UK to fine critical organizations up to $24M if they fail to put in strong cyber security

As companies gear up to make themselves compliant with upcoming data protection regulations in Europe around GDPR, those doing business in Member States will also be facing another wave of requirements around cyber security, as part of the NIS Directive covering network and information security that must be put into place across Member States by May 9, 2018.

In the UK, the government has announced that organizations working in critical services like energy, transport, water and health can be fined up to £17 million ($24 million) as a “last resort” if they fail to demonstrate that their cyber security systems are equipped adequately against attacks.

Major requirements for organizations will include having the right people and organization in place to handle a cyber attack; having the right software in place to protect against attacks; having the right capabilities in place to detect if an attack has taken place anyway; and having the right systems in place to minimize the impact of an attack if a system is breached (despite the other three being in place).

More detailed guidance includes how to secure other aspects of your network, such as your supply chain and your data in the cloud.

Private and public organizations in each sector will be evaluated by new regulators, which will not only vet existing infrastructure and fine those deemed not to have had good enough security in place, but also help set up systems for reporting breaches and responding to them quickly.

The fines will only be applied after organizations are notified of where they are still required to improve their systems. They will be applied, the Department of Culture, Media and Sport (which is tasked with implementing the directive, as part of its overall responsibility on the digital economy) said, as “a last resort and will not apply to operators [that] have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack.”

The NIS Directive, and managing how organizations and the government will comply with it, are being overseen by the National Cyber Security Centre, which is part of GCHQ. The government has earmarked £1.9 billion, and a host of partnerships with the likes of Microsoft, for developing a more concerted response to cybersecurity threats in the country.

“Network and information systems give critical support to everyday activities, so it is absolutely vital that they are as secure as possible,” said Ciaran Martin, National Cyber Security Centre CEO, in a statement.

The wood versus the trees

The decision to focus on mandating better performance from existing, legacy organizations to comply is an interesting contrast to developments in the US, where the focus appears to be widening to include newer infrastructure.

Yesterday, Axios reported on a leaked document from the National Security Council, which proposes that the US government build the country’s 5G mobile network. The argument goes that China’s dominance in wireless networking means that private carriers building their own 5G networks are often buying equipment from Chinese manufacturers to do so.

But this poses a security threat because of China’s reputation for state-sponsored hacking. Therefore, starting from the ground up — with the government controlling the vendor deals, the build and the operation — could help ensure a more secure pathway for the network itself, as well as for the critical services in transportation, energy and other areas that will be built on it.

Back in the UK, the warning of the fine comes from the DCMS, which had originally put out the consultation in 2017 to determine how best to implement the directive.

Its inquiry came in the wake of a wave of cyber attacks that have impacted those working in essential services, including the 2017 WannaCry ransomware attack (which had a big impact on the UK’s National Health Service), the 2016 attacks on US water utilities, and more than one attack on Ukraine’s electricity network.

While the GDPR is a set of regulations that have been set down by the European Commission (the executive body of the European Union) for all 28 Member States, the NIS Directive has been open to more interpretation by individual countries.

But the UK, regardless of its ongoing process of leaving the EU (so-called “Brexit”), has been complying with both because its businesses and the country itself have many data-dependent and business-dependent links with Europe, and it will have to comply for those to continue.