Revamped UK cybersecurity bill couldn't come soon enough, but details are patchy

The introduction of fresh UK cybersecurity legislation, though delayed, is timely. The Cyber Security and Resilience (CSR) Bill announced in the King's Speech follows a series of high-profile attacks affecting critical national infrastructure (CNI), and with current cross-sector rules heavily outdated, the regulations will …

  1. Anonymous Coward

    Misinformation - Sweet Talking Citizens - While Doing Nothing......

    (1) "mandatory security incident reporting"

    How does this make any difference at all? In the Equifax hack, Equifax had no idea they were being hacked for months, maybe years.

    So months (or years) down the pike....they report a hack!!

    (2) "massive teeth like GDPR"

    https://www.theguardian.com/technology/2017/jul/03/google-deepmind-16m-patient-royal-free-deal-data-protection-act

    What "massive teeth"?

    Google/Deepmind slurped 1,600,000 citizen medical records. Not one citizen consented to the slurp. Google/Deepmind were not sanctioned at all.

    Where are those citizen records today? Were they sold to Palantir? Has Google/Deepmind used them in some fancy Large Language Model?

    Why no fine? Can the Information Commissioner answer these questions?

    .....no I did not think so.

    (3) What about those organisations NOT COVERED by all this fancy legislation? I'm thinking about places like Cheltenham and Fort Meade.

    More misinformation from London SW1....more "doing something" in Westminster....and absolutely no effective enforcement after the fact!!

    1. Yet Another Anonymous coward Silver badge

      Re: Misinformation - Sweet Talking Citizens - While Doing Nothing......

      It also doesn't say anything about the government publicizing the reported incidents.

      Gov depts A, B, C are all hacked in the same way on the same day and report it - their report is then classified and the information comes out 10 years later in a public inquiry as a result of a Private Eye story, slightly too late to warn all the companies targeted by the same flaw.

    2. sten2012

      Re: Misinformation - Sweet Talking Citizens - While Doing Nothing......

      (2) "massive teeth like GDPR"

      Equifax sprung to mind here for me when reading it. The threat of massive fines was somewhat effective at forcing compliance in advance in many many companies. Sunk costs mean many boards are still carrying on with complying. But the lack of follow through means that "trick" will never be effective again for new legislation.

      Equifax are the worst. They should have been nailed to the wall seeing as modern society forces you to have your data held by these agencies.

    3. Missing Semicolon Silver badge

      Re: Misinformation - Sweet Talking Citizens - While Doing Nothing......

      Never mind Google. Equifax, TalkTalk, the kind of hack that should (according to the law) have resulted in company-ending fines, actually turned into nothingburgers, with the hapless users responsible for the resulting scams 366 days after the event.

  2. Doctor Syntax Silver badge

    "patching is a painful process that requires rounds of testing and monitoring to ensure it's safe to push"

    With recent events in mind perhaps the bill needs to include sanctions for issuing patches which are not adequately tested and for not issuing them at all. The first part of that would be to encourage and enable faster patching by organisations and the second would be to prevent evasion of the first.

    1. t245t Silver badge

      Bill needs sanctions for patches not adequately tested

      Doctor Syntax:

      > "patching is a painful process that requires rounds of testing and monitoring to ensure it's safe to push"

      > With recent events in mind perhaps the bill needs to include sanctions for issuing patches which are not adequately tested and for not issuing them at all. The first part of that would be to encourage and enable faster patching by organisations and the second would be to prevent evasion of the first.

      How about the innovators designing a patch that tests itself and falls back to a previous version, if it fails.

      1. TonyJ

        Re: Bill needs sanctions for patches not adequately tested

        Remember when Windows had a last known good configuration boot?

        It's a long time ago, so my memory is hazy, but I seem to recall it would boot sans newly installed software/drivers. I have vague memories of it being a bit hit-and-miss, but surely it's not beyond the realms of ability to add this [back] in?

        Also I note with interest that the persistent desire to reduce/weaken/ban end-to-end encryption seems to be missing from the list. Have they finally woken up to how catastrophic that would be?

      2. Anonymous Coward

        Re: Bill needs sanctions for patches not adequately tested

        > How about the innovators designing a patch that tests itself and falls back to a previous version, if it fails.

        You mean a patch that is self-aware? I knew AI was going to be mentioned lol

  3. Anonymous Coward

    Talking about "recent events".................

    There's a major risk to everyone when the IT landscape features one huge supplier and what I believe is now called "monoculture".

    In the old days (....not I hasten to add "the good old days") this landscape feature was called "monopoly".

    And in the old days there were laws about monopoly, notably The Sherman Act in the USA.

    How come "monopoly" was bad, and when it became "monoculture" it became OK?

    I think we should be told!!!

    1. Hubert Cumberdale Silver badge

      Re: Talking about "recent events".................

      Maybe "monoculture" is better as the word "monopoly" has negative connotations for me because it mostly refers to the incredibly dull game that I don't recall anybody ever actually winning unless you count the person who's got the most money at the point when someone gets bored and gives up.

      [Or, on the more fun occasions, does a full-on board flip (╯°□°)╯︵ ┻━┻ . That can be the most entertaining part of the whole exercise.]

    2. Irongut Silver badge

      Re: Talking about "recent events".................

      Crowdstrike can hardly be accused of being a monopoly. I'd never heard of them before last week and still think they sound like a strain of malware.

      Not that I'd ever buy anything from a bunch of former McAfee suits.

      1. Anonymous Coward

        Re: Talking about "recent events".................

        @IronGut

        ....did you notice that Microsoft shared access keys to the Windows kernel....shared the keys with anyone (e.g. Crowdstrike) who asked?

        ....did you notice that this action by Microsoft was one of the roots of the disaster?

        ....did you notice that in certain markets Microsoft has a near monopoly?

        .....no....you didn't notice much at all?

        1. Yet Another Anonymous coward Silver badge

          Re: Talking about "recent events".................

          But Microsoft explained that - it was all the fault of the EU being woke

  4. Irongut Silver badge

    So how long before this bill gets encryption back doors, monitoring of comms and all the rest of the shite the Polis and security services want to help them think of the children?

    1. BartyFartsLast Silver badge

      papieren bitte

      And mandatory ID cards etc. Etc.

      Especially as Wacqui Jacqui has been seen near the levers of power again

  5. Anonymous Coward

    The Cyber Security and Resilience Bill :]

    Is there a clause in there to not use Windows anywhere on your critical infrastructure.

    UK government signs new three-year MOU with Microsoft

  6. andy the pessimist

    how about this

    If a company does not represent intrusion incidents, signature, fixes. Fine them loads.

    A forum of willing companies share (real time) we got this intrusion, defended by this. Used this to alleviate issues. Mutual support and defence.

    Potentially a group request to supplier for p1 support.

    I don't know if this could be made into a law.

    Metal defense by companies ought to be better.

    1. Anonymous Coward

      Re: how about this

      @Andy_The_Pessimist

      Quote: "...share (real time) we got this intrusion...."

      Re: Equifax (and a myriad others)......they don't know about the intrusion till months after the fact.

      Yup....I like the idea of sharing......but by then IT IS MONTHS TOO LATE!!

      ....and the bad guys are probably long gone...........

      ....and MY PERSONAL INFORMATION is being traded on the dark web for months before anyone knows the data has gone.

      Do you have any other suggestions?

  7. vulture65537

    >. idea is that if more organizations have to keep their security controls in line with government-set standards,...

    When I worked in the private sector to government standards about 10 years ago they weren't all that sensible.

  8. IGotOut Silver badge

    Fines and Ransomware payments...

    don't make it illegal to pay ransomware, just apply a simple rule.

    Any fines or ransomware payments must come directly out of the Directors' pockets.

    There, easy

  9. harrys

    forget these complicated remedies that will never work but are sorely needed and will just make lawyers richer

    there's a very simplazy answer....

    Reverse all the watering down of corporate responsibility laws over the years then make it a corporate criminal offence with mandatory executive jail time for the most serious breaches

    Everything will be okey dokey after that :)

  10. amanfromMars 1 Silver badge

    Damned if you do, damned if you don't ... one Hell of an Enigmatic AI Conundrum

    Softly, softly, catchee money keys?

    Whenever it is clearly recognised and accepted that the weakest link in the cyber defence team is the compromised/phished/tricked human component, simple common sense would suggest its/their omission from future sensitive and critical command and control systems and replacement by an entirely different, intelligently designed entity and/or attractive trustworthy AI phorm, an entirely logical vital next step essentially to be taken.

    You may not like to know it, but it currently most surely is an inescapable, presently true fact, as virtual systems become ever more ubiquitous and complex and internetwork connected in order to deliver all that the future promises the human condition for a better live experience of decisions taken making an impact upon the nature of your evolving existence, the smarter those virtual systems admins themselves become, rendering the likelihood of any possible cyber defence or attack against such entities and their proposed solutions and activated decisions increasingly vanishingly small.

    Such is perfectly natural and unavoidable ..... so prepare yourselves for that much vaunted and oft formerly promised, Great Reset ...... although not necessarily in any guise you might have been formerly expecting. I Kid U Not.

  11. Ian Johnston Silver badge

    Does the IT world really need to be forced by law to be competent?

    1. Bebu Silver badge

      "Does the IT world really need to be forced by law to be competent?"

      Pretty obviously a resounding YES!

      But I cannot imagine any feasible sanction that could achieve this desirable end.

      Even a KGB (or BOFH) basement type solution is unlikely to work.

      1. Anonymous Coward

        Re: "Does the IT world really need to be forced by law to be competent?"

        @Bebu

        Chevrolet Corvair: Unsafe At Any Speed (1965)

        Ford Pinto: rear collision safety (197x)

        Lancia Beta: reputation for rust (197x)

        So.....in the 1970s there came to be strict safety rules for the manufacture of motor cars.

        Result.....safer and more maintainable cars.

        Please tell me why a similar outcome cannot be accomplished for software products.

      2. Anonymous Coward

        Re: "Does the IT world really need to be forced by law to be competent?"

        "But I cannot imagine any feasible sanction that could achieve this desirable end"

        Vendors could be forced to take legal liability for their products - as happens in other industry sectors: pharma, cars, construction, aviation, etc.

        Most licences for software disclaim liability for everything. It's about time these clauses got struck down by the courts because they're unreasonable.

    2. Anonymous Coward

      Hey, I am on the IT side. I have been on about a system we use going out of support for over a year. The beancounters are still arguing about whose budget the extended support payments come from.

  12. Anonymous Coward

    Tax ransomware payments

    Double or treble them, if companies fund crime they need to be made to pay.

    Also classifying incidents as terrorism will add more powers for tackling the source of the problem, particularly if it's against public infrastructure.
