Policy paper

Call for views on software resilience and security for businesses and organisations

Published 6 February 2023

Ministerial foreword

Julia Lopez

Digital technologies play a crucial and ever-increasing role in the UK economy and in the day-to-day lives of citizens. Increasing digitisation brings huge economic and social opportunities and the UK is well placed to take full advantage of this. Embracing digital technologies across our economy is crucial to delivering the ambitions we set out in the National Cyber Strategy and UK Digital Strategy to secure the UK’s prosperity, national security, global competitiveness and geo-political standing in the world.

To achieve our aims, we must ensure consumers and businesses feel confident in digital technologies, which means the foundations of our technology must be secure. Software is one of the fundamental building blocks of digital environments: it underpins the operational function of all of our devices, and how they interact with each other in connected environments. Recent incidents such as the 2020 SolarWinds attack and the discovery of the Log4j vulnerability have demonstrated the widespread impact which insecure software can have on businesses, charities, educational institutions and other organisations operating across the UK - and globally. Strengthening the resilience of software is an important part of strengthening organisational cyber resilience more widely. This will help reduce the cyber threat to the economy and prevent harm to businesses, UK citizens and the UK’s worldwide customers.

The UK government has already made significant progress protecting the nation online through legislation, guidance and the work of law enforcement and the National Cyber Security Centre. Whilst these efforts continue to improve the UK’s cyber and digital resilience, technology continues to rapidly evolve and the cyber threat evolves alongside it. It is therefore crucial we take action to ensure the government and industry stays ahead of the threat and has the building blocks in place for a secure digital economy.

I am pleased to introduce this call for views as an important first step in understanding how to address software risks and help create a more resilient digital environment. The government cannot do this alone, so collaboration with partners will be crucial. Please give us your views on where we can share expertise and resources to address the cyber risks posed by software, as well as where the responsibilities should lie. We will also need to collaborate closely with our international partners, given that software and our digital environment are global and many cyber attacks have occurred outside the UK. This is an important debate, and I am looking forward to continuing discussions on which actions would be most effective and where government and industry should prioritise efforts.

I encourage all organisations with an interest in software security and digital supply chains to take part in this consultation, including those who procure, use, develop, maintain or resell software, as well as academics, international stakeholders and other interested parties.

Julia Lopez

Minister of State for Media, Data and Digital Infrastructure

Department for Digital, Culture, Media and Sport

How to respond

Please take this opportunity to shape our future work by responding to the online survey. To help us analyse the responses, please use the online consultation system wherever possible.

If you are unable to submit your response using the online survey, you can also submit an email response to cyber-review@dcms.gov.uk or a hard copy by post to:

Software Call for Views
Cyber Security Team - 4/48
DCMS
100 Parliament Street
London
SW1A 2BQ

The call for views will be open for 12 weeks, from the 6th February 2023. The closing date for responses is 11.45pm 01 May 2023.

When providing your response, you are also able to provide contact details if you are open to the department seeking further information or clarification of your views.

Should you require access to the consultation in Welsh or in an alternative format (e.g. Braille, large font or audio) please contact us at cyber-review@dcms.gov.uk.

The information you provide will be used to shape future policy development and may be shared between UK government departments and agencies for this purpose. Personal information will be removed in such instances. Copies of responses, in full or in summary, may be published after the call for views closing date on the Department’s website. You can also read the privacy notice associated with this call for views.

Freedom of information

Information provided in the course of this call for views, including personal information, may be published or disclosed in accordance with access to information regimes, primarily the Freedom of Information Act 2000 (FOIA) and the Data Protection Act 2018 (DPA).

The Department for Digital, Culture, Media and Sport will process your personal data in accordance with the DPA and, in the majority of circumstances, this will mean that your personal data will not be disclosed to third parties. This consultation follows the UK government’s consultation principles.

If you want the information you provide to be treated confidentially, please be aware that, in accordance with the FOIA, public authorities are required to comply with a statutory code of practice which deals, amongst other things, with obligations of confidence. In view of this, it would be helpful if you could explain to us why you wish that information to be treated confidentially. If we receive a request for disclosure of that information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances.

Introduction

The impact of software

The impact of rapid digitisation has been felt across all sectors of our economy and society, and it is essential that this digital world in which we live and work is resilient to cyber threats and disruption. Part of this resilience is ensuring that the technology we use - the digital products and services - is secure by design. But we must also look at the organisations involved in the development, distribution, maintenance and use of these products and services, and help them to better manage the risks associated with digital technologies. These organisations bear a responsibility to protect themselves, other organisations in their supply chains, and end customers from cyber harm and disruption.

Within the digital landscape, software is a ubiquitous and valuable resource and has become fundamental to how we do business. It has become essential to the UK’s economy, and individual businesses rely on software and the digital opportunities it provides to support growth and innovation as well as to continue day-to-day business operations. Software is critical to all digital interactions - every digital service or product is based on software code of some variety. It is so fundamental that it is often taken for granted. Software enables improved functionality and new opportunities for digitisation for organisations of all sizes and sectors. This creates major opportunities for all organisations using digital technology in some form.

The software market itself is also a key driver of growth in the UK economy: revenue in the software market is projected to reach £27.09bn in 2023, and is expected to show an annual growth rate of 3.92%, resulting in a market volume of £31.06bn by 2027. Supporting the software market and its customers to improve the security of the development, distribution, maintenance and use of software will help to protect the growth of the software industry. It will also enhance the UK’s reputation as a place to develop software and support the growth and innovation of UK businesses who rely on software for their day-to-day operation.

With these opportunities, however, come considerable risks. Many organisations simply trust that the software on which they rely (whether knowingly or unknowingly) is secure and safe to use, but the complexity of software and how it is produced and integrated is so great that vulnerabilities are inevitable. Where security and resilience are not adequately considered, software development, distribution and use can be exploited by malicious actors. In this call for views, we are not only seeking views on the resilience of software used in enterprise settings as a form of technology, but also on the resilience, practices and behaviours of organisations that make up the software ecosystem, from its initial development through to its end use.

The risks linked to software are particularly difficult to manage given the extent to which software packages, as well as the systems they enable, depend on multiple software components. Because of this, there is a wide range of individuals and organisations involved across the lifecycle of a software package, from development to distribution and use. Software developers generally build on software components built by others. Many of these third party components are open source, which is a key driver of innovation and efficiency in the software market, but these components may lack ongoing maintenance due to resource constraints. This means that a vulnerability in one software component could indirectly impact thousands, if not millions, of users. Likewise, the complex nature of the software lifecycle and digital supply chains - including software developers, vendors, resellers, service providers and customers - means that those who would be worst impacted by a breach are often limited in how much they can directly manage the risk. These factors create a complex system which is exploited by those who wish to cause harm.

Several recent high profile cyber incidents linked to software, as well as concerning trends in less sophisticated attacks, have highlighted how important it is to address these risks in a systematic and timely manner. In the last 3 years, there has been a 742% global average annual increase in observed software supply chain attacks. This includes tens of thousands of smaller scale incidents, as well as attacks that become well-known due to the scale or nature of their impacts. High profile incidents such as the attacks against SolarWinds (2020) and Kaseya (2021), the emergence of vulnerabilities affecting the Log4j software component (2021), and the recent disruption to our National Health Service’s IT Systems caused by an attack against one of its software suppliers (2022) demonstrate the range of risks linked to software. These and other attacks demonstrate that incidents occur due to a range of issues. These could be a breach of a software vendor’s networks, use of compromised open source code or a lack of visibility of software components preventing timely patching. Addressing these risks is critical to creating a stable and secure digital environment for our businesses and citizens.

To effectively address the range of risks that affect software, the government cannot work alone. As outlined in the National Cyber Strategy, a whole-of-society approach is required to effectively address cyber risks. Developers and suppliers of software, those who procure and use it, and senior leaders in those organisations, all have a role and responsibility in helping to secure software. Throughout this work, we want to work closely with industry to leverage their expertise and resources while focusing the government’s efforts where they are needed most.

Purpose and scope of the call for views

Through this call for views, we want to better understand the nature of software risks as a whole to UK organisations, and where government should focus on mitigating them. This work builds on a number of other pieces of work led by DCMS and other government departments which touch on software and are outlined in detail below. This call for views goes further in taking a holistic and systematic approach that focuses on software risks across the breadth of the software lifecycle - that is, the full range of processes involved in the development, distribution, use and maintenance of software packages and associated systems up until, and including, the time at which they are no longer used or maintained. This includes the development and use of individual software components and embedded software. This also includes software developed by both open source and proprietary software developers. This means that considering (1) the technology itself, (2) organisations’ interactions with this technology, and (3) how organisations work together will all be needed to understand and address the risks linked to software.

To enable this holistic approach, the scope of software for consideration in this call for views includes any code, instructions or programs used to operate computers or execute specific tasks. As such, software sold independently and software sold alongside hardware or as part of a digital service are considered in scope at this stage. This includes software written for Information Technology (IT) as well as Operational Technology (OT), and Software as a Service (SaaS) operated from the cloud as well as software stored on premises. At this stage, this work also considers all levels of software, from cloud-based and application software through to firmware and embedded software used in hardware components. This includes, for example, software used in chips in motherboards, processors or graphics cards that are crucial elements of the technology we use but that end customers may not be conscious of using.

This work focuses on software as used in an enterprise setting rather than in general use by consumers. This includes the development and distribution of software specifically for use in an enterprise or business environment, as well as the use of any software by businesses and organisations. This focus on the enterprise context is because many of the most impactful cyber incidents linked to software exploit the complex nature of digital supply chains, in which businesses and organisations play much greater roles than individual consumers.

We understand that there are challenges with considering such a broad scope, however, the breadth and variety of issues associated with the development, distribution and use of software require this systematic approach, and will ensure that government is directing its resources to the areas where it will have the most impact.

Many terms used in relation to software have come to mean different things for different audiences, or come with assumed knowledge. To ensure clarity of scope and responses, definitions of key terms for the purposes of this call are outlined here.

Digital supply chains are defined as the chain of organisations involved in the production, distribution, maintenance, use and reliance on digital products and services. Within these supply chains, companies are also typically linked to each other by digital connections which may include the transfer of data between organisations or the sharing of access to networks and systems. These connections facilitate day-to-day operations, but they also provide a route for attackers to move from one entity to another.

Software vendors are defined as organisations that make and sell software, either as an independent product or as part of another product such as a piece of hardware or a digital service.

Software resellers are defined as businesses that offer software products, systems, and services to other businesses. Resellers do not typically develop the software and would usually sell licences that limit use for certain purposes, rather than the underlying code, which is retained by the software vendor or developer.

A range of concurrent policy interventions will be required to promote the improvement of organisational resilience to software security risks and comprehensively raise the bar of software security. This call for views will inform our work to prioritise the most critical issues relating to the resilience of software developed, distributed and used in the UK, and identify where specific interventions may have the greatest impact in addressing these issues. These interventions will be developed to complement other related work on digital and cyber security policy.

There is a wide range of existing work that the UK government is conducting to help to build cyber resilience across the UK, as set out in the National Cyber Strategy. Much of this work supports or has an impact, either directly or indirectly, on the development, provision or use of software, whether in a consumer or enterprise environment. However, there remain gaps in this provision and there is a need to develop a stronger systematic understanding of risks across the full software lifecycle and ensure they are adequately mitigated. We can then better understand where further action is needed to build on previous work and reduce the software risks experienced by businesses and other organisations.

Software development

A number of pieces of work look at software development and its security, albeit for software used for certain purposes. DCMS recently published the Code of Practice for App Store Operators and App Developers which aims to ensure that consumers are better protected from malicious and poorly developed apps. DCMS and the Department for Business, Energy and Industrial Strategy also published a policy paper in 2022 on a pro-innovation approach to regulating AI. AI is a technology which is underpinned and driven by software, and the paper set out early proposals for 6 cross-sectoral principles which will underpin a regulatory framework for AI, including the need to ensure that AI is technically secure and functions as designed. An AI white paper is due to be published in 2023 which will expand on and develop these principles. Both of these pieces of work are designed to address specific types of software or software that is used primarily by consumers rather than organisations. The focus of this call for views on all software used in an enterprise setting, at all stages of its lifecycle, takes a broader perspective. As we consider our next steps and develop policy interventions further, we will ensure that insights across government are considered together.

Software is also closely interrelated with product development and use. The government is taking major steps to require manufacturers to develop more secure technology products for use in the UK. To better protect consumers at scale the Product Security and Telecommunications Infrastructure (PSTI) Act, which received royal assent in late 2022, places legal responsibilities on manufacturers to ensure that internet-connectable consumer products and embedded software are secure by design, with security features built in to make it easier for consumers to operate and maintain devices securely. This legislation stems from the 2018 Code of Practice for Consumer IoT which also provides further guidance on both developing secure products and the secure use of embedded software.

Building on our work to protect consumers, DCMS and the NCSC are working to ensure better protection of connected devices used in enterprise settings. NCSC, in collaboration with DCMS, has produced relevant guidance including the Enterprise Device Security Principles and NCSC’s technology assurance principles, which support manufacturers and end users to better protect themselves. DCMS published research in May 2022 detailing cyber security issues and other significant concerns about the security of such products. We are currently conducting further research into this area and plan to launch a call for views later in 2023, the insights of which will be analysed alongside input from this call for views.

Together, these interventions contribute to improving the secure development of technology in enterprise and consumer environments, and focus on software specifically distributed with, or designed for particular hardware devices. However, the interventions to date are not currently designed to address issues related to hardware- or platform-agnostic software, nor software developed for OT devices. Questions in this call for views relate to all software, including software developed and distributed with specific hardware or services, and software developed and distributed separately. Independent software development comprises a major part of the enterprise technology ecosystem, and is an area where we continue to see software supply chain attacks proliferating.

This call for views aims to explore how we can build on these existing interventions to address other risks affecting the development, distribution and use of software across the software lifecycle. More work is needed, for instance, to define best practice in how software code is written securely while still enabling innovation.

Software distribution and procurement

We recognise the need to address issues linked to how organisations beyond the development stages distribute and manage software. The actions of those who sell, maintain, procure, use or integrate software into other products equally impact the likelihood and severity of software risks. Existing government interventions on cyber security in supply chains will capture some, but not all, entities responsible for selling and distributing software. Specifically, this call for views draws from the findings of the 2021 Call for Views on Cyber Security in Supply Chains and Managed Service Providers and is complementary to DCMS’s Proposal for legislation to improve the UK’s cyber resilience, in which we propose to update the Network and Information Systems (NIS) Regulations 2018 to bring managed services into scope and better manage cyber risk to critical national infrastructure. These proposals are an important step in ensuring that providers of digital products and services take proportionate steps to protect themselves and their customers from breaches, but they will not capture all organisations who develop, sell and resell software. Industry feedback, including from the 2021 call for views, has indicated that software supply chains, and the way software and associated systems are developed, sold, and procured, remain a cause for concern. The proposed updates to the NIS regulations are not designed to address these concerns, so this call for views marks an exploratory stage for us to assess what further action is needed from government to address software security issues.

As reflected in the proposed updates to the NIS regulations, ensuring the security of supply chains of critical sectors has been a high priority for the UK government. DCMS’ proposals for new telecoms security regulations and code of practice, and the Financial Conduct Authority’s proposals for additional measures to regulate the finance sector’s critical third parties also take steps to ensure the security of critical national infrastructure sectors. These interventions would place obligations on critical entities and their suppliers (including suppliers of software) to take steps to protect end users from disruption to critical services. This is an important step in protecting UK supply chains from cyber risks, but this call for views looks beyond critical sectors to consider how we can best protect the economy at large and businesses of all sizes across all sectors.

From the customer perspective, the public sector is in a powerful position to be able to set a positive example of how to appropriately manage supplier risk when procuring software. To this end, Cabinet Office plays an important role in providing guidance and direction for public sector procurement of digital technologies in the Digital, Data, and Technology Playbook and ongoing work to refine government procurement practices. Although this call for views does not focus on government procurement practices, we will continue to work closely with teams across government to ensure that we can share best practice and learn from each other’s findings.

Software use

For private sector organisations using software, NCSC plays a key role in advising organisations of all sizes and sectors on how to manage supplier risk, and ensure their own resilience by using digital technologies such as software securely. This includes guidance on topics such as vulnerability management, cloud service procurement and supplier management, and broader organisational resilience initiatives such as Cyber Essentials and the board management toolkit. Likewise, the Centre for the Protection of National Infrastructure (CPNI) has also produced guidance on supply chain security. Many of these are not specific to software security but are influential in building cyber security competency across UK organisations, and can be built on as we look at what more is needed to help organisations prevent software attacks.

These pieces of guidance and other initiatives are vital to help clarify what ‘good practice’ looks like. However, we recognise that more may need to be done to help organisations implement these principles and guidance. In Part 3, we ask for feedback on what types of future government action would be most appropriate.

Finally, we need professionals throughout organisations to be more skilled in cyber security and good practices to ensure that security considerations are embedded at all stages of development, distribution, procurement and end use. This includes non-cyber specialists such as project management and commercial teams as well as IT and cyber security teams. The work led by DCMS, NCSC and industry partners such as the UK Cyber Security Council to help develop cyber skills and professionalisation would have a positive impact on how various issues linked to software resilience are managed.

Work is also ongoing to address the role that data storage and processing infrastructure plays in ensuring the security and resilience of our essential services and economy. The Call for Views on Data Storage and Processing Infrastructure in July 2022 sought feedback on the risks and responsibilities associated with large-scale data storage and processing services. This work complements our focus on software in that the aim of both is to create more secure and resilient technology which organisations feel confident in using. The two pieces of work simply focus on different parts of the technology ecosystem.

To comprehensively address cyber security risks across the software lifecycle and prevent malicious actors exploiting weaknesses where they can, we must take a systematic, holistic and forward-looking approach to understanding the risks. It is clear that software supply chains still contain weaknesses that attackers are exploiting. This call for views builds on the existing UK government work mentioned above to scrutinise the resilience of the different stages of the software lifecycle and the organisations involved in these stages and pinpoint the greatest areas for concern. Then we can identify where best to focus our efforts to boost the cyber resilience of software as a whole.

International context

In order to address software risks to UK organisations, we cannot look only at what is happening in the UK. Digital supply chains are international and are impacted by the work of developers and vendors around the world and many of the largest software companies operate in multiple countries. Furthermore, other international partners are also taking action to address risks linked to software.

Notably, both the US and the EU are actively working to address similar issues linked to software. In 2021, the Biden administration published an Executive Order on Improving the Nation’s Cyber Security and the US government has since developed NIST’s Secure Software Development Framework which is being used to implement new federal procurement and attestation requirements. The aim of this is to improve visibility of software components and to ensure greater security in the development of software. Many organisations who operate in the US are already taking action to meet these requirements.

More recently, the European Commission has published proposals for the Cyber Resilience Act, which proposes to regulate products with digital elements: both hardware and software products that are not captured by other EU legislation. The aim of this is to create more secure hardware and software products and ensure that they are placed on the market with fewer vulnerabilities.

This active international context creates great opportunities as well as some challenges, particularly for those organisations that operate under multiple jurisdictions. We will work closely with like-minded countries to share best practice and take a coordinated approach where appropriate.

Structure of the call for views

Part 1 of this call for views seeks input on cyber risks associated with software. The purpose of this section is to help government understand the impact of these risks on organisational resilience and the subsequent urgency and priority in addressing them.

Part 2 looks at the steps organisations are already taking, or could take, to better manage risks relating to software. In this section questions are more targeted to different types of organisations, with some directed specifically at software developers, vendors, or procuring organisations. This will give us an indication of the maturity of software risk management in the UK and highlight best practices that government could promote.

Part 3 then aims to gather views on potential policy interventions targeting the 6 different risk areas. The objective of this section is to gain input on how government could further support and/or incentivise UK companies to better address security risks associated with the development, distribution, procurement and use of software.

Taken together, responses to these 3 parts will inform our work to help improve cyber resilience linked to software. These will help us to prioritise policy interventions that will have the greatest positive impact. The parts are equally important and are not in priority order.

We encourage participation from a range of organisations and individual respondents. Some questions are targeted to specific types of respondents, such as procuring organisations, software vendors or software developers, but there are also a range of more general questions. It is unlikely that any single respondent will be able to answer all questions, but we encourage you to participate in as many questions as are relevant to you or your organisation. As well as industry participation from any sector, we are also interested in hearing from subject matter experts, including those from academia, NGOs and the public sector (national or international).

Organisational demographic questions on those responding to the call for views:

1. Are you responding as an individual or on behalf of an organisation?

a. Individual

b. Organisation

2. [if selected “individual” to question 1] Which one of the following statements best describes you? (Select all that apply)

a. Software developer

b. Software and/or system vendor

c. Software and/or system reseller

d. Cyber security professional

e. Consumer of software services, products or systems

f. Employer of software or cyber security professionals

g. Professional in another sector

h. Academic

i. Student

j. Interested in a career in software and/or cyber security

k. Interested member of the general public

l. Other [Free text]

3. [if selected “organisation” to question 1] Which of the following statements best describes your organisation?

a. Software developer

b. Software and/or system vendor

c. Software and/or system reseller

d. Managed service provider[footnote 1]

e. Cloud service provider[footnote 2]

f. A business that uses software developed or maintained by others

g. Organisation that employs, contracts or uses software and/or cyber security professionals

h. Software and/or cyber security training provider or certification/qualification provider

i. A software, cyber security and/or digital professional organisation

j. An academic or educational institution

k. Organisation with an interest in software and/or cyber security

l. Non-cyber security specific professional body or trade organisation with an interest in software and/or cyber security (please specify your sector) [free text]

m. Other [Free text]

4. [if selected “organisation” to question 1] Including yourself, how many people work for your organisation across the UK as a whole? Please estimate if you are unsure.

a. Under 10

b. 10–49

c. 50–249

d. 250–499

e. 500–999

f. 1,000 or more

g. Not sure

5. [if selected “organisation” to question 1] What is the name of the organisation on whose behalf you are responding? [Free text]

6. Are you happy to be contacted to discuss your response and supporting evidence? Yes / No

7. [If selected “yes” to question 6] Please provide a contact name and email address below. [Free text]

Part 1 - Software risks

Our understanding of software risks

The impact of inadequate security across the software lifecycle has been of increasing concern to industry and government alike, especially in the context of high profile cyber incidents that have occurred in recent years. These attacks highlight the systemic risk that software can pose to both national security and business continuity across the economy. These risks are exacerbated when security is not adequately considered across the whole software lifecycle including the development, distribution, procurement, maintenance, and use of software, as is often the case.

Cyber incidents linked to software can occur when malicious actors exploit weaknesses across any part of the software lifecycle. Recent high profile incidents demonstrate some of the ways in which the complexity of software and digital supply chains can be exploited. At the end of 2021, the Log4Shell vulnerability affected software using the commonly used Log4j open source software component. Once the vulnerability was reported, over 800,000 attacks took place over only 72 hours, underlining how known vulnerabilities quickly become easy targets for attackers. This incident was due to a vulnerability created in the development of the code, but the biggest challenges were due to a lack of visibility of software components in wider software packages. Many companies struggled to identify and fix the bug in their software estates or remained unaware that they were affected by the vulnerability.

The SolarWinds attack in 2020 was one of the most high profile attacks spread through software distribution. This attack showed how attackers were able to move through digital supply chains unnoticed, reaching critical customers in industry and government. The attackers were then able to inject malicious code which spread automatically to customers through software updates. This allowed the attackers to extract sensitive information before being detected more than nine months later. The US government estimated that around 18,000 entities downloaded the malicious update, leading to the compromise of 9 US federal agencies and approximately 100 private sector organisations.

In 2021, an attack on Kaseya VSA leveraged software updates as a mechanism for spreading ransomware through supply chains rapidly. The attack hit a number of key managed service providers using the software and spread via these providers to vast customer bases around the world, many of whom were smaller organisations operating in the UK. In total, between 800 and 1,500 businesses are thought to have been affected by this attack globally. Whereas SolarWinds saw the extraction of sensitive information from high power customers including government, the Kaseya attack emphasised the operational disruption and financial ramifications that such attacks can have on businesses. The impact on the many small businesses affected by this attack was particularly severe.

The range of attacks reiterates the need for a systematic and proactive approach by both industry and governments. We need to understand the full picture of risk across the software lifecycle; this will help structure the discussion of where to prioritise our efforts to address risks linked to software, both in this call for views and more broadly as we move towards developing interventions.

To facilitate these discussions, we have developed the following framework to better understand different parts of the software risk landscape. This comprises 6 risk areas which highlight issues linked to different parts of the software lifecycle. Risk areas 1 and 2 primarily relate to the development of software; risk areas 3 and 4 relate mostly to the distribution of software and visibility across digital supply chains; and risk areas 5 and 6 relate to the role of the customer. These risk areas are not mutually exclusive, instead they help to characterise different types of issues that impact the resilience of organisations to software risks as a whole. Future policy options may help address issues in more than one risk area at once.

Software risk areas

Development

1. Software development security

This category relates to the security of software development practices and ensuring the integrity of software code. The integrity of software code is underpinned by secure build environments, secure development processes and secure and trusted vendors. Associated risks include:

  • Accidental vulnerabilities in software code (during the initial build and subsequent updates). This can consist of vulnerabilities introduced whilst writing new code, or vulnerabilities introduced from third party code due to inadequate vetting of that code. Security also needs to be accounted for and prioritised in development tools and processes such as those included in software development kits.
  • Intentional compromises of software code (during the initial build or subsequent updates) by the software developer or individuals working for the developer. This includes code being deliberately designed with backdoors to allow the developers or others to access data, alter code, or inject malicious code later.
  • Insecure development environments that are vulnerable to attack. If malicious actors are able to breach the development environment they can inject malicious code into the software that can then spread through software supply chains via the distribution of software by software suppliers. This includes breaches due to human errors, such as insecure passwords, as well as more technical issues.

This risk area applies to the actions of those who develop software, including many who also sell software (vendors). This applies to the development of both open and closed source (proprietary) software.

These issues are exacerbated by inconsistent levels of secure software development skills across the developer community, with security usually only playing a small part in training.

There are currently limited market incentives for software developers and vendors to improve their software development security. This issue is further compounded by the complexity of digital supply chains, limited transparency and challenges in communication (see risk 3). For example, this often leads to a disconnect between end users and software developers which can make it hard for end users to ensure they use software from developers that follow security practices appropriate to their risk posture.
2. Barriers in the open source community

The open source software community is an important source of innovation, with contributions bringing new ideas, flexibility and agility to the tech sector. Placing additional burden on open source developers could restrict this innovation, yet the open source community faces challenges in the development and maintenance of secure code, which takes time, tools and skills and could require further support.

The levels of resourcing across the open source community are often inconsistent, particularly as participation in open source development and maintenance is predominantly on a voluntary basis. It is not unusual for frequently used code components to be maintained by a single person. This means the maintainer might not have the resources to update and maintain the package properly and in a timely manner, or adequately review and quality assure code. There is also a risk of the code becoming unmaintained.

Due to the broad adoption of open source software both as stand alone solutions and as components in commercial offerings, the effects of these resourcing challenges permeate digital supply chains. This can result in the introduction of vulnerabilities or prevent vulnerabilities being fixed once identified.

Open source software is a fundamentally critical aspect of the software ecosystem, and the reliance on these open source components within digital supply chains is increasing. Many open source software packages depend on other open source components, and it is standard practice for proprietary software developers to import open source software code into the software that they sell.

Distribution

3. Security and resilience in the distribution of software

This risk area concerns the resilience of those who distribute software to cyber attacks and how they manage cyber incidents when they occur. Customers can be introduced to cyber risks by those who sell or resell software or software licences or those who manage software services, if the vendor, reseller or provider does not appropriately secure their own systems and networks. This should be done in a way that is proportionate to the distributor’s risk posture. Ensuring entities who distribute software are appropriately resilient to attack would reduce the likelihood of them being used as an entry point in software supply chain attacks.

If the networks of those who provide software or software services are breached, customer data stored on these networks could be exposed. Customers could also face disruption if the software code or software service provision on which they rely is affected or if an attack that starts on a provider’s networks spreads to the customer’s own networks and systems.

This risk area focuses on those who distribute software. These can be the same organisations as those who develop software but in many cases they are different. Where an organisation both develops and sells software the risks outlined in risk area 1, software development security, and here in risk area 3 equally apply. This includes risks linked to insecure build environments if those selling or reselling the software have the ability to develop or amend the code.
4. Transparency and communication of software materials, vulnerabilities and incident management

Often customers have limited or no visibility of the contents or provenance of the software they procure, its components, or updates to this software. Furthermore, sometimes customers are not made aware of incidents affecting the software they are using. Likewise, the security of software is impacted when there are not effective mechanisms for disclosing vulnerabilities to those who maintain the software, or when customers are not aware that they are using software that requires updating or is no longer being maintained.

These issues make it particularly difficult for customers to resolve incidents, manage risks affecting them and make informed decisions about the software they purchase.

Some organisations developing and/or selling software react slowly or inadequately to notifications of vulnerabilities or incidents. This leaves those in their downstream supply chains exposed and unaware of risks or threats they may be facing. As a result, customers are often unable to make informed decisions about their own security measures or take steps to mitigate any additional risk.

These issues of transparency and communication apply across the software lifecycle and relate to how those who develop, maintain, distribute, procure and use software interact with one another. This risk, therefore, has links to each of the other risk areas and the actions that should be taken by those involved across the software lifecycle.

The role of the customer

5. Procurement, supplier assurance, and supplier management

Customer organisations that procure and use software should take action to manage risks linked to software but can face challenges in doing so. This often results in cyber security being neither referenced during procurement processes nor included in contracts. This reduces the incentives for software vendors or others to deliver better security and means that an organisation may acquire software that is not appropriate to their company’s security requirements. Customers may also receive less support than they would expect from their suppliers if an incident occurs as a result of software security not being referenced in contracts.

Low awareness of customer responsibilities linked to software is a major factor in these risks. This is particularly an issue for non-cyber specialists such as procurement teams, or organisations without any cyber specialists.

Many organisations, and procurement teams within organisations, are unaware of how to properly manage suppliers’ cyber risk. When organisations fail to do so, they not only expose their own organisations to potential business disruption, but they could also expose their supply chains or end users to harm or data breaches.

The resources required from both customer organisations and suppliers are a further barrier to customers following appropriate cyber security assurance practices for potential suppliers and their products or services. This may lead to such practices being excluded or overlooked in procurement processes and contracts. This reduces the extent to which the supplier can be held accountable to good security practices, including those linked to software, and exposes customers to further risks.

6. Maintenance, configuration and use of software by the customer

Once an organisation acquires a software product or licence, incorrectly configured settings could create security risks. This includes the configuration of the software itself or networks and cloud settings. If the software is not configured appropriately, any security features agreed in the procurement process may not function as they should. Errors in network or cloud configuration may also leave an opening for threat actors even if the software itself has appropriate security features.

Customers often bear some responsibility to ensure that software is properly maintained, for instance, by applying patches in a timely manner and managing user privileges appropriately. Customers should ensure that software is consumed and used appropriately alongside wider organisational resilience considerations.

The questions below are designed to gather views on the outlined 6 risk areas. We are seeking input on which of these risk areas need to be addressed most urgently, and which risk areas should become a policy priority for government to address. While all 6 of these risk areas are a concern, responses to the questions in this section will help government to identify which are having the biggest impact on companies in the UK and therefore should be prioritised. Existing and potential solutions to addressing identified challenges are explored in later sections.

Questions on risk areas:

8. To what extent do you think issues in each of the software risk areas outlined above impact the security and resilience of your organisation? [No impact / low impact / medium impact / high impact / very high impact / don’t know]

a. Software development security

  • Accidental vulnerabilities in software code
  • Intentional compromises of software code
  • Insecure development environments

b. Barriers in the open source community

c. Security and resilience in the distribution of software

d. Transparency and communication of software materials, vulnerabilities and incident management

e. Procurement, supplier assurance and supplier management

f. Maintenance, configuration and use of software by the customer

g. Please explain your answers to the above: [free text]

9. To what extent do you think issues in each of the software risk areas outlined above impact the security and resilience of the wider UK economy? [No impact / Low impact / medium impact / high impact / very high impact / don’t know]

a. Software development security

  • Accidental vulnerabilities in software code
  • Intentional compromises of software code
  • Insecure development environments

b. Barriers in the open source community

c. Security and resilience in the distribution of software

d. Transparency and communication of software materials, vulnerabilities and incident management

e. Procurement, supplier assurance, and supplier management

f. Maintenance, configuration and use of software by the customer

g. Please explain your answers to the above: [free text]

10. Which, if any, of these risk areas do you see as the biggest problem?

a. Software development security

  • Accidental vulnerabilities in software code
  • Intentional compromises of software code
  • Insecure development environments

b. Barriers in the open source community

c. Security and resilience in the distribution of software

d. Transparency and communication of software materials, vulnerabilities and incident management

e. Procurement, supplier assurance, and supplier management

f. Maintenance, configuration and use of software by the customer

g. Don’t know

11. Please explain your answer to the above [Free text]

12. Are there other risks that are linked to software but not covered in the risk areas above?

a. Yes

b. No

c. Don’t know

13. [if “yes” on question 12] What other risks are you referring to? [Free text]

14. How long could your organisation continue its day-to-day operations if any of the essential software or IT services on which you directly depend could not be used?

15. How long could your organisation continue its day-to-day operations if one of your most critical suppliers could not operate due to issues with their software?

Part 2 - Existing industry measures [if responding as an organisation]

In order to better understand where government support and interventions should be prioritised, we need to understand the actions already being taken by organisations to address software security. Industry is already producing some valuable contributions to improving the resilience of software, most notably in establishing best practice for software development security through a range of frameworks and suggested processes. Formal standards are also a useful tool in guiding industry on best practice and providing customers with a tool for supplier assurance. Some organisations are already following best practice, perhaps without recourse to specific frameworks, by implementing different processes and controls as standard within their organisations.

This section will help us to understand to what extent organisations are using existing resources or following best practice. We invite feedback on what measures industry is already taking to improve the security of software development, provision and use, and where there may be market failures in need of government action in future. These questions will focus on existing interventions from government and industry, as well as controls and processes that companies can implement as part of their day-to-day organisational resilience practices. This includes implementation of existing guidance or standards, such as the security principles published by NCSC or ISO 27001, or other industry-led frameworks. This also includes implementation of specific technical or organisational measures to either reduce the likelihood or severity of a breach or improve an organisation’s ability to respond to and recover from one.

Questions on existing industry initiatives:

Filter: Questions for organisations who develop and/or sell software

16. a. Do you or your organisation follow specific standards, guidance, frameworks or accreditation schemes for software development?

  • Yes

  • No

  • Don’t know

b. Which of the following standards, guidance and frameworks do you/your company already refer to when developing software? (Select all that apply)

  • NCSC guidance, e.g. secure development and deployment guidance
  • Secure development frameworks or guidance developed by industry
  • Formal standards (national or international)
  • Secure development frameworks produced by international governments/agencies
  • Other [provide details]
  • None

c. If you use standards, which standards do you refer to? [free text]

17. Which of the following security controls and processes does your organisation implement?

a. Controls for general cyber security posture and organisational resilience: (Select all that apply)

  • Cyber security certification (e.g. Cyber Essentials or ISO 27001) for organisational resilience
  • Basic cyber posture controls for organisational resilience (to include at least the following: firewalls that cover the entire IT network, restrictions on IT admin and access rights, up-to-date malware protection, and a policy to apply software updates within 14 days)
  • Cyber security training for staff and/or mock phishing exercises for staff

b. Vulnerability management controls and processes (Select all that apply)

  • Software development standard to minimise the risk of vulnerabilities in code development (e.g. use of a memory-safe language)
  • A vulnerability detection stage included in the software development lifecycle
  • A vulnerability disclosure policy and process which allows researchers to notify you of vulnerabilities in your organisation’s products or systems and sets a standard for responding to such notifications
  • A process for efficiently and securely updating products and deploying patches to customers
  • Produce a component inventory of software you develop (a Software Bill of Materials (SBOM) or other forms of component inventory)
  • Share a component inventory of software you develop with customers
  • Share a vulnerability exploitability alert (e.g. VEX)

c. Controls for software development (select all that apply)

  • Apply a cyber security standard or framework to securing the development environment
  • In-house controls and processes for securing the development environment
  • Have a policy to restrict the kinds of components, including open source projects, that can be used in software development (e.g. to not use projects with installation scripts, or avoid projects that have been inactive for a certain period of time)
  • Use a standard or set assurance process to assess the security of third party libraries used in software development
  • A process for monitoring third party libraries for new vulnerabilities and patching or mitigating vulnerabilities in a timely manner.
  • Implement security testing of software at the development stage

d. Controls for selection of suppliers (including software vendors and resellers) to your organisation (Select all that apply)

  • Require suppliers to hold certification (e.g. Cyber Essentials)
  • A questionnaire to assess supplier risk
  • A requirement for suppliers to implement some or all of the controls listed above.
  • Cyber security requirements and/or responsibilities included in contracts with suppliers
  • A requirement for software suppliers to adopt good development practices

Filter: Questions for organisations who consume software

18. a. Does your organisation refer to existing guidance, frameworks, standards or certifications when procuring software?

  • Yes
  • No
  • Don’t know

b. If any, which of the following do you or your organisation already refer to when procuring software? (Select all that apply)

  • NCSC and/or CPNI guidance
  • Certification (i.e. requiring suppliers to hold specific certifications, or considering certifications in procurement process)
  • Formal standards (national or international)
  • Frameworks/ guidance/ standards produced by industry
  • Other
  • None

c. If you use standards, certification or guidance, which do you refer to? (e.g. the ISO 27001 series on information security, ISA/IEC 62443 on automation and control systems, the ISAE SOC 2 assurance standard, or Cyber Essentials etc.) [free text]

19. Which of the following controls or processes do you or your organisation use?

a. Controls or processes for selecting software suppliers (which could include any developers, vendors, service providers or resellers who have access to software code) (Select all that apply)

  • A questionnaire to assess software supplier risk
  • A requirement for software suppliers to implement vulnerability management controls (such as produce and/or share an inventory of software components, vulnerability response policy or vulnerability disclosure policy)
  • A requirement for software suppliers to adopt good security practices during development (please provide examples)
  • Other security controls or processes (please state)

b. Controls or processes to ensure that software is configured and used securely? (Select all that apply)

  • A patching policy
  • Vulnerability audits and/or an established vulnerability management process
  • Penetration testing
  • Maintain a software inventory
  • Change software security settings from default as standard
  • Other security controls or processes (please state)

20. What are the main reasons for your organisation not implementing further measures to secure the cyber security of your software? (Select all that apply)

a. Too expensive

b. Insufficient guidance

c. Lack of available tools

d. Lack of expertise in your organisation to identify security requirements and/or implement measures

e. Challenges in negotiating with suppliers

f. Other priorities are more important to the board

g. Organisation is in the process of implementing further measures

h. Organisation already implements sufficient measures to manage our cyber risk

i. Other (please state)

Part 3 - Future government action

As outlined in the previous sections, the cyber security risks associated with software used in enterprise settings - its development, distribution and use - are broad and varied. There is already a large amount of work being done by government, alongside industry-led efforts, to help address different parts of these risks and boost the cyber resilience of organisations across the UK. However, the complexity of the software lifecycle and development process as well as the rate at which threats linked to software are evolving means that more needs to be done.

In the introduction, we outlined some of the key pieces of existing or ongoing government work that help to address some of the risks linked to software across its lifecycle. To be most effective in our efforts to address software risks and improve the cyber resilience of UK organisations, we must take a multifaceted approach, and one which prioritises and targets our efforts to have the greatest impact. However, existing government action has some limitations, particularly in addressing risks associated with software distribution and service provision. In other areas, such as customer use of software, we need to understand how to increase the reach of the world-class guidance and codes we have developed.

The previous sections of the call for views have focused on identifying which aspects of the broad software risk landscape are of biggest concern to participants and where organisations are already taking action. This final part of the call for views seeks to gather views on actions the government could take to address the concerns outlined in Part 1, and to fill any gaps left by existing support and industry practices addressed in Part 2. Through these responses, we wish to identify where there is greatest need for further action. Key to this assessment will be understanding the likely effectiveness of these options in terms of the expected impact of the options compared to the challenges of implementation and resources required.

The questions below are structured according to the risk areas outlined in Part 1 with broad policy options included for each. These policy options comprise a combination of guidance, tools, training, accreditation and regulation as is relevant for each risk area. Any future action should be based on government and industry working together and making the most of the relative roles and opportunities of both. So while most of these options are ones that would be led by government, we would work closely with industry and academic partners throughout their development and implementation. Other options may indeed be industry led. The options listed are not exhaustive and several proposed interventions could help address more than one risk area. Throughout, we invite respondents to share ideas for alternative government interventions that they deem may be effective.

Questions on future interventions:

21. In which of the risk areas do you think there is a need for greater government and/or industry intervention? [government / industry / both / neither]

a. Software development security

b. Barriers in the open source community

c. Security and resilience in the distribution of software

d. Transparency and communication of software materials, vulnerabilities and incident management

e. Procurement, supplier assurance, and supplier management

f. Maintenance, configuration and use of software by the customer

g. Please explain your answers to the above

22. Do you think further action is needed to address software risks that are not covered in the risk areas outlined above?

a. Yes

b. No

c. Don’t know

23. [if “yes” to question 22] Please explain your answer. [Free text]

24. Cross-cutting interventions

a. To what extent do you think the following interventions would be effective in addressing cross-cutting or other cyber risks linked to software? [Not at all effective / somewhat effective / very effective / don’t know]

  • International coordination on guidance
  • Requirements in government procurement to encourage adoption (e.g. accredited software vendors, SBOMs)
  • Accreditation of cyber security consultants specialising in digital supply chains (e.g. to support software developers in implementing secure practices and/or to support customers implement secure practices in procurement processes).

b. Please explain your answers to the above

c. What other cross-cutting government interventions do you think would be effective at addressing cyber risks linked to software?

25. Software development security

a. To what extent do you think the following government interventions would be effective in addressing risks linked to secure software development (in both open source and proprietary software contexts)? [Not at all effective / somewhat effective / very effective / don’t know]

  • Guidance on best practice (e.g. code of practice for software developers, secure software development frameworks, self-assessment tools etc.)
  • International standard for software development practices
  • Accreditation for organisations who adhere to software development best practice (e.g. code of practice, standard or framework)
  • Support development and promotion of tools that scan software packages and components for known vulnerabilities and indicators of malicious compromise.
  • Accreditation of secure software and/or systems packages and components (open source and proprietary software)
  • Financial support for small businesses or start-ups that develop software according to best practice

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

26. Barriers in the open source community

a. To what extent do you think the following government interventions would be effective in addressing risks specific to open source software development? [Not at all effective / somewhat effective / very effective/Don’t know]

  • Guidance on how to increase secure development of software in the open source community
  • Funding for industry-led initiatives (e.g. those aimed at maintaining critical open source components or those that develop security tools for use by the open source community)
  • Develop government-backed teams dedicated to maintaining critical open source software components and to support remediation of incidents affecting critical components.
  • Work with industry to develop a mapping tool to understand which open source components are most critical

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

27. Security and resilience in the distribution of software

a. To what extent do you think the following government interventions would be effective in addressing cyber risks linked to the actions of those who sell or resell software or software licences, or those who manage software services? [Not at all effective / somewhat effective / very effective/Don’t know]

  • Guidance on best practice (e.g. to assure the software they sell, secure their own networks and information systems)
  • Accreditation of software vendors, resellers or providers who follow best practice (e.g. certification or trusted vendor marketplace)
  • Regulation requiring software vendors, resellers or providers to follow a minimum standard (e.g. attestation on security measures they implement, notifying customers of incidents etc.)

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

28. Transparency and communication of software materials, vulnerabilities and incident management

a. To what extent do you think the following government interventions would be effective in addressing risks linked to visibility and communication of software materials, vulnerabilities and incident management? [Not at all effective / somewhat effective / very effective/Don’t know]

  • Technical guidance on Software Bill of Materials (SBOMs) and comparable tools.
  • Guidance on best practice in promoting transparency (e.g. attestation, code of practice for vendors, recommended contractual clauses etc.)
  • Certification of software developers and vendors who adhere to best practice in promoting transparency
  • Establish secure mechanisms to share information on vulnerabilities and malicious code between software developers, researchers and government
  • Develop a secure central database of SBOMs that can be queried to inform risk or vulnerability management and responses to incidents.
  • Develop regulation that requires software developers and vendors to meet a minimum standard of transparency (e.g. provide customers with a right to audit and request information, create a legal requirement to notify customers of incidents that affect them etc.)

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

29. Procurement, supplier assurance and supplier management

a. To what extent do you think the following interventions would be effective in addressing cyber risks linked to software procurement, supplier assurance and supplier management? [Not at all effective / somewhat effective / very effective/Don’t know]

  • Tools to help businesses implement guidance on securing their own supply chains (e.g. recommended clauses to include in contracts)
  • Training resources aimed at procurement and contract management teams
  • Work with industry to develop and promote tools that support businesses in securing their own supply chains

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

30. Maintenance, configuration and use of software by the customer

a. To what extent do you think the following interventions would be effective in addressing cyber risks linked to the ongoing maintenance, configuration and use of software? [Not at all effective / somewhat effective / very effective/Don’t know]

  • Guidance and comms campaigns to promote minimum actions businesses should take to secure the software they use
  • Training resources aimed at non-cyber security specialists
  • Work with software vendors to minimise the knowledge and actions required of customers to secure software products (e.g. building in prompts to change default passwords, or ensuring that multi-factor authentication is opt-out rather than opt-in).

b. Please explain your answers to the above

c. What other government interventions do you think would be effective at addressing these risks?

31. What do you think are the greatest challenges in implementing the potential interventions outlined above?

Next steps

The risks linked to software in digital supply chains are diverse and complex. It will not be possible, nor would it be proportionate, to pursue all possible policy options tested in this call for views. We will prioritise those policy options that would have the biggest impact in addressing software risks within the resources available to us. This prioritisation will be informed by responses to this call for views, and we will publish our formal response in summer 2023.

We will work across government to ensure these policy options are aligned with other government priorities including the UK Digital Strategy, implementation of the PSTI Act, and the proposed changes to the Network and Information Systems regulations. Throughout this work we aim to work closely with industry, academic and international partners to identify, develop and implement specific actions that will help improve the security and resilience of software development, distribution and use in the UK.

To aid this discussion, we may follow up directly with respondents on the substance of their answers to the survey questions. We will be holding a number of workshops during the course of the call for views to invite feedback and discussion on the issues addressed above with key industry and international stakeholders.

  1. By managed services, the government means services which are provided by one business to another business (i.e. a third party); relate to the provision of IT services, such as systems, infrastructure, networks and/or security; rely on the use of network and information systems, whether this is the network and information systems of the provider, their customers or third parties; and provide regular and ongoing management support, active administration and/or monitoring of IT systems, IT infrastructure, IT network, and/or the security thereof. (Characteristics taken from the Government response to the call for views on proposals to improve the UK’s cyber resilience.)

  2. By cloud service provider (CSP), the government means entities which offer cloud computing services that enable access to a scalable and elastic pool of shareable computing resources. The typical cloud service offering includes infrastructure as a service (IaaS), software as a service (SaaS) and/or platform as a service (PaaS).