The real solution to minimising threats to critical infrastructure - and, indeed, to ordinary commercial systems - is quite simple: make companies responsible for the consequences of lax security, not the people who point it out. The threat of huge fines hanging over them would concentrate the minds of those whose job is to secure sites wonderfully.
So why don't governments around the world seize what is an extremely simple technical fix that addresses the problem at its root? After all, no amount of sabre-rattling or threats of long prison sentences will stop criminal attacks that originate from unknown and probably well-hidden actors overseas. The answer can be found in the EU's very own "cybersecurity plan", part of which foresees granting extensive new powers to the European Network and Information Security Agency (ENISA), as explained here by Ross Anderson, Professor in Security Engineering at Cambridge University:
ENISA and the national agencies in its network will have access to "sufficient information" from almost everyone online, in effect extending the data-retention powers from phone companies and ISPs to service providers such as search engines, webmail providers, social networks and computer game operators. That is completely unacceptable as it would violate the constitutions of Germany and other countries (and in view of the hostile report by the UK parliament's review committee in the proposed Communications Data Bill, would likely be unacceptable even in the most surveillance-friendly of the EU member states). Finally, it is extremely difficult to see how such a provision could be squared with Article 8 of the European Convention of Human Rights.
In other words, under the guise of "cybersecurity", the EU is bringing in data retention plans that go way beyond the already excessive ones in place. The US is doing exactly the same with its "Cyber Intelligence Sharing and Protection Act". This is another reason why governments around the world love using this "cyber" word - it's the new "war on terror" that is invoked as a kind of magical incantation to justify any disproportionate new powers without further explanation.
It's time we called the bluff here. Anything that uses "cyber" in its title is a con, and should be laughed out of the room. Yes, attacks take place, but the fact that they take place across the Internet is no different from those using any other technology. Trying to claim that the "cyberthreat" is somehow qualitatively different is merely a demonstration of the abiding ignorance and fear that afflict our rulers when it comes to the digital realm. If they truly want to address the real, not imaginary, problems that exist, they should try listening to the experts, rather than throwing them in prison.