05.02.2012

MSC Booklet Paper: Cybersecurity

Security issues emanating from cyberspace and their potential impact on critical infrastructures, such as energy or telecommunications infrastructures, have been pushed upon the agenda of security policy-makers in recent years. The crucial importance – the criticality of these infrastructures – is due to their vital importance to national security and the functioning of the economy, which is underpinned by the potentially debilitating impact any incapacitation of these infrastructures would have on both sectors.

This debate’s relevance to the field of security policy has become most obvious in the discussions within NATO about the Alliance’s expansion of the traditional collective defense agreement to cover issues of cyber security and the protection of critical infrastructures. The particular dimension of these new security challenges is that they defy the well-established traditional patterns of defense experts’ thinking that is still set to revolve around conventional response patterns to particular threats and respective capabilities to address and meet them. Defense elites have to find answers on how to grapple with the diffuse spectrum of potential causes of disruptions and crises that may threaten infrastructures. The spectrum of dangers from computer attacks varies, ranging from disruptive to even destructive impact qualities. Threats are not necessarily direct and imminent but often unintended. The question is not even so much whether the effects on critical infrastructures are caused by actual attacks or by component failures or accidents; the question is, rather, whether it is necessary to ensure that software systems that control critical infrastructures satisfy the highest possible security standards.

Software-based control systems are inherently insecure, and security is not always the highest priority for such systems. In general, the dependency on information systems that are insecure but vital to the functioning of industrialized societies has greatly increased; the vulnerability of computers and networks is, de facto, an in-built systemic feature – this makes them vulnerable to a variety of risks ranging from the actual destruction of infrastructure to hacker attacks. In theory, cyber attacks that, for example, inactivate parts of an electricity infrastructure can just as easily be caused by private hackers or be part of a cyber war campaign orchestrated by state-based intelligence. Usually the perpetrators will remain unknown, as the Stuxnet example clearly illustrates.

Strengthening cyber security is dependent on both cross-sectoral and cross-governmental cooperation at all levels. Attackers and their motivations will have to be identified by the comprehensive analysis of incidents, if at all, which would then divert responsibility to intelligence and law enforcement, not the defense apparatus, making them the first line of defense. In addition to institutional cooperation in government, the protection of critical infrastructure requires intensive cross-sectoral cooperation between the state and the corporate sector, not least since vital aspects of these infrastructures are in private hands. The corporate sector has a key role to play in implementing protective measures that will have to be harmonized with frameworks set-up by public authorities. Both the private and public sector have to work hand-in-hand here. Governments therefore have to win the support of the corporate sector in order to enhance critical infrastructure protection. Thus, adequate protection efforts that fit the needs of strategically important infrastructure are dependent on private-public co-operation.

Prof. Dr. Anke Weidlich is a Fellow and Dr. Petra Beenken is an Associate at stiftung neue verantwortung, a Berlin-based think tank.