Channel Islands Information Security Forum (CIISF)

View Original

Consultations: Let’s make time, and make the effort, to be consulted.

July 2023's monthly post sees Chairman Dave Cartwright highlights some of the positive engagements within the local cyber security community in respect to Government consultations and how this open dialogue benefits our wider communities.

Everyone likes a good whinge about governments and politicians. After all, if they didn’t exist then we’d have to find someone else to moan about.

The thing is, though, you might be surprised to read that I reckon there are some things that they do well. And in the case of the Jersey Government, one of those things is consulting people and groups about new guidelines and laws they’re considering implementing.

We in the Channel Islands Information Security Forum – and the Jersey cyber security community in general – are fortunate, in that we appear to be on the Government’s Groups That Might Have Something Useful To Say list regarding topics in and around cyber security. I look back to 2017 when the Government put out its consultation paper on the Cyber Security Strategy it was proposing to introduce. It was very enlightening taking part in group discussions about what the strategy might say, suggesting things that we thought might have been overlooked, questioning things that might have been a bit optimistic. We were similarly consulted by the Government when the newly minted UK Cyber Security Council put out its own consultation paper on the subject of obtaining a royal charter and awarding chartered certifications. And then, again, earlier this year, I sat in a packed meeting convened by the Government who wanted the opinions of CIISF members and the security community in general, this time around the new Cyber Defence Legislation that’s being drafted as I write this (and I wait with baited breath to see what the draft looks like when it arrives). And finally, the consultation that prompted me to choose this as a topic for this month’s LinkedIn feature – where I sat in a full CERT meeting room a few days ago as part of an interactive discussion about the new Telecoms Security Framework that’s being considered.

Will everything we asked for find its way into the final version of the Cyber Defence Legislation and Telecoms Security Framework? No, of course not – that’s not the way the world works. After all, if everyone listened to me the UK wouldn’t have left the EU, craft lager would be £1 a pint, and there would be on-the-spot fines for anyone who uses the term “Artificial Intelligence” without being able to define what it means. But looking back to the things that have been published over the years, it seems to me that our comments and suggestions have been listened to. And it feels like the same will apply to the Cyber Defence law – not least the bit that talks in the consultation document about mandatory reporting of any “potential security incidents/risk”, which pretty well everyone in the room had questioned and which seemed to elicit a “Hmmm, that’s a good point” response from the Government representatives.

Will the Government tweak its proposed legislation because they think that what the consultation groups have said is enlightening, better than their version, something they’d missed, and so on? Or will they do it because the meetings are minuted and if they roll out something completely daft that doesn’t work very well then those consulted can point at the minutes and say: “We told you so”? Frankly, it doesn’t matter – though of course I’d like it to be the former. What matters is that they have good reasons to accommodate the thoughts of the collective brains in the wider community, and a level of accountability should they choose not to take advantage of those thoughts.

And thus we arrive at the point of this article. Consultations can only work properly if the people being consulted turn up to the party. It’s a two-way street, and we all need to make the effort to go along to the consultation meetings, or to give our opinions electronically if we can’t be there in person. In a small community such as Jersey there’s always the risk of the loud, opinionated ones rocking up and having a good old rant while the quieter ones – who probably have equally valid opinions – aren’t heard. And it would be a shame for that to happen. Fortunately, in the cyber-related consultations I’ve been a part of, we’ve turned up in good numbers and from a good variety of sectors and specialisms, but we need to keep up the momentum.

For those who’ve not taken part in such consultations, I strongly recommend you keep an eye on the Government web site and the media. And if you see a consultation that relates to something you know about or are interested in, put up your metaphorical hand and say: “I’m in”. It’s not going to take infinite brain power or weeks of your time, and the value to the eventual result is potentially significant. Oh, and my experience is that the sessions are interesting and often provoke unexpected discussion and/or inform you of stuff that you weren’t previously aware of.

So, people, when we’re invited to do so, let’s make time, and make the effort, to be consulted.