At the end of October, the US government quietly told members of the nuclear, energy, aviation, water and critical manufacturing industries that their networks may have been targeted by hackers, and their data may have been compromised. The message was delivered via a privately distributed email which, in hushed tones, described an escalation in the targeting of infrastructure in both Europe and the United States.

Speaking to Reuters, US Department of Homeland Security spokesman Scott McConnell refused to go into specifics, but did say: “The technical alert provides recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats.”

If, on this occasion, the US’ cloak-and-dagger approach to cybersecurity can be described as the carrot, then what the UK government wants to do in response to similar threats is definitely the stick.

The UK is currently in the process of implementing the European Union’s Networks and Information Systems (NIS) Directive. Under the government’s proposals for the directive, UK operators of essential services could face fines of up to £17m, or 4% of global turnover, if they fail to take appropriate measures to protect against cyber attacks that have the potential to seriously disrupt critical services.

While government action to prevent significant damage to the UK’s infrastructure, economy and populace has been welcomed by commentators, some have suggested the approach is too heavy-handed. But whether you support the severity of the approach or not, the bigger question may be this: if organisations responsible for critical infrastructure aren’t already doing all they can to maintain their cybersecurity, will the threat of a fine make any difference at all?

Are critical infrastructure organisations doing all they can?

The UK government has stressed that fines will only be issued as a last resort and will not be applied to organisations that can demonstrate they have assessed their risks adequately. But are the firms in control of services that directly influence daily life already doing all they can to protect against cyber attacks? Tim Erlin, vice president of product management and strategy at the cybersecurity firm Tripwire, doesn’t think so.

“The evidence in terms of cybersecurity incidents shows that most critical infrastructure organisations aren’t doing everything they can to protect themselves from attack,” says Erlin.

“Regulations and the corresponding fines are not designed for top performers in cybersecurity best practices. They’re designed to raise the bar for the industry as a whole by providing financial motivation to take specific actions. Regulations seek to establish basic best practices as common practice.”


Although the climate – not to mention the fact that the government feels it needs to intervene – suggests that not enough is being done to secure the networks of critical infrastructure organisations, that isn’t necessarily the view from inside those organisations.

Speaking to Verdict Encrypt via email, a spokesperson for National Grid said: “Given our vital role in connecting people to their energy supplies, we take our responsibility very seriously. The IT systems we use to operate our gas and electricity networks are isolated from our everyday business systems to ensure our networks remain safe and reliable. National Grid has processes in place that are aligned with industry best practice and assessed by government and regulatory agencies.”

The advantages and disadvantages of fines

If, however, as Erlin suggests, critical infrastructure firms’ cybersecurity isn’t up to scratch, then fines may encourage them to put adequate controls in place and to seek assistance where they need it. Erlin also argues that the threat of a fine may make it easier to obtain budget to counter the threat.

“The threat of a fine can be a powerful tool for obtaining needed budget for cybersecurity in organisations where it hasn’t traditionally been a priority, which is exactly where change is most needed. Fines provide a more concrete incentive over the often vague, imagined impacts of a cybersecurity incident,” says Erlin.


On the other hand, the threat of a fine may make it harder to secure networks, as organisations become increasingly reluctant to share details of breaches for which they could be fined. Information sharing is pivotal to improving security, so could the threat of a fine actually be counterproductive? This is certainly the opinion of Steve Manzuik, director of security research at Duo Security’s Duo Labs, in an interview with Computer Business Review.

“Higher fines are going to make people find ways to not have to report that they had a breach,” said Manzuik. “If I know that my company will be fined because I didn’t do the basic security hygiene stuff, I’m going to be less willing to share how I got breached.”

Has the government already delivered its carrot?

In October 2016, the government launched the National Cyber Security Centre (NCSC). One of its many tasks is to work with UK industry, government departments, critical national infrastructure and private SMEs to offer trusted and independent advice. Having put this resource in place, the government may feel that it is justified in also holding the threat of fines over companies that choose not to make use of it.


The introduction of fines may be a necessary counterpoint to the information and help the government has already put in place. “The government is restricted in what levers it can pull to effect change in private industry. Fines and incentives are par for the course, and can be very effective when used judiciously,” says Erlin.

Everyone has a part to play in securing the UK’s critical infrastructure organisations against cyber attacks. Given that the CEO of the NCSC, Ciaran Martin, has admitted that “many organisations need to do more to increase their cyber security,” it is right that, with the implementation of the NIS Directive, the government now has a stick with which to remind critical infrastructure organisations of the important role they play in maintaining the UK’s security.
