Umbrella
Now umbrella companies will make a killing.
Just imagine thousands of contractors gathering around data centres holding umbrellas so these don't get wet when it is raining!
From today, the UK is designating datacenters as critical national infrastructure (CNI). As a result, the sector is expected to get special government support designed to prevent negative economic impacts of IT outages like CrowdStrike's, cyberattacks, and extreme weather events. That special support will come in the form of a …
“From today, the UK is designating datacenters as critical national infrastructure (CNI). As a result, the sector is expected to get special government support designed to prevent negative economic impacts of IT outages like CrowdStrike's, cyberattacks, and extreme weather events”.
Then how about not connecting your critical infrastructure directly to the Internet. For each utility use a VPN running on embedded hardware. With end-to-end encryption, full auditing and with multiple routes through the Internet.
> Then how about not connecting your critical infrastructure directly to the Internet. For each utility use a VPN running on embedded hardware. With end-to-end encryption, full auditing and with multiple routes through the Internet.
How are low-paid staff going to know what a VPN is? "Boss tried to install this VPN I saw on YouTube, but we are using something called Lanux. I don't even know where the control panel is, there is just weird text like in those hacker movies. Have we been hacked?"
If we lose the apostrophe in "CrowdStrike's" we can use it as a noun for particular type of attack or failure.
We could even quantify it in the Reg Standards. If we think of it as amount of infrastructure taken offline, sub-units could be some of: a new MCSE, Molly-guard failure, expired TLS cert, expired domain name, a MS Quality Update, NPM dependency malware, under-sea cable damage, BGP cock-up, EMP. Other suggestions welcome.
There will be some, in the forthcoming Cyber Security & Resilience bill. Reportedly to include mandatory incident reporting, specific rules relating to ransomware attacks, and fines for non-compliance with cyber security standards*. If it's anything like the Product Safety bill, it will also enable the rules to be made and changed through secondary legislation - which can save a lot of time compared to primary legislation, but at the expense of transparency and scrutiny.
I remain to be convinced that designating bit barns as CNI will do anything for the operators of those facilities. They'll be obliged to offer access to their systems to the security services and various other regulators, be on the hook for both new penalties and a mooted cost-recovery scheme for the "benefits" of being CNI, said regulators will have the powers for pro-actively seeking out vulnerabilities**, but what exactly is the government going to do for the operators? I'm not seeing any obvious benefits.
* Remains to be seen if the relevant security standards are up to date and relevant to the threats.
** Upcoming role of Cyberwitchfinder General. I shall apply, and insist that I'm allowed to wear boots and a cape around the office.
How so? Existing bit barns of any size aren't going to turn the MIB away if they turn up, are they? Adding a regulator or two (eg the Welsh Ambulance Service*) to the list of people who have a theoretical right of entry isn't going to make much difference to operators of different scale.
Also, the clue is in the word hyperscaler, that the bit barn business isn't an SME opportunity, it relies on in-depth expertise and competence, the ability to shift loads, to plan big complex infrastructure builds, and find and spend huge amounts of money.
* For international readers, this is a jibe at the UK government's intrusive and unjustified cyber-snooping rules.
isn't an SME opportunity, it relies on in-depth expertise and competence
That's quite a contradiction. SMEs usually have in-depth expertise and competence, but fail due to the cards being stacked against them.
Then it is either starve or work for big corporations. We shouldn't be condoning such market conditions that favour the rich and ultimately suck all the resources out of the economy and reduce diversity.
>SMEs usually have in-depth expertise and competence, but fail due to cards stacked against them.
Which is what happened a few years back with cloud.
Remember there were specialists that were serving the public sector, just that the idiots in charge decided they were too expensive, didn't have deep enough pockets etc, and got Microsoft to implement gCloud on joe public cloud infrastructure.
@abend0c4 "It would be nice to think that would come with special responsibilities for the providers."
Not going to happen, it seems the government don't think that would be nice for the providers. From the BBC's article on this https://www.bbc.co.uk/news/articles/c23ljy4z05mo.
"However there will not be any new regulations, nor is additional scrutiny of data centre operators’ existing contingency arrangements planned."
Maybe if some of these "responsible" government types put more effort into old fashioned diplomacy instead of aggressiveness, it might reduce the cyber aggression from others.
It won't make any juicy headlines in the Daily Express, but I'm all for anything that helps to tone back this inexorable talking ourselves into conflict.
If datacentres are critical national infrastructure, I wonder if this means all those businesses with datacentres - which they have been emptying by migrating systems into the cloud hyperscalers, now have to apply for government permission to close their datacentre down...