UK Launches Voluntary Software Security Code to Strengthen Digital Resilience

Administrator




Championing Software Security in a Digital World

There's been a significant shift in our approach to digital resilience, signaled by the introduction of a new Cyber Security & Resilience Bill along with a Cyber Action Plan. In the midst of this shift, a voluntary initiative has been launched to tackle one of the most urgent issues we face today - ensuring the security of our software supply chain.

The Challenge Ahead

Maintaining global networks has become more intricate and challenging, exposing new vulnerabilities and highlighting the weaknesses of former methods. The infrastructure of many networks was established years ago, without the foresight of today's cyber threats.

The issue is further complicated by organizations not updating or properly maintaining their network infrastructure. This neglect leads to missed opportunities to resolve recognized vulnerabilities and implement the latest security practices. Recent research revealed that almost half of the world's network assets are aging or obsolete, which leads to more money being spent on maintenance rather than modernization.

It was noted recently that over half of the organizations surveyed have experienced software supply chain attacks. This problem not only involves the software supply chain but also the way we construct software. It's important that software is made to withstand attacks, that code is created with strong security principles, and that it's easy for customers to use securely. As part of the software supply chain, we take our role very seriously and are working hard to ensure the highest levels of security.

Fostering Stronger Infrastructure

Our role as a champion for secure software development and resilient infrastructure is an extension of our commitment to these areas. We focus on improving our products' security posture which, in turn, enhances the security of our customers' networks. Our approach is simple - get the basics right to minimize attack surfaces and raise the default security settings across our product range. We're striving to remove insecure features, introduce advanced security capabilities, and enable better detection and response.

The Implications

A single software component's weakness can compromise entire networks. In our modern digital ecosystem, layers of software dependencies could be potential entry points for attackers. Software security can no longer be an afterthought or a competitive edge, but must be a standard expectation.

Software vulnerabilities don't just pose theoretical technical risks - they can disrupt vital services that people depend on daily, from accessing healthcare to managing their businesses. When software fails to function securely and reliably, it poses a threat to public safety, economic stability, and trust in digital systems. This necessitates treating software security as a vital societal responsibility to ensure that digital infrastructure is resilient, trustworthy, and designed to protect individuals' lives and well-being.

Moving Forward

The Cyber Action Plan, backed by a substantial investment and the creation of a Government Cyber Unit, signals a serious intent to transform public sector cyber resilience. However, this transformation cannot be achieved by governments alone.

The software that fuels our economy spans every sector. Banks, hospitals, utilities, retailers, and government agencies all rely on robust, secure software. By establishing common baseline practices through the Code of Practice, we can raise our defenses across all industries and sectors.

As champions, we'll collaborate with industry peers to share insights, address shared challenges, and promote practical methods that work in real-world scenarios. We'll offer feedback to policymakers based on implementation experience, helping to shape future iterations of the Code and potentially informing regulatory frameworks in the future.

Shared Duty

Cybersecurity has become a cornerstone of our daily life. Trust in digital services underpins everything from economic productivity to access to essential services.

Building this trust requires a collective effort. It requires software vendors to prioritize security, governments to set clear expectations and provide support, and organizations of all sizes to implement robust security practices. The Code of Practice provides a common framework for this collaboration.

We've always believed that security is a team effort. No single company, no matter its size or sophistication, can tackle these challenges alone. By serving as a champion for the Code of Practice, committing to resilient infrastructure, and pursuing projects like an open-source, model-agnostic security framework that embeds secure-by-default practices into AI coding agent workflows, we reaffirm our commitment to this principle.

The government has set an ambitious agenda for digital transformation and cyber resilience. We're proud to stand alongside them and our fellow champions from across the technology sector to make this ambition a reality.

In the end, secure software and resilient infrastructure are not just good business practices; they're the foundations upon which we build the digital services that millions of people rely on every day.