The UK loves cybersecurity so much, it's going to regulate managed service providers' infosec practices in law (Security News, May 2021)
The British government has vowed to create a legally binding cybersecurity framework for managed service providers - and if you want to tell gov.
Targeted at managed service providers and firms outsourcing their digital infrastructure services alike, the review is described by the government as helping build evidence for "additional government intervention" to force businesses into formally assessing cyber risks to their supply chains.
Matt Warman MP, whose Department for Digital, Culture, Media and Sport job title this week is "Digital infrastructure minister", said in a canned statement: "There is a long history of outsourcing of critical services. We have seen attacks such as 'CloudHopper' where organisations were compromised through their managed service provider. It's essential that organisations take steps to secure their mission-critical supply chains - and remember they cannot outsource risk."
Chris Waynforth, AVP Northern Europe at Imperva, mused: "It's interesting to see the onus the government is placing on providers of digital services, in particular those providing managed services - suggesting they may be subject to some sort of regulation for the first time."
The Society for Computers and Law summarised the purpose of the exercise as being "to identify whether there is activity causing harm in the area covered by the CMA that is not adequately covered by the offences. This includes whether law enforcement agencies have the necessary powers to investigate and take action against those attacking computer systems."
It may be that the perception of the CMA as a giant sword hanging over the necks of innocent infosec bods is wrong, but so far most public uses of the CMA in the courts have been against things that looked and smelled very much like deliberate criminal offences.