Protection of Critical Infrastructure in Cyber Space
Introduction
Cyber War (CW) is a new and serious form of threat for states whose infrastructure is based on modern information and communication technologies (ICT). It is therefore indispensable to analyze vital infrastructures with regard to potential threats to them and to develop strategic security concepts as well as measures against possible attacks [1].
Vulnerable Information Society
The functioning of strategically relevant infrastructures that maintain vital societal functions is critical for the state as a whole. Disruption or destruction of these infrastructures has serious consequences for the health, security, or economic and social well-being of the population as well as for the effective functioning of national installations.
Our “industrial society” is on the way to becoming an “information society”. It (still) depends on industrial production but has, meanwhile, become considerably dependent on functioning information and communication flows. With that, it has also become vulnerable to any disruption of these flows. The information society’s increasing dependence on information and communication systems on the one hand, and the vulnerability of these systems on the other, create weak points which can be intentionally exploited to weaken or even destroy an information society or parts thereof.
A massive attack against the ICT systems of a state or a society may, under certain circumstances, have the same consequences as an attack against the industrial basis itself.
The Threat Potential of Cyber War [2]
Cyber War (CW) is “the intentional impairment of enemy information, information systems and information-supported processes, in order to gain information superiority in the theater, area of operation or on the battlefield, with the ultimate goal of enforcing own politico-strategic, military-strategic, operational or tactical goals, by avoiding or supplementing the use of traditional military means”. Likely targets of CW attacks are the basic values — availability, confidentiality, and integrity — of the strategic ICT-based infrastructures of a state.
Due to the worldwide web, an attack can be launched from any place on earth. This makes it considerably harder to trace an attack and to identify it as an external threat. The low cost of carrying out an attack widens the range of potential perpetrators: not only states but also terrorist groups and even individual persons can be attackers. Accordingly, attacks against ICT will have to be rated either as an “armed attack” in the sense of Article 51 of the UN Charter or as a political or general “criminal act”. The motives can be political, ideological, religious, ethnic as well as economic, anarchic or merely personal. All in all, one can imagine a broad spectrum of attackers or perpetrators and their motives.
Useful means for carrying out attacks are botnets, malicious and damage-inflicting software, the introduction of faulty hardware, and methods to disrupt or paralyze the ICT. Advantages for the attacker are the inexpensive means, the small probability of being discovered, and independence of time and place. The preparation of an attack is difficult, if not impossible, to notice. The targets can be hit within a very short period of time and, with a view to possibly intended subsequent use, the extent of physical damage to the targets can be limited.
In addition, the common means and methods of an electronic attack can be employed simultaneously with physical attacks against critical ICT structures (e.g. incendiary attacks, bombs, EMP, microwave and laser technology).
The concrete extent of the damage that could potentially be caused can only be assessed after a detailed analysis [3], since in particular the extent of the networking and the respective dependencies between the strategic ICT resources are not sufficiently known.
Targets of partly coordinated attacks in the past were the networks of the government, governmental offices, political parties, and banks. A cyber war scenario would emerge if additional attacks were launched against energy supply installations (especially electricity supply), the centers of telecommunication providers, the instruments of internal and external security (i.e. the police and the military), and television and radio stations.
Coordinated attacks, probably combined with traditional methods, could paralyze a country not only for hours but for weeks. If embedded in a holistic offensive strategy, political interests could be enforced. All technically highly advanced states therefore have to take strategic and operational precautions to protect themselves against such potential threats.
Already today, CW presents a substantial sub-conventional risk for national security. Potentially affected government agencies and business enterprises have to provide for their own protection. Criminal acts are to be legally prosecuted. The type and extent of criminal acts could overwhelm governmental security installations and require special capabilities and forces. In many countries, defense against attacks on national security from outside using CW means has consequently become a new task of military national defense.
Strategy for the Protection of National Cyber Space
Strategy means translating power into politics [4], while the nature of the power factors is of secondary importance. Embedded in a “strategic information war”, CW is almost identical with the strategic concept developed by Beaufre. According to that, it is the aim of every strategy to fulfill the tasks set by politics with the best possible use of the available means [5]. The decision sought in battle is to make the opponent accept the conditions imposed on him. In this dialectic of wills the decision becomes a psychological reaction to be instilled in the opponent: He should become convinced that it is useless to take up battle or continue it [6].
If CW is the offensive strategic concept, potentially threatened states — i.e. all those which, to a substantial degree, depend on a functioning critical information and communication technology-based infrastructure — have to develop and implement strategic protection concepts.
The core of these concepts must be the optimal protection of the relevant ICT basic values. Of primary importance are all-time availability, appropriate confidentiality, and inviolable integrity (the ICT basic values) of the required information services and communication lines of critical ICT — in particular the high availability of critical ICT infrastructure (close to 100%).
Strategic Options
In principle, the following strategic options for the protection against a CW attack [7] are available:
1) Prevention through deterrence and precaution;
2) Preventing the attacker from reaching his political goals by permanently guarding the critical infrastructure and taking precautions for emergencies and crises;
3) Confining damage by taking fast measures to limit the extent of damage;
4) Capability to quickly restore damaged systems through crisis management.
Prevention through deterrence and precaution is, at present, not an option for small states, as the preconditions for it are not in place, while options 3 and 4 allow for the infliction of great damage and should therefore not be acceptable for a self-confident state on its way into the information age. Option 2, namely to prevent the attacker from reaching his goals by permanently protecting the critical infrastructure and taking precautions for emergencies and crises, should in any case be sought. The chances of success of this option depend mainly on the owners and operators of critical infrastructures, since the bulk of these are in private hands.
The state also has the responsibility toward society to protect it in cyber space. By creating the prerequisites, framework conditions, and providing the necessary resources, option 2 has to be pursued resolutely. In this context the objects of protection are the country’s critical ICT-dependent infrastructures.
Cyber-Attack Categories in War
If there is a future war between major world powers, the first victim of the conflict may be the Internet itself. The ultimate goal of warfare — victory — will not change, and the military strategies of Sun Tzu and Clausewitz will still apply. However, many war tactics will change in order to account for the unique nature of cyberspace and the latent power of cyber warfare. There will be two broad categories of cyber-attacks during the war.
Military forces
The first category of cyber-attacks would be conducted as part of a broader effort to disable the adversary’s weaponry and to disrupt military C2 systems. In the event of a major regional or world war, it is wise to assume that these kinds of attacks would pale in comparison to the sophistication and scale of cyber tools and tactics that governments likely hold in reserve for a time of national security crisis.
Critical infrastructure
The second category of cyber-attacks would target the adversary’s ability and willingness to wage war for an extended period of time. The targets would likely include an adversary’s financial sector, industry, and national morale [8]. Critical Infrastructures [9] are those infrastructures, or parts thereof, which are of substantial relevance in maintaining important societal functions. Their disruption or destruction has serious effects on the health, security or the economic and social well-being of the population or on the effective functioning of governmental installations.
On the basis of the European Program for Critical Infrastructure Protection [10], a master plan was also elaborated for Austria on the national level — the Austrian Program for Critical Infrastructure Protection (APCIP). It describes the principles of the program, includes listings of those sectors that have priority to be investigated, defines the criteria for rating critical infrastructures, identifies the risk factors and the actors, lists the measures for the protection of critical infrastructures, and develops an action plan with detailed sub-goals.
The European program lists 11 sectors of critical infrastructures [11]: energy, nuclear industry, ICT, water, food, health, finance, transport, chemical industry, space, and research institutions. For Austria, not all of these sectors have the same relevance as for the EU: the nuclear industry and space are of no specific national relevance. Conversely, Austria’s national critical infrastructure also emphasizes constitutional installations, the maintenance of the social system and the defense systems, as well as first responder organizations.
The centers, communication nodes, and control systems of these critical infrastructures at the disposal of a modern society are based on information and communication technology, or are of considerable importance for the ICT, and can only be operated in certain locations.
Consequences
The state should help maintain the capability to protect strategic ICT infrastructure against cyber attacks by means of permanently available and up-to-date estimates of the situation on the basis of periodic analyses and assessments of the security risks, an early warning system, complemented by emergency/incident functionalities, as well as by the ability to react appropriately.
Intensive cooperation on the national level between industry, science, administration, and citizens (public-private partnership) is indispensable and has to be initiated and promoted by the state. On the European level, states would have to cooperate particularly in prevention, threat identification, and defense.
The owners and operators of critical infrastructures have to create the preconditions for secure operation through comprehensive protection measures against attacks from outside and from inside, exchange of information, cooperation between the operators, maintenance of high security standards, and certified training of their personnel. Developing and using “intrusion-tolerant” systems, redundant design, and automated critical processes with superimposed manual control are approaches that promise success.
For security-critical areas, only accredited or certified hardware and software, organizations, and procedures, as well as reliable personnel, should be used. Data and locations worthy of protection are to be protected in conformity with the law, according to the criticality of the ICT and the extent of the threat.
Critical infrastructures require permanent basic protection with active and passive measures, personnel, and material. The protection has to be set up in a way that in the event of assumed danger through catastrophes, terrorist attacks, or war operations it can be quickly reinforced.
Emergency plans have to be kept up-to-date through periodic exercises, and everybody involved has to be required to maintain a high level of security awareness about the risks and necessary countermeasures. As a principle, the security measures are to be established according to the motto “protect, identify, react” and divided into defensive and offensive measures. It is clear that ICT systems play a special role with regard to one’s own information and support in critical and unclear situations.
Need for Legal Adaptations
On the national level, the competent authorities in the area of preventive defense and the fight against attacks from cyber space launched against “critical ICT structures” have to be clearly established, and those organs are to be vested with appropriate authority. To prevent misuse and raise the acceptance of these necessary measures, effective legal protection and a control mechanism would have to be established.
With regard to international law, an attack with means of information technology may probably qualify as an “armed attack” in the sense of the UN statutes [12]. The qualification as “armed attack” is not primarily a matter of the means used as such, but rather of the intention to inflict harm and the extent of the actual damage. Since substantial damage, not falling short of that incurred by an armed attack, can also be done with means of information technology, attacks from cyber space could certainly be considered “armed attacks” in the sense of Article 51 of the Charter of the United Nations, which entitles the attacked state to exercise its right of self-defense. In addition, it would have to be clarified what obligations a neutral state would have if attacks against third parties were launched via its “national cyber space”.
Conclusions
The state has to provide adequate resources for an instrument to analyze, assess, and predict developments in strategic ICT, including risk assessment, a permanent situation center for observation and estimation of the threat situation and, if necessary, for early warning, alerting, and activation of reactions and emergency organizations (CERT/CSIRT: Computer Emergency Response Team / Computer Security Incident Response Team).
What a developed state needs is a central authority which collects, analyzes, and assesses all pertinent information from federal and provincial offices as well as from private parties, and which is in a position to take the necessary reconnaissance, prevention, defense, and reaction measures, or to order them bindingly. This authority would expediently also ensure the steering and coordination of national and international cooperation. The necessary legal preconditions for that would have to be established.
[1] This article has originally been written and published by Walter J. Unger: “Cyber War and the Protection of Strategic Infrastructure” in J. Schröfl, aO: “Hybrid and Cyber War as consequences of Asymmetrie”, Peter Lang. New York, 2011, p. 145–154. As Editor of the book I partly amended, rounded up and completed this article into the present shape. Thank You Walter!
[2] see Walter J. Unger/Heinz Vetschera, “Cyber War und Cyber Terrorismus als neue Formen des Krieges” [Cyber War and Cyber Terrorism as New Forms of War], in: ÖMZ [Austrian Military Journal] 2/2005, p. 204 ff.
[3] An analysis has to especially take into account domino effects and cascade effects as well as secondary and tertiary effects/damages. Aside from threats caused by deliberate acts, also the catastrophic damages of the strategic ICT caused by a higher power, technical or human error have to be taken into consideration.
[4] Cf. W.J. Unger/Heinz Vetschera, “Cyber War und Cyber Terrorismus als neue Formen des Krieges”, ÖMZ 2/2005, p. 203 ff.
[5] Cf. André Beaufre, Totale Kriegskunst im Frieden — Einführung in die Strategie [Total Art of War in Peacetime — Introduction into Strategy]; Berlin, 1963; p. 25.
[6] Ibid.
[7] Cf. Lukasik, Goodman, Longhurst, “Protecting Critical Infrastructures Against Cyber-Attack”, Adelphi Paper 359, Oxford 2003, p. 5 ff.
[8] See also Kenneth Geers: “Demystifying Cyber Warfare” in J. Schröfl, aO: “Hybrid and Cyber War as consequences of Asymmetrie”, Peter Lang. New York, 2011, pp. 119–126.
[9] Common Report of the Federal Chancellor and the Ministry of the Interior Concerning the Austrian Program for Critical Infrastructure Protection; Master Plan APCIP; Ministerial Council Resolution of 02 April 2008, p. 1.
[10] EPCIP = European Program for Critical Infrastructure Protection.
[11] Cf. loc. cit., Common Report of the Federal Chancellor…, p. 5.
[12] Cf. W.J. Unger/Heinz Vetschera, “Cyber War und Cyber Terrorismus als neue Formen des Krieges” [Cyber War and Cyber Terrorism as New Forms of War], in: ÖMZ [Austrian Military Journal] 2/2005, p. 209 ff.
This speech was delivered at the 11th Scientific conference of the International Research Consortium on Information Security, as part of the International Forum on «Partnership of state authorities, civil society and business community in ensuring international information security», held on 20-23 April 2015 in Garmisch-Partenkirchen, Germany. It is published on Digital.Report with an explicit permission from the conference organizers.