SECTION II:  CYBER TERRORISM AND SECURITY IMPLICATION FOR CRITICAL INFRASTRUCTURE PROTECTION

        4.1 Implementation of Critical Infrastructure Protection at the Republic of Croatia Level

        “Different public agencies (legislative bodies, regulators, etc.) set a plethora of norms, rules
        and standards on safety and security issues in different CI sectors. Terrorism-related intel-
        ligence, which is needed to evaluate current types and levels of threat to CI, is often col-
        lected by multiple agencies answerable to different ministries. Effective crisis management
        and response measures require the ability of several public entities (at the local, municipal,
        regional and national level) to play their part in a smooth and quick manner. Also, in many
        cases a number of entities may be involved in a given security function. Such is the case of
        the aviation sector, where the competent authority, airport management and law enforcement
        bodies may share responsibility for the protection of airports, air navigation aids and services”
        (UNOTC, UN CTED and Interpol, 2018: p 107). This hypothesis can be applied globally and
        locally, and as such, will be used for an examination of the implementation of critical infra-
        structure protection at the Republic of Croatia level.

        It should be emphasized  that  despite  the  development  of a solid strategic  and normative
        framework related to the issue of critical infrastructure protection, the Republic of Croa-
        tia has not yet established a system for critical infrastructure protection. Despite the efforts
        and initiatives of the competent system-building authority and individual stakeholders from
        the competent ministries that have recognized the importance of this activity, the necessary
        functionality of the system has not been developed to a level where it can be considered an
        operating system (Mikac, Cesarec, Larkin, 2018: p 111), which is not to say that critical in-
        frastructure is not protected by many other systems and lines of work. However, if a critical
        infrastructure protection system were in place, it would undoubtedly be more efficient, faster
        and more integrated than it is now. Let us start by looking at the current state of things.

        The National Strategy for the Prevention and Suppression of Terrorism (both the 2008 ver-
        sion and the current 2015 one) recognizes the dangers and potential consequences that would
        occur if terrorists attacked critical infrastructure. It should be pointed out that Croatia has
        a very robust, operational and effective system of prevention and suppression of terrorism.
        The challenge in terms of protection of critical infrastructure is found in the exchange of
        data and information between state bodies and critical infrastructure operators. Cooperation
        between the Security and Intelligence Agency and the police is beyond question, as well as
        their cooperation with and provision of the necessary information to state bodies. However,
        there is a lack of flow of information from the level of state bodies (representing sectoral
        coordinators) to critical infrastructure operators in specific sectors. In some sectors, coopera-
        tion does exist, but in some, it does not. This shows that the system is not established in all its
        potential, and brings us to the situation that Dario Malnar and Nikola Mlinac describe in fol-
        lowing words: “Despite the construction of national protection systems and efforts to central-
        ize activities, critical infrastructure protection is still a largely fragmented activity, sectorally
        defined through the competences of various ministries and other state bodies. Such dispersion
        of security and the particularization of facilities makes it difficult to concentrate intelligence
        efforts and adversely affects the effectiveness of action” (Malnar and Mlinac, 2014: p 1013).

        The domain related to the protection of critical infrastructure from natural and technical-
        technological disasters and large accidents is better regulated, because it belongs to a civil
        protection system that is functional and, unlike the previous example, has no obstacles in
        operation and activity. This can be partly explained by the challenge of dealing with sensitive,



       126