Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told

Banks could plug their security vulnerabilities by simply improving password protections, the deputy CEO of the Prudential Regulation Authority has told the House of Lords in England. Asked by the Joint Committee for the National Security Strategy what kept him awake at night, Lyndon Nelson named shared infrastructure and …

  1. This post has been deleted by its author

    1. Pier Reviewer

      Re: Hmmmm, Was This a Tongue In Cheek Comment....

      Out of interest, what sway do you imagine Huawei hold over the staff at the cyber security centre by virtue of paying their wages?

      And what sway do you think HMG has over those same staff without paying them a penny? Would that change if they paid them their wages? Would those wages be the same, higher or lower, and what effect would that likely have on who is attracted to that work?

      A lot of questions, I know, but I think it’s important to look at more than simply who pays the wages. That’s a little tabloid I feel (I know, I know, I can see the red banner :)

      1. This post has been deleted by its author

        1. Pier Reviewer

          Re: Hmmmm, Was This a Tongue In Cheek Comment....

          “I agree that it is an easy statement, but then, why would Huawei (China) tell Huawei (UK) all the secrets if the people employed at the cyber security centre are UK nationals ?”

          I think that’s a very good point, but I respectfully disagree with the other concerns you raise.

          There is one balancing fact that will help to rein in any of Huawei’s riskier ideas should they ever be tempted to execute them - they want to make money. The U.K. market not only lets them sell a good chunk of very expensive kit, it may also open up other markets. Ok, not the US or Aus (who are to all intents and purposes the US’s bitch), but countries in Europe might look at the U.K. model and think “hey, maybe it can work after all? Let’s look at buying Huawei kit”.

          The point to remember here is that a lot of the rhetoric is just ppl finding different words to express the sentiment of “reds under the bed!!!11!1”.

          We hear a lot of hand wringing* about Chinese carrier gear, but who here remembers the Voda/Ericsson debacle in Greece? No Chinese involvement there. Which country was the finger pointed at again?.. Why is it never mentioned when there’s talk of the dangers of foreign carrier gear peddlers?

          I think it would be crazy to outright trust the Chinese firms in the U.K. CNI, and that cyber security centre looks to be a good way of managing the risk. I also think it’s crazy to focus solely on the Chinese...

          ---

          * can you hear hand wringing?

          1. This post has been deleted by its author

  2. mbiggs

    Quote One: "Under a government crackdown, national critical infrastructure companies could be liable for a £17m fine if they are found to have inadequately protected themselves from cyber attacks."

    Quote 2: "In addition, last week the National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation warned that Russian state-sponsored cyber actors are targeting network infrastructure."

    [Quote 2] Pure misdirection, hypocrisy and lying. The biggest source of cyber attacks from mainland UK is.....guess...GCHQ, which is spying on the sixty million citizens who are paying for this anti-democratic outrage. GCHQ is also spying on our EU "partners" -- see:

    - https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

    ....and that's one we know about....there are likely many others.

    [Quote 1] "....government crackdown..." is a similar piece of s**t to the over-used "keeping us safe". If the government wants to do something about "cyber attacks", it should start by shutting down GCHQ in Cheltenham...and save billions of pounds which could usefully go elsewhere....say to the NHS!

  3. Anonymous Coward

    Huawei

    Huawei is a threat to Cisco and Apple, not the governments of the US and the UK.

  4. Anonymous Coward

    Plus: No one will say whether Huawei, ZTE are the baddies

    I will!

    Add Alcatel and Blu to the "baddie" list as well.

    Any phone or app that communicates with TenCent is suspect.

    But don't take the governments word or my word on this, educate yourself with the tools available to examine them for yourself.

    1. Doctor Syntax Silver badge

      Re: Plus: No one will say whether Huawei, ZTE are the baddies

      "But don't take the governments word or my word on this, educate yourself with the tools available to examine them for yourself."

      But I don't own either so unless I buy them I wouldn't be able to examine them for myself. Have you done so?

  5. Doctor Syntax Silver badge

    One thing about large banks and building societies is that instead of educating customers to recognise and delete phishing emails they're training them to respond by sending out emails, or having 3rd parties send out emails, which is even worse, with lots of links to click.

    It's bad enough that this trains customers to be phished, but, even worse, one must assume that whoever sends out such emails sees nothing wrong in them, would see nothing wrong in receiving one and would happily click on a link to expose their employer's system to whatever nasty was lurking there. It doesn't matter how good their passwords are if they've just installed a key-logger.

  6. bombastic bob Silver badge

    Correct Horse Battery Staple

    obligatory

    https://www.xkcd.com/936/
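    As an added example (not from this thread, the article or xkcd), the argument behind xkcd 936 worked into a small Python strength estimator: a dictionary word dressed up with leet substitutions and capitals, like the article's P@ssw0rd, is credited only with the wordlist size plus about a bit per mangling step, a four-word passphrase is scored as picks from a 2048-word list, and a genuinely random string as picks from its full character set. The mini wordlist, its assumed size and the per-rule bit costs are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist (assumption: real lists are
# far larger; ASSUMED_WORDLIST_SIZE is the guess space credited to a base word).
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "qwerty"}
ASSUMED_WORDLIST_SIZE = 2 ** 14

# Substitutions that cracker mangling rules undo; each one the user made is
# credited with roughly one extra bit of attacker work (an assumption).
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "i", "!": "i",
                      "$": "s", "5": "s", "7": "t", "4": "a"})

def mangled_word_bits(pw):
    """Bits credited to a dictionary word dressed up with capitals, leet
    swaps and trailing digits; None if pw does not reduce to a known word."""
    stripped = re.sub(r"\d+$", "", pw)
    core = stripped.translate(LEET).lower()
    if core not in COMMON_WORDS:
        return None
    bits = math.log2(ASSUMED_WORDLIST_SIZE)
    bits += 1 if stripped != stripped.lower() else 0                  # capitals
    bits += sum(1 for a, b in zip(stripped.lower(), core) if a != b)  # leet swaps
    bits += 3 if len(stripped) < len(pw) else 0                       # digits
    return bits

def random_bits(pw):
    """pw treated as a uniform draw over the character classes it uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(pool)

def passphrase_bits(phrase, list_size=2048):
    """xkcd 936 model: each word is one uniform pick from a list_size wordlist."""
    return len(phrase.split()) * math.log2(list_size)

def estimate_bits(pw):
    """Attacker's cheapest route among the models above, in bits."""
    mangled = mangled_word_bits(pw)
    if mangled is not None:
        return mangled
    if " " in pw.strip():
        return min(passphrase_bits(pw), random_bits(pw))
    return random_bits(pw)

if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correct horse battery staple", "21qs6Q#S$"):
        print(f"{pw!r}: ~{estimate_bits(pw):.1f} bits")
```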

  7. martinusher Silver badge

    Read History

    We're all familiar with the tales of Bletchley Park and 'cracking Enigma'. The perception is that the teams broke Enigma but the reality is that they didn't break the machine as such but used flaws in the system used to distribute the machine settings to make educated guesses at likely passwords. Most of the flaws were due to operator error, not following procedures exactly, so even though the Germans had a team looking out for problems it was like trying to sieve water.

    Humans and their passwords are always the weak link. The very characteristics that make a password something we can remember are those that make it weak.

    As for combating the Red Menace, it's the kind of nonsense that discredits our government. I fear the problem isn't secrets but credulous lawmakers with Cold War hangovers induced by marketing pressure from companies feeling the competitive heat. Since we're always being scammed by government, politicians with agendas that aren't necessarily in our best interests, I'd tend to dismiss this as just anti-competitive noise, the sort of stuff that's going to condemn us long term to second rate status.

  8. Anonymous Coward

    First, Huawei's cyber security centre, no doubt in my mind that the people there I have spoken with don't care who pays their wages when it comes to finding and getting discovered issues fixed. Their stuff has got a lot better in recent years as a result.

    My concern comes from ways that other variants of the tested firmware and software might end up in the field, and I think that Huawei UK and Huawei CN are different beasts in terms of trustworthiness, and I'm pretty sure the latter don't tell the former everything. Yeah, they do crypto signed builds and other niceties now, but that's relying on the staff on the ground to be policing the build and checking its signature through their end to end into live process. Which I strongly suspect still doesn't happen nearly enough.

    The other poster saying "hey this isn't just China", yes, absolutely, there's equipment in the CNI from Israel (Mossad?), Cisco (USA) and a whole host of other nation state companies. Let's not just make this about bashing China covertly; due diligence and investment in good practice should be spread across the board.

    Final point, which we're all missing because we're jumping into the China vs the West debate only: passwords and credential management. We're not doing enough. Things are STILL making it out to the CNI as defaults. Either the deployment process doesn't change them, or the kit stops working if you change it, but nobody modelled that in test, or your staff don't know how to change them. I'm not just talking web page logins, or default users, I'm talking CLI interfaces, JMX consoles, everywhere. And even if they are changed, credential management is a massive overhead; it's unlikely that every CLI or machine credential is going to work with a remote password solution, some of these are passwords of last resort designed to work when the device is out of comms from the password management solution, etc etc. But nobody really wants to invest in the engineering work towards putting together a proper solution that scales, because everyone just wants to buy in a solution that claims to do it, but in reality will only cover 10% of credentials in a large multi vendor system.

    You could probably finish half the technical people in your org, and spend that money on just changing passwords and applying some patches and be in a better place security wise. That's the sad truth of things.

  9. tiggity Silver badge

    ZTE

    I would say no to ZTE for no other reason than that they CBA to provide Android updates for lots of their phone models.

    When you have your fingers in lots of pies, irritating someone at the trivial level of a mobile phone may impact other purchases (irrespective of security issues) - just like the Sony CD rootkit made lots of people boycott Sony hardware.

  10. 0laf Silver badge

    Banks could start by rolling out 2FA for all their internet banking users. Not just business users.

    They know it's best, they just don't want to spend the money.


Biting the hand that feeds IT © 1998–2019