Modern life in Britain today is dependent on the ability of increasingly complex infrastructures to function reliably. While sectors such as food, water, health and transport have always been critical, their delivery is increasingly enmeshed with information and communications technologies.
Individual countries approach the shared benefits and problems of globalised infrastructure in different ways. However, critical infrastructure is generally understood to include the essential elements of commercial, social and political systems, whose loss could critically affect public health, economic security or national security. In the UK, the Centre for the Protection of National Infrastructure lists nine sectors including communications, emergency services, energy, financial services, food, government, health, transport and water.
Cyberspace holds these sectors together, and although is sometimes categorised as a discrete sector, in practice it is so deeply embedded into sectors such as energy and transport as to make any separation meaningless. It can be visualised instead as a thin layer running through all other sectors, enabling them to communicate and function.
This goes beyond physical infrastructure to include data, which can be considered a form of logical infrastructure or critical information infrastructure. Securing this cyber layer is hugely important, yet the complex interconnections between sectors – facilitated by cyberspace – make it harder to know what to protect.
This issue is addressed in a forthcoming Chatham House report entitled Cyber Security and Global Interdependence: What is Critical? which looks at changing interpretations of what is critical, and how divergent interests make cyber security an exceptionally hard problem to address.
As transportation interconnects with food distribution and energy transmission with telecommunications, and as these and many others sectors are sustained by the finance and energy sectors, it is becoming more difficult for UK policy-makers to draw clear boundaries between critical areas. The UK is fully engaged in this debate. It ranks highly in internet users, with 82 per cent of the population online, users who consume more data via mobile devices than any almost any other country in the world.
The discussion over critical infrastructure is inherently international, however. With 2.4 billion global internet users, and tens of billions of connected devices communicating and exchanging unprecedented amounts of data, it is harder to identify the nodes and connection points whose protection must be prioritised.
One major issue is that the public debate over protecting critical infrastructure tends to be very broad, with the sectors encompassing almost every aspect of daily life. Broad sectors such as food, water and transport are labelled as important, but this leaves ambiguity as to what needs to be prioritised within these sectors. In addition, assessments of infrastructure risk are often conducted with only vague metrics for threats, vulnerabilities or potential impacts. The problem, therefore, is that when everything is “critical”, nothing is.
At this point two observations will be made by many readers. The first is that the majority of UK infrastructure is owned or operated by the private sector. The second is that many of these companies are international, with one example being EDF, a French-owned company which operates the majority of UK civil nuclear infrastructure.
It is true that privatisation of national infrastructure is a regular source of controversy, as is international ownership of national infrastructure. When done with prudence and sufficient oversight both can be a source of significant economic benefit. Yet the efficiencies that are gained from privately – and internationally – owned and operated infrastructure are counterbalanced by equally significant challenges.
This tension between the public and private sectors is focused primarily on questions of liability. Who should pay to protect infrastructure that is privately owned but which is essential for the smooth functioning of a national economy? And what is the liability of corporations which are considered part of a country’s critical infrastructure, but that are headquartered abroad?
Traditional categories of critical infrastructure do not fully capture the complexity or speed of the modern ecosystem. In addition, many countries depend increasingly on infrastructure and assets over which they have little or no control. For this reason it may be increasingly irrelevant to refer to “critical national infrastructure”. While the assets in question, such as factories, power plants or telecommunication nodes, may be critical at a national level, they may be completely outside the geographical or jurisdictional control of a state or its citizens.
This reflects a process of interconnection that has recently been super-charged by the spread of digital communications, and demonstrates the extent to which a country can be dependent on infrastructures around the world. What is the cyber equivalent of a UK fuel tanker strike, where a critical service could be disrupted with immediate consequences? This disruption could be based on both sentiment, such as panic buying, and tangible loss of service.
This ambiguity makes it difficult to counter emerging cyber threats, which are growing along with dependencies. Risk management has also become more difficult, and interdependencies have multiplied to the extent that it is difficult to define defensive perimeters. Indeed, such a concept has little meaning when connectivity is valued above security.
So what can be done to address these issues? A significant first step is recognition by senior decision-makers that cyber risk is a policy issue worthy of sustained engagement. The UK government is getting better in this regard, and is devoting more resources to information sharing between infrastructure sectors in a trusted environment. In spring 2013 the government will launch the Cyber Information Sharing Partnership, which will begin to address these issues among a wider circle of participants.
Second, adaption is necessary. There is a need to acknowledge the uncertainty inherent in the complex systems that sustain the UK. This will require better shared understanding of what is critical between those who protect an organisation and those who set its strategic direction. In addition, distinctions between “infrastructure” and “information infrastructure” are increasingly irrelevant, as data become as valuable as physical infrastructure.
Prioritisation is essential. Cyber risks in critical infrastructure and related supply chains should be closely inspected, and dependencies restricted where uncertainty is high and risk is opaque. Given the increasing rate of dependence between critical infrastructure and cyberspace, ambiguity in prioritisation and protection is counterproductive. This is particularly true in sectors that are critical at a societal level, and the discussion should be a public one in order to gain widespread consensus on the use of resources to protect critical infrastructure.
A better understanding of the economic and political incentives that guide UK stakeholders will help to avoid unwanted surprises. The commercial world tends to prioritise speed over security in cyberspace, for reasons of competitive advantage such as speed to market. Governments place more emphasis on delivering society services at a level adequate to sustain political advantage. Nuanced understanding of these differing incentives can reveal opportunities for behavioural change.
Finally, resilience requires investment. Cyber risk management can be accomplished more swiftly in areas that enhance both commercial and societal resilience. One possible example is alternative energies, which are increasingly viable commercially (but may require subsidies initially), but which also make the grid and users more resilient to disruptions in energy generation and transmission. A transparent risk management process can also build public confidence in protection of critical infrastructure, and ultimately this may be equally as important as physical resilience.
These recommendations can help to improve the situation faced by governments and companies. They should also remind us security is a means to an end, and many of the hardest cyber security problems have arisen as a result of the social, economic and political changes afforded by greater online connectivity. These problems are neither intractable nor impossible, but they will continue to challenge us for years to come.
Dave Clemente is an international security research associate at Chatham House