Critical Infrastructure: From Protection to Resilience

17 Feb 2010

In an uncertain and shifting global threat environment where complex and interconnected systems are acutely vulnerable to attack, governments face not only the enormous challenge of how best to protect their critical infrastructure but also how to most quickly rebound from inevitable attacks.

Critical Infrastructure Protection (CIP) refers to a broad and multifaceted concept that is getting a lot of attention from the national security community worldwide, largely as a result of two interlinked factors: the expansion of the threat spectrum after the Cold War and new vulnerabilities caused by society's dependency on interconnected, complex and increasingly virtual systems. Some of these systems - or infrastructures - are regarded as 'critical' by the authorities because their prolonged unavailability may result in severe consequences for society. The sectors most often listed as 'critical' include finance, government services, telecommunication, electricity, health services, transportation, logistics distribution and water supply.

The plethora of malevolent actors (presumably) willing to attack these vulnerable spots and the very high stakes make the protection of critical infrastructures a national security priority. Around the world, governments are designing, implementing and amending protection policies. One aspect they continue to grapple with is the uncertain and fluid threat environment, which renders protective measures tailored against only one type of threat cost-ineffective. Rather, there is a need for catch-all preventive security measures that are difficult to implement. In addition, the reality of a liberalized economy necessitates that governments cooperate nationally with the private sector and internationally with other governments, which is often wrought with difficulties. By far the greatest challenge yet, however, may be the fundamental shift in thinking required by the concept of resilience, which is becoming increasingly important in the field of CIP.

An uncertain threat environment

During the Cold War, threats to security were mainly perceived as arising from the aggressive intentions of states to achieve domination over other states. Following the disintegration of the Soviet Union, a variety of 'new' threats were moved onto the security policy agendas. The main distinguishing quality of these challenges is the element of uncertainty that surrounds them: Not only is there uncertainty concerning the identity, goals and capabilities of potential adversaries or the timeframe within which threats are likely to arise, there is also uncertainty about what type of challenge to prepare for.

The range of potential contingencies is exceptionally broad: Critical infrastructures can be damaged by so-called structural threats as well as by intentional, actor-based attacks. The first category includes natural and human-induced catastrophes and technical outages. The second category contains an extensive spectrum of possible attackers, ranging from teenagers, disgruntled employees, syndicated criminals, fanatics and terrorists to hostile states. An equally broad range of attack options exists, including hacker attacks as well as the physical destruction of civilian or military installations.

Most countries apply classical risk assessment approaches to provide guidance on the assets at highest risk and to devise policies and plans to ensure that these particular systems are appropriately protected. The level of risk is calculated by multiplying the probability of an adverse event with a numeric value for the resulting impact. But despite the fact that risk analysis is well established as a decision-making tool in the security sector, the approach has one significant shortcoming: There is almost no data to support objective probability/impact estimates for low-probability (high-impact) events - and this is what we are dealing with in the context of CIP.

The concept of protection connotes knowing the threat and then throwing a protective or preservative measure around a valued subject or object to thwart it. However, if the threat (and the respective level of risk) moves more and more toward the unknowable, the type of protective measure also changes.

Two points can be made. First, rather than trying to know and anticipate specific threats, response strategies are geared toward mitigating the risk of all contingencies by reducing vulnerabilities, mainly through cooperation. Second, and more recent, a shift away from the concept of protection toward resilience can be observed.

Though the two concepts overlap at times, infrastructure protection aims to prevent or reduce the effect of adverse events, while infrastructure resilience reduces the magnitude, impact or duration of a disruption. It is important to note, however, that there are certain infrastructure sectors in which there is very little tolerance for disruptions, such as the nuclear and chemical sector. In these cases, (hard) protection of critical assets is essential to prevent significant loss of life. In other sectors, in which the critical assets are networked, complex systems rather than distinct physical assets - like telecommunications - an emphasis on resilience may largely improve security.

Mitigation through cooperation

Over the years, four types of responses have become common in CIP practices worldwide. All of these can be subsumed under 'protective' measures.

First, an increase of public-private collaboration to enable a better exchange of information is pursued. A functioning partnership between the state and the corporate sector is essential: Due to the liberalization of many public sectors since the 1980s, a large part of the critical infrastructure is privately administered today. Therefore, the private sector has a key role in defining and implementing protective policies, and nation states want operators to take responsibility for the implementation of protection measures that are in accordance with the parameters or frameworks set by public authorities.

In order to win the support of the private sector without having to fall back on heavy regulation, governments must strive to create a mutual win-win situation. For example, nation states can provide financial assistance, coordinate the intervention of law enforcement services regarding criminal matters, and provide advice, guidance or oversight concerning measures taken by other infrastructure operators to protect their facilities.

A second measure is to better coordinate a more integrated approach on the domestic front. Often, there are too many governmental agencies involved in CIP matters. In consequence, it has often been impossible to attribute clear responsibilities, which hindered effective response. In a move to centralize CIP, many states develop new structures or offices that are responsible for overseeing the activities of all the agencies that deal with CIP-related issues.

Third, CIP can only work if society as a whole becomes more aware of public vulnerability and the importance of public participation in building CIP policies, prompting the need for public-awareness campaigns. In addition, there is also a need for enhanced support of cyber education from elementary schools to colleges and universities; training of a capable and technologically advanced workforce; as well as research in the rapidly evolving field of cyberspace.

Fourth, the efficacy of national efforts remains limited: The vulnerability of modern societies has global origins and implications. Therefore, despite the fact that international cooperation is in many ways already taking place, expanded and more efficient cooperation is needed. To create some kind of added value to national efforts, international organizations can help develop and promulgate (information) security standards or disseminate recommendations and guidelines on best practices. International law enforcement institutions and mechanisms, like Interpol, can be used for information exchange and investigations, with the aim of providing early warning of cyber attacks by exchanging information between the public and private sectors. Enhanced cooperative policing mechanisms can be created. Multilateral conventions on computer crime, such as the Council of Europe convention, can be expanded and built on.

From protection to resilience

Resilience is commonly defined as the ability of a system to recover from adversity, either returning back to its original state or to a new, adjusted state. It is related to post-disruption conditions and response and not pre-disruption activities to reduce potential losses through mitigation.

Of course, resilience is not a new concept; but its current rise indicates a significant shift in thinking: While protective measures aim to prevent disruptions from happening, resilience accepts that certain disruptions are inevitable. If resilience is a core concept, security does not refer to the absence of danger but rather the ability of a system (including society) to quickly and efficiently reorganize to rebound from a potentially catastrophic event.

The implications are considerable. First, the state openly admits that it can no longer guarantee security for its citizens because it can no longer anticipate the threat. Second, due to interdependencies and the fear of cascading spill-over effects throughout the entire system, resilience becomes the aspired characteristic for the entire society. Third, rather than aiming for reduction of the complexity of critical infrastructure systems, the resiliency paradigm accepts and even embraces complexity because it makes systems more adaptable and flexible. Fourth, dealing with complex systems and aiming for resilience means rethinking the role of governments. Static, state-centric models of government are poorly equipped to handle a complex environment.

CIP in the age of resilience must increasingly rest on self-regulating and self-organizing networks. In accordance, the government's role no longer consists of directing and monitoring but of coordinating networks and identifying instruments that can help motivate networks to meet the task of CIP. The huge challenge facing governments is thus to maintain their role in protecting critical infrastructures where necessary, while determining how best to encourage market forces to improve the resilience of companies and entire infrastructure sectors and to ensure that cooperation among private actors operates smoothly even without constant oversight.

JavaScript has been disabled in your browser