28 February 2013
Dave Clemente
(Former Chatham House Expert)


Critical everyday infrastructure sectors such as food, water, finance and energy are heavily dependent on cyberspace. Yet as critical services become more densely interconnected, it is harder for governments and companies to know what to protect.

In a new Chatham House report, I look at how policy-makers can more effectively identify what is critical in a globalized world, and how risk management strategies can be adapted accordingly.

In the UK, a recent Defence Committee report noted that, 'the Government needs to put in place – as it has not yet done – mechanisms, people, education, skills, thinking and policies which take into account both the opportunities and the vulnerabilities which cyberspace presents'.

Yet efforts are being made to improve the resilience of critical infrastructure. The UK government will soon launch a private-public sector cyber-threat information-sharing environment known as the Cyber-security Information Sharing Partnership (CISP) that, 'will be open to companies within Critical National Infrastructure sectors, but membership will be made available more broadly, including to SMEs, in a second phase'.

This is a positive step, particularly as the private sector owns and operates the vast majority of critical infrastructure. However, these are still early days, and the lingering financial crisis means that progress is most likely in areas where efficiency savings can encourage (rather than discourage) possibilities for cooperation.

Conflicts of interest between the public and private sectors have hindered similar mechanisms in the US, prompting a recent White House executive order on 'Improving Critical Infrastructure Cybersecurity'. This directs government departments to share unclassified cyber threat information more freely with the private sector, and expands a programme of sharing classified information with pre-approved organisations in critical infrastructure.  

In the report, I look at what can be done to improve the cyber security of critical infrastructure, namely: adaptation, prioritization, incentivization and resilience.

Adaptation requires embracing new concepts of what is critical. This includes elements of cyberspace, which can be visualized as a thin layer or nervous system running through all other sectors. Does widespread dependence on Google mean that it is now an essential, even critical element of daily life in many countries? Distinctions between 'infrastructure' and 'information infrastructure' are increasingly irrelevant, as data become as valuable as physical infrastructure. Adaptation also demands better shared understanding of what is critical between those who protect an organization and those who set its strategic direction.

Prioritization is essential, so that broad sectors such as energy, food or transport can be narrowed down to a manageable set of truly critical sub-sectors. This is even more essential now that dependencies are spreading ever further beyond borders. At the highest level of prioritization (e.g. critical nodes in government networks) this information will be confidential, but far more of the discussion surrounding critical infrastructure can take place in more open environments.

Better understanding is needed of the economic and political incentives that guide behaviour in the public and private sectors. The commercial world prioritizes speed over security, for reasons of competitive advantage, while governments focus more on delivering services in a manner that maintains political advantage. A more nuanced understanding of these differing incentives can reveal the scope for potential collaboration.

Resilience is important at both national and international levels because digital interconnections create efficiency but also increase dependency. The fragile equilibrium that maintains these dependencies can be disrupted in unexpected ways. For example, accidental damage to submarine cables frequently causes internet disruption in countries with poor infrastructure resilience, and localized power failures can cascade rapidly due to inadequate communication or contingency planning.

Bolstering societal resilience is an important component of managing risk in this uncertain environment. An open and transparent process of risk management can help to build public confidence in protection of critical infrastructure. Ultimately this is just as important as building physical resilience.

Despite fears of impending cyber-doom, the opportunities offered by cyberspace are far greater than its dangers and uncertainties. Cyber security is a means to an end. It facilitates the advancement of a multitude of social, political and economic goods. The task facing policy-makers is to walk a fine line, and design security measures that can achieve societal consensus while preserving the ability of cyberspace to thrive and provide these benefits.

Read more:

Cyber Security and Global Interdependence: What Is Critical?
Programme Report
Dave Clemente, February 2013