Cyberspace elicits long debates among academic and diplomatic communities. One of the major concerns is finding common ground to forge consensus in the international community, given the deep-rooted conceptual differences between countries.
In this sense, National Cyber Security Strategies (NCSS) are documents that can be very helpful. These documents can display a national vision for reaching many strategic objectives regarding security in cyberspace. The strategies are political statements by the subscribing nation to a domestic audience and the international community.
One of the frequent themes in NCSSs is Critical Infrastructure Protection (CIP). In fact, of 82 strategies published between 2003 and 2017, 58 (67.4%) addressed this subject as a strategic objective to be pursued.
There are three main similarities in the NCSSs' approaches:
- The definitions of Critical Infrastructures (CI)
- The CI’s criteria for damage
- The concern of cyber threats acting upon them
From the expression “critical infrastructure,” one can derive its two constituent elements in conceptual terms. The first is that of services and facilities used by society (infrastructure). The second refers to its relevance (critical) measured by the negative consequences that its disruption or malfunction would generate for the public.
In the concept’s first part (the definition of what services are deemed relevant to the public), 20 categories were classified as CIs by 77 NCSSs. The model adopted by most NCSSs was the elaboration of a list of productive and/or economic sectors to be considered CIs. The lists are primarily illustrative, which makes them dynamic and allows for the inclusion of other services if the relevance criterion (criticality) is met.
The productive and/or economic categories that were most commonly deemed CI by the NCSSs are listed below:
- Electrical Energy (27)
- Telecommunications (26)
- Transportation (25)
- Finance (21)
- Water / Sewage (19)
- Public Health (19)
The second common aspect observed in the definitions of CI concerns the criticality measures for those services and facilities. The method of assessing the relevance of essential services is similar among most of the NCSSs. They mostly converge toward consequences related to economic aspects, security, loss of human lives, social well-being, operational safety, and serious social or political impact.
The most common methods for assessing the criticality of productive or economic sectors identified in the NCSSs are presented below:
- Economic (21)
- Security (20)
- Physical Integrity and/or Loss of human lives (16)
- Social well-being (10)
When measuring the negative consequences of the disruption or the malfunctioning of essential services, the NCSSs reveal the central values that the strategies intend to preserve. Similarities in such valuation represent a convergence point among the countries since they show similar motives to maintain services and facilities for the general public.
The combination of services and facilities (electrical energy, telecommunications, transportation, finance, water/sewage and public health) and the values they wish to preserve (economy, security, physical integrity, loss of human lives, and social well-being) shows that there is a clear conceptual convergence among the countries regarding what is considered a CI.
A third fascinating aspect concerns the reference that 57 NCSSs made to cyber threats. Though the framing of threats differs slightly, there is a consistent taxonomy regarding cyber threats to CI:
- Cyber criminality
- Cyber espionage
- Cyber terrorism
- State actors
Moreover, 24 NCSSs perceive that CIs are attractive targets for cyber threats (following the taxonomy mentioned above) since the consequences of a successful attack could be catastrophic to the targeted country.
In 12 NCSSs, however, the relationship between threats and CIs was rather generic, based on the assertion that these CIs are typically an attractive target for such threats.
The most frequent association between threats and attacks against CIs was with cyber terrorism. The relation was based on the desire for media repercussions that terrorist groups seek and the fact that they could gain publicity through a cyber attack against a CI with kinetic effects.
Furthermore, there was an overt association with cyber attacks by nation-states against CIs. For example, Spain’s NCSS cites “that there is evidence that State actors have offensive capabilities to attack CIs,” and the UK’s NCSS mentions the detection of “attacks carried out by states or sponsored by them.”
The evidence presented supports the idea of CIP as a transnational initiative or a positive agenda for Nation-States.
There is a growing collective perception that cyber threats are especially interested in CIs. This could support an ambitious point of cooperation: creating trust-building mechanisms to limit the development of cyber weapons specifically aimed at CIs. The proposal would be analogous to the control of chemical weapons, which enjoys broad consensus in the international community.
It is essential to note that offensive cyber artifacts built to attack CIs demand expertise, since protocols applicable to a programmable logic controller (PLC) are not (yet) commonly available. Because of this, they are historically the objective of state actors (e.g., CrashOverride, Dragonfly, Industroyer, and Stuxnet).
Based on the shared understanding of what constitutes a CI and the concern that they are the object of cyber threats, it is feasible to propose measures for creating mechanisms among the countries to regulate the use of cyberweapons with this particular intent.
Following the Stuxnet case (2011), new malware samples were discovered (dubbed Duqu, Flame, and Gauss). They closely resembled Stuxnet, but the last two were not attributed to the same threat actor. That illustrates that, once the campaign is in motion, it is impossible to guarantee that other actors will not use part of its code for new attacks against different targets.
An additional argument to limit the use of cyberweapons against CIs can be derived from the Principle of Necessity, Distinction, and Proportionality from International Humanitarian Law (IHL), which demands that acts of war be directed strictly against combatants and military objectives of the enemy to avoid unnecessary or excessive damage to civilians.
Since a country’s CIs, in general, simultaneously serve civilian and military purposes, an attack against traffic transfer hubs or against power plants, for instance, could be considered a disproportionate attack on civilians.
Finally, the UN GGE 2015 Report stressed that States should not damage or impair the use and operation of critical infrastructure to provide services to the public. This norm should be interpreted in light of the NCSSs' broad consensus on which CIs are named and which consequences are not accepted by nation-states.
In conclusion, CIs should be considered a potential point of convergence in cyberspace. Their protection is a concern that several countries explicitly addressed in their NCSSs. Further, they share a common perception of what constitutes a CI and what kind of consequences should be avoided.