The UK economy relies heavily on software and digital technologies, with the software market projected to reach £27bn in 2023 [1]. On 6 February 2023, the Department for Digital, Culture, Media and Sport (DCMS) published a call for views on software resilience and security for businesses and organisations (see note below on recent government department changes). It aims to inform any policy interventions to improve organisational resilience to software security risks and support software security by design.
The DCMS’ focus on collaboration with stakeholders provides an opportunity for organisations who wrestle with the challenges of managing internal software ecosystems to feed directly into government policy. It is also the first formal dialogue the DCMS has sought with the open-source community and acknowledges the complexity of open-source risks within the software supply chain.
The call for views is split into three sections:
- Software risks – outlines a holistic and systematic approach to identifying risks in the software lifecycle, from development to distribution by vendors through to final use, maintenance and configuration by customers;
- Existing industry measures – acknowledges how industry already has some measures in place such as recognised guidance, standards, or specific frameworks and seeks greater understanding to ensure that any government support or intervention to prevent market failures fills gaps in the current landscape; and
- Future government action – provides the opportunity for respondents to highlight the policy options that are most likely to be effective.
Software risks
The DCMS has identified three key groups in the lifecycle of a software product and is seeking the following feedback from each of them:
- developers of software are asked to input on accidental vulnerabilities, intentional compromises, and insecure development environments, as well as the financial and operational barriers faced by companies in ensuring that critical software is regularly maintained;
- distributors of software are asked to provide views on the issues faced in securing networks, identify steps required to prevent passing on vulnerabilities to customers, and describe the role they play in enabling greater transparency in respect of the contents or provenance of software; and
- software customers are asked to help inform both policy and guidance by sharing details of risks to their procurement and supplier management processes along with hurdles they face ensuring software is configured correctly and properly maintained.
Existing industry measures
The DCMS has requested feedback on measures already adopted by organisations to embed security by design into their software and processes. These include guidance and standards, such as the security principles published by the NCSC or ISO 27001, as well as controls, best practices, procurement questionnaires, frameworks and documentation such as software bills of materials (SBOMs). The DCMS has indicated that this will enable it to better target and prioritise government support.
Future government action
The final section of the call for views requests suggestions from individuals, businesses, and community groups on actions that the government may take to address existing and future concerns for software resilience and security. Potential actions that the DCMS has proposed include guidance, tools, training, accreditation, and regulation. At the DCMS's software security workshop held at the "State of Open Conference" on 7 and 8 February 2023, there was shared emphasis on the need for greater education and more accessible resources, particularly for SMEs without mature IT functions. It was noted that implementing a typical top-down regulatory approach could potentially stifle innovation, and that in the past the UK government has introduced 'soft' standards by embedding them into public procurement requirements.
Next steps
The call for views closes at 11.45pm on 1 May 2023 and the DCMS aims to respond in summer 2023. Representatives from the DCMS are likely to be in attendance at software industry events and open-source conferences to ensure collaborative engagement with all stakeholders.
Note: This call for views by the DCMS was published before the changes to government departments that took place on 7 February 2023. We anticipate this call for views will now belong to the newly formed Department for Science, Innovation and Technology, headed up by former DCMS minister Michelle Donelan.
-----------------
[1] DCMS, Call for views on software resilience and security for businesses and organisations, 6 February 2023