Why defining and securing systemically important critical infrastructure is so vital

Government efforts to engage in critical infrastructure protection are hardly new. In the United States, the first efforts were codified all the way back in 1998 in the Presidential Decision Directive 63, which reads:

“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.”

This mission seems clear: to set up comprehensive public-private cooperation models that help assure the provision of essential services to the government, the economy and the public.

In the US, the governmental programmes in this regard have led to a huge increase in cybersecurity spending just in the entities directly affected – over $105 billion in 2021 alone, according to one estimate.

However, despite well over two decades of experience, getting critical infrastructure protection right still seems to be a challenge. The recent Colonial Pipeline attack paralysed the gas supply on the east coast of the US. Similar impacts were witnessed as a result of the Amsterdam-Rotterdam-Antwerp attack in February 2022, and the Florida water plant incident in February 2021.

While full-scale outages in the electricity sector have yet been relatively contained, for instance the 2015 power grid hack in Ukraine, several cyber powers have reportedly prepositioned malware in each other`s power grids.

It is far from clear if critical infrastructure protection programmes would be sufficient in dealing with the effects of such a worst-case act – one that could even rise to the level of an actual cyberwar if committed by states.

The wide-scale and prolonged failure of critical infrastructure is sometimes considered the worst-case outcome of a political conflict – exactly what we would do as a society if the power fails for days, let alone weeks, is a matter of widespread speculation.

But the concern is not only one of overexcited journalists or filmmakers. For the Global Cybersecurity Outlook 2022 report, the World Economic Forum surveyed 120 senior cyber leaders to understand their concerns, both for their enterprises but also for themselves personally. When asked what they worried about personally, infrastructure breakdown due to a cyberattack emerged as the number one concern, substantially ahead of identity theft.

Over the last 20 years, virtually all Organisation for Economic Co-operation and Development governments have experimented with various carrots and sticks to increase private sector collaboration.

More recent discussion in Europe and the US has concentrated on the “sticks” – in particular, new legal requirements by governments that operators of critical infrastructure must report serious breaches in their networks.

These regulations – like the EU Cybersecurity Act and the very recent US Cyber Incident reporting for Critical Infrastructure act of 2022 – were seen as relatively low-cost options and were supposed to incentivize private companies to invest more in security.

But it didn’t answer the question that is really on many critical infrastructure operators’ minds – more security and operational resilience would be great, but who was going to pay for it?

A significant challenge of critical infrastructure protection programmes is simply that the societal needs are not the same as many industry needs. For instance, the emergency services in many countries depend on the same mobile phone infrastructure as everyone else.

Cellular base stations are critical, but only few have standby generators in case of a wide scale power blackout, and only for a day or two at most. The government can (and sometimes does) force these companies to build more redundancy into these networks, but overall telecom companies work under tight profit margins making investors wary of any additional burdens.

And while government might also just purchase, subsidize or otherwise reward the purchase of such equipment, there may remain a legal question: if such subsidies were to apply to all critical infrastructures – and in the US these are likely to be many thousands of companies – would it not represent a major anti-competitive act, especially where being “critical” was hardly an exceptional situation anymore?

The solution to this conundrum is an entire new type of critical infrastructure, which potentially may even result in an entire new type of corporation: the “systemically important critical infrastructure”.

The concept of systemically important critical infrastructure was floated in the US Cyberspace Solarium Commission’s 2020 report as “the entities, responsible for the most important critical systems and assets in the US, that would be granted special assistance from the federal government as well as assume increased responsibility for additional security and information security requirements that are vital to their unique status and importance”.

In other words, it encompasses only the “critical of the critical” enterprises – those like power and telecoms that are needed to make the others run.

In the US there is a clear move to adopting the concept wholesale, and the legislation pushed forward might represent the start of a very new idea of critical infrastructure. However, the exact deliberations of what may constitute systemically important critical infrastructure and how it can be enacted are still very much at the start.

In addition to collaboration between governments and critical infrastructure organizations, there is a need to establish improved cost-sharing models and co-regulatory models that ensure resilience of the basic underpinnings of daily life.

A new legal category of ‘systemically important’ infrastructure may provide government with the ability to unlock new funding mechanisms that were previously unavailable. This is clearly needed for some infrastructure, whereas as mentioned previously, the sums needed to ensure business continuity and disaster recovery at the level that society may need clearly exceeds the budgets the operators can spend on this.

Beyond even capital expenditure-related measures, it could even include operational expenditure-related issues – such as the costs associated with maintaining sufficiently large cybersecurity organizations and similarly to deal with the threats at hand. The concept opens the door for creative thinking.

The new concept of systemically important critical infrastructure organizations may be the best way to cut the Gordian knot that has bedevilled public-private cooperation in critical infrastructure for decades: how to properly share the cost burden of modern societies’ reliance on certain life-essential industries. Getting this right will be a huge step in the Fourth Industrial Revolution.