UK Considers Penalizing Operators of Essential Services for Lax Cyber Security

After the high-profile WannaCry ransomware attack of May 2017 that crippled its National Health Service, the United Kingdom (UK) government is keen on preventing such disastrous cyber incidents from happening again. And, as if internal motivation were not enough, there is now pressure from the European Union to prevent such incidents: the UK must comply with the new European Union Network and Information Systems (NIS) Directive, which goes into effect in May 2018.

Similar to the EU’s General Data Protection Regulation, which aims to protect the personal data of EU residents, the NIS legislation aims to protect the health and safety of EU residents. For its part, the UK is considering imposing fines against critical infrastructure organizations (healthcare facilities, electricity, water, energy, digital and transportation utilities) whose lax security standards result in loss of service. UK organizations that provide critical infrastructure could soon face penalties of up to £17m, or 4% of global turnover, if they suffer a loss of service due to having lax cyber security standards. ZDNet reports:

“According to the NIS Directive, the fines would be a last resort — and they won’t apply to organisations that have put proper cybersecurity protections in place and still suffered a system outage as a result of a cyberattack. At this stage, the government isn’t clear about exactly what constitutes taking proper precautions.”

The UK government’s Department for Digital, Culture, Media, and Sport is spearheading the consultation, which aims to force companies to adopt systems and policies to accomplish the following:

  • Prevent cyberattacks;
  • Detect attacks;
  • Develop security monitoring;
  • Raise staff awareness;
  • Report incidents immediately;
  • Ensure that systems are in place for recovery.

The big question is, what actually constitutes proper cyber security protections? If an organization can’t provide a service because it is under a distributed denial of service (DDoS) attack, will it be subject to fines? According to this new directive, the answer is yes. Critical infrastructure organizations will be obliged to proactively mitigate DDoS to ensure service availability, or face hefty fines in the event of an attack that results in loss of service.

DDoS Defense is Crucial

Until there are firm guidelines about what represents adequate cybersecurity, it may be difficult for the UK government to enforce the legislation. To date, no UK legislation has been carved in stone; the government is seeking input on the proposal from industry members, infrastructure providers, regulators and other interested parties. If legislation is enacted, organizations will face some questions, such as: which types of cyber threats pose the greatest risk to a critical infrastructure provider? Organizations face multiple threats, and it is difficult to defend against all threats, all the time. Regardless, one thing is certain: DDoS mitigation is important because 1) volumetric DDoS attacks are becoming more common and can effectively cripple networks, and 2) low-threshold, sub-saturating DDoS attacks often mask more surgical security breaches, such as malware and ransomware attacks. So, it is very possible that both personal data breaches and network disruptions will occur at the same time.
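As an added illustration of the two attack classes just described (example code written for this page, not Corero's own detection logic): a toy flow-log detector over constructed records, showing that a bandwidth-only threshold catches the volumetric flood but is blind to a low-rate, many-source flood, while a per-destination packet-rate plus source-diversity check catches the latter. All addresses, sizes, link capacity and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (second, src_ip, dst_ip, bytes, packets).
FLOWS = (
    [  # second 0: ordinary traffic to the web front end
        (0, "203.0.113.10", "192.0.2.5", 150_000, 120),
        (0, "203.0.113.11", "192.0.2.5", 90_000, 80),
    ]
    # second 1: sub-saturating flood, 40 sources, 64-byte packets, ~8 Mbit/s total
    + [(1, f"198.51.100.{i}", "192.0.2.5", 64 * 400, 400) for i in range(1, 41)]
    # second 2: volumetric flood, 10 sources, ~8 Gbit/s total
    + [(2, f"198.51.100.{i}", "192.0.2.5", 100_000_000, 66_000) for i in range(100, 110)]
)

LINK_BPS = 1_000_000_000  # constructed 1 Gbit/s uplink
VOLUMETRIC_RATIO = 0.8    # bandwidth alarm above 80% of link capacity
PPS_PER_TARGET = 5_000    # packets/s towards a single destination
MIN_SOURCES = 25          # distinct sources hitting one destination in one second


def volumetric_alert(flows, link_bps=LINK_BPS, ratio=VOLUMETRIC_RATIO):
    """Bandwidth-only check: return the seconds whose total traffic exceeds
    ratio * link capacity. Sees the volumetric flood, misses the low-rate one."""
    bits_per_sec = defaultdict(int)
    for sec, _src, _dst, nbytes, _pkts in flows:
        bits_per_sec[sec] += nbytes * 8
    return sorted(sec for sec, bits in bits_per_sec.items() if bits > ratio * link_bps)


def rate_and_diversity_alert(flows, pps_limit=PPS_PER_TARGET, min_sources=MIN_SOURCES):
    """Per-destination check: return (second, dst) pairs where one target sees both
    a high packet rate and an unusually large number of distinct sources."""
    pkts = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, dst, _nbytes, npkts in flows:
        pkts[(sec, dst)] += npkts
        sources[(sec, dst)].add(src)
    return sorted(key for key, n in pkts.items()
                  if n > pps_limit and len(sources[key]) >= min_sources)


if __name__ == "__main__":
    print("bandwidth threshold fires in seconds:", volumetric_alert(FLOWS))  # [2]
    print("rate+diversity fires for:", rate_and_diversity_alert(FLOWS))      # [(1, '192.0.2.5')]
```

Neither check alone covers both floods, which is the practical argument for layering automated detection rather than relying on a single bandwidth alarm.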

DDoS attacks can come from lone-wolf actors or nation-states, and several government agencies in Europe have already been victimized by DDoS attacks. When considering the best cybersecurity tools and layers of defense to deploy, critical infrastructure organizations should put automated DDoS protection high on the priority list.

Corero is the leader in real-time DDoS defense. If you need expert advice, contact us.