Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee told

Quote One: "Under a government crackdown, national critical infrastructure companies could be liable for a £17m fine if they are found to have inadequately protected themselves from cyber attacks."

Quote 2: In addition, last week the National Cyber Security Centre (NCSC) and the Federal Bureau of Investigation warned that Russian state-sponsored cyber actors are targeting network infrastructure."

[Quote 2] Pure misdirection, hypocrisy and lying. The biggest source of cyber attacks from mainland UK is.....guess...GCHQ, which is spying on the sixty million citizens who are paying for this anti-democratic outrage. GCHQ is also spying on our EU "partners" -- see:

- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

....and that's one we know about....there are likely many others.

[Quote 1] "....government crackdown..." is a similar piece of s**t to the over-used "keeping us safe". If the government wants to do something about "cyber attacks", it should start by shutting down GCHQ in Cheltenham...and save billions of pounds which could usefully go elsewhere....say to the NHS!

Huawei

Huawei is a threat to Cisco and Apple, not the governments of the US and the UK.

Plus: No one will say whether Huawei, ZTE are the baddies

I will!

Add Alcatel and Blu to the "baddie" list as well.

Any phone or app that communicates with TenCent is suspect.

But don't take the governments word or my word on this, educate yourself with the tools available to examine them for yourself.

One thing about large banks and building societies is that instead of educating customers to recognise and delete phishing emails they're training them to respond by sending out emails, or having 3rd parties send out emails which is even worse, with lots of links to click.

It's bad enough that this trains customers to be phished but even worse one must assume that whoever send out such emails sees nothing wrong in them, would see nothing wrong in receiving one and would happily click on a link to expose their employer's system to whatever nasty was lurking there. It doesn't matter how good their passwords are if they've just installed a key-logger.

Read History

We're all familiar with the tales of Bletchley Park and 'cracking Enigma'. The perception is that the teams broke Enigma but the reality is that they didn't break the machine as such but used flaws in the system used to distribute the machine settings to make educated guesses at likely passwords. Most of the flaws were due to operator error, not following procedures exactly, so even though the Germans had a team looking out for problems it was like trying to sieve water.

Humans and their passwords are always the weak link. The very characteristics that make a password something we can remember are those that make it weak.

As for combating the Red Menace, its the kind of nonsense that discredits our government. I fear the problem isn't secrets but credulous lawmakers with Cold War hangovers induced by marketing pressure from companies feeling the competitive heat. Since we're always being scammed by government, politicians with agendas that aren't necessarily in our best interests, I'd tend to dismiss this as just anti-competitive noise, the sort of stuff that's going to condemn us long term to second rate status.

First, Huawei's cyber security centre, no doubt in my mind that the people there I have spoken with don't care who pays their wages when it comes to finding and getting discovered issues fixed. Their stuff has got a lot better in recent years as a result.

My concern comes from ways that other variants of the tested firmware and software might end up in the field and I think that Huawei UK and Huawei CN are different beasts in terms of trustworthyness, and I'm pretty sure the latter don't tell the former everything. Yeah they do crypto signed builds and other niceties now, but that's relying on the staff on the ground to be policing the build and checking its signature through their end to end into live process. Which I strongly suspect still doesn't happen nearly enough.

The other poster saying "hey this isn't just China", yes, absolutely, there's equipment in the CNI from Israel (mossad?), Cisco (USA) and a whole host of other nation state companies. Lets not just make this about bashing China covertly, due diligence and investment in good practice should be spread across the board.

Final point, we're all missing because we're jumping into the China vs the West debate only, passwords and credential management. We're not doing enough. Things are STILL making it out to the CNI as defaults. Either the deployment process doesn't change them, or the kit stops working if you change it, but nobody modelled that in test, or your staff don't know how to change them. I'm not just talking web page logins, or default users, I'm talking cli interfaces, jmx consoles, everywhere. And even if they are changed, credential management is a massive overhead, its unlikely that every cli or machine credential is going to work with a remote password solution, some of these are passwords of last resort designed to work when the device is out of comms from the password management solution, etc etc. But nobody really wants to invest in the engineering work towards putting together a proper solution that scales, because everyone just wants to buy a solution in that claims to do it, but in reality will only cover 10% of credentials in a large multi vendor system.

You could probably finish half the technical people in your org, and spend that money on just changing passwords and applying some patches and be in a better place security wise. That's the sad truth of things.

ZTE

I would say no to ZTE for no other reason that they CBA to provide android updates for lots of their phone models.

Wnen you have your fingers in lots of pies, irritating someone at trivial level of a mobile phone may impact other purchases (irrespectivof security issues) - just like Sony CD rootkit made lots of people boycott Sony hardware

Banks could start by rolling out 2FA for all their internet backing users. Not just business users.

they know it's best they just don't want to spend the money.