Comment by leipert

9 days ago

Nope: The other way around. If you are of a certain size, you are required to ensure certain criteria. NIS-2 is the EU directive and it more or less maps to ISO27001 which includes risk management against physical catastrophes. https://www.openkritis.de/eu/eu-nis-2-germany.html

Of course you can do backups if you are smaller, or comply with such a standard if you so wish.

  • Is it? It would be incredible if the government didn’t have specific requirements for critical infrastructure.

    Say you’re an energy company and an incident could mean that a big part of the country is without power, or you’re a large bank and you can’t process payroll for millions of workers. Their ability to recover quickly and completely matters. Just recently in Australia an incident at Optus, a large phone company, prevented thousands of people from making emergency calls for several hours. Several people died, including a child.

    The people should require these providers behave responsibly. And the way the people do that is with a government.

    Companies behave poorly all the time. Red tape isn’t always bad.

  • I'm usually first in line when talking shit about the German government, but here I am absolutely for this. I was really positively surprised when I had my apprenticeship at a publishing company and we had a routine to bring physical backups to the cellar of a post office every morning. The company wasn't that up-to-date with most things, but here they were forced to a proper procedure which totally makes sense. They even had proper disaster recovery strategies that included being back online within less than 2 hours even after a 100% loss of all hardware. They had internal jokes that you could have nuked their building and as long as one IT guy survived because he was in the home office, he could at least bring up the software within a day.

  • Considering that companies will do everything to avoid doing sensible things that cost money - yes, of course the government has to step in and mandate things like this.

    It's no different from safety standards for car manufacturers. Do you think it's ridiculous that the government tells them how to build cars?

    And similarly here: If the company is big enough / important enough, then the cost to society if their IT is all fucked up is big enough that the government is justified in ensuring minimum standards. Including for backups.

  • It’s government telling you the minimum you have to do. There is nothing incredible there.

    It makes sense that as economic operators become bigger, as the impact of their potential failure grows on the rest of the economy, they have to become more resilient.

    That’s just the state forcing companies to take externalities into account which is the state playing its role.

  • Well, given that way too many companies in the critical infrastructure sector don't give a fuck about how to keep their systems up and we have been facing a hybrid war from Russia for the last few years that is expected to escalate in a full on NATO hot war in a few years, yes it absolutely does make sense for the government to force such companies to be resilient against Russians.

    Just because whatever country you are in doesn't have to prepare for a hot war with Russia doesn't mean we don't have to. When the Russians come in and attack, hell, even if they "just" attack Poland with tanks and the rest of us with cyber warfare, the last thing we need is power plants, telco infra, traffic infrastructure or hospitals going out of service because their core systems got hit by ransomware.

    • > it absolutely does make sense for the government to force such companies

      Problem is, a) governments are infiltrated by Russian assets and b) governments are known to enforce detrimental IT regulations. Germany especially so.

      > power plants, telco infra, traffic infrastructure or hospitals

      Their systems _will_ get hit by ransomware or APTs. It is not possible to mandate common sense or proper IT practices, no matter how strict the law. See the recent incident in South Korea with a burned-down data center with no backups.