Public-Private Information Management to Advance Critical Infrastructure Protection
Published online by Cambridge University Press: 20 January 2017
This article focuses on the information requirements of public and private stakeholders engaged in critical infrastructure protection (CIP). With its emphasis on information management rather than information sharing, the article builds on existing research suggesting that the notion of information sharing inadvertently renders cooperation more difficult as it evokes impressions of information “dominance” rather than joint information ownership. The article proposes a joint public-private information management agenda based on core issues providing actionable information to tackle immediate threats and crosscutting issues looking at the long-term issues that are relevant to understand the overall context in which critical infrastructure development occurs.
1 Borchert, Heiko, “Homeland Security and Transformation: Why It Is Essential to Bring Together Both Agendas”, in Brimmer, Esther (ed.), Transforming Homeland Security. US and European Approaches (Washington, DC: Center for Transatlantic Relations, 2006), pp. 3–22, at p. 4.
2 Willis, Henry H., Lester, Genevieve, and Treverton, Gregory F., “Information Sharing for Infrastructure Risk Management: Barriers and Solutions”, 24 Intelligence and National Security (2009), pp. 339–365, at p. 362. Emphasis added.
3 Although somewhat dated, one of the best studies advocating CIP-related information policies built on the principle of active sharing rather than confidential information treatment still is: Baird, Joe, Barksdale, James, and Vatis, Michael A., Creating a Trusted Network for Homeland Security. Second Report of the Markle Foundation Task Force (New York: Markle Foundation, 2003).
4 Infrastructure collocation refers to the growing trend of bundling several types of infrastructure in the same infrastructure corridor, such as railways located close to roadways, and pipelines that are used as carriers for communication cables.
5 Willis/Lester/Treverton, “Information Sharing for Infrastructure Risk Management”, p. 346.
6 The threat of organized crime for CI owners and operators very much depends on the nature of the overall business and the extent to which certain CI sectors might have been infiltrated by organized crime.
7 APT1. Exposing One of China's Cyber Espionage Units (Alexandria: Mandiant, 2013).
8 For example, Swiss experts briefly considered this option in Summer 2011 when drafting the country's new cyber security strategy, but dropped the idea in the end.
9 Inquiry into Counterfeit Electronic Parts in the Department of Defense Supply Chain (Washington, DC: US Senate Committee on Armed Services, 2012); Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage (Washington, DC: US-China Economic and Security Review Commission, 2012); The National Security Implications of Investments and Products from the People’s Republic of China in the Telecommunications Sector (Washington, DC: US-China Economic and Security Review Commission, 2011).
10 Quotations in this paragraph are from: BCI, “What is BC?”, available on the Internet at <http://www.thebci.org/index.php/resources/what-is-business-continuity> (last accessed on 27 November 2014).
11 CI owners and operators are likely to prioritize the needs of their customers when incidents occur. The prioritization should be brought in line with overall considerations for national preparedness in times of crisis. Thus CI owners and operators need to know if and to what extent they are serving clients that are considered as CI owners and operators in another sector.
12 Dan Bilefsky, “France arrests 3 with drones by power plant”, New York Times, 6 November 2014, available on the Internet at: <http://www.nytimes.com/2014/11/07/world/europe/3-found-with-drones-near-nuclear-plant-are-questioned-in-france.html?_r=0> (last accessed on 27 November 2014).
13 Graham, Edward M. and Marchick, David M., US National Security and Foreign Direct Investment (Washington, DC: Institute for International Economics, 2006); Larson, Alan P. and Marchick, David M., Foreign Investment and National Security (New York: Council on Foreign Relations, 2006); Mehr Schutz vor ausländischen Investoren? Wirtschaftliche und EU-rechtliche Aspekte der geplanten Beschränkung ausländischer Beteiligungen an deutschen Unternehmen (Berlin: BDI/Freshfields Bruckhaus Deringer, 2008).
14 How to best organize a regulatory dialogue very much depends on the national political system. Countries with a Cabinet structure, for example, could opt for the Cabinet Office to set up the respective regulatory dialogue. Another option would be to designate a single lead agency to establish the regulatory dialogue. In this case, the competent agency in charge of the national CIP program could be a candidate in order to make sure that strategy development and overall regulatory considerations evolve hand in hand.
15 Expert interview, Bern, 14 April 2011.
16 See for example: Entwurf eines Gesetzes zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz), Bundestagsdrucksache 18/4096, 25 February 2015, available on the Internet at <http://dip21.bundestag.de/dip21/btd/18/040/1804096.pdf> (last accessed on 25 May 2015); Proposal for a Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union, COM(2013)48, Article 14, at p. 24.
17 I am grateful to Genevieve Lester for addressing this issue during the CIP Symposium at the University of St Gallen (Switzerland) in May 2014.
18 For more on this, see: Eric Weiss, N., Cybersecurity and Information Sharing: Legal Challenges and Solutions (Washington, DC: Congressional Research Service, 2015); Luiijf, Eric and Kernkamp, Allard, Sharing Cyber Security Information. Good practice Stemming from the Dutch Public-Private Participation Approach (The Hague: TNO, 2015); Mandy Messenger, Why Would I Tell you? Perceived Influences for Disclosure Decisions by Senior professionals in Inter Organisation Sharing Forums, Manuscript, August 2005, available on the Internet at <http://collection.europarchive.org/tna/20141002130836/http:/warp.gov.uk/downloads/Why-would-I-tell-you.pdf> (last accessed on 25 May 2015).