Early Warning for Critical Infrastructure Protection and the Road to Public-Private Information Sharing

Authors: Myriam Dunn Cavelty; Manuel Suter
Position: Professor and head of the New Risks Research Unit, Centre for Security Studies (CSS), Swiss Federal Institute of Technology (ETH Zurich) / Doctoral candidate and researcher, Center for Security Studies (ETH Zurich)
Pages: 85-113

Introduction

[Critical infrastructures] are the foundations of our prosperity, enablers of our defense, and the vanguard of our future. They empower every element of our society. There is no more urgent priority than assuring the security, continuity, and availability of our critical infrastructures.

(President’s Commission on Critical Infrastructure Protection, 1997: vii)

The above statement, made over a decade ago, is still in accord with the general feeling today. Critical infrastructures (CI) are systems or assets so vital to a country that any extended incapacity or destruction of such systems would have a debilitating impact on security, the economy, national public health or safety, or any combination of the above. The most frequently listed examples encompass the sectors of banking and finance, government services, telecommunication and information and communication technologies, emergency and rescue services, energy and electricity, health services, transportation, logistics and distribution, and water supply (Abele-Wigert and Dunn, 2006: 386-389). Besides the protection of the physical assets, it is also important to ensure the continuation of the services, the physical and electronic (information) flows they deliver, and their role and function for society.

For these reasons, critical infrastructure protection (CIP) is currently seen as an essential part of national security in numerous countries around the world (Suter and Brunner, 2008; Dunn Cavelty and Kristensen, 2008). Under the heading of vital system security, protection concepts for strategically important infrastructures and objects have been part of national defense planning for decades, though they played a relatively minor role during the Cold War as compared to other concerns such as deterrence (Collier and Lakoff, 2008). Around the mid-1990s, however, the possibility of infrastructure discontinuity caused by attacks or other disruptions attracted fresh attention among security strategists. From then on, CIP as a concept and a practice was explicitly articulated and became the subject of many hearings, policy documents, and study groups worldwide.

A broad range of political and administrative initiatives and efforts are underway in the US, in Europe, and in other parts of the world in an attempt to secure critical infrastructures better against a variety of threats.

Despite the sometimes substantial differences between these governmental protection policies, a number of key challenges that governments are confronted with have become apparent. First, the particular dependence of society on information and communication infrastructures on the one hand, and the resulting complex interdependencies between infrastructures on the other, lead to a new and still poorly understood dimension of vulnerability. This has led to a strong focus on the cyber-dimension of the problem and on critical information infrastructure protection (CIIP). Second, the majority of critical infrastructures are in the hands of private companies due to the deregulation of markets (Héretier, 2001, 2002; Andersson and Malm, 2006). Thus, ownership, operation, and supply of infrastructures and services that are considered vital to national security are in the hands of a largely private industry, which is diverse, intermixed, and relatively unregulated. Collectively, this industry has far more technical resources and operational access to the infrastructures than the government does (Baird, 2002). In order to ensure the security of their citizens, governments are thus forced to find ways to cooperate with the private sector in so-called public-private partnerships (PPP). It follows from the first point that states have a distinct interest in improving the information security of companies, as the security of the entire society depends on a functioning information infrastructure. Third, the concept of information-sharing, which refers to the exchange of information among large companies and between large companies and the state, is singled out by governments and researchers as one of the most promising PPP measures.

In this article, we will address all three aspects in more detail. In the first section, we look at why and how CIP has been framed as a national security issue. This will help us better understand the key characteristics and core difficulties of CIP. In the second section, we point to the difficulties of gauging the cyber-threat. This, so we argue, is mainly due to a severe lack of threat information all around. In a third section, we look at one promising remedy to the problem: information-sharing. In particular, we focus on public-private collaboration in the field of early warning and also point to the challenges of such a partnership. In section four, we identify three factors that help to overcome these challenges.

1. CIP Becomes a National Security Issue

The establishment of CIP as a focal point of the contemporary national security debate is the result of two interlinked factors: a) the expansion of the threat spectrum after the Cold War, especially in terms of malicious actors and their capabilities, and b) a new kind of vulnerability due to modern society’s dependency on inherently insecure information systems. Understanding this context is useful for grasping the specific difficulties that CIP presents.

1.1. Asymmetric Vulnerabilities

During the Cold War, the two superpowers combined global political objectives with military capabilities that included weapons of mass destruction and the means to deliver them at intercontinental range. Security threats were thus directly linked to military capabilities and arose for the most part from the supposedly aggressive intentions of the other powerful actor in the international system. The end of the Cold War brought the end of the clear nature of threats: Following the disintegration of the Soviet Union, a variety of «new» threats were moved onto the security agendas (cf. Buzan et al., 1998) that seemed to be distinctly different from Cold War security threats.

The components of the post-Cold War security paradigm are more diverse and diffuse than they were during the Cold War. This is especially true in terms of the sources of threats: Traditional threats originating from great powers and rogue states are accompanied by transnational threats that focus on non-traditional targets and cannot be easily dealt with by traditional means. Regional issues have proliferated and threaten wider international peace and security. Non-state actors —such as terrorist groups— have taken advantage of regional conflicts and insecurities. We are faced with «more dynamic geostrategic conditions, more numerous areas and issues of concern, smaller and more agile adversaries» (Cooper, 2005: 24).

Any combination of threats involving non-military —or asymmetric— means and/or non-state actors poses significant difficulties for traditional approaches to intelligence collection: Linking capability to intent works well when malefactors are clearly discernible and intelligence agencies can focus their collection efforts to determine what capabilities their targets possess or are trying to acquire (Davis, 2002). Now, however, there is a lot of uncertainty surrounding the identity and goals of potential adversaries, the time-frame within which threats are likely to arise, and the contingencies that might be imposed on the state by others. Further, there is uncertainty concerning the capabilities against which one must prepare, and also about what type of conflict to prepare for (Goldman, 2001: 45).

Due to the difficulties in locating and identifying enemies in this new threat environment, part of the focus of security policies has shifted away from actors, capabilities, and motivations towards the general vulnerabilities of the entire society. The US military was a driving force behind the shaping of this threat perception in the early 1990s: The US as the only remaining superpower was seen as predestined to become the target of asymmetric modes of warfare. Specifically, it was assumed that those likely to fail against the highly superior US war machine would plan to bring the US to its knees in other ways, e.g. by striking vital points at home that are fundamental not to the military alone, but to the essential functioning of industrialized societies as a whole: critical infrastructures (Berkowitz, 1997). Fear of asymmetrical measures against such «soft targets» was aggravated by the second factor: the so-called information revolution.

1.2. ... and the Inherent Insecurity of the Information Infrastructure

The information revolution, characterized by the marriage of computer and telecommunications, the integration of these technologies into a multimedia system of communication that has (at least theoretically) «global» reach, and the fact that they are available at low cost (Dunn Cavelty and Brunner, 2007), has been a defining moment that changed the overall scope, aim, and shape of older forms of CIP. With the growth of computer networks and their proliferation into more and more aspects of life, the object of protection changed. Whereas...
