Home : SSI Media : Recent Publications
Jan. 6, 2023

“Understanding Critical Infrastructure” from Enabling NATO’s Collective Defense CISR (NATO COE-DAT Handbook 1)

By Ronald Bearse

This podcast based on Chapter 1 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1 answers the questions: What is critical infrastructure? Why is it important? What is the difference between critical infrastructure protection (CIP) and critical infrastructure security and resilience (CISR)? What are some of the key terms defined in national CISR policy? What are the core areas of activity or work streams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?

The answers to these specific questions provide the contextual basis for understanding why CISR is a quintessential societal task for maintaining national security, economic vitality, and public health and safety in a world filled with increasing levels of risk. For NATO member states, building and enhancing CISR at the national level is necessary to safeguard societies, people, and shared values and also provide the foundation for credible deterrence and defense and the Alliance’s ability to fulfill its core tasks of collective defense, crisis management, and cooperative security.



Click here to read the book.

Click here to watch the webinar.

Keywords: CBRNE, critical infrastructure, cyber threats, crisis management, security risk assessment, CISR

Episode transcript “Understanding Critical Infrastructure” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1)

Stephanie Crider (Host)

You’re listening to Conversations on Strategy.

The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.

Conversations on Strategy welcomes Ronald Bearse, author of “Understanding Critical Infrastructure,” featured in Enabling NATO’s Collective Defense: Critical Infrastructure and Resiliency. Bearse is an expert in critical infrastructure protection and national preparedness, with more than 23 years of experience in the US Department of Defense, Homeland Security, and Treasury.

Ron, welcome to Conversations on Strategy. You recently contributed to a book, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. I’m looking forward to hearing about your chapter, but first, thank you for being here.

Ronald Bearse

Well thanks Steph. Yeah, I’m happy to discuss that with you today.

Host

What is critical infrastructure?

Bearse

Although there’s no real global or standard or universal definition of critical infrastructure, most, if not all, European and NATO nations, which have a national CIP or CISR policy or national plan, define critical infrastructure as those physical and cyber systems, facilities, and assets that are so vital that their incapacity or their destruction would have a debilitating impact on a nation’s national security, economic security, or national public health and safety.

We kind of understand them (and most people do) as those facilities and services that are so vital to the basic operations of a given society 9like the one we live in) or those without which the functioning of a given society would be greatly impaired. In our book, for example, we talk about critical infrastructure sectors. Here in the United States, for example, we have 16 critical infrastructure sectors where assets and systems and networks, whether they’re physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national economic security or public health and safety. Those sectors include, here in the United States, and for most Western nations, the same types and same sectors, such as the chemical sector or the dam sector, commercial facilities. Communications sector. Critical manufacturing. The defense industrial base. Emergency services obviously is one. Energy. Financial services sector, food, agriculture, government facilities, healthcare and public healthcare sector. Information. Information and technology. Nuclear reactors, materials and waste sector. The transportation infrastructure sector is huge as well. As well as water and wastewater systems. So there are a number of economic areas, and we call them sectors, that have critical infrastructure, the loss of which would really be a problem.

Within NATO, Allied Command Operations defines critical infrastructure as a nation’s infrastructure, assets, facilities, systems, networks, and processes that support the military, economic, political, and/or social life on which a nation and/or NATO depends.

NATO mission readiness depends on the assured availability of critical infrastructure. Let there be no mistake about that. Critical infrastructure, which I should mention is mostly owned by the private sector. For example, during large NATO operations for exercises, about 90 percent, and that’s nine zero percent, of military transport, relies on civilian ships and civilian railways or civilian aircraft.

Host

Why is critical infrastructure important?

Bearse

Critical infrastructure is vital because it enables a nation’s productivity and quality of life and economic progression by driving economic growth and creating jobs and improving efficiency. It also provides essential services, such as energy and water, electricity, and transportation. It also connects communities via transport and communications networks, which enables the flow of goods and information—not just across the country but between countries and across the world.

Another reason why it’s vital has to do with the fact that it’s highly interconnected today, Stephanie, meaning that critical infrastructure systems often depend on other areas or other critical infrastructure to operate. If it is severely disrupted or destroyed, it can cause severe catastrophic consequences, locally, regionally, nationally, and even globally. And also, if it happens in one sector, you can have cascading events that can cross over into other sectors as well. An increasing number of nations depend on critical infrastructure located in another country, or worse, controlled or operated or owned directly or indirectly by a foreign adversary. And yet another reason is that millions of critical infrastructure systems and the gazillions of devices which connect to them are connected to the Internet. And because of that, you know, we see that there is that vast increase of vulnerability attached with those devices.

We’ve all witnessed how COVID-19 and the ongoing Russian invasion of Ukraine have impacted critical infrastructure. The critical infrastructure of NATO and partner nations—those nations face a rising, unprecedented wave of malicious cyber activities and destabilizing and devastating consequences—and public and private entities that are indispensable to the functioning and well-being and cohesion of allied societies (such as energy providers and telecommunications operators and banks and hospitals). And we’re certainly aware of the current situation, hybrid warfare and real actual warfare at the conventional level. And Europe and Ukraine and seeing how critical infrastructure is being targeted that way.

Host

In the context of keeping critical infrastructure safe and functioning, what’s the difference between critical infrastructure protection and critical infrastructure security and resilience?

Bearse

Humankind has been protecting critical infrastructure for thousands of years, Stephanie. It goes back a long time. In the Peloponnesian Wars, infrastructure then that nations fought over included ships and grain and ports and brick walls around the cities, if you will. And wells where water was. And you know, 1,000 years later you had the fall of Rome. And with the fall of Rome, you had the contribution of the aqueducts falling apart for a variety of reasons. But again, critical infrastructure in the Roman Empire. The shift that has happened over the last 20 years alone is due to the fact that stakeholders have learned that it’s almost impossible to protect critical infrastructure from all the growing risk factors that they face—where we are moving from the protection of critical infrastructure to securing it and making it more resilient against threats. For example, when we talk about security. Security in the CISR, the S, if you will, means reducing the likelihood of successful attacks against critical infrastructure with the effects of natural or man-made disasters through the application of physical means or defensive cybersecurity measures. And resilience is the ability of critical infrastructure to resist, absorb, recover from, or successfully adapt to changing conditions, including attacks.

The concept of critical infrastructure security and resilience is particularly useful to inform policies that mitigate the consequences of such events and speak to the vital need, again, for nations to develop and implement a comprehensive risk-management strategy.

Karen McDowell, who 10 years ago was an information security analyst at the University of Virginia, said something that still haunts me and should actually haunt everybody listening in today. I believe she said, “public opinion isn’t going to lead the push to better protection of critical infrastructure since most people aren’t aware of the security issues and don’t even know that they are at risk, let alone understand the risks to critical infrastructure.”

Host

What are the core areas of activity or workstreams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations?

Bearse

There are really three essential tasks—assess the risk, improve security, enhance resilience, right? It’s all in those three. That’s the basic process. But the process of accomplishing those three tasks can be extraordinarily complex and a continuing challenge because it requires numerous what I call “streams of work” to be performed by a number of stakeholders—such as government agencies, (whether they’re federal, state, regional, other types of government agencies), the owners and operators in the private sector themselves of critical infrastructure, academicians, people who do research, subject matter experts, international organizations, technology vendors, people that run the ISACS (information sharing and analysis centers). I mean, there’s just many, many, many stakeholders out there. But what’s really, really important is that the major work streams basically include the following. All these are discussed in the book and how they are applied at different levels and case studies and whatnot. But we need to establish very clear roles and responsibilities for all stakeholders. That’s a major workstream just doing that—identifying and determining the criticality of a nation’s infrastructure. The protection of critical infrastructure is a national responsibility. NATO doesn’t go out and identify what’s critical for other nations. It’s up to that nation to do that. It’s up to that nation to figure out what they’re going to do. NATO can certainly help them. The nations help each other as well, and we certainly want to help our partner nations.

So another big workstream here is mapping critical infrastructure dependencies and interdependencies. Determining critical infrastructure vulnerabilities . . . I can’t say enough about that as a workstream. Using applicable risk management, risk analysis, and risk management tools, if you will. Risk assessment tools and approaches. A lot of different critical infrastructure sectors have defined some very good tools to use to do risk-based assessments. They are available to NATO and NATO partner nations.

Establishing crisis management capabilities is important. Another key workstream is establishing public-private partnerships between government and private-sector owners and operators of critical infrastructure Establishing and implementing collaboration and information-sharing mechanisms between government and the owners and operators is also important. Developing and exercising continuity of operations and information technology, disaster recovery plans, and providing physical and cyber security and resilience measures is a big workstream, if you will. Ensuring the integrity and security and continuity of critical infrastructure supply chains is huge. Expanding opportunities to deliver CISR education and training. Another key workstream, this one it’s dear to my heart, is implementing a robust (and when I say robust, I mean thorough) test training and exercise program to determine the extent to which a nation’s current CISR policy or legislation or plans, procedure, systems, research and development efforts, you name it, are either meeting, falling below, or exceeding prescribed requirements and established standards.

Another key part of the workstream that’s vital to this is fostering the local, regional, national, and international cooperation, collaboration, coordination, communication, and concentration that is required to produce results. So, one of the reasons why this book was actually published is because more nations need to be developing and implementing a national CISR policy.

There are many reasons, again, why countries haven’t started down this road, Steph. Let me just share with you the top five really quick. The top three basically, and I believe these are in the correct order, are money, money, and money. The fourth reason is that most countries have been protecting things that they deem important or critical the same way for many years. The military protects W and X. The minister of interior protects Y. And the Department of beta protects Z. And rarely do they coordinate their efforts due to turf, territory, and tradition. And the fifth reason revolves around the realization that CISR is complex, and it is one of the most difficult things a country can do. Even if it had the money and resources to do it.

The good news in this, Steph, is that the book that we are discussing today and it’s follow-on book provides several lessons to be learned as I call them. Good practices. Case studies, methods, tools, (and) approaches and experiences that are designed to promote the security and resilience of all NATO populations and strengthen their ability to function in a way that most people want them to during crisis management and to support collective defense or external operations. Failing to achieve CISR goals or objectives is going to reduce NATO’s mission capability and adversely impact member states’ collective societies because critical infrastructure is the foundation on which vital society and economic functions depend.

Host

Thank you so much for your time today, I really appreciate it.

Bearse

Thanks, Steph. It’s been a pleasure talking to you and your listening audience. And again, it’s a hot topic. It always will be. And it’s a great way for nations to strengthen their capabilities and for the avid reader in national security, if he really or she really wants to, wrap their head around why things are happening in today’s world and how we could get a better grip on preventing some of those bad things from happening, these books also represent good reads, so with that take care.

Host

Same to you, thank you.

Learn more about critical infrastructure, why it matters, and how to protect it in the monograph visit press.armywarcollege.edu/monographs/955.

If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.

Author information:
Ronald Bearse is an expert in critical infrastructure protection and national security preparedness, with more than 23 years of experience in the US Departments of Defense, Homeland Security, and Treasury. He is an adjunct professor at the Massachusetts Maritime Academy and an adviser to NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT), where he teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. Bearse earned an undergraduate degree in political science and Soviet studies from the University of Massachusetts at Amherst and a master of public administration degree from George Washington University. He is a distinguished graduate of the US National Defense University and a former senior fellow at George Mason University’s Center for Infrastructure Protection and Homeland Security