The Art of CIIP Strategy: Tacking Stock of Content and Processes

Myriam Dunn Cavelty and Manuel Suter

Center for Security Studies, ETH Zurich, 8092 Zurich, Switzerland


{dunn,suter}@sipo.gess.ethz.ch

Abstract. This chapter analyses and compares CI(I)P and cybersecurity
strategies to discover key issues, developments, and trends and to make
recommendations about strategy making in the field of CIIP. To this end, it will
first define CIP, CIIP and cybersecurity. It will then show what kind of
protection goals – statements about a desired state of security of a particular
object/asset that is seen in need of protection from one or a variety of threats –
are defined and what kind of countermeasures are foreseen. Third, it will move
from the content to the process and will make recommendations about what an
optimal strategy process in the field of CIIP should look like.

Keywords: cybersecurity policy, public-private partnerships, threat perception,
protection goals, strategy process.

1 Introduction

“[Critical infrastructures] are the foundations of our prosperity,
enablers of our defense, and the vanguard of our future. They
empower every element of our society. There is no more urgent
priority than assuring the security, continuity, and availability of our
critical infrastructures.”

(President’s Commission on Critical Infrastructure Protection, 1997: vii)

The above statement, made over a decade ago, still rings true. Critical infrastructures
(CI) are systems or assets so vital to a country that any extended incapacity or
destruction of such systems would have a debilitating impact on security, the
economy, national public health or safety, or any combination of the above. As a
consequence, critical infrastructure protection (CIP) is currently seen as an essential
part of national security in numerous countries around the world.
Not everything about CIP is new: under the heading of vital system security,
protection concepts for strategically important infrastructures and objects have been
part of national defense planning for decades, though they played a relatively minor
role during the Cold War as compared to other concerns such as deterrence[1]. Today,
however, CIP refers to a broader concept with a distinctly different flavor. First of all,
it is no longer restricted to concrete defense against immediate dangers, but
increasingly refers to preventive security measures as well. Second, contemporary
modern societies have become significantly more vulnerable, and the spectrum of
possible causes of disruptions and crises has become broader and more diffuse. Third,
CIP is a security practice that reflects the fact that the security challenges to the state
from ‘inside’ and ‘outside’ have become blurred in the new threat environment to the
point where they have become the same. National security – traditionally dealing with
extraordinary threats and countermeasures from the outside – is now also concerned
with attempts to create resilience and redundancy in national infrastructure through
cyber-security measures and other means. This means that measures that are generally
regarded as being within the purview of information security may now also be
included among measures to ensure national security. In this new logic of security,
two formerly different notions of security are merging, as technical security and
safety and national security become one.[2]

J. Lopez et al. (Eds.): Critical Information Infrastructure Protection, LNCS 7130, pp. 15–38,
2012. © Springer-Verlag Berlin Heidelberg 2012

Ever since the landmark report of the President’s Commission on Critical
Infrastructure Protection of 1997 called “Critical Foundations, Protecting America’s
Infrastructures”[3], countries around the world have focused on ways to identify
and protect their critical assets against a variety of threats. As a result, a broad range
of political and administrative initiatives and efforts are underway in the US, in
Europe, and in other parts of the world.[4] While over the years, substantial
differences between these governmental protection policies have become apparent,
there are also commonalities in the form of key challenges that almost all governments
are confronted with.
This chapter aims to take stock of these efforts and said challenges. It will identify
the key issues, developments, and trends by comparing a set of recent policy papers,
especially strategies, in the domain. These governmental policies are at various stages
of implementation – some are enforced, while others are just a set of suggestions –
and come in various shapes and forms, ranging from a regulatory policy focus
concerned with the smooth and routine operation of infrastructures and questions such
as privacy or standards, to the inclusion of CIP into more general counter-terrorism
efforts. While the chapter aims to discuss only aspects unique to critical information
infrastructures (CII) and infrastructure sectors immediately affected by CII in sync
with the aims of this book, it is not always so clear where to draw the line between
CIP and CIIP in practice. Therefore, some groundwork in terms of definitions and
concepts is necessary; in addition, reading the policy papers for the definitions of
concepts that they provide reveals a lot about the state of the art of
CI(I)P and the topic more generally.
In an ideal world, strategies “guide the implementation of plans, programs,
campaigns, and other activities” [5]. They refer to a plan of action designed to achieve
a particular goal and should therefore be drafted before any policy action is taken.
Strategies can also be seen as a pattern, “a consistency of behavior over time”[6].
Optimally, a strategy sets direction and focuses effort and provides consistency by
sketching a path from a current state to a desired future end state. Therefore, strategic
thinking is always about thinking about the future.
In a less ideal world, strategies come in a variety of forms. Very often, setting future goals and defining steps to
get there are closely interwoven or not even separated at all. In a field as diverse as CI(I)P and as populated by so
many players inside and outside of government, it is almost entirely impossible to define in theory what a strategy is
and what it is not. Therefore, rather than just selecting documents that have the word “strategy” in the title, we drew
from a broader document base. Without any claim to comprehensiveness, we looked at publicly available
documents that contain a) definitions of CI(I)P and related concepts, b) the description of (protection) goals, c)
statements about an object to be protected, d) statements about the type of threat to which these objects are subject,
and e) the means by which these objects are to be protected. In short, we were mainly interested in statements about
a desired state of security of an identifiable object that is seen in need of protection from one or a variety of threats
as well as statements about the type of countermeasures to be taken; that is, we mainly focus on protection goals.
However, the constant and sometimes rapid advancement of existing policies shows that many countries are still in
the process of defining their own “CI(I)P identity”. What we are looking at are snapshots of a dynamic policy field
with fuzzy boundaries.

This chapter is structured as follows: First, we will analyze how CIIP is defined – or rather not defined – and show
that many countries focus not on CIIP but on cybersecurity. Second, we will identify and describe the definition of
protection goals on different levels. It will be shown that these strategies and policies differ considerably with regard
to the question of what should be protected from which threat. Cyberthreats are often only vaguely defined and it
remains unclear which is the most relevant threat to critical infrastructures. In order to understand the varying
approaches in the documents, it is necessary to distinguish between different cyberthreats and to analyze which
strategy focuses on which threat. Furthermore, the chapter looks at the proposed responses to cyberthreats. Even
though the policy and strategy papers on CIIP and cybersecurity differ with regard to the question of who threatens
what, they usually propose similar concepts to respond to cyber vulnerabilities. Common response strategies include
the formation of Public-Private Partnerships (PPPs); efforts to strengthen coordination between the different
agencies that are assuming tasks in the field of CIIP; campaigns to increase public awareness of cybersecurity; and
attempts to improve international collaboration. It will be briefly discussed how these protection and prevention
measures are defined and what the most relevant challenges are that need to be addressed in order to implement
them. Third, we will take a step away from the content and look at the process of how these strategic elements are
defined and then point out what an ideal strategy making process could look like.
