China orders annual security reviews for all critical information infrastructure operators

China's government has introduced rules for protection of critical information infrastructure. An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement …

  1. Duncan Macdonald

    Unusual - a bit of common sense from governments

    And in the case of China there is even a fairly good chance of the requirements being adhered to as the government of China has shown itself willing to hurt the big bosses not just the underlings when a company goes against its wishes.

    1. Lil Endian

      Re: Unusual - a bit of common sense from governments

      IIRC for Y2K, all board members of Chinese air carriers had to be airborne at zero hour. Pretty compelling!

    2. coddachubb

      Re: Unusual - a bit of common sense from governments

      I like the incentives to help stop the myopic from sweeping bugz under the carpet.

  2. Lil Endian

    Mandatory Security Teams

    ...establish teams to monitor security constantly.

    Yes, can we have some of that please?

    If private companies are to perform public duties (water, power etc) it would be nice if they put the service before the pocket (profit). But since they don't: legislate.

    1. Pascal Monett Silver badge

      Re: Mandatory Security Teams

      And that is why unregulated capitalism cannot be accepted at a governmental level.

      Without governmental meddling, there is no industry that would, on its own, decide to implement filters to reduce the pollutants being spewed in the air.

      Without laws, no company would say "let's not dump these toxic chemicals into the river and, instead, spend millions every year on water treatment".

      None of that would happen because capitalism is "shareholder interest" and that interest is money, not the environment.

The Internet has taken up such a space in our lives that it has reached the level of a public utility. Companies, however, are still doing whatever they want, deciding on what level of IT they are willing to pay for to make things work. The only reason there are any security protocols in place is not for the safety of customer data, it's for the safety of the company - because downtime costs money and makes for lost sales.

      We do need laws to bring home to the Board that their customer data is a treasure that needs proper protection, not just good-enough-protection.

      We're getting there, but China is clearly leading the way.

      1. Lil Endian

        Re: Mandatory Security Teams

        Agreed.

        In a thread a week or two back someone asked "What's wrong with capitalism?". You've answered that nicely.

Focussing on ICT, the unfettered reliance on information systems, specifically internetworking, by (essentially) all industries has created a house of cards. This is not only limited to capitalist states, but as you say, they inherently are not regulated sufficiently. This needs addressing by those knowledgeable, i.e. not politicians with a limited time in office. But parliaments create laws, so the relationship between the politicians and the "knowledgeable" needs to be managed first.

      2. elsergiovolador Silver badge

        Re: Mandatory Security Teams

        None of that would happen because capitalism is "shareholder interest"

        That's rather a corporate socialism.

      3. Headley_Grange Silver badge

        Re: Mandatory Security Teams

        I disagree ever so slightly. Capitalism optimizes itself to maximize profit by delivering what customers value - i.e. what customers will actually pay for. If customers valued clean air, clean water, good working conditions, environmental policies, etc., then they would prefer companies that prioritized those things even if they had to pay more for their products. Those companies would then make more money for their shareholders, and their competitors would have to change or go out of business. That's capitalism. The reason we need regulated capitalism is largely due to the hypocrisy of us, the customer. While most of us would say, for example, that the environment is important, if it means paying more for stuff or waiting longer for it to arrive from environmentally responsible companies then principles go out the window.

        Today's customers want the cheapest thing, delivered the quickest with no delivery charges and today's capitalism has optimized itself to do just that.

        1. Doctor Syntax Silver badge

          Re: Mandatory Security Teams

          You're confusing long term and short term. As far as corporations are concerned anything that produces a benefit outside the current, or possibly the next quarter is of no consequence.

      4. sitta_europea

        Re: Mandatory Security Teams

        "... China is clearly leading the way."

        Indeed. My own personal experience tells me that China also led the way in offensive intrusions into computer systems in industry and commerce all over the planet. I can only surmise that this latest move by the Chinese government must be a response to the fact that the rest of the planet is catching up with their offensive capabilities.

        1. gandalfcn Silver badge

          Re: Mandatory Security Teams

          "China also led the way in offensive intrusions into computer systems in industry and commerce all over the planet." Really? Haven't you heard of a country called the USA?

      5. Doctor Syntax Silver badge

        Re: Mandatory Security Teams

        None of that would happen because capitalism is "shareholder interest" and that interest is money, not the environment.

        For large corporations the shareholdings are usually spread wide in pension funds and the like. The actual beneficiaries of the shares are very often unaware of their interest and have no direct means of exerting any influence even when they are.

The effective interest is that of senior management and their bonuses - and that, as we've seen, can be the case for non-profits as well. That's what needs to be reined in.

        1. Anonymous Coward

          Re: Mandatory Security Teams

          "The actual beneficiaries of the shares are very often unaware of their interest and have no direct means of exerting any influence even when they are"

          That might have been the case years ago, but I think it's less so now. Many investment companies are very active investors. Up until recently they focused on financial measures like p/e and any fund manager with a big shareholding in a company is probably on first-name terms with senior people in the companies they invest in. Recently investment funds have been in the news for voting down big director pay rises and many have started to take a climate-change stance either passively (e.g. withdrawing from petrochemicals) or actively by using their vote at shareholder meetings or stacking the boards with sympathetic non-execs.

          If, however, you mean that the final beneficiaries - e.g. people who have pensions - are unaware and don't influence: you're correct inasmuch that they can't directly influence a company's direction, but there are lots of options for ethical, green, etc. funds and if that's the direction that the money goes then it could change company behaviour. I've recently switched a chunk of my pension pot into green and renewables partly because I think it's important but also because the risk profile is good and the returns are picking up (I am not a financial advisor and past performance is not an indicator.....etc. ).

  3. Mike 137 Silver badge

    Some jolly good ideas

    "... establish teams to monitor security constantly"

    This is, and always has been, the key. However monitoring is not widely understood. Indeed international security standards contain very little guidance to date, and the almost exclusive emphasis has been "vulnerability reporting".

    In reality, monitoring must incorporate multiple threads of activity: changes to the threat landscape, changes to the organisation's external state (e.g. third party changes, customer behaviour change), changes to the organisation's internal state (e.g. new services, reorgs, acquisitions), day to day changes in operational performance (e.g. network activity, resource access) and more. Every organisation's risk management function should include all such monitoring. The problem is that it doesn't show a continuous financial reward, so it's looked on as unnecessary until after the data breach.

    1. Lil Endian

      Re: Some jolly good ideas

      Agreed.

      ...it doesn't show a continuous financial reward...

      Much like Health and Safety.

      Most H&S related incidents are limited locally, few have wide geographical impact (exceptions being core meltdowns and the like).

      Because H&S risk is observable by the "commoner" it has been addressed. Yeah, it took a while. ICT risk is not so easily understood by non-techies (cf. safe backdoored encryption as desired by FUD pushers). So, not only is pushing safeguards through legislation retarded, it's unlikely (in my mind) that it'll be done correctly. I'd like to be optimistic and hope I'm proven wrong.


Biting the hand that feeds IT © 1998–2022