I saw this blog from Allan Hirt and I wish the US would adopt something strong like this. I'd actually like this to apply to all organizations, but certainly critical services need to be secure. If you follow the link, you'll see that the UK government has warned their critical industries that if they do not have effective measures or safeguards against cyber attacks, they can be fined up to £17 million. That might not seem like a lot in some industries, but it should get some attention from executives. I'm not sure how many CxOs would keep their jobs if they incur that level of fine because they didn't implement strong security measures.
For now the requirements apply to the energy, transport, water, and health industries. These are deemed essential by the UK government. The UK government expects that, along with data privacy changes to ensure GDPR compliance, these industries will need to implement better cyber security to prevent or limit attacks. This is part of guidance from the European Parliament, and it's overdue. I just wish the US were as focused on pushing organizations to adopt security as a priority rather than an afterthought.
Not that I want government to dictate specifics, but I do think that having a government authority that can stay up to date and evolve their view of what constitutes good security is a good idea. This could be similar to some sort of review and feedback situation that we have for auditing. Ultimately, I'd like there to be some group that can weigh in on good security practices for platforms and systems, probably with research and industry feedback, on what constitutes valid patch levels for systems and software. It would be valuable to know that your version of Windows or Debian or PHP or the database platform is insecure. Not that I want to create more of an upgrade treadmill, but using software means patching it.
Perhaps this would drive more organizations to move to open source software, or perhaps more vendors to issue patches rapidly and lower their prices to compete. Maybe more importantly, it would press vendors of third party software to ensure they continue to develop security patches, perhaps even spelling out support lengths in contracts. The pressure to perform better would be useful in raising quality in the security area. One thing to note is that the intent isn't to fine companies, but ask them to make valid risk assessments and take appropriate measures (with input from regulators).
For now, I'd say that most UK organizations ought to start taking security more seriously. Making changes in platforms to prevent attacks and limit downtime will require some planning and foresight. You might not be in an industry affected today, but in two or three years that could change.