Much cybersecurity planning is couched in terms of "we must protect critical national infrastructure" - but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) - and when an entire phone network loses internet connectivity that is the lifeblood of modern commerce - you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again.
But they're (apparently) not doing that. Why not?
Partly because they don't see it that way; some cognitive dissonance separates thoughts of banks, telcos and power stations becoming unavailable by their own hand, versus the same happening because some obscure foreign teenager pushes a button; the former will not easily result in the Government being brought to task but the latter will be mortified-about in case it's an act of war.
But also it's because the CNI brigade do not want to become mundane, unsexy, poorly-funded regulators - it's the political version of "other people's children are so much fun, you can play with them all day and then give them back to the parents for the messy bits", and the CNI community is not invested in the messy bits of outages, misappropriation of funds, fraud, daily IT operations outages, backups, etc. Instead they only want to be involved when there is a foreign button-pushing teenager.
Some journos have spotted that this is a mini-cybergeddon but I believe they also instinctively know that a state-mandated cure would be worse than the disease; the reason we're all still here post-microgeddon is that there are several banks and several telcos, and the politicians are starting to realise that perhaps there ought to be more of all of these by some means or other - although (say) artificially requiring all residents of Rutland to use a local bank simply means that Rutland will starve when RutlandBank™ crashes. I suppose this only matters if Rutland is a marginal constituency.
Perhaps some of them will discover the shocking thought that the CNI approach to security is only one step away from actually taking responsibility for other people's mistakes and only one more step away from creating a security monoculture. They might not be so much in favour of it after that.