PRB 01-7E

 

CRITICAL INFRASTRUCTURE PROTECTION
AND EMERGENCY PREPAREDNESS

 

Prepared by:
Michel Rossignol
Political and Social Affairs Division
June 2001


TABLE OF CONTENTS

INTRODUCTION

INCREASED EMPHASIS IN THE UNITED STATES

CANADIAN INITIATIVES



INTRODUCTION

Computer technology is now such a pervasive element of modern society that its benefits for governments, corporations, public utilities, and many other organizations are taken for granted.  However, the computer age has also introduced new vulnerabilities.  The technology is so widespread and interconnected in the banking, commercial, energy, and manufacturing sectors that any deliberate or accidental interference can have costly repercussions.  Furthermore, any tampering with the computers managing public utilities such as hydroelectric plants and related infrastructure such as dams could cause serious environmental damage as well as major disruptions in commercial transactions and industrial production.  A country’s critical infrastructure could be the target of attacks by terrorist groups based at home or abroad, by foreign governments, and by criminal elements.  The widespread disruptions caused by some recent computer hacking incidents are perhaps only a small sample of the impact a concerted effort to paralyze the essential infrastructure of a country through its computer systems could have.  In the not-so-distant future, the capacity to wage offensive as well as defensive information technology warfare could become an increasingly important element of a country’s ability to ensure its security, but this raises complex moral and ethical issues which are just starting to be debated.

INCREASED EMPHASIS IN THE UNITED STATES

In the meantime, the potential impact of just a few isolated attacks on a country’s essential infrastructure has raised concerns within government and military circles.  The United States in particular has devoted considerable efforts and resources to bolster its ability to deal with such attacks.  Indeed, in the late 1990s, the United States became increasingly conscious that despite its great military power, it could still be very vulnerable to what has been called asymmetrical threats.  Instead of directly confronting the United States, military forces, states or groups antagonistic towards the U.S. could launch terrorist strikes against that country’s critical infrastructure in order to damage the economy and terrorize the population.  To increase the impact of their actions on the civil population, antagonistic states and groups could also resort to terrorist attacks using weapons of mass destruction (WMD) including small nuclear bombs and chemical and biological agents.  Thus, in conjunction with measures taken to protect its vital computer systems, the U.S. has also improved its capacity to deal with the consequences of terrorist attacks with weapons of mass destruction.

Given the emphasis on the protection of the population and the infrastructure within the continental United States, the measures taken by the U.S. government to counter asymmetrical threats are often grouped within what is called homeland defence.   The key elements of homeland defence include two Presidential Decision Directives of 1998:  PDD-62, which was aimed at increasing the capacity of civilian police and medical officials as well as some military units to deal with the consequences of WMD attacks; and PDD-63, which sought to improve the coordination of the various agencies involved in protecting information technology systems. These agencies include:  the National Infrastructure Protection Centre (NIPC), within the Federal Bureau of Investigation (FBI), which is the focal point for threat assessment, warning, investigation, and response to threats to or attacks against the critical infrastructure; and the Critical Infrastructure Assurance Office (CIAO), housed within the Commerce Department, which is involved in the coordination of U.S. Government initiatives.  The U.S. Space Command was designated as the lead organization for the protection of military computer systems.  The complex inter-agency process involved in dealing with cyber-related issues was described in the National Plan for Information Systems Protection issued by the U.S. Government in January 2000.  The new Bush Administration also gives a high priority to critical infrastructure protection, but has announced its intention of producing a new version of the National Plan by late 2001.

Critical infrastructure protection is inevitably complex because it involves privately owned elements as well as government and military ones.  Indeed, government and military systems represent a relatively small portion of the U.S. critical infrastructure when compared to the extensive privately owned and operated systems in the banking, commercial, and public utilities sectors.  Thus, part of the efforts deployed by the U.S. Government to protect the infrastructure involves close cooperation with the private sector in order to:   raise awareness of the issues; and improve coordination – between corporations and government agencies – of measures to deal with cyber attacks.  However, the interconnection between computer systems does not end at borders, and the cooperation of other countries is also crucial in critical infrastructure protection.

CANADIAN INITIATIVES

Indeed, as already demonstrated on numerous occasions, hacking and other types of cyber attacks against U.S. systems can have serious repercussions for the critical infrastructure of many other countries.  Banking, commercial, and government systems throughout the world are so interrelated that few countries can afford to neglect preparations to deal with the consequences of deliberate or accidental interference.  Thus, in February 2001, Prime Minister Jean Chrétien announced the establishment within the Department of National Defence of the Office of Critical Infrastructure Protection and Emergency Preparedness (OCIPEP) which has the task of developing and implementing a comprehensive approach to the protection of Canada’s critical infrastructure.   The new agency encompasses the functions of what used to be called Emergency Preparedness Canada since it may have to deal with the consequences of disruptions in computer systems monitoring or the operation of physical elements of the critical infrastructure such as hydroelectric dams and oil pipelines.  The emergency preparedness side of the agency will also continue to prepare for, and respond to, natural disasters and other situations unrelated to cyber attacks as Emergency Preparedness Canada did in the past.  Indeed, a high level of preparedness will no doubt have to be maintained if only because of the possible increase in the number of extreme weather events due to climate change.  However, the creation of a new agency is also aimed at bringing Canada’s critical infrastructure protection up to speed in light of developments in the U.S. and in other countries.  In terms of cyber attacks, Canada does not necessarily face as great a threat as the U.S. which is the main target of a number of antagonistic states around the world.  
However, Canada cannot afford to lag too far behind its allies in the protection of its critical infrastructure because there is always a possibility that terrorist groups could launch attacks against the U.S. through Canada.  Besides, Canada might suffer collateral damage as a result of cyber or WMD attacks within the U.S., regardless of the route chosen by antagonistic states and groups to carry out their aggression.

Nevertheless, despite the creation of OCIPEP, the Solicitor General remains the lead minister for public safety in Canada.  Indeed, as the minister responsible for OCIPEP, the Minister of National Defence will collaborate closely with the Solicitor General and other ministers to ensure a coherent and comprehensive national approach to critical infrastructure protection and emergency preparedness.  Thus, the new office will not take over or coordinate the work of the Canadian Security Intelligence Service (CSIS) and the R.C.M.P. in assessing and dealing with the terrorist threat.  It will instead cooperate with them and rely on their assessments of potential threats, as pointed out by Margaret Purdy, the Associate Deputy Minister of National Defence, who is responsible for OCIPEP within the department, during the 29 May 2001 meeting of the Standing Committee on National Defence and Veterans Affairs of the House of Commons.  The office will also benefit from the ongoing work of organizations within the Department of National Defence involved in the protection of military and government computer systems.  One of these organizations is the Communications Security Establishment (CSE) which advises government departments on network security by providing, for example, threat risk assessment support services.

However, as in the U.S., ensuring the security of military and federal government information technology systems is only one element of critical infrastructure protection.  After all, as the Minister of National Defence pointed out in a 26 June 2001 speech during the World Conference on Disaster Management held in Hamilton, Ontario, only about 10% of Canada’s critical infrastructure is owned or operated by the federal government.  Although private infrastructure owners and operators have developed their own information technology security programs, considerable work remains to be done to improve cooperation such as information-sharing between the public and the private elements of Canada’s critical infrastructure.  Thus, as part of its development of a National Framework for critical infrastructure protection, OCIPEP will not only work to improve the federal government’s capacity to protect its information technology systems, but also develop partnerships with private infrastructure owners and operators and with business organizations such as the Canadian Chamber of Commerce and the Canadian Bankers Association.  However, even if the protection of Canada’s information technology systems against intentional disruptions is maintained at a high level, the country may still have to deal with major natural disasters and cannot afford to be complacent about emergency preparedness.  Thus, on 26 June 2001, the Minister of National Defence also announced that the Government of Canada will begin consultations, led by OCIPEP, with the provinces and the territories and with the private sector in order to develop a National Disaster Mitigation Strategy aimed at saving lives and reducing the impact of disasters.

Indeed, the efforts deployed to protect information technology systems and to bolster emergency preparedness are in keeping with the growing recognition over the years that a country’s security depends on more than its ability to defend itself against attacks by foreign military forces.  In the absence of a sufficient capacity to counter the terrorist threat and to mitigate the effects of major natural disasters, a country could face serious social and economic disruptions which could seriously undermine its security.  Thus, the protection of the critical infrastructure will likely continue to be a major preoccupation of the Canadian government for some time to come, especially because considerable work remains to be done in the development of closer cooperation between the public and private sectors.