We welcome this guest post by Des Ward, director at Innopsis, the trade association for suppliers of digital infrastructure and services to the UK public sector.
The recent announcement from the National Cyber Security Centre (NCSC) that the CESG Assured Service (Telecommunications), or CAS(T), security assurance scheme will close over the next six months may have passed unnoticed by many, but it is a defining point in the assurance of telecoms networks within the UK.
What is CAS(T)?
The CAS(T) scheme (CESG Assured Service (Telecommunications)) is an information and service assurance standard based on ISO/IEC 27001:2013. It is built on the principles of good commercial practice for cyber security, and adds service assurance controls to meet the public sector's stringent availability requirement of 99.95%.
It originated from the legacy NHS N3 standard and is now in its second iteration, aligned to the current ISO/IEC 27001:2013 standard (it adds service assurance controls that the ISO standard itself does not contain, so that the availability aspect is maintained).
CAS(T) is the assurance standard that underpins a wide range of government network procurements (such as regional local authority WANs, WANs used by central government, and the PSN itself). The most recent uplift of the Annex A controls within CAS(T) came with the delivery of the HSCN compliance operating model from NHS Digital, which in effect delivered an in-life update for healthcare connectivity providers (CPs).
What is happening to CAS(T)?
The CAS(T) scheme is being closed, with no new entrants to the scheme nor renewals. At present, CPs with existing CAS(T) certificates will be allowed to run until their expiry.
What is replacing CAS(T)?
This is unclear at present, although the Department for Digital, Culture, Media & Sport (DCMS) telecoms supply chain review does give some indication of where assurance might head. The review discusses a new security framework with the following key areas:
- New Telecoms Security Requirements (TSR). The foundation for the framework is a new set of security requirements, which will be finalised in conjunction with industry. The TSR will raise the height of the security bar and require telecoms operators, overseen by Ofcom and government, to design and manage their networks to meet these new requirements. The TSR will provide clarity to industry on what is expected in terms of network security.
- Establishing an enhanced legislative framework for security in telecoms. In addition to putting the TSR on a statutory footing, the new legislation will provide Ofcom with stronger powers to allow for the effective enforcement of the new requirements and will establish stronger national security backstop powers for government.
- Managing the security risks posed by suppliers. The new framework will ensure that telecoms providers are managing the security risks posed by all suppliers. The government will make a final decision on the additional controls to be applied to individual high-risk vendors in due course.
The ultimate stated goal of the report is to increase regulatory oversight and enforcement, and to "ensure a competitive, sustainable and diverse supply chain" for communications providers (CPs). The review also talks about enforcing the use of Ofcom's threat intelligence-led penetration testing scheme (TBEST).
What are the challenges as a result of this approach?
At present, CAS(T) provides a pathway for CPs of all sizes to deliver assured network services to government. Indeed, the adoption of CAS(T) as the foundation for healthcare CPs within the Health and Social Care Network (HSCN) allowed a range of new entrants (of varying sizes) to evidence their network assurance, and brought the number of CPs with services aligned to CAS(T) to 40 in total.
If TBEST is mandated, we will see the baseline cost of assurance rise to at least £200,000 per annum, and this will constrain the number of CPs in the marketplace. Certainly, very few SMEs could contemplate that kind of investment for speculative business. This will undoubtedly increase the cost of network services and impede growth in a market that already requires significant stimulus to deliver the aspirations of full-fibre and 5G.
Coupled with the uncertainty around certification, standards and the cost of compliance, we should also take into consideration the government's drive to Internet First. Perhaps there is no need to establish that a network is available, secure, tamper-proof and free from insider attack if the user does not trust the network anyway? If the majority of public sector traffic is to be carried over the internet, then the cost of holding the remaining networks to a non-generic standard may be seriously out of proportion to the benefit.
Addressing the user need
Whilst CAS(T) did require maintenance (as evidenced by the approach taken by NHS Digital), removing it without replacement when it underpins a large number of contracts will place CPs in breach of those contracts and increase the cost of procurements for customers until the new compliance regime is implemented.
With an increased move towards the internet as the network platform, and the threat of a no-deal Brexit looming (under which the UK becomes a third country, so any personal data transiting outside the UK would depend on EU countries permitting its return), the end-to-end assurance of network services is more important than ever.
Working as an industry to evolve the network platform
Innopsis has always supported the stated views of the NCSC and government on the principles to be applied in the delivery of network services. We believe that the needs of the application should define the needs of the network, and that a diverse CP market is crucial to delivering full-fibre, IoT and 5G.
TBEST in its current form provides a high cost of entry for very little benefit beyond satisfying the compliance needs of regulators. We would like to work with government to ensure that the outcomes of TBEST are met with a cost that is more realistic and provides useful assurance to CPs as well as the regulators.
Innopsis is encouraging dialogue on this issue with an aim of providing a useful certification that reduces cost for both procurer and supplier whilst raising the bar for security, availability and integrity of the networks in the UK used for sensitive and crucial data transport.
We look forward to working on the evolution of the network platform.