Your Own Device (WYOD), the use of social media and Cloud services. This is because CES is based on an assumed architecture. A better way of identifying the architecture that needs to be protected is by linking information risk to business objectives. The Ministry of Defence has undertaken work in this area which may be useful.
• The controls do not cover the full “lifecycle” of effective cyber security –designing for failure, intrusion and breach.

An alternative approach to that proposed by CES would be to require organisations to provide a narrative response on how they are meeting the outcomes in the ’10 Steps to Cyber Security’ and related BIS guide on ‘Small businesses: what you need to know about cyber security’. This could be supported by advice from the government, including technical, on how to achieve the 10 Steps – similar to the Australian Government’s Top 35 Mitigation Strategies.

2. The two/three tier approach

From the roundtable discussion, it was clear that participants were confused about the purpose of the two/three tiers for assurance. [1]

Participants wrongly thought that each tier involved applying the five technical controls with a greater degree of rigor or to a higher level of sophistication, when in fact the tiers are actually about the different levels of evidence that an organisation provides to show that it has implemented the controls. The controls are the same for each tier of assurance – it is only the level of verification of their implementation that differs.

BIS needs to refine its messaging to ensure that organisations are not confused about what the purpose of the tiered approach is.

Even when the purpose of the tiered approach was understood, participants did not think that having different tiers would necessarily be useful when starting the Scheme. This was for a number of reasons:

• You can only have one “essential”, not two or three.
• There is a danger that only higher tier(s) will get recognised.
• If the cost between the Bronze and Silver tiers is marginal, organisations are likely only to aim for Silver.
• The tiers are about the level of confidence someone can have that an organisation has implemented the controls, but who determines what level of confidence is required? How will people know what level of confidence they should have? Will the market determine this itself? Who sets the demand? People and organisations should know what level of confidence they should have to meet or ask for in different situations.

3. The scope of assessment of an organisation’s IT

A key question is whether the controls in CES should be applied across all of an organisation’s IT or only part, and therefore whether all of an organisation’s IT should be assured (an enterprise-based approach) or only parts. This issue is important, as it could drive different behaviours. Does the government want to encourage organisations to think about the value of their information and therefore implement the controls to protect the most valuable assets, or does it want organisations to implement the controls across their enterprises without considering the value of their information? In some contrast to CES, the Defence Cyber Protection Partnership (DCPP) is focusing on protecting (valuable) information.

The scope of assessment also has a bearing on cost (see (5) below). The larger the scope, the most expensive it will be for an organisation to achieve certification.

During the roundtable, participants noted that ISO27000 series certifiers already ask organisations a number of questions at the outset of a certification process to determine the scope of assessment. Similarly, the DCPP has developed criteria for identifying ‘top risk’ suppliers, where the organisations in question will be expected to adopt an enterprise approach to implementing controls rather than a project-by-project approach.

BIS should draw upon the existing questions used by ISO27000 series certifiers and the guidance produced by the Defence Cyber Protection Partnership to advise on the appropriate scope of assessment of an organisation’s IT for CES.

Participants also noted that CES makes assumptions about system configuration. These assumptions may not hold true for SMEs. For example, while SMEs will keep responsibility for user privileges and access rights (one of the CES controls), they are likely to contract out all other controls as a service. Even larger companies are increasingly outsourcing functions through Cloud. Participants expressed some doubts that service providers might be willing to submit to an assurance regime, as this will be an additional cost for the provider. Unless all customers ask the service provider to meet an assurance requirement, the provider is unlikely to do so.

Participants were also concerned that it will not be possible for an organisation to assess and assure their Cloud services in a meaningful way; a Software as Service provider will outsource to a Platform as Service provider who in turn will outsource to an Infrastructure as Service provider.

4. Silver tier test specification

Feedback on the draft test specification developed by CREST suggested that:

• There needs to be a risk assessment behind the pen testing. Some risks can be addressed through non-technical controls – people and processes over the application of technology – and organisations should have the choice about how they address particular risks. Choice is particularly important to keep costs manageable.
• Pen testing – and the entire CES – should not simply be a pass/fail exercise, but form part of a continuous improvement process based on feedback and action plans to rectify problems.

5. Proposed approach to implementation (1): costs

On the issue of cost of assurance, it was noted that cost would be a function of three variables:

• The skills of the assessor (a CLAS consultant would be more expensive than an IT technician).
• The scope of assessment.
• The knowledge and experience of the company being assessed (an experienced company may have already have all evidence ready in the correct format).

To ensure the Scheme is affordable for SMEs in particular:

• Primes may fund CES implementation for SMEs within their supply chain, just as they provide support to SMEs to develop codes of ethics and similar in order to do business with them.
• The cost of assurance will be kept lower if BIS qualifies SMEs to be certifiers. This would create a vibrant market and avoid the risk that a handful of large organisations dominate the assurance work.
• It may be possible to fix a cost for the Bronze tier, if this tier is commoditised. One way of doing this would be to automate the assessment/certification, if suitable software can be found or developed.

6. Proposed approach to implementation (2): risks with certification proposals

A number of participants expressed concern that the certification would only be a snapshot in time when the government should actually be encouraging continuous implementation. As noted above, controls and assessments need to be dynamic not static.

The certification organisations present at the roundtable raised three particular concerns with the Bronze tier proposals in the Assurance Framework:

• There is reputational risk for certification bodies in certifying an organisation without seeing it (as suggested by the Bronze tier).
• There is some doubt as to whether non-technical SMEs will be able to self-assess themselves.
• There is a lack of clarity about what CEOs will actually be self-attesting and how one could have confidence in self-attestation.

BIS needs to review the Bronze tier proposals to reduce reputational risk and improve confidence in self-assessment. One way of doing this would be to develop professional standards for self-assessment. BIS should identify and issue guidance about what qualifies a person to undertake a self-assessment and self-attestation (for example, a member of the British Computer Society).