Unscrewing Security

Alec Muffett

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.

Why is nobody crowing about 'Critical National Infrastructure'?

O2 went dark; RBS/NatWest/Ulster Bank died. Surely the Government ought to tell us what to do?

Much cybersecurity planning is couched in terms of "we must protect critical national infrastructure" - but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) - and when an entire phone network loses the internet connectivity that is the lifeblood of modern commerce - you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure, and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again.

But they're (apparently) not doing that. Why not?

Partly because they don't see it that way; some cognitive dissonance separates thoughts of banks, telcos and power stations becoming unavailable by their own hand from the same thing happening because some obscure foreign teenager pushes a button. The former will not easily result in the Government being brought to task, but the latter will be fretted over in case it's an act of war.

But it's also because the CNI brigade do not want to become mundane, unsexy, poorly-funded regulators - it's the political version of "other people's children are so much fun: you can play with them all day and then give them back to the parents for the messy bits", and the CNI community is not invested in the messy bits of outages, misappropriation of funds, fraud, daily IT operations failures, backups, etc. Instead they only want to be involved when there is a foreign button-pushing teenager.
Some journos have spotted that this is a mini-cybergeddon, but I believe they also instinctively know that a state-mandated cure would be worse than the disease; the reason we're all still here post-microgeddon is that there are several banks and several telcos, and the politicians are starting to realise that perhaps there ought to be more of all of these by some means or other - although (say) artificially requiring all residents of Rutland to use a local bank simply means that Rutland will starve when RutlandBank™ crashes. I suppose this only matters if Rutland is a marginal constituency. Perhaps some of them will discover the shocking thought that the CNI approach to security is only one step away from actually taking responsibility for other people's mistakes, and only one more step away from creating a security monoculture. They might not be so much in favour of it after that.
