back to article UK infrastructure firms to face £17m fine if their cybersecurity sucks

Infrastructure firms could face fines of up to £17m if they do not have adequate cybersecurity measures in place, the UK government has announced today. The plans follow proposals earlier this year from the Department for Digital, Culture, Media and Sport intended to comply with the EU Network and Information Systems (NIS) …

  1. Anonymous Coward
    Anonymous Coward

    Will the same threat also apply to the government departments overseeing those critical parts of the infrastructure?

    1. Anonymous Coward
      Anonymous Coward

      Sure it will, they'll just fine the department £17 million which gives you an overall fine amount of 0 and the government will be praised for "doing something™"

    2. Yet Another Anonymous coward Silver badge

      It will only apply to government depts.

      The only outfits who are "critical infrastructure" enough to warrant the full fine will either be government or sole suppliers of services to governments and able to simply add the fine to misc expenses on the next tender

      1. Doctor Syntax Silver badge

        The only outfits who are "critical infrastructure" enough to warrant the full fine will either be government or sole suppliers of services to governments and able to simply add the fine to misc expenses on the next tender

        The omission of any link from the article doesn't make it straightforward to find the details but I've provided a link in another comment. You can look up the criteria for yourself: they're in Annex 1 of the PDF.

      2. Anonymous Coward
        Anonymous Coward

        Wrong

        CNI covers lots of businesses. Most of the Water & Energy Companies in the UK are private and it also covers finance, transport & ISPs. Companies have a 6 month window from May to become fully compliant.

  2. Anonymous Coward
    Anonymous Coward

    Hurray.

    Everyone copy from Putin's Russia. Hurray.

    Same way as we copied the metadata collection after 9/11 from what the FSB did in circa 1999.

    JUST NOT F*** ENOUGH.

    When they voted this in 2016 they also made the directors criminally liable with jail terms attached. When we copy something we should do it properly. All the way.

    Pity that even if it will be copied properly, it will still be too late to apply this to the UK's favourite Director and her ex-Company. We all know which one. Yes that one.

    So who will be the first one to scream about this being undemocratic, inappropriate and gross overreach by a dictatorial state. ANYONE??? I can't hear ya... When THEY voted it, El Reg had a special article on the utterly undemocratic consequences of the law. We also had a lovely discussion too where we quickly found out exactly what the law actually said. So, where is the El Reg rant on how utterly undemocratic this is?

    1. Anonymous Coward
      Anonymous Coward

      Re: Hurray.

      Which company? Asking for a ... well me really.

      1. rh587 Silver badge

        Re: Hurray.

        Which company?

        I think the one we end up Talktalking about quite a bit on El Reg on account of frequent foul-ups and abysmal customer service.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hurray.

          How are they still in business?

  3. Anonymous Coward
    Anonymous Coward

    Does that include not having backdoors to circumvent encryption?

    1. Anonymous Coward
      Anonymous Coward

      oh silly, companies can have encryption, it's the masses that aren't allowed encryption to stop the pedoterror armageddon that's going to unravel the fabric of society.

      1. CheesyTheClown

        But doesn’t it apply to VPN?

        So, when a British firm wants to secure their infrastructure and implements a VPN (not Cisco or course) to control access to management. Then the company requires that all keys must be properly secured on encrypted devices... the consultants (located everywhere) will be forced by UK government policy to have phones and PCs with encryption with no back doors.

        If the phones and PCs with no back doors don’t exist, then how would this work?

        Would the back door be British only? I know from reading the occasional FHM that British men are completely obsessed with back doors. What happens when a foreign consultant travels to their home country where by law, their phone would have to be accessible via a back door there? Is it ok if for example a Russian contractor’s phone is accessible to the Russian government while they are in Russia?

        It would of course only ever be used for altruistic reasons like crime prevention and would never be exploited by anyone other than truly trustworthy people.

        I guess there could be a policy that only people who don’t travel internationally can work on the infrastructure.

        It seems there could be a conundrum here.

  4. moonrakin

    Tax by another name

    Unless individuals responsible get a personal whack on their net worth - the victims will end up paying for sloppy and incompetent IT.

    I'd extend the principle to power cuts me ... I would.

  5. fnusnu

    Any chance of a link to the guidance?

    1. Doctor Syntax Silver badge

      "Any chance of a link to the guidance?"

      https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf

      And for clarity "next May" in the article isn't May next year. It's May this year which I'd be inclined to refer to as "this May" (as opposed to dismay who's currently the PM).

    2. Cleary1981

      https://www.itgovernance.co.uk/nis-directive is a good short description

  6. Doctor Syntax Silver badge

    There's one oddity in the "guidance" (actually HMG's response to the consultation). There's a table of regulators (or "competent authorities" in the jargon - YMMV) which includes OFCOM for digital service providers. There's also a table of thresholds to determine what size of undertaking falls into scope. There's an entry in that for digital infrastructure but that only applies to domains, DNS & internet exchange points. So are all digital service providers included, however small, or are none of them included because they don't exceed the non-existent threshold?

    1. Anonymous Coward
  7. batfink Bronze badge
    Mushroom

    Can we make it retrospective?

    Please please please.....

    Otherwise, we still won't catch Baroness Harding, unless we can reclassify the NHS as "infrastructure".

    1. EnviableOne Bronze badge

      Re: Can we make it retrospective?

      The NHS is CNI, at least accute hospitals and trauma centres are ...

      This has been worrying me a lot more than GDPR, and its just re-announcing it.

      If you read the Draft Data Protection Bill, all the provisions of NIS are in it

  8. handleoclast
    Paris Hilton

    Poorly named

    The EU Network and Information Systems (NIS) Directive should have been called the Pan-European Network and Information Systems Directive.

    Icon is of somebody who would love to come to grips with that renamed directive.

    1. Halfmad Silver badge
      Trollface

      Re: Poorly named

      Ministers already have a firm grip on this legislation. In fact you could say most of them spend all day toying with it.

  9. Anonymous Coward
    Anonymous Coward

    Infrastructure - 100 years of history

    I would love to know how one intends to achieve such lofty goals when electromechanical relays remain in routine service; yet are targetted by the NIS directive. I've seen equipment covered by NIS dating to the Battle of Britain if not before, still in service at leccy distro network level. It's not much better on the transmission networks either; which of course were started in the 1950's.

    There is hardware and software from multiple other computing eras in circulation, DOS, Windows of all imaginable flavours, OS/2, VXWorks, SPARC... You name it. Given the investment in putting all this right will be grossly more expensive than replacing such equipment (not to mention the disruption involved with the latter) one can only wonder if the £17M maximum fine is just another tax to be levied instead? Also, with Spectre fully gripping the whole industry, one wonders are there any processors readily available on the market that don't undertake pre-emptive execution (the Z80 perhaps?!)

    Perhaps I should get learning Z80 assembler as a career move?

    Once again the lack of a co-ordinated energy / infrastructure strategy courtesy the Thatcher government and all of it's successors strikes. Bring back the CEGB; all is forgiven.

  10. Pascal Monett Silver badge

    "it is absolutely vital that they are as secure as possible"

    Yes, it is.

    Pity that the government is doing fuck-all to ensure that happens.

  11. msknight Silver badge
    Coat

    So...

    When my broadband bill goes up by a chunk, I should take that as a sign that the company is saving up to pay a fine for a breach that they won't tell the regulator about for a twelve month.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019