UK infrastructure firms to face £17m fine if their cybersecurity sucks

Infrastructure firms could face fines of up to £17m if they do not have adequate cybersecurity measures in place, the UK government has announced today. The plans follow proposals earlier this year from the Department for Digital, Culture, Media and Sport intended to comply with the EU Network and Information Systems (NIS) …

  1. Anonymous Coward

    Will the same threat also apply to the government departments overseeing those critical parts of the infrastructure?

    1. Anonymous Coward

      Sure it will: they'll just fine the department £17 million, which gives you an overall fine amount of 0, and the government will be praised for "doing something™".

    2. Yet Another Anonymous coward

      It will only apply to government depts.

      The only outfits who are "critical infrastructure" enough to warrant the full fine will either be government or sole suppliers of services to governments and able to simply add the fine to misc expenses on the next tender

      1. Doctor Syntax

        The only outfits who are "critical infrastructure" enough to warrant the full fine will either be government or sole suppliers of services to governments and able to simply add the fine to misc expenses on the next tender

        The omission of any link from the article doesn't make it straightforward to find the details but I've provided a link in another comment. You can look up the criteria for yourself: they're in Annex 1 of the PDF.

      2. Anonymous Coward

        Wrong

        CNI covers lots of businesses. Most of the Water & Energy Companies in the UK are private and it also covers finance, transport & ISPs. Companies have a 6 month window from May to become fully compliant.

  2. Anonymous Coward

    Hurray.

    Everyone copy from Putin's Russia. Hurray.

    Same way as we copied the metadata collection after 9/11 from what the FSB did in circa 1999.

    JUST NOT F*** ENOUGH.

    When they voted this in 2016 they also made the directors criminally liable with jail terms attached. When we copy something we should do it properly. All the way.

    Pity that even if it will be copied properly, it will still be too late to apply this to the UK's favourite Director and her ex-Company. We all know which one. Yes that one.

    So who will be the first one to scream about this being undemocratic, inappropriate and gross overreach by a dictatorial state. ANYONE??? I can't hear ya... When THEY voted it, El Reg had a special article on the utterly undemocratic consequences of the law. We also had a lovely discussion too where we quickly found out exactly what the law actually said. So, where is the El Reg rant on how utterly undemocratic this is?

    1. Anonymous Coward

      Re: Hurray.

      Which company? Asking for a ... well me really.

      1. rh587

        Re: Hurray.

        Which company?

        I think the one we end up Talktalking about quite a bit on El Reg on account of frequent foul-ups and abysmal customer service.

        1. Anonymous Coward

          Re: Hurray.

          How are they still in business?

  3. Anonymous Coward

    Does that include not having backdoors to circumvent encryption?

    1. Anonymous Coward

      oh silly, companies can have encryption, it's the masses that aren't allowed encryption to stop the pedoterror armageddon that's going to unravel the fabric of society.

      1. CheesyTheClown

        But doesn’t it apply to VPN?

        So, a British firm wants to secure its infrastructure and implements a VPN (not Cisco, of course) to control access to management. The company then requires that all keys be properly secured on encrypted devices... the consultants (located everywhere) will be forced by UK government policy to have phones and PCs with encryption and no back doors.

        If the phones and PCs with no back doors don’t exist, then how would this work?

        Would the back door be British only? I know from reading the occasional FHM that British men are completely obsessed with back doors. What happens when a foreign consultant travels to their home country where by law, their phone would have to be accessible via a back door there? Is it ok if for example a Russian contractor’s phone is accessible to the Russian government while they are in Russia?

        It would of course only ever be used for altruistic reasons like crime prevention and would never be exploited by anyone other than truly trustworthy people.

        I guess there could be a policy that only people who don’t travel internationally can work on the infrastructure.

        It seems there could be a conundrum here.

  4. moonrakin

    Tax by another name

    Unless individuals responsible get a personal whack on their net worth - the victims will end up paying for sloppy and incompetent IT.

    I'd extend the principle to power cuts me ... I would.

  5. fnusnu

    Any chance of a link to the guidance?

    1. Doctor Syntax

      "Any chance of a link to the guidance?"

      https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf

      And for clarity "next May" in the article isn't May next year. It's May this year which I'd be inclined to refer to as "this May" (as opposed to dismay who's currently the PM).

    2. Cleary1981

      https://www.itgovernance.co.uk/nis-directive is a good short description

  6. Doctor Syntax

    There's one oddity in the "guidance" (actually HMG's response to the consultation). There's a table of regulators (or "competent authorities" in the jargon - YMMV) which includes OFCOM for digital service providers. There's also a table of thresholds to determine what size of undertaking falls into scope. There's an entry in that for digital infrastructure but that only applies to domains, DNS & internet exchange points. So are all digital service providers included, however small, or are none of them included because they don't exceed the non-existent threshold?

  7. batfink
    Mushroom

    Can we make it retrospective?

    Please please please.....

    Otherwise, we still won't catch Baroness Harding, unless we can reclassify the NHS as "infrastructure".

    1. EnviableOne

      Re: Can we make it retrospective?

      The NHS is CNI, at least acute hospitals and trauma centres are ...

      This has been worrying me a lot more than GDPR, and it's just re-announcing it.

      If you read the Draft Data Protection Bill, all the provisions of NIS are in it

  8. handleoclast
    Paris Hilton

    Poorly named

    The EU Network and Information Systems (NIS) Directive should have been called the Pan-European Network and Information Systems Directive.

    Icon is of somebody who would love to come to grips with that renamed directive.

    1. Halfmad
      Trollface

      Re: Poorly named

      Ministers already have a firm grip on this legislation. In fact you could say most of them spend all day toying with it.

  9. Anonymous Coward

    Infrastructure - 100 years of history

    I would love to know how one intends to achieve such lofty goals when electromechanical relays remain in routine service, yet are targeted by the NIS directive. I've seen equipment covered by NIS dating to the Battle of Britain, if not before, still in service at leccy distro network level. It's not much better on the transmission networks either, which of course were started in the 1950s.

    There is hardware and software from multiple other computing eras in circulation: DOS, Windows of all imaginable flavours, OS/2, VxWorks, SPARC... You name it. Given that the investment in putting all this right will be grossly more expensive than replacing such equipment (not to mention the disruption involved with the latter), one can only wonder if the £17M maximum fine is just another tax to be levied instead. Also, with Spectre fully gripping the whole industry, one wonders whether there are any processors readily available on the market that don't undertake pre-emptive execution (the Z80 perhaps?!)

    Perhaps I should get learning Z80 assembler as a career move?

    Once again the lack of a co-ordinated energy / infrastructure strategy, courtesy of the Thatcher government and all of its successors, strikes. Bring back the CEGB; all is forgiven.

  10. Pascal Monett

    "it is absolutely vital that they are as secure as possible"

    Yes, it is.

    Pity that the government is doing fuck-all to ensure that happens.

  11. msknight
    Coat

    So...

    When my broadband bill goes up by a chunk, I should take that as a sign that the company is saving up to pay a fine for a breach that they won't tell the regulator about for twelve months.
