The National Cyber Security Centre (NCSC) has signalled a commitment to a principles-based approach to providing assurance for digital technologies.
It has outlined its thinking, said it plans to publish the principles during the autumn, and has produced a white paper that summarises its thoughts on the next steps for assurance.
Helen L, head of the technical assurance group at the NCSC, said the new “principles-based assurance” approach emphasises the overarching aim rather than a checklist in working towards assurance.
“This checklist-based approach only goes so far and works best when we know exactly how something is going to be used, in a static environment, where threats don’t change much,” she said in a blog post.
“In cyber security we don’t have the luxury of an unchanging world. Technologies are connected to each other, and people.
“Cyber attackers are developing new techniques and capabilities all the time. What is a highly motivated and resourced capability today can quickly turn into an off-the-shelf attack tomorrow.”
Contrast with standards
She indicated that the principles will be divided into three sections – design and functionality, product development and through-life – and are being formed by the NCSC’s experience of working with industry and government. They work best at system level, where there are many ways in which a technology could be deployed or used. This contrasts with standards, which work best for more constrained use cases and technology scopes.
Helen L also pointed towards the already published assurance principles for product development, which are broken down into seven areas of concern: design for user need; enable your developers; manage your supply chain risk; secure your development environment; review and test frequently; manage change effectively; and build for through-life.
The NCSC is working on ways in which evidence could be provided to show adherence to the new principles, and is developing its internal capability to deliver the assurance.
The white paper emphasises the need for a new approach to technology assurance, given the growing ubiquity of connected devices and the desire to project the value of UK technology overseas.
Choice will vanish
Chris Ensor, deputy director for cyber skills and growth at the NCSC, commented in a second blog post: “If we come up with an approach that tries to make all technology resilient against the former then timescales will extend, costs will rocket, and choice will vanish.
“We need to be able to cater for the variety of risk environments in which people operate and provide the information that will allow them to identify resilient technologies that meet their needs.”