Nine cyber attacks on UK’s transport sector missed by mandatory reporting laws

Nine cyber attacks affecting the British transport sector were missed by the UK’s mandatory reporting laws and were only disclosed to the government on a voluntary basis, Sky News has learnt.

A law introduced three years ago was intended to boost Britain’s ability to defend itself from foreign state and criminal hackers by obliging critical infrastructure organisations to report incidents.

However, the thresholds set for reporting incidents across the energy, transport, health, water, and digital infrastructure sectors are so high that no reports are being made under the legislation.

These thresholds are based on the impact hackers have on the continuity of service – for instance water and energy supply, or freight movement – but whether service continues is not a measure of the sectors’ security capabilities; it reflects only what the hackers chose to do once inside the network.

The nature of an implant within a computer system means that it can be used both for spying on the system’s workings and to potentially disrupt them, but up until the moment of disruption the fact an organisation has been hacked wouldn’t meet the threshold for reporting.

Because no reports are being made under Britain’s mandatory reporting laws, government departments risk being under-informed about their sectors’ security beyond what voluntary disclosures reveal, and those disclosures potentially do not cover the full range of hostile activities taking place.
