Why is nobody crowing about 'Critical National Infrastructure'?
Much cybersecurity planning is couched in terms of 'we must protect critical national infrastructure' - but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) - and when an entire phone network loses internet connectivity that is the lifeblood of modern commerce - you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again. But they're (apparently) not doing that. Why not? Partly because they don't see it that way; some cognitive dissonance separates thoughts of banks, telcos and power stations becoming unavailable by their own hand, versus the same happening because some obscure foreign teenager pushes a button; the former will not easily result in the Government being brought to task but the latter will be mortified-about in case it's an act of war. But also it's because the CNI brigade do not want to become mundane, unsexy, poorly-funded regulators - it's the political version of 'other people's children are so much fun, you can play with them all day and then give them back to the parents for the messy bits', and the CNI community is not invested in the messy bits of outages, misappropriation of funds, fraud, daily IT operations outages, backups, etc. Instead they only want to be involved when there is a foreign button-pushing teenager.
Some journos have spotted that this is a mini-cybergeddon but I believe they also instinctively know that a state-mandated cure would be worse than the disease; the reason we're all still here post-microgeddon is that there are several banks and several telcos, and the politicians are starting to realise that perhaps there ought to be more of all of these by some means or other - although (say) artificially requiring all residents of Rutland to use a local bank simply means that Rutland will starve when RutlandBank™ crashes. I suppose this only matters if Rutland is a marginal constituency. Perhaps some of them will discover the shocking thought that the CNI approach to security is only one step away from actually taking responsibility for other people's mistakes and only one more step away from creating a security monoculture. They might not be so much in favour of it after that.