“Why is nobody crowing about ‘Critical National Infrastructure’?” (http://goo.gl/aSe4L at Computerworld) #cybersecurity #cni

Why is nobody crowing about ‘Critical National Infrastructure’?

O2 went dark; RBS/NatWest/Ulster Bank died. Surely the Government ought to tell us what to do? Much cybersecurity planning is couched in terms of “we must protect critical national infrastructure” – but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) – and when an entire phone network loses the internet connectivity that is the lifeblood of modern commerce – you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure, and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again. But they’re (apparently) not doing that. Why not? Partly because they don’t see it that way […]

…read more, or comment at Unscrewing Security

Comments

2 responses to ““Why is nobody crowing about ‘Critical National Infrastructure’?” (http://goo.gl/aSe4L at Computerworld) #cybersecurity #cni”

  1. Dave Walker

    Mmm; the question of “what constitutes CNI?” is a doozy, and some old friends of mine spent a bunch of time figuring out their view.

    As well as identifying core functions as being CNI (utilities, transport, finance etc), there’s the matter of resilience and recoverability. It’s where I first found out about the “9 meals from anarchy” metric.

    With largely overlapping coverage between the mobile telcos, an O2 outage would result in customers whose need for mobile comms merited it swearing a lot before buying a pay-as-you-go SIM from Vodafone, 3 or some other company for the duration and then perhaps sticking with them; O2 would then get a punitive kick in the wallet from their shareholders. So, recovery in this context isn’t that hard.

    Banks are a bit different; moving a bank account could be made rather easier than it currently is (and I’d be unsurprised to see Govt initiatives proposed to make it so), but the unexpected issue with RBS / NatWest was the epic scale of the goof in terms of the scope and duration of the outage. Just like the philosophy behind resilient networking, I’d hope that RBS customers choose not to move their current accounts to another bank, but get equivalent accounts with another bank, for resilience.

    Also, there seems to be a misapprehension that “a bank”, rather than “banking” is CNI; even before Lehman’s went down, Barings was allowed to go under, and I don’t remember seeing much clamour for the Government to bail them out. Banking regulations within the industry are supposed to be robust enough that I expect to see the FSA come down on RBS like a ton of bricks, in terms of finding out how the single point of failure arose to cause the outage – something is clearly broken in the RBS infrastructure. By contrast, if SWIFT was to go down, that would definitely be a CNI issue; but with individual banks, it would probably involve a quorum of them falling over or having simultaneous outages to merit the CNI folk getting involved…

  2. […] Critical National Infrastructure attached to the same, e.g.: Air Traffic Control, even though such CNI seems entirely capable of taking itself down — and if “we” as a nation are not […]
