It has been reported that the NCSC has launched a new Vulnerability Research Initiative (VRI) to collaborate with external researchers on software and hardware vulnerabilities. In response to the news, Kevin Robertson, CTO of Acumen Cyber, gives his views.
“This initiative sounds promising in theory, but given the NCSC’s track record of largely ineffective and self-serving programmes, it could end up as another flop that delivers little real value.
Cyber is often described as a community sport, which explains the recent proliferation of vulnerability research initiatives.

However, independent researchers typically have little incentive to collaborate with bodies like the NCSC, as they stand to gain far more recognition and impact by publishing their findings themselves, rather than handing them over to a government agency.
Organisations recognise that having more vigilant eyes on their networks – constantly scanning for vulnerabilities that could be exploited maliciously – can contribute to a safer internet. Yet, this is more like a fragmented neighbourhood watch where participants prioritise their own interests, and agencies like the NCSC often fail to foster genuine cooperation.
The NCSC appears to be seeking researchers to participate in this initiative, potentially hiring them to examine specific products for weaknesses. Details on which products are involved remain unclear, but they might include widespread technologies in critical sectors or emerging ones tied to the government’s Plan for Change.
Software and hardware vulnerabilities remain one of the most prevalent avenues for criminals to attack organisations, and we have seen high-profile actors exploit them in major supply chain breaches affecting UK businesses and citizens. While the NCSC claims to be proactive in addressing these threats and mitigating supply chain incidents, its efforts frequently fall flat.
The fundamental issue is that the NCSC must not only launch this initiative but sustain it effectively – something it has struggled with in the past, where well-intentioned schemes routinely fail to yield tangible benefits.
It is essential that this does not become yet another example of wasted potential in a field where independent action often proves more meaningful.”