
NATO’s Critical Infrastructure Protection and Cyber Defence By Sr. Capt. Bart Smedts

Royal High Institute for Defence

Center for Security and Defence Studies

FOCUS PAPER 19

July 2010


Abstract

Risk analysis and critical infrastructure protection are key issues in a changing environment threatened by asymmetrical proliferation. Starting from the NATO framework, a comparison is drawn with some EU approaches in critical infrastructure protection policy. Synergies could lead to improvements for better cooperation and interoperability between EU and NATO operations. The corollary will lead to the reinforcement of homeland security, hence national approach in its present context is analyzed. Finally recommendations are formulated to reach an integrated approach between national and NATO institutions in relation to risk analysis and protection of our critical infrastructure.

The views expressed are only those of the author.

Keywords: NATO, Risk Analysis, CIP, CIIP, Synergy, Cyber Defence.

ABOUT THE AUTHOR

Bart Smedts is a Sr. Capt. of the Belgian Air Force. He is currently a fellow researcher at the Center for Security and Defence Studies of the Royal High Institute for Defence, where he is in charge of proliferation issues.

TABLE OF CONTENTS

Introduction

Methodology to obtain effective CIP

NATO-framework for Critical Infrastructure Protection (CIP)

NATO-framework for Critical Information Infrastructure Protection (CIIP)

Synergies between NATO and the EU?

Recommendations

Conclusion


INTRODUCTION

Since 9/11 we have witnessed disruptive conventional attacks in London, Madrid, Mumbai and Islamabad, among others. Emergency planning and critical infrastructure protection were at the forefront of all concerns. The shift of the Afghan conflict to an AfPak problem with threatened nuclear assets underlines the importance of proper risk assessment, an essential part of evaluating the resources to be deployed. The possible presence of sleeping Al Qaeda cells on European soil increases the possibility of terrorist attacks. The threat is therefore not always to be found outside existing borders but could also appear as “an enemy within”. Risk analysis can help determine what this means, what improvements should be made to existing plans, or what infrastructure should be better protected. Future threats will materialize in proliferation, international terrorism, unequal distribution of wealth, the spread of organized crime and pandemics. This type of threat undergoes additional pressure from globalization, whose direct consequences are growing energy demand, climate change, urbanization, demographic explosion and its sociological consequences, as well as the present economic crisis. Risk analysis and critical infrastructure protection are therefore key words in an environment of asymmetrical proliferation.

In the first part, the framework will be clearly defined by explaining the relevant definitions, since concepts like risk, threat and impact are often used interchangeably: this can result in unclear contextual documents which are useless. Once these foundations are laid out, the methodology for developing sound critical infrastructure protection planning can be detailed. The framework of NATO critical (information) infrastructure protection will be highlighted. Synergies between NATO and EU bodies or tasks will be underscored.

In the final part recommendations are made for national legislation in a supranational framework of procurement, communications security, and market regulation of private partners. Availability of information, a network of national CERT(s), and CIP and CIIP expeditionary capabilities will be addressed, as EU-NATO rationalization of networks contributes to a holistic approach of CIP/CIIP for coalition forces.

METHODOLOGY TO OBTAIN EFFECTIVE CIP

Notwithstanding the creation of new national security departments in the US, such as the Homeland Security Council (HSC) and the Department of Homeland Security (DHS), the situation has not really improved much since 9/11. Cooperation between actors in different departments is not yet clear, and command during an incident remains thoroughly ambiguous. This was illustrated once more by the attempted bombing of December 26th, 2009, when a Nigerian listed terrorist failed to ignite his explosive charge in the final phase of a transatlantic flight from Amsterdam to Detroit: in Europe his explosives were not detected and he was even allowed to board.

Today, we face new emerging threats. As exemplified in NATO’s Multiple Futures Project [1], sources of threat can be present in super-empowered individuals, extremist non-state actors, organized crime, rogue states, confrontational powers, and nature itself. The disaster caused by the earthquake in Haiti illustrates the latter and stresses the importance of international cooperation and organization in order to overcome devastating consequences and recover to normal life. Alongside a lack of concrete planning of all necessary means to obtain effective and working risk management, clear and undisputed definitions of threat, risk and impact are still missing: 9 years after the ravaging events in the US, these basic cornerstones of risk management are not yet clearly put in place, or at least not similarly understood by different member states in the EU or the Alliance. All kinds of reasons can be cited for this: one is undoubtedly the price tag attached to R&T of detection equipment and uniformity of procedures. It is still much more expensive to rely on disaster relief than to be able to fall back on proactive risk analysis and management. The methodology could deliver a blueprint for all incidents of interest to be handled in the future. Further, it could help to identify the capacities needed to counter a specific threat, where to put them in operation and how to get them integrated into an effective coordinated Emergency Plan with adequate command and control at the national and supranational level. A possible sequence of steps includes:

[1] Multiple Futures Project, Navigating towards 2030. NATO Allied Command Transformation. April 2009.

- Identification of critical infrastructure (CI): determining a catalog based on established international criteria and definitions. The current list does not meet those requirements. A cyber infrastructure is a vital part of CI: a review may offer new solutions for the outdated national list of criteria for example;

- Threat Analysis: proactive identification of CI elements could be integrated in a strategic document including trends to be expected in the future. Adequate information analysis from intelligence resources is required at this point;

- Vulnerability Analysis: determining the impact of an incident on CI, taking into account the sensitivity of the existing facilities for a list of possible occurring incidents;

- Risk: One should mention here that a catalog of existing risks can be compiled a priori. According to the definitions, this catalog should distinguish each potential risk by its possible cause, nature, target and type of impact. Different models can be applied for risk classification in order to obtain priority listings. It is however crucial to understand that the obtained priorities are snapshot results and should be considered in dynamic evolution: depending on the identified trends and threats, previous priorities should be reassessed. Asymmetric proliferation will also adapt to the countermeasures that were put in place: an imminent or ongoing cyber attack could be the forerunner of an imminent conventional or CBRN threat. Moreover, it has to be understood that different critical domains are interdependent. Hence, a single incident can cause disruption in different domains of our society due to cascade effects, which are not often considered in risk assessments;

- Capture or review of actions under the CIP and CIIP. As it is obvious that Information Infrastructure is part of the CI, specific measures must also be developed in the context of CIIP. One must acknowledge that CIIP should be realized in a comprehensive approach with regard to CIP.

A large set of risk conditions were identified in the Multiple Futures Project. Amongst these are failed states, increasing ethnic tension, and challenge of conflicting values and world views. The associated security implications can be found in an asymmetric security environment, disruption of vital resource flows, negative impact on economy, exploitation of communication systems, and the issue of the right or obligation to intervene.

With the definitions laid out and the risks identified, the adequate measures which could lead to the protection of critical infrastructure can be defined as follows:

- Provide means for preventive action including exercise and training (prevention, training and exercise);

- Provide immediate response to early signals (mitigating);

- Provide the capacity for rapid detection of an ongoing incident (detection and early warning);

- Cope with the consequences during the incident and display resilience competence (respond);

- Recovery to normal as soon as possible (recovery);

- Learning lessons from the events and feed-back to appropriate actors (lessons learned).

As definitions are agreed upon, work becomes easier. At least we can expect inconsistencies and discrepancies to be eliminated from policies and doctrines. That is why the present situation regarding CIP and CIIP was further considered in detail: possible synergy between NATO and the EU way of thinking could improve operational readiness as we gain insights from the identified security implications: the blurring image of threat will increase the difficulty to identify what constitutes an attack on the Alliance or its partners. It may therefore become necessary to act outside NATO’s traditional areas of engagement as exemplified in the AfPak conflict. In this respect improved communication with international partners and populations will give an added value to resilience policy. The technological evolution, together with the opponents' strategy will increase the need for a permanent review of policy, organization, operating concepts, capabilities and future force and command structure.

NATO-FRAMEWORK FOR CRITICAL INFRASTRUCTURE PROTECTION (CIP)

The role for the military to play in civil protection is usually supportive (besides a few exceptions where national preventive forces are deployed after the activation of a state of alert). The five scenarios in which NATO is supposed to play a role are [2]:

- Supporting Alliance military operations under Article 5;

- Supporting non-Article 5 crisis response operations;

- Supporting national authorities in civil emergencies;

- Supporting national authorities in the protection of their populations against the effects of WMD;

- Co-operation with Partners in the field of Civil Emergency Planning.

[2] For an exhaustive description of NATO’s role in emergency planning consult NATO Handbook, Public Diplomacy Division, Brussels, 2006, pp.297-302.

In order to ensure a coordinated approach for Civil Emergency Planning (CEP), the key role was assigned to the Senior Civil Emergency Planning Committee (SCEPC), reporting directly to the North Atlantic Council (NAC). CEP is an important activity in the foresight of disaster relief and is aimed at coordinating national resources. In the context of natural and man-made disasters, agreements enshrine NATO's role in the emergency setting. As an example, the "NATO Policy on Disaster Assistance in Peace Time" of May 9, 1995 and the statement "Enhanced Practical Cooperation in the field of Disaster Relief" of May 29, 1998 can be mentioned. In addition, NATO’s Strategic Concept of 1999 acknowledges major disaster as a source for security and stability concerns. In the aftermath of the attacks of September 11, 2001, the NATO Prague summit [3] initiated the "Civil Emergency Action Plan": a list of all available national resources was proposed, drawing the framework for assistance. In addition, exercises are planned to test and possibly improve interoperability. At the same time, the "Partnership Action Plan against Terrorism" was released. In April 2005 SCEPC adopted an adapted action plan in order to cover the efforts during and after CBRN terrorist attacks [4]. The plan focuses on the protection of critical infrastructure (CI) and assistance to victims.

The operational NATO bodies activated during the response phase of disaster response are the Euro-Atlantic Disaster Response Coordination Center (EADRCC) and the Euro-Atlantic Disaster Response Unit (EADRU), both founded at the NATO headquarters (Brussels) in June 1998. EADRCC is essentially a coordinating body for the collection of information and assistance, while EADRU is a multinational crucible of soldiers and civilians made available by NATO in emergency cases attributed to natural disasters or terrorist attacks. The main responsibilities are focused on the coordination of national resources and the centralization of information.

[3] 21-22 November, 2002.

[4] Updated Action plan for the Improvement of Civil Preparedness for possible CBRN terrorist attacks.

Military operations often rely on CIP and CIIP: therefore civilian resources should in return also support military operations. One example can be found in the committees of SCEPC for the identification of available transport for the benefit of military operations. CIP and CIIP are thus crucial for the Alliance and are an essential aspect of all NATO missions.

After the attacks of 9/11, the preparedness of Member States in areas of CIP (planning and infrastructure listings) was examined. The result was a Concept Paper on CIP, prepared by SCEPC. Key objectives are summarized in the exchange of information between stakeholders, assistance and development of training and education programs contributing to the identification of CI, determining research to support CIP and assistance during exercises. The "Planning Boards and Committees" (PB&Cs) of the SCEPC have started the necessary studies: national experts from government and industry, as well as military representatives, are coordinating planning in eight technical domains: civil air transport, civil protection, food safety, industrial production and logistics, domestic surface transportation, medical affairs, shipping and finally civil electronic communications.

In addition to CEP, the Heads of State and Government decided in 2004 to focus on technological development for the protection of military assets and forces. CIP is one of the eleven priorities of the "Program of Work" as part of the defense against terrorism program (Defense Against Terrorism Program of Work). In 2005, Belgium proposed to add specific CIP related issues to the program. Through this initiative, Belgium became the pilot for CIP related issues: military knowledge, technology and capacity will be used to protect strategic sites and the territorial assets of Allies (such as airports, nuclear plants, communications etc.). The Belcoast exercise was aimed at bringing together civilian stakeholders and military personnel to reflect on the possible technological outcomes.

NATO-FRAMEWORK FOR CRITICAL INFORMATION INFRASTRUCTURE PROTECTION (CIIP)

Since the NATO Balkan operations, Distributed Denial of Service (DDoS) attacks have regularly been experienced on the networks of the Alliance. As a result, a number of cyber defense tasks were developed and attributed to specific agencies within the NATO structure. Although the NATO Command Consultation and Control (NC3)-organization reports to the Military Committee, we have to mention that the NC3 Board reports to the NAC. The allocation of responsibilities has grown, along with the activities of NATO: during the NATO Prague summit it was decided to launch a technical NATO Cyber Defense program with a Computer Incident Response Capability (NCIRC) [5]. The coordination of this capability is handled at the NATO headquarters in Brussels, while the technical center is located in Mons. During the months of April and May 2007, Estonia was harassed by DDoS-type cyber attacks. The impact on Estonian society was so deep that Estonia proposed to set up a centre of expertise to promote cooperation and training between the NATO countries and to implement legislation for better resilience: the Cooperative Cyber Defense Center of Excellence (CCD CoE Tallinn) was created, with the NATO policy on cyber defense as its clear framework. Besides the CCD CoE (operational since April 2008), a Cyber Defense Management Authority (CDMA) [6] was created (operational since April 2008, accredited since October 2008). Unlike the CCD CoE, which constitutes an intellectual platform and forum, the CDMA embodies the operational capacity responsible for the initiation and coordination of immediate and effective cyber defense action where needed. In practice, this authority is responsible for the tasking of the aforementioned NCIRC, organically dependent on the NATO Communications and Information Systems Services Agency (NCSA).

[5] MCM-064-02 dated July 2nd, 2002 (annex AC/322-D/0056).

[6] NC3 Board on NATO Cyber Defence Management Authority AC/322-D(2008)0012-AS1 dated March 13, 2008.

The NAC controls both cyber defense policy and activity. In January 2008, the cyber defense policy was adopted [7]. The NATO Consultation, Command and Control Agency (NC3A) and the NATO Military Committee (MC) have the responsibility to implement it [8]: to this purpose a working concept was developed [9]. NCIRC will take appropriate action in case of confirmed attack. Monthly reports are published by NCIRC, describing observed cyber incidents or attacks on the NATO-network in the form of an incident report. The terms of the adopted policy are classified, but one should expect that the tasks of the CCD CoE listed below are in full compliance with the established policy [10]:

- Providing cyber-related doctrines and concepts;

- Hosting and conducting training workshops, courses, and exercises for NATO member states;

- Conducting research and development activities;

- Studying past or ongoing attacks to draw up lessons learned;

- Providing advice, if asked, during ongoing attacks.

[7] C/M(2007)0120 dated December 20, 2007.

[8] NATO Cyber Defence Concept MC0571 dated February 21, 2008.

[9] CDMA Concept of Operations AC/322-D(2008)0042-Rev 1 dated December 18, 2008.

[10] NATO and Cyber Defence (027 DSCFC 09 E), NATO Parliamentary Assembly, 2009 Spring Session, p.6.

NATO has also developed the capacity to protect its communications systems under the umbrella of the NATO Communications and Information Systems Services Agency (NCSA). The tasks of the agency can be grouped into four priorities [11]:

- Priority 1: CIS support to NATO operations;

- Priority 2: CIS support to NATO exercises;

- Priority 3: CIS support to NATO’s major headquarters;

- Priority 4: Support for new CIS systems and projects.

NCSA comprises a headquarters staff co-located with Allied Command Operations at the Supreme Headquarters Allied Powers Europe (SHAPE) in Mons, Belgium. The staff coordinates the work of the Agency by working closely with the political authorities of NATO and with various bodies within NATO’s military command structure. The staff also provides advice to ensure the efficient and effective use of NATO’s CIS resources.

Under the Civil Emergency Planning (CEP) umbrella, dialogue and cooperation in the context of CIIP is encouraged through the Civil Communications Planning Committee (CCPC). This committee, which depends on SCEPC, is empowered to make recommendations to national authorities in order to meet the requirements for CIS, postal and other services during an emergency. CCPC can be said to be responsible for communications planning in case of civil emergency within NATO [12]. This applies to both military and non-military users. In addition, a contribution to the Action Plan on NATO Cyber Defense, primarily for NATO support in Civil Emergency Planning, was provided.

[11] http://www.ncsa.nato.int

With regard to cyber attacks, it should be stated that such an incident falls under Art. 4 of the Washington Treaty, which states that [13]:

“The Parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence or security of any of the Parties is threatened”.

In contrast with Art. 5 which states that:

“The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all.…”

One can now argue about compromised operability if, in the process of determining that an attack is taking place on a NATO country, "consultation" is required. Obvious forms of aggression against vital infrastructure and information infrastructure tolerate no waste of time. It is not an easy task to determine whether a cyber attack falls under the conditions detailed in Art. 4 or Art. 5 of the Washington Treaty. In the Estonia case, the evidence could not establish the origin of the attacks beyond reasonable doubt. Before the NATO Bucharest Summit, Secretary-General Jaap de Hoop Scheffer specified that no aggressive attitude could be adopted in relation to cyber defense and assumed that actions within this domain would fall within the terms of Art. 4. In this respect, clear agreements are required to shape definitions such as "hostile act" and "hostile intent" in the cyber environment. Consequently, the Rules of Engagement (ROEs) of the NATO response capacity should be clearly defined.

[12] The Draft CCPC compendium dated November 7, 2005 explains the evolution of definitions, as for example civil communication evolved due to convergence of telecommunications, media and information technology. As explained in EAPC(CCPC)WP(2003)2, civil communication encompasses civil networks and services as well as postal services.

[13] The North Atlantic Treaty, NATO Public Diplomacy Division, Brussels.

One of the elements that require special attention is NATO’s capacity in support of its Member States. An essential part of the capacity of the Alliance is a network of national CERTs. NATO therefore considers cyber defense a national responsibility. Though almost 250 CERTs are operational worldwide, some NATO countries are lagging behind in the development of this capacity [14]: national CERTs, responsible for the exchange of information and capacity during an attack, are essential for a coordinated response.

A particular aspect not yet addressed in the context of technological applications is the C4ISR [15] issue: although it is critical in operational field applications, there is no formal NATO definition covering the acronym. However, there are clearly defined requirements for air and ground forces, both for the provision of "situation awareness" and for the selection and destruction of targets. To protect networks and increase the interoperability of forces, a "Roadmap for C4ISR Air" was compiled in 2007, aiming at the 2017 horizon [16]. In the document, C4ISR was defined as follows [17]:

“The provision of information and intelligence to commanders that enables decision superiority necessary to execute the Commander’s Intent, along with the appropriate level of situational awareness, to the point of achieving the desired effect”.

[14] Belgium created a national CERT in September 2009 alongside a military capacity.

[15] Command, Control, Communications, Computers, Intelligence, Surveillance, Target Acquisition and Reconnaissance.

[16] The Joint Air Power Competence Centre (JAPCC) Roadmap for Air C4ISR in NATO, version 1.0, Nov 2007.

[17] Op.cit., p.3.

With the deficiencies identified, the recommendations made in the document read as follows [18]:

“Comprehensive governance, force development, alignment to the NNEC principles, sound programme management, improved information management and better concept development and experimentation.”

Especially the emphasis on comprehensive governance underscores the importance of the needs of the users, to meet operational requirements of interdependence, interoperability and integration, and to monitor particularly the capabilities of new Member States. We can only conclude that the operational management of ICT and derived systems is no easy task in practice. NATO should therefore be vigilant to maintain the operational capability of the Alliance: it should not be split in a group of top players and less capable Member States. In the long term, NATO requirements have also focused on "cyber warfare", whatever the interpretation of this term may get in the future.

SYNERGIES BETWEEN NATO AND THE EU?

Communication between the EU and NATO does not always seem to run smoothly. During his farewell speech in The Hague, Jaap De Hoop Scheffer, NATO’s Secretary-General, called the poor relationship between the EU and NATO “one of my greater frustrations”. Political leaders pay too little attention to the fact that this relationship does not work, he announced [19]. This is a hurdle to be overcome, both internally and externally, before one can argue about synergy at all.

[18] Op.cit., p.36.

[19] De Hoop Scheffer: « NAVO moet ingrijpen » in Het Parool, Amsterdam, July 7, 2009.

Interoperability is also a critical issue for coordination between NATO and the EU. This applies not only to operational deployment (for example during emergency planning) but also to the field of cyber defense: both NATO and the EU are assisted by the Member States. Knowing that information networks are interconnected and the interests of private and public sectors entangled, cooperation between sectors and institutions will be crucial to build a robust information infrastructure. We have already mentioned the EU's support to the creation of a national network of CERTs in accordance with the position of NATO (NATO calls for a global network to be achieved by 2010). The NATO-CERT that acts as a coordinating body during the operations of the Alliance is embodied by NCIRC: it will however lose operational power if not all countries participate in the effort to create a national CERT. Although such a responsibility should be left to the Member States, it is to be underscored that only a "global" approach can create successful cyber defence. One possibility to test the present status of resilience consists in the organization of exercises, both nationally and internationally. We observe the U.S. to be one step ahead in comparison to both NATO and the EU: in 2006 a major exercise was conducted (Cyber Storm I) to test resistance to attacks and existing procedures. Besides the U.S., Great Britain, Canada, Australia and New Zealand took part. The 2008 version of the exercise (Cyber Storm II [20]) assumed that the enemy could penetrate any network. Scenarios ranged from extensive degradation of the Internet to attacks on SCADA systems [21]. The exercise also demonstrated the interdependence of critical infrastructure and critical information infrastructure.

[20] Cyber Storm II. National Cyber Security Exercise: Final Report. Australian Government, Attorney-General's Department, Security and Critical Infrastructure Division, August 2008.

[21] Enhanced resilience against cyber attacks on SCADA systems is underscored in COM(2009) 273 final, Annex 1 to EU CBRN Action Plan (action C.9 of goal 2: enhance the security of high risk CBRN materials and facilities, chemical).


The eEurope 2005 Action Plan observed that fragmentation of ICT capacity between countries occurs [22]: to close this gap it could be possible to distribute the tasks between NATO and the EU. Some actions partially carried out by the EU could better fit in the coordinated action plan of NATO (possibly as part of CCPC tasking). The security problem of the EU encompasses the takings in the framework of NATO Civil Emergency Planning, hence improved cooperation and coordination on security matters of national networks by supranational bodies is recommended.

In a context of CEP, we may argue that parallel structures in NATO and the EU could improve coordination: this could help avoid inconsistent and duplicated responsibilities. One illustration of this is the similarity between the MIC (EU) and the EADRCC (NATO). Various bodies could organize their tasking together in overlapping CI(I)P sub-domains. Police and judicial cooperation from the EU could be an improvement to the Alliance: it is essential for a proactive approach to the terrorism (CBRN) threat with impact on CI. The EPCIP program points to the same conclusion. Regarding ICT security, NATO is more advanced than the EU, because of its military experience. A large part of NATO's ICT capacity to support CEP is aimed at the deployment of civil means. Cooperation would benefit productivity: optimizing the deployment of resources in time and space can also be applied here. New structures should not be created when existing agencies can do the work, possibly in a cooperative relation. For example, the heavy commitment of resources in long-distance projection could be a task dedicated to NATO, while supply of resources between neighboring countries could be assigned within the EU.

Coordination of action for the protection of Critical Energy Infrastructure (CEI) would improve the effectiveness of both organizations. Although energy constitutes one of the sectors supported by the EPCIP program, the EU's definition of terms relating to CEI differs from NATO's [23]: the NATO report does not only cover accidents or natural disasters, but also deliberate attack on Critical Energy Infrastructure. According to the report, the nature of criticality is determined by the impact of the damage to infrastructure and other dependent site infrastructure, services and industry: vulnerability is reduced to the physical, human and IT aspects. In that respect, NATO also underscores the importance of the dependence of systems! In addition, the Alliance, unlike the EU [24], stresses the importance not only of its own infrastructure but also of the infrastructure outside the territory ensuring the energy supply to the Alliance (such as ports, transport routes, pipelines, terminals and the interconnection between electricity grids). Inside the EU different national approaches can be identified. The supranational approach can provide a better (overall) understanding of the problem to ensure synergy between EU and NATO efforts. If the EU places more emphasis on the protection of national infrastructure (and the coordination of national approaches), NATO could focus more on the protection of external infrastructure (through projection and intervention capacity). Moreover, collaboration between EU and NATO could improve resilience by diversification of tasking. This will inhibit duplication or dilution of deployable resources. Solutions can also be found in diversification of energy resources. Moreover, we could already pay attention to the physical protection of alternative energy resources and their infrastructure.

[22] Preparing Europe’s digital future. i2010 Mid-Term Review. European Commission, April 2008, p.18.

In view of these different approaches, increased CIIP cooperation and training between EU and NATO could improve existing synergy. Cooperation between ENISA and the CCD CoE, for example, could lead to successful results. We have to admit, however, that in reality there are no formal exchanges between the EU and NATO: while the two organizations could be aware of each other's activities, there is no formal contact outside the NATO Capabilities Group. Yet it might have been expected, for the sake of early warning enhancement, that CDMA and CCD CoE should be exchanging information or working actively together to avoid duplication. The problem can be explained by the decision making process within the EU: on the basis of all decisions regarding CI(I)P, the national level is very reluctant to release sensitive information, let alone to rely on the supranational level. Worse, it is often not yet decided whether a CERT responsibility would be given to the military, a public service, an academic institution, a police department, or other private partners. Severe internal competition is at the source of the discussion: at EU level, it explains why so few CERTs are reflected in the EGC forum. The United Kingdom has circumvented the problem by including two CERTs in the organization: an intervention unit of the army exists alongside a national CERT. It remains a political decision to decentralize resources, let alone denationalize them to be supervised under a supranational authority. In a purely military context with an integrated NATO command this is feasible, but in the EU, which shares CI(I)P domains with different directorates spread over the three pillars, this still appears problematic. A consistent approach to definitions related to CI(I)P as compared to CNO would also benefit the collaboration in both organizations.

[23] Energy security: Co-operating to Enhance the Protection of Critical Energy Infrastructures (157 CDS 08 E rev 1), NATO Parliamentary Assembly, 2008 Annual Session. The report underscores that physical attack demands a different response than politically motivated disruption of energy resources.

[24] The existence of external connections is not denied, but the organization of defence is fostered in sectoral agreements.

The ultimate goal to reach in a synergetic approach of the protection of CI is laid out in the aforementioned methodology: prevention, training and exercise, mitigation, detection and early warning, response, recovery and exploitation of lessons learned.


RECOMMENDATIONS

Looking back at the introductory Multiple Futures Project, recommendations from Allied Command Transformation are: adaptation to demands of hybrid threats; operating with others and building institutions; conflict prevention, resolution and consequence management; counter proliferation; expeditionary and combat capability in austere environments; strategic communications and winning the battle of the narrative; organizational and force development issues. Some of these recommendations fall in the scope of the approach explained in this paper concerning the rationalization of CIP/CIIP. We may find that their implementation will very much rely on the existence of a long term vision, call it a strategic plan or a concept: in order to cope with the threats emerging from new trends, nations and international bodies have to establish the framework within which the policies will lead to tangible results. The search for synergies has demonstrated that a lot of work remains to be done to settle adapted and complementary tasking issues between EU and NATO. Interoperability should therefore be pursued, between EU and NATO but also with UN partners. The observation that ICT capacity is fragmented should lead to enhanced cooperation for a holistic and integrated approach of prevention, training and exercise, mitigation, detection and early warning, response, recovery and exploitation of lessons learned. Special attention will be required for cooperation in the security of critical energy infrastructure, for which NATO and the EU have different approaches.

In a context of credit crunch and war efforts in many places of the world, it will be difficult to establish priorities. However, reduced efforts in the field of tactical and strategic security on our own territory, based on budgetary considerations, are a dangerous choice to make: security is an essential part of society whether we need to ensure it several thousand kilometers from here or in the capital of Europe. Quoting A.F. RASMUSSEN, the secretary-general of NATO, "All governments should be aware of the long-term impact of too deep cuts in defence budgets because we know from experience that economic growth is very much dependent on a secure international environment.… We know that instability and insecurity hamper economic growth. So if we make too deep cuts in defence budgets it might have a long-term negative impact on economic growth." [25] The loss of service in any field whatsoever will compromise the essential foundations of our society: an immediate impact on our daily lives is not excluded. We conclude that protecting our national critical infrastructure against asymmetric threat in a climate of credit crunch needs coordination and rationalization: the task of a supranational body may be even more burdensome. Therefore NATO capabilities will be put to the test in the aforementioned areas, for partners of the Alliance will have difficulty accepting efforts to be made in Afghanistan while national services and security are at stake. The ratification of the Lisbon Treaty and the new Administration in the U.S. create a new opportunity to work in the right direction to implement new strategies and optimize cooperation in these fields.

Therefore, new equipment should be submitted to internationally agreed certification standards in order to ensure interoperability and national compatibility. This implies that operators themselves, whether at NATO or national level, should obtain security clearances before accessing sensitive information and infrastructure. We already mentioned the urgent need to rationalize early warning systems and communications between the different EU pillars and NATO. This is a critical item in view of direct communication with the EU Military Staff and NATO’s headquarters: military information networks and communications cannot be isolated and should therefore be resilient to cyber attacks. Expeditionary forces are relying more and more on network enabled information exchange. Protection of CI(I) is crucial for the successful completion of the missions. This is one more reason to protect the information flow in order to rely on exact information. Interoperability should therefore be a priority for EU operations, in cooperation with NATO operations or UN peacekeeping. Especially at the level of the UN a lot remains to be done in the field of interoperability.

[25] Haynes, Deborah. “Don’t cut your defence budget too deeply, Nato chief warns Britain.” The Sunday Times, May 27, 2010.

An international body at EU level, coordinating the emerging threats and risks for the benefit of the Member States, could improve resilience on CIP and CIIP issues. Furthermore, it could benefit from national analyses for direct exploitation and dissemination in order to coordinate international help and prepare to restrict the effects of cross-border consequences of natural or man-made disasters. The Christmas bombing attempt on the transatlantic flight to Detroit illustrates that security demands everlasting effort and optimal coordination. A European Department of Homeland Security could perform this task when manned by different security experts (police, customs, military, civilian security, cyber experts, intelligence agencies, etc.). Such a body could also be empowered for the protection of critical energy infrastructure and the protection of supply of resources. The difference in policy between NATO and EU should therefore be revised to enable coordinated action in case of disruption. Besides differences in policy, definitions should be standardized in view of compatibility of Rules of Engagement. Definitions and policy should therefore encompass the rationale of CI(I)P cascade effect consequences. A holistic approach to all CI(I)P related issues should therefore be based on thorough R&T efforts with tangible return on investment: application in military operations and in daily life.

A long term vision at national level is the cornerstone for the targeted ambitions. This also applies to the EU: as NATO's strategic concept is subject to revision, the EU should also work towards a strategic vision that fits into a complementary framework of cooperation, with clear agreements on respective responsibilities, without duplication of duties and with continuous engagement for optimal interoperability. Duplication of efforts and dilution of resources can therefore be avoided. Pooling of capacity is one of the possible avenues. Once the strategic vision of NATO is laid out, the implications for its partners and the EU will urgently be needed.

CONCLUSION

In the medium to long term we will see new emerging trends. Asymmetric threats can potentially lead to "strategic shocks", events that have a disruptive nature on the proper functioning of society. From these new trends, the definitions allow for proper risk assessment in a specific context of asymmetric threats. From this general approach, a method can be followed for decision making and policy support: examples show that many pitfalls inhibit proper conclusion. Following the outline of the applicable definitions regarding concepts such as risk, threat and impact, and the chosen methodology, both at national and supranational level, adjustments should be imposed on definitions and methods: the interpretation of the CI(I)P concept has a different meaning in different institutions, which has consequences for the identification of critical infrastructure, let alone the employability of the measures that would be provided for their protection.

As opportunities for synergies between the EU and NATO were examined, a defect appears to exist in the definitions, information exchange, capabilities and objectives of the two organizations. NATO’s revised strategic concept will take into account new trends materializing in emerging asymmetrical threat. Therefore CIP and CIIP will remain on the agenda. Energy security is one of these examples, but even for this issue, the EU and NATO have divergent views and interpretations.

A comprehensive policy, regardless of the executive level, will have to establish the framework within which tangible results can be obtained. Therefore legislation must go beyond vague texts or listings of available means. Infrastructure, the information network and related R&T need permanent rational innovation and security: these services strengthen the confidence of the public vis-à-vis the national institutions. The disruption of services or infrastructure would have a serious psychological impact on the population in addition to the physical dismantling of society. The cooperation of EU and NATO capabilities and procedures would be a great opportunity for all national partners, both public services and private companies. Particular attention should be given to certification of personnel and equipment, both for the protection of critical infrastructure in homeland security and for expeditionary forces. Military operations abroad are equally dependent on critical infrastructure, although other means of protection are used: preservation of supply and communication lines is essential to the success of operations for expeditionary forces.

The disruptive consequences of the earthquake in Haiti as well as the oil spill in the Gulf of Mexico demonstrate the need for coordinated efforts in Civil Emergency Planning and CI(I)P resilience alike. Therefore, additional efforts will be needed for proper coordination of EU and NATO resources and procedures. The Copenhagen Climate Conference (December 2009) demonstrated that hitherto neither the EU nor the UN has a role to play in global governance. However, CI(I)P issues also have security implications. Therefore the optimization of security of our society remains essential and duplication of resources with NATO assets should be avoided.


The Royal High Institute for Defence (RHID)

The aim of the RHID is to provide analysis on international trends in various fields such as political, military, technological, socio-economic and ideological issues. The RHID has the objective to become a think tank and a center of excellence in security and strategy.

Contact

Royal High Institute for Defence
Renaissance Av. 30
1000 Brussels
Website: http://www.mil.be/rdc
Phone: +3227426995

Access

Our offices are situated in the center of Brussels, near the Jubilee Park and the European institutions.

Subway: lines 1A and 1B (stations “Schuman” or “Merode”)

Bus (STIB) : line 63 (bus stop “Gueux”) – line 61 (bus stop “de Jamblinne de Meux”)
