Licencing of IT security consultants revisited
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Thu, 10 May 2001 13:22:14 +0100
Quentin:
> Could it be that Straw has it in mind to make it compulsory for all IT
> security consultants to be accredited by CESG before they can work in
> this field? If so, how might this affect academic research, practice
> and publication in this area?
I don't doubt the agencies want him to. Control by a nudge and a wink
always used to be how they did things, and they're clearly nostalgic
for the good old days.
Their old way of doing things was eroded over a long period of time.
When I came to Cambridge in 1992, I was asked whether I'd like to get
a security clearance (not by anyone associated with the University, I
hasten to add). I was warned by a senior local person (and by Donald
Davies) against accepting this kind offer. In practice they wouldn't
have told me anything interesting, as I wouldn't have got access to
the juicy compartments. What I'd get from the deal was an obligation
to submit research papers for pre-publication review, and to get
permission before consulting for anyone overseas.
I'd also be expected to betray my overseas clients by telling GCHQ
about the vulnerabilities I couldn't fix, and would have come under
pressure to participate in `voluntary vetting'. This is a scheme under
which I'm supposed to ring a number in London before offering a
research place to a foreign national. The idea is that the `Foreign
Office' can use this mechanism to prevent a Chinese student coming to
Cambridge to do a PhD, even if she is qualified and has funding; this
saves them the diplomatic consequences of refusing her a visa.
The doomsday scenario is that all this would be imposed on academic
security researchers, by making it a condition of doing the consulting
work without which we couldn't pay our mortgages.
I don't think we'll get there immediately, because of the shift in
attitudes; because most of our consulting money is from overseas, so
regulation would have to prevent work abroad too; because most
security advice is given as a small part of some other job (most IS
consultants and even programmers specify or implement at least some
protection functions), so the net would have to be cast wide; and
because professional registration is highly fragmented.
There are many professional bodies with qualifications, codes of
ethics, etc. But none accounts for a large share of infosec
consultants, and many of the common qualifications are administered
outside the UK. This applies both to general ones such as membership
of the IEEE, and security-specific ones such as CISSP and CISA.
This fragmentation is a problem for government, in that there's no-one
convenient to co-opt, and for professionals in that there's no-one
both able and motivated to fight for us. It's also a problem for
customers - but a lot of the worst advice whose sequelae I'm called on
to fix comes not from ex-hackers with criminal records (as Straw would
have you believe) but from accountancy firms - who're excluded from
the PSI bill completely and whom parliament will not want to touch.
So could Straw prevent me from consulting in France on `competence'
grounds despite my being a Fellow of the IEE and the IMA, and even if
I can get a good reference from several French professors? Would he
want to prevent a Microsoft engineer from Seattle from telling a UK
plc how to fix a vulnerability, until the spooks could spend six
months enquiring into her background?
In effect, the Home Office wants the UK to manage by rows something
that everyone else in the world manages by columns, and in a trade
that's more international than any other. I do hope that they won't be
so stupid.
Simon?
Ross