Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
Towards a Baltic Sea Region Strategy in Critical ... - Helsinki.fi
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
CRITICAL INFRASTRUCTURE PROTECTION IN THE BALTIC SEA REGION<br />
failures, attacks or accidents above a def<strong>in</strong>ed m<strong>in</strong>imum level of services<br />
and aim at m<strong>in</strong>imis<strong>in</strong>g the recovery time and damage. CIIP should<br />
therefore be viewed as a cross-sector phenomenon rather than be<strong>in</strong>g<br />
limited to speci<strong>fi</strong>c sectors. CIIP should be closely coord<strong>in</strong>ated with<br />
<strong>Critical</strong> Infrastructure Protection from a holistic perspective.”<br />
(Commission 2005b)<br />
While ICT/CII can be vulnerable <strong>in</strong> a multitude of ways, as will be discussed <strong>in</strong><br />
detail <strong>in</strong> Chapter III, <strong>in</strong> most connections when CII is discussed, it is connected to<br />
cyber attacks (see Wilson 2006), suppos<strong>in</strong>g that there are assailants attack<strong>in</strong>g from<br />
a distance through virtual channels. The object of these cyber attacks is not<br />
necessarily CII but any CI. In several EU documents deal<strong>in</strong>g with terrorism this<br />
perspective is raised. The issue becomes that of the consequences of this type of<br />
attack <strong>in</strong> terms of severity, such as loss of life. One Commission document states<br />
that the consequence of an attack on the <strong>in</strong>dustrial control systems of critical<br />
<strong>in</strong>frastructures could vary widely:<br />
“It is commonly assumed that a successful cyber attack would cause<br />
few, if any, casualties, but might result <strong>in</strong> loss of vital <strong>in</strong>frastructure<br />
service. For example, a successful cyber-attack on the public telephone<br />
switch<strong>in</strong>g might deprive customers of telephone service while<br />
technicians reset and repair the switch<strong>in</strong>g network. An attack on a<br />
chemical or liquid natural gas facility’s control systems might lead to<br />
more widespread loss of lives as well as signi<strong>fi</strong>cant physical<br />
damage.”(Commission 2004, p.3)<br />
Terrorism or all-hazards approach?<br />
The United States, NATO and EU approaches on CIP are clearly dom<strong>in</strong>ated by and<br />
closely connected to the threat of terrorism. In the CIP debates <strong>in</strong> the United<br />
States, the view that “We face a determ<strong>in</strong>ed, <strong>in</strong>telligent enemy who seeks to cause<br />
us maximum harm” and therefore one should focus on worst-case analysis (Brown<br />
et al. 2006, p. 16), is clearly hegemonic. But, by way of ref<strong>in</strong>ement, it is useful to<br />
emphasise the different phases <strong>in</strong> the development of the CIP concept from this<br />
perspective.<br />
If one looks at the developments of the CIP <strong>in</strong> the United States, the<br />
emphasis early on was on deliberate threats (PCCIP 1996; cf. Abele-Wigert and<br />
Dunn 2006, pp. 26-27). It is true that the so-called all-hazards approach was<br />
accepted <strong>in</strong> United States’ emergency management plann<strong>in</strong>g as a ‘second priority’<br />
(Guide for All-Hazards Emergency Operations Plann<strong>in</strong>g 1996) and the PCCIP <strong>in</strong> a<br />
way accepts the relevance of this approach by stat<strong>in</strong>g that “Each of the<br />
<strong>in</strong>frastructures is vulnerable <strong>in</strong> vary<strong>in</strong>g degrees to natural disasters, component<br />
failures, human negligence, and willful human misconduct” (PCCIP 1997, p. 27).<br />
However, the report states that “While poor design, accidents and natural disasters<br />
may threaten our <strong>in</strong>frastructures, we focused primarily on hostile attempts to<br />
damage, misuse, or otherwise subvert them.” (PCCIP 1997, p. 31)<br />
Naturally, after 9/11 the emphasis on deliberate attacks was hugely<br />
re<strong>in</strong>forced. The event gave reason to develop the “National <strong>Strategy</strong> for Homeland<br />
Security” (NSHS 2002), which def<strong>in</strong>ed three ma<strong>in</strong> strategic goals: to prevent<br />
terrorist attacks with<strong>in</strong> the United States, reduce America’s vulnerability to<br />
28 NORDREGIO REPORT 2007:5