10 May 2001

See also: http://cryptome.org/cissp-who.htm


Subject: Licencing of IT security consultants revisited
Date: Thu, 10 May 2001 10:12:13 +0100
From: "Q G Campbell" <Q.G.Campbell@newcastle.ac.uk>
To: <ukcrypto@chiark.greenend.org.uk>

Where do we now stand on the licencing of IT security consultants and
practitioners given that the Home Secretary has refused to exempt them
explicitly from the Private Security Industry Bill?

I was wondering about how such vetting and approval might be carried out
but it appears that CESG already operates an accreditation service for
companies who carry out security reviews of other organisations' IT
systems.

Could it be that Straw has it in mind to make it compulsory for all IT
security consultants to be accredited by CESG before they can work in
this field? If so, how might this affect academic research, practice and
publication in this area?

Would the exemptions from the DPA granted by the Home Secretary to GCHQ
to cover its vetting procedures mean that CESG could simply refuse to
grant you a licence without proper explanation or redress, even in the
courts?

In an area that cries out for transparency, the situation seems to be
getting murkier.
   
Quentin
--
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinions expressed above are mine. The University can get its own."


To: ukcrypto@chiark.greenend.org.uk
Subject: Re: Licencing of IT security consultants revisited
Date: Thu, 10 May 2001 13:22:14 +0100
From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>

Quentin:

> Could it be that Straw has it in mind to make it compulsory for all IT
> security consultants to be accredited by CESG before they can work in
> this field? If so, how might this affect academic research, practice
> and publication in this area?

I don't doubt the agencies want him to. Control by a nudge and a wink
always used to be how they did things, and they're clearly nostalgic for
the good old days.

Their old way of doing things was eroded over a long period of time. When
I came to Cambridge in 1992, I was asked whether I'd like to get a
security clearance (not by anyone associated with the University, I
hasten to add). I was warned by a senior local person (and by Donald
Davies) against accepting this kind offer. In practice they wouldn't have
told me anything interesting, as I wouldn't have got access to the juicy
compartments. What I'd get from the deal was an obligation to submit
research papers for pre-publication review, and to get permission before
consulting for anyone overseas. I'd also be expected to betray my
overseas clients by telling GCHQ about the vulnerabilities I couldn't
fix, and would have come under pressure to participate in `voluntary
vetting'. This is a scheme under which I'm supposed to ring a number in
London before offering a research place to a foreign national. The idea
is that the 'Foreign Office' can use this mechanism to prevent a Chinese
student coming to Cambridge to do a PhD, even if she is qualified and has
funding; this saves them the diplomatic consequences of refusing her a
visa.

The doomsday scenario is that all this would be imposed on academic
security researchers, by making it a condition of doing the consulting
work without which we couldn't pay our mortgages.
I don't think we'll get there immediately, because of the shift in
attitudes; because most of our consulting money is from overseas, so
regulation would have to prevent work abroad too; because most security
advice is given as a small part of some other job (most IS consultants
and even programmers specify or implement at least some protection
functions), so the net would have to be cast wide; and because
professional registration is highly fragmented.

There are many professional bodies with qualifications, codes of ethics,
etc. But none accounts for a large share of infosec consultants, and many
of the common qualifications are administered outside the UK. This
applies both to general ones such as membership of the IEEE, and
security-specific ones such as CISSP and CISA. This fragmentation is a
problem for government, in that there's no-one convenient to co-opt, and
for professionals in that there's no-one both able and motivated to fight
for us. It's also a problem for customers - but a lot of the worst advice
whose sequelae I'm called on to fix comes not from ex-hackers with
criminal records (as Straw would have you believe) but from accountancy
firms - who're excluded from the PSI bill completely and whom parliament
will not want to touch.

So could Straw prevent me from consulting in France on 'competence'
grounds despite my being a Fellow of the IEE and the IMA, and even if I
can get a good reference from several French professors? Would he want
to prevent a Microsoft engineer from Seattle from telling a UK plc how to
fix a vulnerability, until the spooks could spend six months enquiring
into her background?

In effect, the Home Office wants the UK to manage by rows something that
everyone else in the world manages by columns, and in a trade that's more
international than any other. I do hope that they won't be so stupid.

Simon?

Ross
From: Owen Blacker <owen.blacker@wheel.co.uk>
To: "UK Crypto list (E-mail)" <ukcrypto@chiark.greenend.org.uk>
Subject: Silicon.com: Geeks need a licence: Official
Date: Thu, 10 May 2001 11:32:46 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

HEADLINE: Geeks need a licence: Official
PUBLISHED: 5:01pm on Wednesday 9th May 2001
CHANNEL: Contractors
AUTHOR: Sally Watson
ARTICLE: http://www.silicon.com/a44296

TEXT OF STORY FOLLOWS:

The information security industry has lost its battle to duck out of a
new security licensing scheme set up by Home Secretary Jack Straw.

Home Office minister Charles Clarke pushed the Private Security Industry
Bill through its final stages yesterday afternoon, shortly after the
breakup of Parliament was announced.

Opposition MPs backed a last ditch attempt to exempt the IT industry from
the Bill's proposals to license all security contractors, but in a packed
chamber, Labour backbenchers remained loyal -- rejecting the amendment
315 to 111.

Despite the defeat, Clarke acknowledged the fears raised by industry
associations including the CBI, the CSSA and the Foundation for
Information Policy Research.

"It is our fundamental principle to ensure the Bill is targeted at those
specialist providers of security services who we have indicated we want
to regulate, and that we do not inadvertently catch groups that are not
relevant to our policy aims," Clarke told MPs.

The Bill is primarily aimed at rogue wheelclampers and nightclub
bouncers, but according to Clarke the definition of security consultant
is deliberately broad. "We want it to remain usable in the face of
changing security systems," he said.

Once the Bill becomes law the government has pledged to hold a full
consultation via the Department of Trade and Industry before it could be
applied to information security consultants.

But the assurances are unlikely to satisfy the Bill's opponents. A
spokesman for the CBI promised to continue lobbying to see the
legislation corrected.
"Consultation on secondary legislation creates more problems than it
solves," the CBI said in a statement. "It simply obliges the DTI to carry
out a consultation in which all affected parties - the industry itself
and users - are likely to say that regulation is unnecessary.

"Given that there has been no demand for regulation in the first place,
is this a worthwhile use of the DTI's and industry's time and resources?"

For related news, see:

Q. Who are the biggest election losers so far? A. Foxes and security
workers
http://www.silicon.com/a44302

Have you got a licence for that geek?
http://www.silicon.com/a44191

IT pros may need licences to work
http://www.silicon.com/a43615

STORY ENDS

For more information on silicon.com go to http://www.silicon.com.

silicon.com - the who, what, when, where and why of ebusiness

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
Comment: Due to RIP, pls check for revocation before using this key!

iQA/AwUBOvpt6lVeQSYAA2h0EQL+VwCdGvAyESyUc1HXBJ40hUWx3zp3c8kAn3bC
s6r6dT12ULsUBXjC5yApfF0W
=4051
-----END PGP SIGNATURE-----