The National Cyber Security Centre (NCSC) has recently released a White Paper outlining a new approach to technology assurance and its plans for implementing it.
In a world that is heavily reliant upon technology and in particular connected devices, it is imperative that devices and systems can be trusted, not just to perform their main function, but with regards to cyber security as well. Any internet-enabled device poses a potential security threat to its users and, with techniques used by attackers becoming ever more sophisticated, it’s essential that the security of all devices is assessed and assured as comprehensively as possible.
The NCSC has, for over 30 years, been involved in assuring the security of technology and now plans to adapt its assurance testing processes and expand its remit to a wider range of technologies than ever before, moving beyond security-focused products to technologies ranging from smart meters to quantum technologies.
In the White Paper, the NCSC announces a new approach to its security testing that moves away from the ‘one size fits all’, checklist-based approach used previously and towards a ‘principles-based approach’ for the future. The paper identifies many issues with existing product assurance schemes, including immediate legacy technical debt, a lack of testing leading to vulnerabilities, misplaced consumer confidence in badges past their expiry date, and a security focus on individual products rather than on the system as a whole.
The new approach will focus on overarching aims rather than specific tasks, therefore enabling it to be flexible, consider context and risk, and keep up with the needs of the ever-advancing multi-use technologies under development. This new holistic approach has the following objectives: achieve more by enabling others; gain confidence in a broader set of technologies; support Secure by Design to have impact at scale; talk in terms of risk, not compliance; seek more continuous assurance.
The principles outlined in the White Paper are:
- Product Design and Functionality: which will describe the features a product needs to implement.
- Product Development: which will describe how a product should be designed, implemented and tested.
- Through-life Principles: which will describe the security measures that need to happen beyond development.
These principles mean that the security of a device is considered from the beginning of the design and development phase and throughout the product's lifetime, giving users confidence that the security of technologies is always being considered and maintained. The NCSC will make these principles available to all on its website, enabling others to assess, with confidence, whether the security of a particular technology meets their needs.
The NCSC recognises that implementing this new approach will take time, and it has set out a timeline of short-, medium- and long-term actions to make it happen. The organisation has also stated that it will continue to develop further principles as required.
During 2022, the Quantum Communications Hub will be considering the implications of this new approach for the quantum communications sector, and the applications of the principles to the assurance of quantum communications technologies and systems in the future.