Critical Information Infrastructures: What Lies Ahead? Giampiero Giacomello EIB Seminar November 6, 2013


What are Critical Information Infrastructures?

• Critical Infrastructures (CI) are the “arteries and veins” of Western urbanized societies (and, increasingly, not only them).

• I think “blood and nerves” is more accurate, because information flows in there and it is essential for managing them.

• And when CI are managed via information flows, they become Critical Information Infrastructures (CII).


CII Today

• There are some differences between the EU and the US on some specific definitions and typologies, but they basically include:

• Energy (production and distribution); information technology (IT); telecommunications (all); health care (including emergency services); transportation (all); water; government and law enforcement; banking and finance


Why Critical?

• Because any major disruption of any of these would have serious consequences on the well-being and wealth of the people affected

• Think of power outages or airport delays to have a (mild) idea

• Plus, our societies tend to become more dependent on CII and increasingly risk-averse (Beck 1992), thus pretending that no major disruption will ever happen!


Worst Case Scenario


Two Sweeping Events

• CI have always been vulnerable (e.g. WWII strategic bombing)

• There were, however, 2 sweeping events, both in the 1990s, that unintentionally converged to make today's CI the most vulnerable

• The first was when CI became CII, relying on the Internet (late 1990s). Why?

• Because, to their own inherent vulnerability, CI have added the “birth defect”, the “original sin” of the Internet, namely the (almost) total lack of security


Imperfection, all the way down

• When networks were proprietary, we had “security through obscurity”

• For the Internet, security was never a priority, because its nature was to be open, easy, adaptable (and to be used by academics and engineers, who else?)

• But when businesses discovered that it was free and that, by remote monitoring, they could cut costs, it seemed (almost) too good to be true (SCADA and all the rest…)


But it gets worse…

• Such a situation was problematic but manageable, and then came the second event, namely the 1990s liberalization/deregulation/privatization frenzy

• Infrastructures that had been public became “public-private partnerships” (PPP)

• Business logic was applied, hence cut costs to increase profit (bring in the Internet and SCADA even here)

• But “security” as a public good is subject to market failure…a lot


Now the good news…

• Organizational theories (such as “Normal Accident”; Perrow, 1999) tell us that institutional fragmentation (too many stake-holders) negatively affects the ability to reliably manage the CI

• Indeed, evidence shows that the CI operate “closer to the edge” than before the restructuring

• And yet, the performance (so far) of restructured CI and even CII is far better than expected/predicted. Why?


End of the good news…

• One study (de Bruijne & van Eeten, 2007) identified the “real-time, information-rich communication and coordination” as the answer

• Namely “guts”, instincts, coup d’oeil and familiarity and informality of communication among the experts, in real-time

• We are anxious, risk-averse societies, however, and we would never trust this protocol to work…


The (Un)Balance

• Thus we (societies) demand that a “balance” of anticipation and resilience policies is applied to protect CII

• Effective anticipation, however, requires precise assessment of the risk, which was difficult (not impossible) when every CI was separated

• Today, with networks, webs and grids all interconnected, cascade effects make effective anticipation next to impossible


Resilience? Market Failure!

• Resilience too is dreamland, as it demands redundancy

• Redundancy is the duplication (and more) of controls, of monitoring and safety devices

• But the private sector, which heftily benefited from the “fragmentation” (liberalization??), has no intention whatsoever to start paying for duplication (a clear market contradiction)

• The state, which benefited too, is also reluctant, but in case of CII failure, it will be the one that has to “pick up the pieces”…


Last but not least…

• In all this, we considered natural events and “normal accidents”, not evil deeds. If evil comes, just in cyberspace (the information domain)

• Cyberterrorism: possibly, but for now, more of a myth (Conway, 2002; Lewis, 2002; Giacomello, 2004; Weimann, 2004)

• Cyberwarfare: this is serious stuff (US, Russia, China, Israel, UK, France, Germany, but also Pakistan, India, North Korea and some others) and it’ll be part of an “all out” war


Conclusions

• The picture is bleak, very much so!

• The Internet is insecure, and the transition to a secure Internet (v.6) will be costly and (probably) cumbersome

• CII will grow, interconnections and SCADA will grow, and so will cascade effects and multiple vulnerabilities

• Plus, none of the stake-holders wants to bear the costs (business, state) or is aware and willing enough to pay more (consumers)

• Any good idea??
