The House of Commons Select Committee on Science, Innovation and Technology recently launched an inquiry into the UK’s cyber resilience across Critical National Infrastructure (CNI). The inquiry is mainly focused on the UK’s progress towards making computer hardware architecture more secure by design to protect CNI. However, the Committee also asked for expert opinions on the UK Government’s National Cyber Strategy 2022 and Government Cyber Security Strategy 2022-2030 (the Strategies) – including strengths and weaknesses – in relation to CNI for the digital economy.
As Nominet is an ‘Operator of Essential Services’ under the Network and Information Systems (NIS) Regulations 2018, we submitted an expert opinion on aspects of the government’s Strategies where we have valuable insights to share with the Committee. Looking at how the Strategies relate to the Internet, it’s clear they would benefit from additional clarification on the Internet infrastructure’s role in cyber resilience across CNI. As they stand, they focus very much on protecting internet-connected systems and give less emphasis to protecting the Internet infrastructure that CNI depends on. Nominet has a wealth of in-house technical expertise and can provide a unique perspective on where government strategies could be further strengthened to enhance the Internet infrastructure’s resilience.
An area we felt the Committee should look at is UK leadership in developing digital standards that affect the Internet. A 2022 EU Parliamentary Research Service report on the splinternet points out that powerful actors (including nation states and global corporations) now ‘defend their political and economic interests through the formulation of technical standards and protocols’. It’s worth noting the Strategies rightly point to the need to uphold an open and interoperable Internet and highlight the importance government sees in participating in international fora that influence digital standards underpinning the Internet. That’s also made very clear by the government’s endorsement of the Declaration for the Future of the Internet in 2022. Having said that, explaining how the UK will develop the additional capacity required to protect the multistakeholder governance of Internet technical standards from interference by such powerful actors would strengthen the Strategies.
The Strategies make a strong argument for the need for effective multilateral organisations and partnerships to build international cyber capacity. They highlight the need to work with the United Nations, Five Eyes, NATO, G7, European Union, Commonwealth, OECD, Global Forum on Cyber Expertise (GFCE), ASEAN Forum, African Union and the World Bank. We felt the Committee should look at whether multistakeholder fora should also be part of the mix when thinking about building international cyber capacity. In particular, whether there is a need to establish an effective multistakeholder international institution bringing together nations, public and private sector organisations and civil society groups with similar democratic values that can develop international cyber capacity.
There is a swathe of different UK and international digital regulations and standards beyond those specific to cyber security that UK companies are required to comply with, or in some cases voluntarily follow, to support their value chains. For example, although it’s not something the UK has to transpose into domestic legislation, the EU’s NIS2 Directive will impact UK value chains, and therefore UK businesses will have to put in place processes to ensure they don’t adversely diverge from NIS2 in a way that would add burden for their business partners. In our submission, we’ve said that recognising the complexity of the regulatory and compliance landscape and the need for government to take a holistic view of how to support UK companies would strengthen the Strategies.
The Strategies rightly emphasise the importance of industry adopting Secure by Design Principles. The problem here is that those principles don’t appear to be widely followed in practice. The US Cybersecurity and Infrastructure Security Agency’s report from April 2023 on principles and approaches for Secure by Design software, which is co-signed by twenty national security agencies including NCSC, states ‘too many manufacturers place the burden of security on the customer rather than investing in comprehensive application hardening’. That report states Secure by Design principles aren’t being adopted at the necessary scale, yet the concept of secure by design has existed for the past 20 years. Our submission states that if we want software manufacturers to make Secure by Design the default, we need to be clear on how that translates to product development, deployment and maintenance, prove the business value to organisations (particularly SMEs), and explore barriers to uptake in adopting its principles. This is an important area for the Committee to focus on in our view.
The National Cyber Strategy 2022 references that it’s complementary to the Online Safety Bill (OSB), which received Royal Assent on 26 October 2023 and is now the Online Safety Act. There’s a fundamental tension between imposing safeguarding, privacy and freedom of expression requirements on technology through the OSB whilst the Strategies expect the same technology to have stringent cyber security capabilities. Nominet is not an authority on how those tensions can be resolved, but at the same time, it’s important to highlight that they exist and will be challenging to resolve. In our submission, we said that explaining the democratic process by which inevitable policy compromises will be reached between privacy, freedom of expression, safety and security would strengthen the Cyber Strategy. In our view, this is necessary to ensure future technologies can be developed in a way that’s compliant with regulatory frameworks and still provides adequate cyber protection across CNI.
Under NIS Regulations, Nominet is required to take appropriate and proportionate technical and organisational measures to manage security risks posed to network and information systems on which our essential service relies. In our submission, we explained that we welcome the UK taking an outcomes-focused, principles-based approach to regulation, including through the NCSC’s Cyber Assessment Framework (CAF). The last comment in our submission is that we value the way in which OFCOM works with us to enforce requirements in a collaborative and iterative way. This strengthens regulator capability while ensuring our business has the strongest internal security and information management policies possible.
The Nominet formal submission to the Committee can be found here.