NCSC says cyber-readiness of UK’s critical infrastructure isn’t up to scratch

The UK's National Cyber Security Centre (NCSC) has once again sounded its concern over the rising threat level to the nation's critical national infrastructure (CNI). In its annual review published at midnight Monday, it admitted that the level of cybersecurity resilience in the UK's most critical areas isn't where it needs to …

  1. ChoHag Silver badge

    > otherwise we risk China becoming the predominant power in cyberspace

    We're running this risk because they make everything, not (just) because we're shit at using it.

    1. Anonymous Coward

      TBF, having more STEM graduates every year than the UK has working in STEM roles in total will probably help. See also computer science

      And India isn't far behind.

      1. Steve Davies 3 Silver badge
        Childcatcher

        Quantity does not always equate to quality.

        India might have lots of STEM grads but their rote learning system is not that great at producing problem solvers.

        Plus their inbred fear of questioning authority even when the boss is clearly wrong does not lead to world beating behaviour.

    2. t245t Silver badge
      Terminator

      What we need is a cyberspace force /s

      >> otherwise we risk China becoming the predominant power in cyberspace

      > We're running this risk because they make everything, not (just) because we're shit at using it.

      "The sky above the port was the color of television, tuned to a dead channel"

  2. Anonymous Coward

    The NCSC’s observations are probably true, based on my view from the energy sector.

    However, NCSC don’t get to decide on funding activity. Staying evergreen means replacing huge numbers of complex systems repeatedly. There is not enough system access to go around the work that needs doing, to say nothing of qualified personnel.

    Regulated businesses tend not to be able to pay open chequebook rates for staff, so training new is a losing game for they will simply leave the moment they become useful to the market.

    An intelligent question to ask is how much work is planned, and how much is being delivered. Not even remotely in the same ballpark let alone page.

    I quite seriously believe a non digital solution involving staff permanently on site like we had in the 60s and 70s is more cost effective than the unhealthy obsession with digitisation.

    1. Jellied Eel Silver badge

      I quite seriously believe a non digital solution involving staff permanently on site like we had in the 60s and 70s is more cost effective than the unhealthy obsession with digitisation.

      Agreed. Sure, it costs, but it usually becomes a warm body problem when TSHTF and you need people with at least some clue in lots of places, even if it's just to turn stuff off and on again. But too much of that has been outsourced, so then when that happens, sorry, your call is in a queue, please hold. You are then one of several valued customers all trying to get stuff fixed at the same time. Plus of course there's the inevitable complexity problems that crop up when you attempt to automate stuff. Then when there are also edge cases where cost vs probability of event occurring just happen to encounter the laws of probability at the worst possible time.

      1. Anonymous Coward

        There are very good reasons why we evolved to have electromechanical system-wide DAR in the 60s. Digital solutions offer marginally faster reaction times at cost of short-lived computer components, inevitable security risks, etc.

        The gains are not worth the pain IMO.

        Trouble is the supply chain for good stuff is long-dead.

    2. This post has been deleted by its author

  3. Anonymous Coward

    "UK’s critical infrastructure" -- rather a narrow definition, don't you think?

    https://www.theguardian.com/technology/2023/nov/12/private-uk-health-data-donated-medical-research-shared-insurance-companies

    https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds

    https://www.ft.com/content/6954971e-5d3a-11e9-939a-341f5ada9d40

    https://www.computerweekly.com/news/252482365/Privacy-International-puts-Palantir-in-the-dock-for-NHS-data-analysis-work

    https://www.theregister.com/2021/10/11/data_guardian_police_bill/

    https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    Oh....I get it....personal privacy isn't an "infrastructure issue"!......"data security" isn't an "infrastructure issue"!.....Palantir isn't a serious threat to the NHS!

  4. Doctor Syntax Silver badge

    "They may have to prioritize profits and shareholder value rather than spending on cybersecurity resilience."

    The relevant regulators should ensure that shareholder value depends on all aspects of resilience.

    1. Jellied Eel Silver badge

      The relevant regulators should ensure that shareholder value depends on all aspects of resilience.

      But the markets can also end up doing that as well, ie major outage, reputational damage plus fines and compensation claims have bankrupted, or near-bankrupted many businesses.

    2. Anonymous Coward

      No CNI networks; no functioning stock market!

      Following a giant failure there would no doubt be outcry along similar lines to the failures of Railtrack leading to Network Rail, which, similarly, will result in huge shareholder losses.

      So yeah, there IS an incentive to get these things right; but do activist shareholders press companies to do the right thing, or to print more money?

      And why do activist shareholders get to make the decisions that are about far more important issues than just preserving *their* cut?

  5. Mike 137 Silver badge

    Progress? Along what lines?

    "While we are making progress building resilience in our most critical sectors, we aren't where we need to be"

    And this is the organisation whose web site won't work at all without JavaScript enabled, despite JavaScript being a primary vector for malicious intrusions. I've contacted them several times over the past few years pointing this out, and that you can't even see the emergency contact details without enabling scripting, but have never even received a response.

    This typifies a fundamental problem in cyber security -- enforced trust. Trust used to arise from recognition of probity based on observation. Now it's foisted on us without offering the opportunity to verify probity, and that works well for the malicious actors.

    The root causes of successful cyber attack are really quite simple and include a large measure of negligence.

  6. amanfromMars 1 Silver badge

    As scarce as hens' teeth and infinitely more valuable and incredibly expensive to be without.

    NCSC says cyber-readiness of UK’s critical infrastructure isn’t up to scratch. And the world's getting more and more dangerous

    No shit, Sherlock, ... what would we do without you and your input/output?

    And the problem to address to have any chance of there being a marked improvement and any world leading progress in an intangible virtual field of practical and physical influence has been alluded to a tad earlier by Jellied Eel .... when TSHTF you need people with at least some clue in operating places controlling commanding spaces ..... and they be extremely rare, and one imagines also, invariably very fussy/selective about the what and the whom they would be prepared to work with and be appropriately rewarded spectacularly well for.

    And just to set the record straight before too many jump on a trumped up wagon train going nowhere great and good, there are only digital and qubit solutions to present running current future problems.

    1. Jellied Eel Silver badge

      Re: As scarce as hens' teeth and infinitely more valuable and incredibly expensive to be without.

      There's also the problems with management. Once, those managers may have come up through the business and survived the experience. Now, they may be qualified, but inexperienced. I encountered this many times. Manglers can understand 99.9% availability and 99.999% availability. Eventually. Once you've explained minutes/month. Even though the orders of magnitude for availability increases, the budgets rarely follow. That last 0.1 or 0.001% can end up getting very expensive, so what's often happened is a 'five 9s' proposal will get presented knowing full well it can't be met, and the potential compensation for actual outages just gets factored into SLA credits.
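      The "minutes/month" arithmetic behind that comment, as an added example that is not part of the original thread: it converts an availability target into a monthly downtime budget, shows that each extra nine cuts the budget tenfold, and checks a month's outage windows against the target. The incident timestamps are constructed sample data and the 30-day month is an assumption.

```python
"""Availability targets versus downtime budgets (added example, not from the thread).

Assumes a 30-day month; incident windows below are constructed sample data.
"""
from datetime import datetime, timedelta

MINUTES_PER_MONTH = 30 * 24 * 60  # 43,200 minutes in an assumed 30-day month


def downtime_budget_minutes(availability: float, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Minutes of permitted downtime per period for a given availability target."""
    if not 0.0 < availability <= 1.0:
        raise ValueError("availability must be a fraction in (0, 1]")
    return period_minutes * (1.0 - availability)


def nines_table(max_nines: int = 5) -> dict:
    """Budget for 99%, 99.9%, ... : each extra nine divides the budget by ten."""
    return {
        round(1.0 - 10.0 ** -n, n): downtime_budget_minutes(1.0 - 10.0 ** -n)
        for n in range(2, max_nines + 1)
    }


def merge_windows(incidents):
    """Merge overlapping (start, end) outage windows so concurrent incidents
    are not double-counted as downtime."""
    merged = []
    for start, end in sorted(incidents):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(incidents) -> float:
    """Total minutes of downtime across the merged outage windows."""
    return sum((e - s).total_seconds() for s, e in merge_windows(incidents)) / 60.0


def achieved_availability(incidents, period_minutes: int = MINUTES_PER_MONTH) -> float:
    """Fraction of the period the service was up."""
    return 1.0 - downtime_minutes(incidents) / period_minutes


def sla_met(incidents, target: float, period_minutes: int = MINUTES_PER_MONTH) -> bool:
    """True when measured downtime fits inside the target's budget."""
    return downtime_minutes(incidents) <= downtime_budget_minutes(target, period_minutes)


# Constructed sample month: one 30-minute outage and two overlapping incidents
# (10:00-10:20 and 10:10-10:25) that together cost 25 minutes, 55 minutes in all.
SAMPLE_INCIDENTS = [
    (datetime(2023, 11, 14, 2, 0), datetime(2023, 11, 14, 2, 30)),
    (datetime(2023, 11, 20, 10, 0), datetime(2023, 11, 20, 10, 20)),
    (datetime(2023, 11, 20, 10, 10), datetime(2023, 11, 20, 10, 25)),
]

if __name__ == "__main__":
    for target, budget in nines_table().items():
        print(f"{target:.5%} availability allows {budget:8.3f} min/month of downtime")
    print(f"sample month downtime: {downtime_minutes(SAMPLE_INCIDENTS):.1f} min")
    for target in (0.99, 0.999, 0.99999):
        print(f"  {target:.3%} target met: {sla_met(SAMPLE_INCIDENTS, target)}")
```

      Fifty-five minutes of downtime in a month clears a two-nines target comfortably but misses three nines (43.2 minutes), and five nines leaves well under a minute; the point is that the budget, not the percentage, is what a proposal should be costed against.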

  7. Tron Silver badge

    Basic errors.

    The problems are not Chinese or Russian, but failures in the UK.

    Too much stuff is connected to the public internet when it really doesn't need to be. Use intranets more. And too many basic security errors are being made.

    Brexit Britain now has a weak, undeveloping economy and lacks the money and staff to deal with this. The Tories can take credit for that.

    Why should anyone encourage their kids to do STEM courses when so many tech folk are losing their jobs?

    quote: While we don't believe, right now, that anyone has both the intent and capability to significantly disrupt infrastructure within the UK.

    Tell that to the British Library.

    1. Jellied Eel Silver badge

      Re: Basic errors.

      Too much stuff is connected to the public internet when it really doesn't need to be. Use intranets more. And too many basic security errors are being made.

      Yep. One being consolidation. Many people, including businesses probably aren't aware that the public Internet and their 'private' intranet are just different VRFs running on the same switch/router. Then we're told we want Software Defined Networks (SDN) that extend control-plane functionality down to the user layer. But the control plane is the only barrier keeping the monsters out, and vendors often want to expose elements of that so they can check your tin is correctly licensed. It's just one of those signs of progress that it's getting increasingly difficult and expensive to build truly private & secure networks.
