Professional Documents
Culture Documents
(Lecture Notes in Computer Science 7
(Lecture Notes in Computer Science 7
Processes
1 Introduction
The above statement, made over a decade ago, still rings true. Critical infrastructures
(CI) are systems or assets so vital to a country that any extended incapacity or
destruction of such systems would have a debilitating impact on security, the
economy, national public health or safety, or any combination of the above. As a
consequence, critical infrastructure protection (CIP) is currently seen as an essential
part of national security in numerous countries around the world.
Not everything about CIP is new: under the heading of vital system security,
protection concepts for strategically important infrastructures and objects have been
part of national defense planning for decades, though they played a relatively minor
role during the Cold War as compared to other concerns such as deterrence[1]. Today,
however, CIP refers to a broader concept with a distinctly different flavor. First of all,
J. Lopez et al. (Eds.): Critical Information Infrastructure Protection, LNCS 7130, pp. 15–38,
2012. © Springer-Verlag Berlin Heidelberg 2012
16 M. Dunn Cavelty and M. Suter
In a less ideal world, strategies come in a variety of forms. Very often, setting future goals and defining steps to
get there are closely interwoven or not even separated at all. In a field as diverse as CI(I)P and as populated by so
many players inside and outside of government, it is almost entirely impossible to define in theory what a strategy is
and what it is not. Therefore, rather than just selecting documents that have the word “strategy” in the title, we drew
from a broader document base. Without any claim for comprehensiveness, we looked at publicly available
documents that contain a) definitions of CI(I)P and related concepts, b) the description of (protection) goals, c)
statements about an object to be protected, d) statements about the type of threat to which these objects are subject,
and e) the means by which these objects are to be protected. In short, we were mainly interested in statements about
a desired state of security of an identifiable object that is seen in need of protection from one or a variety of threats
as well as statements about the type of countermeasures to be taken. In short, we mainly focus on protection goals.
However, the constant and sometimes rapid advancement of existing policies shows that many countries are still in
the process of defining their own “CI(I)P identity”. What we are looking at are snapshots of a dynamic policy field
with fuzzy boundaries.
This chapter is structured as follows: First, it will be analyzed how CIIP is defined – or rather not defined – and
that many countries focus not on CIIP but on cybersecurity. Second, we will identify and describe the definition of
protection goals on different levels. It will be shown that these strategies and policies differ considerably with regard
to the question what should be protected from which threat. Cyberthreats are often only vaguely defined and it
remains unclear which is the most relevant threat to critical infrastructures. In order to understand the varying
approaches in the documents, it is necessary to distinguish between different cyberthreats and to analyze which
strategy focus on which threat. Furthermore, the chapter looks at the proposed responses to cyberthreats. Even
though the policy and strategy papers on CIIP and cybersecurity differ with regard to the question who threatens
what, they usually propose similar concepts to respond to cyber vulnerabilities. Common response strategies include
the formation of Public-Private Partnerships (PPPs); efforts to strengthen coordination between the different
agencies that are assuming tasks in the field of CIIP; campaigns to increase public awareness for cybersecurity; and
attempts to improve international collaboration. It will be briefly discussed how these protection and prevention
measures are defined and which are the most relevant challenges that need to be addressed in order to implement
them. Third, we will take a step away from the content and look at the process of how these strategic elements are
defined and then point out what an ideal strategy making process could look like.