Critical national infrastructure is one of those phrases that gets used a great deal, but is not often defined very well. When you look for definitions, you often find they differ greatly, or are rather general. Many governments include them on their websites.
There are a number of assets that are critical to the functioning of our society, like energy, water, health, transport and financial services. In fact, when you start listing them, you start to wonder what isn’t critical national infrastructure rather than what it actually is.
It would be interesting to ask some of the twenty-year-olds who are part of the Occupy Movement what, in their view, is critical to the functioning of society - is it the same as the government’s definition?
One of the links between differing elements of critical national infrastructure is that they each rely on networks to make them work. So the cyber threat to national infrastructure is a threat that comes across networks, through systems which people use on those networks.
The purpose of such attacks is not always very clear. Sometimes it might be a denial of service attempt or the theft of data, but not all have a malicious purpose. Some are actually intended to expose vulnerabilities in order for those vulnerabilities to be closed (think First State Super). Other attacks come from individuals who simply want to make a name for themselves; they create mischief for mischief’s sake. And, of course, there are organised groups who are financially driven, as well as nation-states who may be inclined towards these practices to steal sensitive or strategic information.
I think the main groups that actually threaten us are those engaging in espionage and criminal behaviour.
When responding to an attack impacting critical infrastructure, it is important to have a regime of compulsory, yet confidential, reporting of IT incidents so that the organisation under attack is informed in time and can take action in time. In late August 2011, it became known that DigiNotar, a certification authority established in the Netherlands, had been hacked. DigiNotar issues certificates for government and other parties; its delayed response resulted in around 530 fake certificates being lost.
There are several challenges in policy making, including curly issues of data protection and cross-border sharing of information. The number of challenges probably won’t increase, but in time, the complexity will.
Many of these challenges can be solved by working in a public/private coalition which defines the common interest clearly; for many organisations this will simply be business continuity. Today’s interconnected economy is not just about an organisation’s strength and resilience; it’s about the entire supply chain and the ecosystem in which it operates. This is what true national critical infrastructure protection should be about.