Data and infrastructure contractors, it's time to tell officials about security and resilience
Some in the contractor sector have got ‘consultation-fatigue’, and perhaps understandably so, but there’s one ‘call for views’ from the government that freelancers in the IT sector, perhaps let down by poor infrastructure or responsible for data storage, might want to answer, writes Evane Alexandre of digital law firm Gerrish Legal.
On May 26th 2022, the culture department asked both individuals and organisations for their responses to the issue of storage and processing infrastructure security and resilience, as part of the UK’s National Data Strategy.
Considering the UK is increasingly reliant on large-scale data storage and processing services to deliver essential public services, such as banking and energy, the government is understandably looking for new ways to boost the resilience and security of UK data infrastructure. To that end, the government announced that its goal is to both ensure that our country’s IT infrastructure remains able to cope with continued growth and prevent cyber threats and other disruptions. Achieve both of those, and the economy can thrive while being as protected as possible.
In particular, the Department for Culture, Media and Sport (DCMS) highlights in its policy paper that data is “strategically important at a national and global level”, thereby making the infrastructure where large volumes of data accumulate “an attractive target to those who may have the intention or capability to threaten the UK’s national security, economy or ways of life”.
Cloud outages are telling
Moreover, we believe concerns other than malicious attacks should be taken into account. You only need look at the different cloud services outages happening within the last year or so, due to problems with the infrastructure itself, to realise it’s not just all about keeping the hackers at bay.
Quite rightly, the government is seeking to obtain views and evidence to understand the current landscape and potential options to strengthen the security of local data centres and cloud services. And this consultation aims to develop the government’s evidence base and collect contributions from the industry prior to developing a policy. So a government in ‘listening mode’ seems to fit the circumstances.
Three parts, 14 questions, one big sharing request
Tied to that, the hope is that data centre operators, their customers, cloud providers, equipment suppliers and cyber security experts come forward to answer the three-part consultation’s 14 questions, to help the government better understand and assess the potential risks that data storage and processing services face. To really help, those parties should be ready and willing to share the types of measures they have in place, right now, to address and mitigate vulnerabilities.
But the government would also like feedback on processes seen in other regulated sectors, with a view to establishing new ones, such as incident management plans, mandatory notifications and notification periods to a regulator when infrastructure or services are affected, or an accountability principle making someone at board or committee level responsible for the security and resilience of the infrastructure.
Serious and seminal
Fortunately, there’s time to collate your response to these serious and seminal issues. The consultation is open until July 24th 2022, following which the government will review the feedback provided and publish a response, determining whether any additional government support or management is required to minimise the risks to data storage and processing infrastructure.
At the time of writing, it has not been determined which form this extra government support might take. However, DCMS says the new protections will “build on existing safeguards for data infrastructure” including the Networks and Information Systems (NIS) Regulations 2018, which cover cloud computing services, and the National Cyber Security Centre and Centre for the Protection of National Infrastructure, which offer regular guidance for data centres and online assets.
Ultimately, the new provisions will be aimed at safeguarding the economy through the protection of small and medium-sized businesses, while keeping consumers safe from online harms. As both businesses and consumers, independent (PSC) contractors should be doubly compelled to come forward to contribute.
Lastly, where to respond (and how much you should say)
As to your own work if you’re an IT-business or data expert, both you and we will have to wait for the results of the consultation to find out what the practical implications of such new provisions will be ‘on the ground.’ Yet it seems certain this will be an exciting space to monitor, and we can all look forward to contributing to, even possibly shaping, the policy which will be adopted. Just make sure you note the consultation request if you’re a particularly keen bean – ‘no more than 10 pages or 5,000 words,’ to be submitted to the consultation response page here.