Saturday, October 19, 2024

The Urgent Need for the UK to Repair its Flawed IT Security Market

Because the technology market is failing to deliver secure products, the UK government is considering whether legislation is needed to make IT suppliers prioritize the security of what they sell. Policy advisers believe legislation is the only reliable way to incentivize suppliers to build products that are resilient to cyber attack. The UK may follow the US, whose National Cybersecurity Strategy proposes holding software suppliers legally accountable for shipping insecure products.

Ollie Whitehouse, Chief Technology Officer at the National Cyber Security Centre (NCSC), has expressed concern that the market does not reward technology suppliers for prioritizing software security. Suppliers have the technical ability to build secure technology, yet they fail to get the basics right. The number of security vulnerabilities keeps rising: more than 40,000 new vulnerabilities were registered between 2022 and 2023. Adversaries are stockpiling vulnerabilities, and suppliers' claims that their products are secure do not match reality.

The market for software and security products is driven by price and perceived value rather than by security, which undermines cybersecurity efforts. Board directors are increasingly suffering "cyber fatigue" and prefer short-term fixes over long-term investment.

To change this, the UK aims to alter the dynamics of the security market by making the true cost of software transparent, measuring the effectiveness of security products, and introducing fines for negligence by software companies. That would be a significant shift from the current system, in which software companies bear no responsibility for cyber attacks that exploit vulnerabilities in their products. Similar ideas are being proposed in the US, where the Biden administration's National Cybersecurity Strategy calls for software suppliers to be held accountable for releasing products with significant vulnerabilities.
The US strategy aims to shift liability onto the organizations that fail to take reasonable precautions, and it intends to develop the necessary legislation in collaboration with the private sector. In the UK, such a change will almost certainly require legislation, because the government lacks the financial means to persuade IT suppliers to accept liability for security failures voluntarily. Although businesses and individuals are willing to pay more for secure software, there is a limit to how much more they will pay, so price signals alone will not correct the market. Legislation along the lines of the US approach may therefore be necessary to remedy the market's shortcomings, although it is likely to meet opposition from software suppliers.