By Charles Weaver
The recent licensing framework for cybersecurity providers in Singapore is an excellent example of what not to do when enacting legislation around service providers and cybersecurity. The title of this article has “MSP” in quotation marks because this new framework does not focus exclusively on MSPs, although many practicing MSPs would be covered by it.
While Singapore may not be known as a major MSP region, the passage of this framework sets an example of the kind of MSP legislation the rest of the world ought to be avoiding.
Scope of Framework
In comparing the Singapore framework to other laws, including the Louisiana MSP Registration law, the framework does not come close to achieving its stated objective of protecting consumers. The framework cites two classes of technology provider: 1) penetration test providers, and 2) security operations center (SOC) providers.
Now, leaving aside the SOC providers for a moment, I challenge anyone to explain what the licensing of a pen test provider will accomplish. Pen test providers almost never have persistent, ongoing logical access to customer systems. Even if a pen tester is also an MSP (which would be incompatible with industry best practices and of minimal value to the consumer), the pen test engagement would be a short-term tactical service and would not rise to the level of logical access most MSPs possess.
The framework also stops short of covering many other “network operations center” providers who have persistent and ongoing logical access and yet would be omitted from this licensing framework. Such an oversight was either a) intentional, for some unknown reason, or b) the result of a lack of understanding about the nature of MSPs and how they operate.
Framework is Neutral on Cybersecurity and Managed Services Best Practices
Another critique of the framework is the lack of any discernible standard or prescribed behavior for the provider, other than simply getting licensed. In almost all other licensing schemes, there is an undeniable set of practices or behavioral requirements established to go along with the license. The license becomes a manifestation of the underlying knowledge and behavioral guidance set forth by the licensing body (in most cases, a legislative authority).
The lack of any “framework” to guide MSPs and pen testers subject to the licensing requirement is also telling, as it indicates an interest solely in generating revenue or in excluding service providers from the local market.
Guidance for Legislative Bodies
MSPAlliance advises legislative bodies looking to legislate on cybersecurity or managed service providers not to emulate the Singapore CSA framework and instead to focus on desirable outcomes within the managed IT services community. Such outcomes could include registration of MSPs working with state agencies and critical infrastructure organizations. Another legitimate public policy outcome could be the regulation of ransomware payments and the disclosure of cyberattacks on end-user organizations to the proper authorities.
Licensure of the MSP profession will not achieve higher standards of care for the consumer. Nor will it achieve better outcomes for the consumers of managed services. Instead, licensure of MSPs will reduce overall participation in the MSP marketplace, stifle innovation, and leave many end-user organizations defenseless against persistent and ongoing cyberattacks.