NotBeingPetya: UK critical infrastructure firms face huge fines for lax security


All this EU red tape telling us that we've got do sensible things like this. The sooner we're rid of it the better.

Coat. It's not raining right now so I don't need it.


What EU.

This is a near verbatim copy of the recent Russian legislation after removing criminal responsibility for the directors.

The El Reg screamed bloody murder at the time as it included DNS servers and peering points as well as the ability of the government to issue an "isolate" order. They concentrated on that particular aspect and missed the rest, which is, surprise, surprise, nearly the same as what we hear now from HMG.

By the way the "disconnect from net to keep the country running" order is not a bad idea. It should be in the legislation.


...could be fined as much as £17m of 4 per cent of global turnover...

Now if it were 25-250% of the 'C' suite bonus package budget they might be on to something.


Re: ...could be fined as much as £17m of 4 per cent of global turnover...

That doesn't make sense; shouldn't the 'of' be an 'or'? Otherwise it's just "as much as £17m", and the global turnover amount doesn't matter. Confused.


Re: ...could be fined as much as £17m of 4 per cent of global turnover...

TBH I don't see how anything other than C suite jail time will ever make companies take this sort of thing seriously.

"Oh dear. We got fined. What to do, what to do... I know, put them prices up for the next quarter! Problem solved. Let's all go play golf."


Re: ...could be fined as much as £17m of 4 per cent of global turnover...

"shouldn't the 'of' be an 'or' "

It is 'or' according to other reports I've seen.

Anonymous Coward

Companies sign up for a consultancy service from one of the usual suspects which results in a shiny certificate they can then wave at the judge after a major incident and say "see, we followed current best practice, so we're off the hook".


"see, we followed current best practice, so we're off the hook"

If they've demonstrably not followed "current best practice" in actual practice that mightn't be well received.


How quickly standards slip. It would be OK if organisations followed what the government actually said, "assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities", but already it's slipped (here in the comments) to "current best practice", which I guess means, "no-one else bothers with more than this".

Anyone want to predict how long before a court accepts, "industry standard practice" as a defence?


Security by cookery

I expect this'll lead to a whole lot more checklists.

And software tools to help ensure compliance.

And then blind adherence to what the tools tell you. Despite the best efforts of tool vendors to tell you that their warnings don't mean "this is wrong" but rather "this is flagged up for human attention".

Hmmm. Like ... dear me, was it really 2008 I noted this little anecdote?

Anonymous Coward

Re: Security by cookery

"And then blind adherence to what the tools tell you"

It very much depends on who you have doing your security.

Some of us care about the *reality*, rather than just paying lip-service to the latest trend. It doesn't matter a pair of fetid dingo's kidneys to me if the projects to secure things tick boxes for this or that, as long as the systems deployed actually *do* this or that.

The main issue I see is that in such a target rich environment you are closing the big doors first and you'll get to the niche areas of weakness eventually - the problem with that approach is that state actors could be using those niche areas for some time before something is deployed to detect them & you can respond.

Still, you have to try, and I see this push to motivate the big players as a positive thing. The worst thing that can happen though is that it will result in lots of knee-jerk box-ticking without any real-world benefit. Not a major issue where I am because there are people who care enough to lose their jobs rather than jfdi, especially if you know it will lead to a weaker system. It's impressive to some people that security consultants care enough about something to potentially lose their lucrative contract over, it isn't common and it raises eyebrows (as long as you are known for integrity and passion for your work :) )


Rank Hypocrisy

The biggest UK victim of the WannaCry outbreak was the NHS. When last I heard, the NHS was a Government Department, so the Government's first task should be punishing itself for not complying with its own rules. Ah, but the reason for non-compliance was under-investment in IT by...you guessed it, the Government. So the government intends to punish itself for not complying with its own rules by fining itself a substantial sum, which will leave itself with even less budget to spend on the deficient IT systems that caused the problems in the first place. This will make them more vulnerable to future attacks, which will result in even heftier fines, leaving them with less cash to fix the problems, making them more vulnerable...


Re: Rank Hypocrisy

@Severus, you make a fair point, but failed to develop it and present an alternative.


Re: Rank Hypocrisy

@severus.

"non-compliance was under-investment in IT"

Unfortunately, this particular issue wasn't caused by underinvestment. Although a lot of attention was thrown at Windows XP (and it's an issue, don't get me wrong), the reality is that Windows 7 (still supported) was the majority victim and it affected Windows all the way up to 10. The issue was patching and Microsoft making patches available and the time it takes to apply them. It was also about intelligence agencies keeping exploits to themselves and then when they suddenly get known, not enough time is available to sort things out before the exploits hit.

Of course, we shouldn't be running Windows XP machines anymore and underinvestment is a primary cause of this (although in some areas such as machines running scanners, it's very difficult), but it wasn't the cause of this particular issue.

Anonymous Coward

Re: Rank Hypocrisy

Anonymous for obvious reasons.

Problems in the NHS:

Chronic underfunding of infosec

Infosec staff not being dedicated to that role despite them being so on paper.

Capita not securing ACLs, hell not even applying them at all in some cases.

MS patching last year causing problems with clinical systems, preventing patching rapidly after release (lots of testing required, creating a lag).

^^ This all affects trusts/boards/CCGs regardless of whether they have XP or not.

And now we've got the new directive coming, which I welcome, but I know I'll still not get to do my infosec job because I'm doing 2 other people's roles too. Meanwhile my infosec skills wither away as I can't keep them up to date. It's been over a year since I fired up any sort of pen testing tool; don't use it, you lose it!
