- Critical infrastructure protection is vital to keep essential services running and often relies on public-private cooperation models.
- But while failure of critical infrastructure is often considered a worst-case scenario, there is often a question over who pays for its security.
- Identifying ‘systemically important critical infrastructure’ could help open up new cooperation models and unlock new funding mechanisms.
Government efforts to engage in critical infrastructure protection are hardly new. In the United States, the first efforts were codified all the way back in 1998 in the Presidential Decision Directive 63, which reads:
“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.”
This mission seems clear: to set up comprehensive public-private cooperation models that help assure the provision of essential services to the government, the economy and the public.
In the US, the governmental programmes in this regard have led to a huge increase in cybersecurity spending just in the entities directly affected – over $105 billion in 2021 alone, according to one estimate.
Challenges of critical infrastructure protection
However, despite well over two decades of experience, getting critical infrastructure protection right still seems to be a challenge. The recent Colonial Pipeline attack paralysed the gas supply on the east coast of the US. Similar impacts were witnessed as a result of the Amsterdam-Rotterdam-Antwerp attack in February 2022, and the Florida water plant incident in February 2021.
While full-scale outages in the electricity sector have so far been relatively contained, for instance the 2015 power grid hack in Ukraine, several cyber powers have reportedly prepositioned malware in each other's power grids.
It is far from clear if critical infrastructure protection programmes would be sufficient in dealing with the effects of such a worst-case act – one that could even rise to the level of an actual cyberwar if committed by states.
The wide-scale and prolonged failure of critical infrastructure is sometimes considered the worst-case outcome of a political conflict – exactly what we would do as a society if the power fails for days, let alone weeks, is a matter of widespread speculation.
Cyberattack on critical infrastructure ‘prime fear’
But the concern is not only one of overexcited journalists or filmmakers. For the Global Cybersecurity Outlook 2022 report, the World Economic Forum surveyed 120 senior cyber leaders to understand their concerns, both for their enterprises and for themselves personally. When asked what they worried about personally, infrastructure breakdown due to a cyberattack emerged as the number one concern, substantially ahead of identity theft.
Over the last 20 years, virtually all Organisation for Economic Co-operation and Development governments have experimented with various carrots and sticks to increase private sector collaboration.
More recent discussion in Europe and the US has concentrated on the “sticks” – in particular, new legal requirements by governments that operators of critical infrastructure must report serious breaches in their networks.
These regulations – like the EU Cybersecurity Act and the very recent US Cyber Incident Reporting for Critical Infrastructure Act of 2022 – were seen as relatively low-cost options and were supposed to incentivize private companies to invest more in security.
But they didn’t answer the question that is really on many critical infrastructure operators’ minds – more security and operational resilience would be great, but who is going to pay for it?
Who pays for critical infrastructure protection?
A significant challenge of critical infrastructure protection programmes is simply that the societal needs are not the same as many industry needs. For instance, the emergency services in many countries depend on the same mobile phone infrastructure as everyone else.
Cellular base stations are critical, but only a few have standby generators in case of a wide-scale power blackout, and only for a day or two at most. The government can (and sometimes does) force these companies to build more redundancy into these networks, but overall telecom companies work under tight profit margins, making investors wary of any additional burdens.
And while government might also just purchase, subsidize or otherwise reward the purchase of such equipment, there may remain a legal question: if such subsidies were to apply to all critical infrastructures – and in the US these are likely to be many thousands of companies – would it not represent a major anti-competitive act, especially where being “critical” was hardly an exceptional situation anymore?
Defining systemically important critical infrastructure
The solution to this conundrum is an entirely new type of critical infrastructure, which potentially may even result in an entirely new type of corporation: the “systemically important critical infrastructure”.
The concept of systemically important critical infrastructure was floated in the US Cyberspace Solarium Commission’s 2020 report as “the entities, responsible for the most important critical systems and assets in the US, that would be granted special assistance from the federal government as well as assume increased responsibility for additional security and information security requirements that are vital to their unique status and importance”.
In other words, it encompasses only the “critical of the critical” enterprises – those like power and telecoms that are needed to make the others run.
In the US there is a clear move towards adopting the concept wholesale, and the legislation pushed forward might represent the start of a very new idea of critical infrastructure. However, the exact deliberations of what may constitute systemically important critical infrastructure and how it can be enacted are still very much at the start.
Rethinking regulation models to ensure resilience
In addition to collaboration between governments and critical infrastructure organizations, there is a need to establish improved cost-sharing models and co-regulatory models that ensure resilience of the basic underpinnings of daily life.
A new legal category of ‘systemically important’ infrastructure may provide government with the ability to unlock new funding mechanisms that were previously unavailable. This is clearly needed for some infrastructure where, as mentioned previously, the sums needed to ensure business continuity and disaster recovery at the level that society may need clearly exceed the budgets the operators can spend on this.
Beyond capital expenditure-related measures, it could even include operational expenditure-related issues – such as the costs associated with maintaining sufficiently large cybersecurity organizations and the like to deal with the threats at hand. The concept opens the door for creative thinking.
The new concept of systemically important critical infrastructure organizations may be the best way to cut the Gordian knot that has bedevilled public-private cooperation in critical infrastructure for decades: how to properly share the cost burden of modern societies’ reliance on certain life-essential industries. Getting this right will be a huge step in the Fourth Industrial Revolution.