WEF looks at identifying systemically important critical infrastructure, public-private cooperation models for cyber protection


The World Economic Forum (WEF) recognized that critical infrastructure protection is vital to keep essential services running and often relies on public-private cooperation models. The wide-scale and prolonged failure of critical infrastructure is sometimes considered the worst-case outcome of a political conflict – exactly what we would do as a society if the power fails for days, let alone weeks, is a matter of widespread speculation.

Additionally, the cost of failure of critical infrastructure is often considered a worst-case scenario, as there is often a question over who pays for its security, a WEF post noted on Tuesday. The agency suggested that identifying ‘systemically important critical infrastructure’ could help open up new cooperation models and unlock new funding mechanisms.

“It is far from clear if critical infrastructure protection programmes would be sufficient in dealing with the effects of such a worst-case act – one that could even rise to the level of an actual cyberwar if committed by states,” the WEF post said. While government efforts to engage in critical infrastructure protection are hardly new, the “mission seems clear: to set up comprehensive public-private cooperation models that help assure the provision of essential services to the government, the economy, and the public,” the post added.

The agency said that a significant challenge of critical infrastructure protection programs is “simply that the societal needs are not the same as many industry needs. For instance, the emergency services in many countries depend on the same mobile phone infrastructure as everyone else. Cellular base stations are critical, but only few have standby generators in case of a wide-scale power blackout, and only for a day or two at most. The government can (and sometimes does) force these companies to build more redundancy into these networks, but overall telecom companies work under tight profit margins making investors wary of any additional burdens,” it added.

It also noted that “while government might also just purchase, subsidize or otherwise reward the purchase of such equipment, there may remain a legal question: if such subsidies were to apply to all critical infrastructures – and in the US these are likely to be many thousands of companies – would it not represent a major anti-competitive act, especially where being ‘critical’ was hardly an exceptional situation anymore?”

Similar concerns were raised in the WEF’s Global Cybersecurity Outlook 2022 report, which surveyed 120 senior cyber leaders to understand their concerns, both for their enterprises and for themselves personally. When asked what they worried about personally, infrastructure breakdown due to a cyberattack emerged as the number one concern, substantially ahead of identity theft.

At this juncture, the WEF backed the concept of systemically important critical infrastructure, which was floated in the U.S. Cyberspace Solarium Commission’s 2020 report as “the entities, responsible for the most important critical systems and assets in the US, that would be granted special assistance from the federal government as well as assume increased responsibility for additional security and information security requirements that are vital to their unique status and importance.” 

In its 2021 report, the U.S. Cyberspace Solarium Commission said that codifying the concept of systemically important critical infrastructure and establishing a Joint Collaborative Environment continue to be complex, challenging, and high-priority goals. 

“After gathering input from government and industry groups in 2020 and the first half of 2021, the Commission expects to focus in the coming months on supporting a legislative proposal that would require the Secretary of Homeland Security to define a process for designating entities as Systemically Important Critical Infrastructure, with coordination from Sector Risk Management Agencies and relevant regulatory authorities,” the report said. “Entities so designated would be subject to higher security standards; they would also receive increased intelligence and protection to prevent disruption or compromise,” it added.

“In other words, it encompasses only the ‘critical of the critical’ enterprises – those like power and telecoms that are needed to make the others run,” the WEF post said. “In the US there is a clear move to adopting the concept wholesale, and the legislation pushed forward might represent the start of a very new idea of critical infrastructure. However, the exact deliberations of what may constitute systemically important critical infrastructure and how it can be enacted are still very much at the start,” it added.

In addition to collaboration between governments and critical infrastructure organizations, there is a need to establish improved cost-sharing models and co-regulatory models that ensure the resilience of the basic underpinnings of daily life.

A new legal category of systemically important infrastructure may provide the government with the ability to unlock new funding mechanisms that were previously unavailable. This is clearly needed for some infrastructure, while the sums needed to ensure business continuity and disaster recovery at the level that society may need clearly exceed the budgets the operators can spend on this.

Citing data released by ABI Research, the WEF post said that in the U.S., the government programs involved in critical infrastructure protection “have led to a huge increase in cybersecurity spending just in the entities directly affected – over $105 billion in 2021 alone.” 

“However, despite well over two decades of experience, getting critical infrastructure protection right still seems to be a challenge,” the post highlighted. “The recent Colonial Pipeline attack paralysed the gas supply on the east coast of the US. Similar impacts were witnessed as a result of the Amsterdam-Rotterdam-Antwerp attack in February 2022, and the Florida water plant incident in February 2021,” it added.

While full-scale outages in the electricity sector, such as the 2015 power grid hack in Ukraine, have so far been relatively contained, several cyber powers have reportedly prepositioned malware in each other's power grids, WEF added.

At this year’s WEF event, Robert M. Lee, founder and CEO of industrial cybersecurity company Dragos, called on the ‘Cybersecurity Outlook’ panel for executive-level understanding of the cyber risk to operational technology (OT) by government and business.

Over the last 20 years, several Organisation for Economic Co-operation and Development (OECD) governments have experimented with various carrots and sticks to increase private sector collaboration. “More recent discussion in Europe and the US has concentrated on the ‘sticks’ – in particular, new legal requirements by governments that operators of critical infrastructure must report serious breaches in their networks. These regulations – like the EU Cybersecurity Act and the very recent U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 – were seen as relatively low-cost options and were supposed to incentivize private companies to invest more in security,” the post added.

Last October, U.S. legislators introduced a legislative bill that intends to authorize the director of the Cybersecurity and Infrastructure Security Agency (CISA) to designate certain elements of critical infrastructure as ‘systemically important,’ and for other purposes. The bill has since been referred to the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation. 
