Cyberattacks and the debate over what counts as super-critical infrastructure.

The Irritating Debate Damaging Efforts to Keep Infrastructure Safe From Cyberattacks

The citizen’s guide to the future.
Dec. 9 2014 7:13 AM
FROM SLATE, NEW AMERICA, AND ASU

War of the Words

If the government wants to protect infrastructure from cyberthreats, it needs to figure out what’s “super critical” and what’s just “critical.”

Critical or super-critical?

Photo illustration by Lisa Larson-Walker. Photos by Getty Images and Thinkstock.

If all you’re doing to protect yourself from online hackers is changing your password regularly, it’s a step in the right direction (though it’s not a good idea to keep credentials in a document named “Passwords”). But if you’re a government trying to protect infrastructure critical to keeping your country running—like electric power grids, banking institutions, airline and traffic controls, universities, and telecommunication structures—you need a lot more than a good password to stave off cyberthreats.

In a 2014 Global Risks report, the World Economic Forum lists the “failure to adequately invest in, upgrade and secure infrastructure networks” as a top threat to the global economy. Cyberattacks targeting physical infrastructure like the water supply, chemical plants, and public health care services form the basis for nearly every “cybergeddon” scenario you’ve seen in science fiction or former Defense Secretary Leon Panetta’s nightmares.

And while cybergeddon is still a long way off, there have been some instances of hackers targeting these types of infrastructures. Iranian hackers, for instance, have spent the past two years infiltrating some of the world’s top energy, transport, and telecommunication companies, according to a report published by U.S. cybersecurity firm Cylance.

Protecting these infrastructures is a no-brainer. But the task gets more difficult when it becomes necessary to sort out which infrastructures are critical to the country and which ones aren’t or, at least, are less critical. As physical infrastructures, like energy-producing power plants, and the information infrastructure that supports them, like telecommunication systems, become increasingly interconnected, nearly every type of national infrastructure is being labeled “critical.” In fact, the Department of Homeland Security now uses this classification for 16 infrastructure sectors, including transportation systems, dams, financial services, and nuclear reactors.

In an effort to narrow this list, experts and government officials are now using terms like “super-critical” and “covered critical” infrastructure, to distinguish which of these infrastructures are super important to national security and which ones are only kind of important. But the problem with these attempts to prioritize critical infrastructure sectors is that these terms are applied inconsistently, and there seems to be disagreement, or at least ambiguity, surrounding what infrastructure is the most critical.

This is a major problem. It causes confusion among policymakers and experts and leads to inefficiency in curing defects within these infrastructures that could make them vulnerable. To allocate the limited government resources needed to protect these systems and infrastructures, there needs to be a clear, straightforward prioritization of these infrastructure sectors.

President Obama defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters,” according to Executive Order 13636. This was an effort to clarify which infrastructures are particularly vital to national security, because previous attempts to designate certain infrastructure as “covered critical” based on an assessment of their “cybersecurity threats, vulnerabilities, risks, and probability of a catastrophic incident” didn’t seem to do the trick. But now, “super-critical” is being used to narrow the list of critical infrastructure.

So how has the term been defined so far?

In some cases, super-critical infrastructure refers simply to infrastructure that is exceptionally important for national security. Take for example an article in Intelligent Utility titled “The Electric Grid: Society’s Emerging Supercritical Infrastructure,” which states that “life is simply inconceivable or unviable without the essential commodity/service this grid provides, more primary in nature than the rest [of critical infrastructures].” Another piece called “Media, Fear and the Hyperreal: The Construction of Cyberterrorism as the Ultimate Threat to Critical Infrastructures” categorizes “computerized systems as a super-critical infrastructure and thus the Achilles heel of advanced industrial societies.” Used this way, super-critical infrastructures are those so integral to the functioning of a modern society that a threat to their integrity would have severe implications for welfare. This definition seems to align with the president’s.

But “super-critical” has also been used in other places to describe infrastructure that is somehow above or on top of what we consider critical infrastructure. It could be “the networks, lines and equipment of private sector information and communications providers who support the [critical infrastructure, consequential infrastructure, and common infrastructure],” according to a report by the World Federation of Scientists, which includes more than 10,000 scientists from 110 countries.

This might be more appropriately called “supra-critical” since, according to this understanding, “super-critical” infrastructure is composed of the networks and equipment that supports things like the electric grid, banking and finance, water supply, transportation, aviation, rail, emergency law enforcement, emergency fire services, oil and gas production and storage, and public health services, which are themselves considered super-critical under other definitions.

To complicate things even further, some usages touch on both definitions. For example, the 2011 International Telecommunication Union report “The Quest for Cyber Peace” outlines all of the infrastructures that it considers “critical,” such as health care, oil and gas transportation, and financial infrastructures, and then highlights “the communication systems and utility grids as the ‘super critical’ infrastructures upon which all others are dependent.” This usage highlights how convoluted the various critical infrastructure definitions are. In one definition, the infrastructures themselves are treated as “super critical,” in the other, only the support systems that allow these infrastructures to function are “super critical,” while in yet another, both the infrastructures and their support systems are considered “super critical.”

This ambiguity isn’t just frustrating—it’s potentially dangerous. Economic and social welfare, not to mention national security, depend on these infrastructures. Government budgets must prioritize the greatest threats to national security, and therefore, the reclassification and reprioritization of critical infrastructures matters. Government officials and security experts should consider ranking infrastructure according to how disruptive its failure would be to national security, from “minimally important” to “super-critical,” as suggested by Dave Clemente at Chatham House.

It’s also important to clear up the super-critical infrastructure terminology in order to clarify what kind of an attack might warrant a military response. If a dam is attacked by another state or nonstate actor resulting in floods that harm nearby homes or people, will that be interpreted as an act of war? What about an attack targeting multiple banks that causes only financial harm? In September of this year, Chinese hackers gained access to the U.S. federal weather network. The National Oceanic and Atmospheric Administration, which includes the National Weather Service, had to seal off data that dealt with disaster planning, aviation, and shipping, according to officials who spoke to the Washington Post. Although Chinese officials denied any responsibility for the attack, NOAA confirmed to members of Congress that the Chinese government was behind the incident.

Whether the National Weather Service’s data falls under the umbrella of super-critical infrastructure is murky under the current definition. And until the United States has a workable, finite, and ranked list of super-critical infrastructures, whether cyberattacks like these fall under acts of war (and therefore the appropriate and legal response to them) will remain ambiguous.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.