Tuesday, November 26, 2024

Securing critical infrastructure: next-gen public-private partnerships needed

Must read

Healthcare organizations in the U.S. would not disagree, as they were recently targeted by a cyber attack by ransomware group BlackCat (February 21, 2024), which led to delays in claims processing and significant impacts on revenue.

CNI in private hands, with implications for national security

The healthcare ecosystem is only one aspect of Critical National Infrastructure (CNI), a term that covers systems whose compromise would impact the integrity of essential services, resulting in severe economic and social consequences or even in loss of life. CNI includes assets such as energy supply pipelines, food supply chains, transport infrastructure, water supplies, telecommunications and banking. In many countries, CNI is increasingly in private hands, where decisions driven by commercial considerations may have wider implications for national security.

To complicate matters further, a country’s critical national infrastructure is often partly owned by foreign companies. With aging infrastructure and the need for investment, foreign investment has been welcome. As geopolitical tensions and Grayzone aggression are on the rise, how then are governments supposed to safeguard national security? Heated debates around 5G network suppliers in a dozen European countries and in the U.S. showed how security concerns clash with usual procurement processes.

A report by the U.S. National Security Telecommunications Advisory Committee concluded in March 2024 that market forces alone are insufficient to incentivize privately owned entities to prioritize cybersecurity at the levels needed to protect national security

There is no easy solution to this conundrum, but it helps to look at it from two angles:

Recognizing market failures and how to address them

organization-icon

Embracing a “whole of society” approach to resilience

Inadequacy of market forces

The market failure resulting from tensions in the collaborations between the private sector and government stakeholders has long been evident in the field of disaster risk insurance. This situation is analyzed in a new book, Disaster Insurance Reimagined: Protection in a Time of Increasing Risk,by Paula Jarzabkowski et al. As the authors clearly demonstrate, the protection gap results from a triple imbalance: having too little or too much knowledge about risk, who controls the market and who bears the most responsibility for mitigating risk. It looks like the most resilient, forward-looking setup involves well-structured, purposeful public-private partnerships rather than simply relying on the “invisible hand” of markets.

With pure economics optimizing for efficiency rather than resilience — for just-in-time rather than just-in case, spare capacity — redundancy in a system and diversification of suppliers are often deemed suboptimal strategies. There is clearly a need to put a value on resilience, who benefits from it and who needs to pay for it.

The criticality of some national services often becomes evident only when they break down. In the U.K., the forensic services sector is critical to the delivery of justice and has faced significant challenges since 2012 when the publicly owned Forensic Science Service closed. Private companies stepped into the gap. In 2018-2019, with a major provider entering administration, another impacted by data manipulation and a ransomware attack on yet another, service continuity has been at risk, and thousands of cases were re-examined and convictions overturned.

Especially in market economies, it’s easy to overlook the role of competition authorities and wider government in ensuring that markets can meet the needs of people, businesses and the wider economy in normal times, let alone in times of crisis. In a recent discussion paper, the U.K. Competition & Markets Authority illustrated causes of fragility (lack of supply diversity, financial risk) and amplifiers of harm (vulnerable customers, barriers to entry, criticality of service) through a range of compelling case studies, which are reminiscent of enterprise risk management practices.

At the end of 2022, the U.K. government launched its Resilience Framework , which has three core principles:

  1. 01

    A shared understanding of risk

  2. 02

    Increased emphasis on prevention and preparation

  3. 03

    A “whole of society” approach to resilience

Everyone — from government and business to individuals — is encouraged to be prepared.

The independent U.K. National Preparedness Commission had long been championing “whole of society” resilience. Indeed, with its 50 commissioners from across U.K. civil society, the commission is an ideal sandbox to encourage this paradigm shift from a top-down endeavor. Since its formation in 2020, it has overseen a program of work that is both strategic and practical. The opportunity is that being better prepared for many shocks is the same, whatever the initiating crisis or incident. The challenge is to encourage immediate action and to get away from merely admiring the problem. Reports promoted by the commission go into the detail of risk, be it the UNDRR Handbook for Implementing the Principles for Resilient Infrastructure or a review of our economy’s underestimated vulnerability to software failure. It’s not only national governments embracing a whole of society outlook; the military is acutely aware that operations and communications depend heavily on private assets and supply chains.

The North Atlantic Treaty Organization (NATO) organizes a yearly resilience symposium, bringing “together civilian and military leaders, policymakers and experts with a resilience portfolio to promote resilience as a national responsibility and a collective commitment ”. In 2023, the importance of the private sector for securing critical infrastructure and supply chains was underlined, with a determination to explore a more two-way public-private cooperation — talking with the private sector rather than at or about it.

It was probably not a coincidence that the follow up two-day workshop in March 2024 was set in Stockholm. Sweden, which has just joined NATO as its 32nd member, was one of the countries (alongside Finland) that pioneered the concept and practice of “total defence” after World War II, whereby preparation for war (or a crisis) explicitly comprises both military and civil defense. Singapore also adopted this whole of society national defense concept in 1984. The Swedish approach of engaging its whole population in this preparedness was mocked in the U.K. in 2018 when an updated 20-page preparedness guide titled “If crisis or war comes” was delivered to all 4.8 million households. These days it doesn’t sound as ridiculous. The U.K. government is gravitating toward similar advice, but most households are probably unaware of it. When households were recently encouraged to keep a few “analogue capabilities that it makes sense to retain” even in a highly digital age (torches, but also battery-powered radios), press coverage was sceptical.

Indeed, in times of crisis, communication is key. And again, we take our telecommunication infrastructure (mostly in private hands) for granted. Since 2022, multiple examples of suspected sabotage of undersea cables (in the Baltic Sea, in the Red Sea and around Taiwan) have raised awareness of their vulnerability, especially around the key hotspots of geopolitical tension. The business interruption resulting from such incidents can be considerable. The vast majority of cables are privately owned, mostly by telecommunications companies. Tech companies have started investing in the cable business as well. For example, Google owns at least 59,000 miles of submarine cables (nearly 8% of the total). Cable ownership is an international patchwork, reflecting the era of globalization that prevailed when the internet took off in the 1990s, as the world was emerging from the Cold War. SeaMeWe-5, which starts in Singapore and ends in France, is owned by a dozen companies.

While undersea cables have a life expectancy of 25 to 50 years, the odds of seeing them damaged are now raised when factoring in geopolitical motivated Grayzone aggression. The fleet of specialized cable ships able to lay or repair cables is small (60 ships for 574 active and planned cables) and aging, despite the increasing demand for cables and increased vulnerability.

Deeply aware of this, NATO created an Undersea Infrastructure Coordination Cell in 2023, to map risks and coordinate efforts between allies, partner countries and the private sector. This could become a very iconic example of the new equilibrium that the public and private sectors need to reach, with assets largely in private hands but threat detection, information and deterrence in the hands of governments and intergovernmental bodies. Businesses can no longer opt out from geopolitics.

Latest article