According to an article in The Wall Street Journal last week (sorry, I’ve only just seen it), the US electricity grid and other key parts of the critical national infrastructure have been the subject of cyber-attacks and there are real concerns about those behind the attacks being able to disrupt or even take control of the systems that have been penetrated as a result of the trojans left behind. Apparently, many of the attacks were not detected by the infrastructure providers’ own security systems. So seriously is the threat viewed and so widespread is it, that Congress approved funding for a $17 billion programme to combat it and minimise the risk to the critical national infrastructure. And in the last couple of weeks, Democratic Senators have introduced a proposal that would require all critical infrastructure companies to meet new cyber-security standards and grant the President emergency powers over the electricity grid and other infrastructure systems.
So if the threat is viewed so seriously in the United States, do we have the same concerns in this country? The answer is we certainly ought to be as worried. My understanding is that UK systems have been similarly attacked, but I have real doubts whether our detection systems are as good or as thorough as those deployed in the USA. Moreover, we do not have sufficient controls over infrastructure providers to require the highest possible standards from them. We believe in “light-touch regulation”, so in many instances all the UK authorities can do is try to use moral persuasion to get infrastructure companies to install the best systems of security. What regulatory systems there are are geared to ensuring competition and to the economic regulation of the market, rather than to protecting national security. So we ought not to be worried; we ought to be very worried.