Unscrewing Security

About Author

Alec Muffett is a veteran security geek who believes strongly in common sense, full disclosure, defence in depth, privacy, integrity, simplicity and open source. He is an independent consultant, writer, and speaker specialising in security education.


Why is nobody crowing about 'Critical National Infrastructure'?

O2 went dark; RBS/NatWest/Ulster Bank died. Surely the Government ought to tell us what to do?


Much cybersecurity planning is couched in terms of "we must protect critical national infrastructure" - but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank), and when an entire phone network loses the internet connectivity that is the lifeblood of modern commerce, you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure, and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again.

But they're (apparently) not doing that. Why not?

Partly because they don't see it that way; some cognitive dissonance separates the thought of banks, telcos and power stations becoming unavailable by their own hand from the same thing happening because some obscure foreign teenager pushes a button. The former will not easily result in the Government being brought to task, but the latter will be agonised over in case it's an act of war.

But it's also because the CNI brigade do not want to become mundane, unsexy, poorly-funded regulators - it's the political version of "other people's children are so much fun: you can play with them all day and then give them back to the parents for the messy bits", and the CNI community is not invested in the messy bits of outages, misappropriation of funds, fraud, daily IT operations problems, backups, etc.

Instead they only want to be involved when there is a foreign button-pushing teenager.

Some journos have spotted that this is a mini-cybergeddon but I believe they also instinctively know that a state-mandated cure would be worse than the disease; the reason we're all still here post-microgeddon is that there are several banks and several telcos, and the politicians are starting to realise that perhaps there ought to be more of all of these by some means or other - although (say) artificially requiring all residents of Rutland to use a local bank simply means that Rutland will starve when RutlandBank™ crashes.

I suppose this only matters if Rutland is a marginal constituency.

Perhaps some of them will discover the shocking thought that the CNI approach to security is only one step away from actually taking responsibility for other people's mistakes, and only one more step away from creating a security monoculture.

They might not be so much in favour of it after that.
