UK Electronic Communications (Security Measures) Regulations 2022 – What is “Browse Down”?

By Henry Harrison

The UK’s (relatively) new Electronic Communications (Security Measures) Regulations 2022 come with an associated Code of Practice (CoP). Between them, they provide some pretty clear and specific rules about how UK telecommunications companies must up their game on cybersecurity. It’s quite a radical departure from the sort of principle-based regulation found in the EU’s NIS or in other sectors (banking, for example).

But not all of the CoP is entirely clear. In particular, the CoP requires telecoms companies to use the architecture in the diagram below (reproduced from the CoP). It’s reasonably self-explanatory – but what is “Browse Down”?

The CoP talks a bit about “Browse Up” (and states that “Given the risks, it is not appropriate for public telecoms providers to be using a ‘browse-up’ architecture”). But Browse Down is not defined (except, implicitly, as the opposite of “Browse Up”).

The CoP does provide some clues by referring to “Cross‑domain working and browse‑down” – stating that “administrative users will require some form of cross-domain solution” and that “general advice on the use of cross domain solutions…can be found on the NCSC website”. On the National Cyber Security Centre (NCSC) website, Browse Down is defined as “when you trust your device just as much, or more, than the system you are administering.” [1] The NCSC website further provides “an example of a ‘browse-down’ pattern, where riskier activities are isolated using a separate processing context.” [2]
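The NCSC definition quoted above turns into a simple rule that can be checked against an inventory of who administers what: a link is browse-down when the administering device is trusted at least as much as the system it administers, and browse-up otherwise. The following Python is an added example, not code from the original post, from Garrison or from the NCSC; the trust tiers, host names and sample topology are constructed for illustration. It goes one step beyond the single-link definition by following chains of management links transitively, since a low-trust host that can administer a jump host effectively administers everything that jump host administers.

```python
"""Browse-up detection over a management topology (added example)."""
from collections import defaultdict

# Fail-closed defaults for hosts missing from the trust table (assumption):
# an unknown administering device is treated as least trusted, an unknown
# administered system as most sensitive, so gaps in inventory surface as
# browse-up rather than being silently accepted.
UNKNOWN_DEVICE_TIER = 99
UNKNOWN_TARGET_TIER = 0

# Constructed trust tiers: lower number = more trusted (hypothetical names).
SAMPLE_TIERS = {
    "admin-laptop": 0,      # hardened management device
    "mgmt-jumphost": 1,
    "core-router": 1,
    "customer-portal": 2,
    "browse-vm": 3,         # context used for general web browsing
}

# Constructed management links: (device, target) means device administers target.
SAMPLE_EDGES = [
    ("admin-laptop", "mgmt-jumphost"),      # browse-down
    ("mgmt-jumphost", "core-router"),       # browse-down (equal trust)
    ("mgmt-jumphost", "customer-portal"),   # browse-down
    ("customer-portal", "mgmt-jumphost"),   # browse-up: portal host manages the jump host
    ("browse-vm", "customer-portal"),       # browse-up: browsing context manages a server
]


def classify_link(device, target, tiers):
    """Classify one administration link using the NCSC definition:
    browse-down when the device is trusted as much as, or more than,
    the system it administers."""
    d = tiers.get(device, UNKNOWN_DEVICE_TIER)
    t = tiers.get(target, UNKNOWN_TARGET_TIER)
    return "browse-down" if d <= t else "browse-up"


def find_browse_up_paths(edges, tiers):
    """Find every administration chain that is browse-up once followed transitively.

    Returns a sorted list of (origin, system, path) for each system reachable
    from an origin device through management links where the system is more
    trusted than the origin. The path records the hop sequence for reporting.
    """
    adj = defaultdict(list)
    for device, target in edges:
        adj[device].append(target)

    findings = []
    for origin in list(adj):
        origin_tier = tiers.get(origin, UNKNOWN_DEVICE_TIER)
        stack = [(origin, [origin])]
        seen = {origin}
        while stack:
            node, path = stack.pop()
            for nxt in adj.get(node, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                new_path = path + [nxt]
                if tiers.get(nxt, UNKNOWN_TARGET_TIER) < origin_tier:
                    findings.append((origin, nxt, new_path))
                stack.append((nxt, new_path))
    return sorted(findings)


def report(edges, tiers):
    """Render findings as text lines for a reviewer."""
    lines = []
    for origin, system, path in find_browse_up_paths(edges, tiers):
        lines.append(f"browse-up: {origin} reaches {system} via {' -> '.join(path)}")
    return lines


if __name__ == "__main__":
    for device, target in SAMPLE_EDGES:
        print(f"{device} -> {target}: {classify_link(device, target, SAMPLE_TIERS)}")
    print()
    for line in report(SAMPLE_EDGES, SAMPLE_TIERS):
        print(line)
```

The per-link check is what the NCSC definition states directly; the transitive search is the part an inventory review usually misses, because each individual link in the sample looks acceptable to its owner while the chain as a whole lets the browsing context reach the core router.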

But the real detail emerges from NCSC when we look for details on “cross-domain working” and “cross-domain solutions”. There are two key pieces of NCSC guidance:
1. Security Principles for Cross Domain Solutions [3]
2. Pattern: Safely Importing Data [4]

NCSC has sponsored specific assurance activities to assess and test Browse Down product compliance against this guidance. It is notable that many well-known technologies that might seem suitable for Browse Down do not in fact meet the guidance – for example, Remote Desktop or VDI technologies from mainstream IT vendors.

Garrison supplies “Browse Down” technology to both commercial organisations such as Lloyds Banking Group and to UK Government customers including the Ministry of Defence. This technology has been extensively assessed by the NCSC, to the extent that it is trusted to provide Browse Down even from classified devices that wish to access the Internet.

Learn more about our Browse Down technology – or indeed, about Browse Down and Cross Domain Solutions (CDS) via our Privileged Access and “Browse Down” whitepaper.

[1] https://www.ncsc.gov.uk/collection/secure-system-administration/gain-trust-in-your-management-devices
[2] https://www.ncsc.gov.uk/collection/cyber-security-design-principles/examples/study-operational-tech
[3] https://www.ncsc.gov.uk/collection/cross-domain-solutions
[4] https://www.ncsc.gov.uk/guidance/pattern-safely-importing-data