10 May 2001


Subject: Licencing of IT security consultants revisited
Date: Thu, 10 May 2001 10:12:13 +0100
From: "Q G Campbell" <Q.G.Campbell@newcastle.ac.uk>
To: <ukcrypto@chiark.greenend.org.uk>

Where do we now stand on the licencing of IT security consultants and
practitioners given that the Home Secretary has refused to exempt them
explicitly from the Private Security Industry Bill?

I was wondering about how such vetting and approval might be carried out
but it appears that CESG already operates an accreditation service for
companies who carry out security reviews of other organisations' IT
systems.

Could it be that Straw has it in mind to make it compulsory for all IT
security consultants to be accredited by CESG before they can work in
this field? If so, how might this affect academic research, practice and
publication in this area?

Would the exemptions from the DPA granted by the Home Secretary to GCHQ
to cover its vetting procedures mean that CESG could simply refuse to
grant you a licence without proper explanation or redress, even in the
courts?

In an area that cries out for transparency, the situation seems to be
getting murkier.
   
Quentin
--
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."


To: ukcrypto@chiark.greenend.org.uk
Subject: Re: Licencing of IT security consultants revisited
Date: Thu, 10 May 2001 13:22:14 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Quentin:

> Could it be that Straw has it in mind to make it compulsory for all IT
> security consultants to be accredited by CESG before they can work in
> this field? If so, how might this affect academic research, practice
> and publication in this area?

I don't doubt the agencies want him to. Control by a nudge and a wink
always used to be how they did things, and they're clearly nostalgic for
the good old days.

Their old way of doing things was eroded over a long period of time. When
I came to Cambridge in 1992, I was asked whether I'd like to get a
security clearance (not by anyone associated with the University, I hasten
to add). I was warned by a senior local person (and by Donald Davies)
against accepting this kind offer. In practice they wouldn't have told me
anything interesting, as I wouldn't have got access to the juicy
compartments. What I'd get from the deal was an obligation to submit
research papers for pre-publication review, and to get permission before
consulting for anyone overseas. I'd also be expected to betray my overseas
clients by telling GCHQ about the vulnerabilities I couldn't fix, and
would have come under pressure to participate in `voluntary vetting'.
This is a scheme under which I'm supposed to ring a number in London
before offering a research place to a foreign national. The idea is that
the `Foreign Office' can use this mechanism to prevent a Chinese student
coming to Cambridge to do a PhD, even if she is qualified and has funding;
this saves them the diplomatic consequences of refusing her a visa.

The doomsday scenario is that all this would be imposed on academic
security researchers, by making it a condition of doing the consulting
work without which we couldn't pay our mortgages.

I don't think we'll get there immediately, because of the shift in
attitudes; because most of our consulting money is from overseas, so
regulation would have to prevent work abroad too; because most security
advice is given as a small part of some other job (most IS consultants and
even programmers specify or implement at least some protection functions),
so the net would have to be cast wide; and because professional
registration is highly fragmented.

There are many professional bodies with qualifications, codes of ethics,
etc. But none accounts for a large share of infosec consultants, and many
of the common qualifications are administered outside the UK. This applies
both to general ones such as membership of the IEEE, and security-specific
ones such as CISSP and CISA. This fragmentation is a problem for
government, in that there's no-one convenient to co-opt, and for
professionals in that there's no-one both able and motivated to fight for
us. It's also a problem for customers - but a lot of the worst advice
whose sequelae I'm called on to fix comes not from ex-hackers with
criminal records (as Straw would have you believe) but from accountancy
firms - who're excluded from the PSI bill completely and whom parliament
will not want to touch.

So could Straw prevent me from consulting in France on `competence'
grounds despite my being a Fellow of the IEE and the IMA, and even if I
can get a good reference from several French professors? Would he want to
prevent a Microsoft engineer from Seattle from telling a UK plc how to fix
a vulnerability, until the spooks could spend six months enquiring into
her background?

In effect, the Home Office wants the UK to manage by rows something that
everyone else in the world manages by columns, and in a trade that's more
international than any other. I do hope that they won't be so stupid.

Simon?

Ross