Romolo Tavani - stock.adobe.com

Why the UK needs to fix its broken IT security market

Ollie Whitehouse, CTO of GCHQ’s National Cyber Security Centre, says the market for secure software is broken. Are new laws required to make software companies liable for poor security?

Failures in the technology market are prompting discussions in government over whether the UK will ultimately need to legislate to force IT suppliers to secure their products.

Policy advisors believe legislation may be the only route to persuade software and hardware suppliers that it is worth their while to develop products that are resilient to cyber attacks.

This could see the UK following the US, which is proposing to make software suppliers legally liable if they deliver insecure products and services as part of its National Cybersecurity Strategy.

The problem has been exercising Ollie Whitehouse, chief technology officer at the National Cyber Security Centre (NCSC), which is part of the signals intelligence agency GCHQ.

He told a conference in Birmingham this week that the market is failing to incentivise technology suppliers to spend time, money and effort on ensuring that their software is free from security vulnerabilities.

Whitehouse described the challenge as “a market problem” in producing the level of cyber-resilient technology we want and need, adding: “We have to ask ourselves, why is it that is not being realised in practice?”

The reason is not a lack of technical ability. Software suppliers know how to build cyber-resilient technology. Take the CHERI research project, for example, which has demonstrated it is possible to contain cyber attacks in isolated compartments in computer memory to prevent their spread across computer networks. It has also made it possible to take bug-ridden code and make it operate in a secure way.

But even without advanced programs like these, Whitehouse argued that suppliers are failing to get the basics right. The number of new security vulnerabilities registered between 2022 and 2023 rose to more than 40,000, an increase of 14%. “And those are the ones we know about ... that were being responsibly disclosed,” he said.

“We know there are various adversaries who are stockpiling vulnerabilities. And this is compound growth,” he told the conference. “Similarly, security efficacy of solutions is not realised in practice – either the solution in isolation or in operations. We have claims not meeting reality,” he said.

The market for software and security products is driven by value and cost – what Whitehouse calls “the enemy of cyber security”. Even directors in the boardroom are feeling “cyber fatigue”, preferring three-year programmes to long-term investment.

“We need to ask ourselves what the incentives are when we have a risk which is highly technical, increasingly complex, ever-evolving and, more important, costly,” he said, speaking at the Cyber UK security conference.

“We know there are various adversaries who are stockpiling vulnerabilities. Similarly, security efficacy of solutions is not realised in practice. We have claims not meeting reality”

Ollie Whitehouse, NCSC

Security products are in use today that contain classes of security vulnerabilities that have been known about for decades. Part of the problem is that investors have bought up technology companies and continued to sell 15-year-old technology without investing to bring it up to date.

There are short-term fixes, such as the NCSC’s active cyber defence programme, which, among other services, provides data about malicious websites to internet service providers, managed service providers, phone companies and financial services companies, allowing them to automatically block malicious links.

Researchers say academic work is also underway to develop ways of measuring how secure software is. That would make it possible in future for software users to have a better understanding of the risks they are taking on.

The long-term goal, Whitehouse suggested, is to change the dynamics of the security market. This means being transparent about the cost of software, measuring its effectiveness and measuring technical debt – the future cost of failing to fix bugs and errors – and recording it on the balance sheet.

Then, he said, there should be fines for negligence if software companies sell insecure software. That would mean a radical change to the current system, which allows software companies to contract themselves out of responsibility for the damage caused by cyber attackers exploiting vulnerabilities in their software.

Such ideas are already being proposed in the US. The Biden administration’s National Cybersecurity Strategy, published in March 2024, envisages a future where software suppliers and publishers will be held accountable if they release products with significant security vulnerabilities.

“Too many vendors ignore best practices for secure development, ship products with insecure default configurations or known vulnerabilities, and integrate third-party software of unvetted or unknown provenance,” the strategy document states.

“Software makers are able to leverage their market position to fully disclaim liability by contract, further reducing their incentive to follow secure-by-design principles or perform pre-release testing,” it says.

The US strategy calls for a shift in liability to organisations that fail to take reasonable precautions to secure their software, while also recognising that even the most advanced software security programs cannot prevent vulnerabilities.

Under the plan, the US Congress will work with the private sector to develop legislation to create liability for software products and services. It will aim to prevent software suppliers from using their market power to enforce contracts that exclude them from responsibility for poor software design. It will also mean software companies will have to show more due diligence where software is used in high-risk applications.

Security advisors agree that the UK government does not have the financial muscle to persuade IT suppliers to accept contracts that expose them to liability for security failures.

And academic research shows that while businesses and individuals are prepared to pay more for more secure software, there is a limit to how much more they will pay.

All of this means that if the market is to be fixed in the way Whitehouse proposes, the UK will likely have to follow the US route of introducing legislation to make IT suppliers financially liable if they fail to pay enough attention to security in their products.

It won’t be quick. Such a change is probably at least a decade away, and is likely to incur serious opposition from software suppliers, but the direction of travel appears to have been set.

Read more about GCHQ and NCSC

Read more on IT risk management