Troy Media – by Andrew Graham
Canada’s critical infrastructure (CI) is massive, geographically dispersed, owned by many different players mostly within the private sector, and vulnerable.
However, the degree to which that vulnerability transfers into actual risk varies and is clearly in question. Our CI is dispersed yet interconnected, so applying any simple form of governance to protect it will not work.
This is a unique policy and operational challenge, not just for government but also for all stakeholders. It cannot be said that we have a fully-protected CI, but it also cannot be said that we have one under active threat. What is missing is a cohesive and sustainable approach led by the federal government with a healthy recognition that such leadership cannot carry the full responsibility for either identifying threats and risks, or doing something about it. That responsibility lies in many hands.
Vulnerable to cyber attacks
According to the National Strategy for Critical Infrastructure, CI is made up of a series of systems vital to the well-being of Canadians. It defines CI as “those physical and information technology facilities, networks, services and assets, which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.”
While much is made of the physical components of Canada’s CI, there are two others connected to the physical components and key to its operation: the cybernetic and the human. There is a growing recognition that CI operators are increasing their dependence on vulnerable remote sensor and control systems. This research effort did not, however, find evidence of the recognition of the human dimensions to CI and its protection. The most notable aspects missing are the relatively small pool of experts who know how systems work and interact as well as the need for continual personal communication within CI systems to maintain a mature and balanced view of risk.
Research to date would indicate that the federal government, while trying to provide a form of general leadership and sharing platforms, lacks most of the policy and operational clout to impose solutions, even when they are known.
It therefore tries to provide leadership in partnership with many actors, a nascent effort. The conclusion is that Canada’s CI is hardly fully safe from incursion, that making it so would involve enormous costs, that the degree of real and present risk is contestable and, most concerning, that the interdependence of CI systems is developing an overlay of what might be called the meta-CI system, cybernetics, and the computer control systems that control most of the other CI systems such as energy, transportation, finance, and others.
Before jumping to conclusions about the need for more government action, serious thought has to be given to what is a reasonable level of response, especially to threats that are potentially devastating but relatively remote. Finally, while there are efforts to improve the protection of CI from attack, we know of very little effort to establish post-failure resilience of such systems.
Our report concludes with a number of suggestions for ensuring a more secure and sustainable approach to CI threats:
Understanding that this is a policy mash-up that entails many actors with dispersed responsibilities and that it will likely not change in the near future;
Accelerating the slow pace of developing the federal leadership role in information exchange and building communities of practice;
Adopting a more holistic view of the threats to CI that gives greater emphasis to actual on-the-ground threats such as theft, cyber-incursion, and domestic criminal actions, as well as developing a better understanding for all players of the real risks those threats pose;
Recognizing the emergent vulnerabilities posed by cybercontrol systems and ensuring an appropriate response; and
Developing means of sharing information, expertise, and practice that will create a culture of mindfulness shared by all players at all levels.
Some of the key elements needed to meet these objectives are:
A clear mapping of CI in the country;
A common understanding of the threats and risks that drive mitigation in both the public and private sector;
Intelligence effectively shared and applied;
Adequate reinvestment in CI to avoid increasing its vulnerability through neglect;
Adequate response capacity suited to the task;
Continuous updating, sharing of information, learning, and assessment;
Effective governance within sectors and at the broader national level;
Public awareness and education to define realistic risks ensure public engagement in the protection of structures vital to its interest and to contain alarmist or ill-informed fears and misunderstandings;
Ways to provide incentives for the private sector to invest in CI protection; and
Addressing the human dimension, in that systems can only work reliably when the personnel are equipped with the requisite skills, information, and tools to hold them together.
Andrew Graham is an adjunct professor at Queen’s University’s School of Policy Studies, where he teaches and writes on public sector management, financial management, integrated risk management and governance. He is author of Canada’s Critical Infrastructure: When is Safe Enough Safe Enough?, released by the Macdonald-Laurier Institute as part of the National Security Strategy for Canada series. In the next installment, solutions to Canada’s critical infrastructure problems will be addressed.
About the Author (Author Profile)