Page 138 - Cyber Terrorism and Extremism as Threat to Critical Infrastructure Protection
SECTION II: CYBER TERRORISM AND SECURITY IMPLICATION FOR CRITICAL INFRASTRUCTURE PROTECTION
Frameworks generally offer taxonomies of critical infrastructures, procedures for identifying
and designating them, and the codification of the responsibilities of the CI owner/operator,
such as the drafting of Operator Security Plans to be reviewed regularly or whenever the situation
warrants it, and the designation of competent authorities for each CI sector and of an
overall coordinating authority.
Most owners and operators of Critical Infrastructure in the West are private companies (from
around 75% in the EU to 85% in the US) and this leads to significant challenges, including
that of coordination. An added dimension of the challenge stems from the foreign ownership and
operation of certain critical infrastructures. The highest management levels of these particular
organizations are located in other countries, with the attendant complexity with regard to
disinvestment, lack of investment in security processes, lack of bargaining power on the part
of smaller states, limited tools for inducing changes in behaviour, and so on. In addition to
operational and governance issues of CIP, there may also be geopolitical considerations.
As stated above and by Helbing (2013), a great deal of critical infrastructure is networked
regionally and even globally, and therefore surpasses the ability of the authorities of a single
jurisdiction to govern. Even if all jurisdictions feature CIP processes, the lack of coordination
or compatibility may lead to new risks, vulnerabilities and threats appearing in the gaps,
especially as adversaries seek to take advantage of the situation and exploit differences in
governance and in relative preparedness. This is why there are more and more global initiatives
directed towards governing systemic issues, such as cyber dependencies, global trade
infrastructure and technological standardization for inter-operability.
The EU, however, has built a European Programme for Critical Infrastructure Protection (EPCIP),
starting with a series of documents of reference such as Directive 114/2008. While
defining best practice for national systems, the European system concerns itself with Critical
European Infrastructures, managed in concert with the national authorities and defined as an
“asset, system or part thereof located in Member States which is essential for the maintenance
of vital societal functions, health, safety, security, economic or social well-being of people,
and the disruption or destruction of which would have a significant impact in a Member State
as a result of the failure to maintain those functions” (Council Directive 2008/114/EC of 8
December 2008 on the identification and designation of European critical infrastructures and
the assessment of the need to improve their protection, 2008). This recognizes the effects of
the intended integration of the EU’s Member States into an “ever closer Union”, especially
projects such as the “Energy Union”, the “Single Digital Market” and the strategic transport
corridors. As we will see in the final section of this paper, this presents opportunities for the
CI governance of SEE nations not in the EU.
3 The Cyber Perspective on CIP and Terrorism
It is important to note that the cyber environment does not only designate the ITC critical
infrastructure category, but is also a cross-cutting issue, since cyber has become a medium for
command, control, coordination and information gathering processes at the level of complex
systems of systems (Georgescu & Cîrnu, 2019). Building on the CIP section of this article,
we may say that the efficiencies in the operation of critical infrastructure which enable higher
productivity and functionality have been purchased at the cost of the permeation of cyber