Critical infrastructure

Updates

SpaceX has overcome a major regulatory hurdle in its ambitious plan to provide global Internet connectivity from space. The US Federal Communications Commission (FCC) approved the company’s request to launch an additional 7 518 satellites into space on 15 November 2018. SpaceX now has permission to launch nearly 12 000 satellites into orbit following an earlier approval by the FCC in March 2018 for a constellation of 4 425 satellites. SpaceX has also been authorised to add 37.5-42.0 GHz and 47.2-50.2 GHz frequency bands to its previously authorised non-geostationary satellite orbit (NGSO) constellation.

The unique value of the satellite Internet constellation, named Starlink, is that it will maintain a line of sight to connect everyone on Earth, thereby providing global Internet connectivity. The approval also grants SpaceX the flexibility to provide both diverse geographic coverage and the capacity to support a wide range of broadband and communications services for residential, commercial, institutional, governmental, and professional users in the USA and globally.

US President Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018 into law. The bill redesignates the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) as the Cybersecurity and Infrastructure Security Agency (CISA). The new agency’s responsibilities will include ensuring cybersecurity and critical infrastructure security, coordinating with federal and non-federal entities, and DHS's responsibilities concerning chemical facility antiterrorism standards. It will consist of the Cybersecurity Division, the Infrastructure Security Division, and the Emergency Communications Division.

At the opening of the annual UN Internet Governance Forum (IGF), held at UNESCO premises in Paris, French President Emmanuel Macron launched the ‘Paris Call for Trust and Security in Cyberspace’, a high-level declaration on developing common principles for securing cyberspace. The Paris Call builds on the WSIS Tunis Agenda’s definition of the ‘respective roles’ of states and other stakeholders. It also resonates with the UN Group of Governmental Experts’ reaffirmation that international law applies to cyberspace. The declaration calls for support to victims both during peacetime and armed conflict, reaffirms the Budapest Convention as the key tool for combating cybercrime, recognises the responsibility of the private sector for the security of its products, and calls for broad digital cooperation and capacity-building. It then invites signatories, among other things, to prevent damage to the general availability or integrity of the public core of the Internet, foreign intervention in electoral processes, ICT-enabled theft of intellectual property for competitive advantage, and ‘hacking back’ by non-state actors. The Paris Call has strong initial support from hundreds of signatories, including leading tech companies and many governments. Yet the USA, Russia, and China are missing. The declaration and its effects will be discussed again during the Paris Peace Forum in 2019, as well as during the IGF 2019 in Berlin.

Two new resolutions on cybersecurity issues have been adopted by the UN First Committee of the General Assembly (GA): one proposed by Russia, by a vote of 109 in favour to 45 against, and the other by the USA, with 139 in favour to 11 against. The resolution proposed by Russia (A/C.1/73/L.27.Rev.1), which has undergone a number of changes since the draft was introduced in mid-October, establishes an open-ended working group, to initially convene in June 2019, which will involve all interested states, hold intersessional consultations with business, NGOs and academia, and report to the UN GA in autumn 2020. The group is mandated to, on a consensus basis, further develop the eleven norms of the 2015 report of the GGE (spelled out again in the resolution, but with certain changes in wording compared with the GGE report) as well as the role of the private sector and civil society, and to discuss their implementation; it will also discuss models for ‘regular institutional dialogue with broad participation’ under the UN. The US resolution (A/C.1/73/L.37) underlines the reports of the UN GGE (2010, 2013, and 2015), and calls for the establishment of another GGE, mandated to further study norms, confidence-building measures and capacity-building measures, taking into account their effective implementation, and to report to the UN GA in autumn 2021. It particularly suggests that the report should contain written national submissions on how international law applies to cyberspace. It also invites UNODA to conduct consultations with regional organisations (namely the AU, EU, OAS, OSCE and the ASEAN Regional Forum), and the UN GGE chair to organise two open-ended informal consultative meetings with all interested states.

The Office of the Director of National Intelligence (ODNI), the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Homeland Security (DHS) of the US have issued a joint statement on combating foreign influence in US elections. The agencies stated that ongoing campaigns by Russia, China and other foreign actors, including Iran, aim to undermine confidence in democratic institutions, and influence public sentiment and government policies. The agencies are concerned that these activities also may try to influence voters in the 2018 and 2020 US elections. According to the agencies, using social media to amplify divisive issues, sponsoring specific content in English-language media like RT and Sputnik, seeding disinformation through sympathetic spokespersons regarding political candidates, and disseminating foreign propaganda, are some of the forms these campaigns can take. There is currently no evidence of a compromise or disruption of the voting infrastructure that would enable adversaries to prevent voting, change vote counts or disrupt the tallying of votes in the midterm elections. The statement points out that the US government is tirelessly working to identify and counter threats to the electoral process, and recommends that the US public, government officials, political candidates and their campaigns follow cybersecurity guidelines and be responsible consumers of information in order to mitigate adversarial efforts.

The US Department of Defense (DoD) has published its 2018 DoD Cyber Strategy, which directs the DoD to defend forward, shape the day-to-day competition, and prepare for war. According to the document, the DoD will defend forward to disrupt or stop malicious cyber activity at its source, and it will pre-empt, defeat, or deter malicious cyber activity targeting US critical infrastructure. The DoD also aims to shape the day-to-day competition with the USA’s strategic competitors who undermine the USA’s stability and prosperity, namely Russia and China. It will also prepare military cyber capabilities to be used in the event of crisis or conflict. Aside from competing and deterring in cyberspace, the strategic approach outlined by the DoD in the document also consists of building a more lethal Joint Force, expanding alliances and partnerships, reforming the Department, and cultivating talent.

Critical infrastructures (CI) can be defined loosely as ‘systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety’ (according to the IETF Security Glossary). Most countries have defined their own CI depending on their national context; in most cases, these include both core Internet and, more widely, ICT infrastructures (such as telecommunications networks), as well as transport, energy, and other key infrastructures that increasingly rely on ICTs.


Critical infrastructure protection

Critical (information) infrastructure protection (CIP) is ever more important because critical infrastructures depend increasingly on networks linked to the Internet. Many vital parts of global society ‒ including industries such as energy, water, and finance ‒ are becoming more and more dependent on the Internet and other computer networks as an information infrastructure. While allowing for resource optimisation, this also exposes them to the risk of a cyberattack or an Internet outage.

The history of the concept can be traced back to the 1998 US Presidential Decision Directive PDD-63, which set up a national programme of Critical Infrastructure Protection. The aim was to secure infrastructures of national importance from cybersecurity risks. Over the last 15 years the concept of CI has broadened to cover the supply chain as well as physical damage from natural hazards and targeted physical attacks.

In 2007, the IETF added Critical Information Infrastructures to the Internet Security Glossary (RFC 4949). The definition adopted by the IETF (presented at the beginning of this description) shows that while ICT can be a CI in itself, the implementation of ICTs in our daily activity has made it a transversal subject. In order to face cyber risks, many countries and even some larger institutions have developed teams of individuals who can respond in case of emergency. This type of team is often called a Computer Emergency Response Team (CERT), but other variations are Computer Emergency Readiness Team or Computer Security Incident Response Team (CSIRT). In the case of nation states, these teams are often characterised by strong public-private partnerships (PPP), as many CIs are in the hands of the private sector. The policies pertaining to information infrastructure are often called Critical Information Infrastructure Protection (CIIP) policies.

The USA’s approach

The US Presidential Decision Directive PDD-63 was updated in 2003 through Homeland Security Presidential Directive 7 on Critical Infrastructure Identification, Prioritization, and Protection. This update broadened the definition of infrastructure to the physical and virtual systems that are ‘so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’. In 2013, it was replaced by PPD-21 on Critical Infrastructure Security and Resilience, with the intention of advancing national efforts to ‘strengthen and maintain secure, functioning and resilient critical infrastructure’. The policy directive was accompanied by Executive Order 13636, ‘Improving Critical Infrastructure Cybersecurity’. The National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity in February 2014. The document provides generic guidance on how companies and institutions in charge of CI can organise and improve their cybersecurity, and mitigate and recover from a cyberattack.

The European Union’s approach

In the European Union, the European Programme for Critical Infrastructure Protection (EPCIP), presented by the European Commission in 2006, outlined a series of principles, processes and instruments proposed for its implementation. A complementary CIIP action plan was also set out, built on five pillars: preparedness and prevention, detection and response, mitigation and recovery, international cooperation, and criteria for European Critical Infrastructures in the field of ICT. Directive 2008/114/EC on the identification and designation of European critical infrastructures followed, with the aim of setting up a ‘procedure for the identification and designation of European critical infrastructures (‘ECIs’), and a common approach to the assessment of the need to improve the protection of such infrastructures in order to contribute to the protection of people’. The proposal for a Network and Information Security Directive (proposed by the European Commission in 2013 and agreed upon by Parliament, Council and Commission in December 2015), paired with the EU Cybersecurity Strategy, sets out more specific guidance to member states on CIIP measures, including the setting up of CERTs. At the same time, the European Union Agency for Network and Information Security (ENISA) is in charge of following up on the implementation of CIIP measures, and of providing capacity-building measures and resources. ENISA works closely with national CERTs.

The OECD’s approach

The OECD Recommendations on CIIP (2008) set out a number of steps for member states. At the national level, states are invited to adopt high-level policy objectives, develop a national strategy, identify the government agencies and organisations responsible for CIIP, develop an organisational structure for prevention and response (including CERTs), consult with the private sector and build trusted public-private partnerships, facilitate information sharing while acknowledging the sensitivity of certain information, conduct risk assessments, etc. At the international level, states are encouraged to enhance information sharing and strengthen cooperation across institutions in charge of CIIP.

The approach of the Organization of American States

The Organization of American States (OAS), through General Assembly resolution AG/RES 1939 (XXXIII-O/03) of 2003, has an Inter-American Cyber-Security Strategy which pools the efforts of three existing, related groupings of the organisation: the Inter-American Committee against Terrorism (CICTE), the Meetings of Ministers of Justice or Other Ministers or Attorneys General of the Americas (REMJA), and the Inter-American Telecommunication Commission (CITEL). These groups cooperate to implement programmes that will prevent cybercrime by, among other things, protecting critical infrastructure through legislative and other procedural measures.

In 2007, the International Telecommunication Union (ITU), in cooperation with the Center for Security Studies of ETH Zurich, provided a generic national framework for CIIP, with a number of action pillars. ETH Zurich also published the International CIIP Handbook 2008/2009, with an inventory of 25 national and seven international CIIP policies.

Events

Actors

(CCDCOE)

As a multinational and interdisciplinary hub of cyber defence expertise, the Cooperative Cyber Defence Centre of Excellence involves experts with military, government, and industry backgrounds and provides an international ‘360-degree’ look at cyber defence. The CCDCOE organises the world’s largest and most complex international technical cyber defence exercise, Locked Shields, and the annual conference on cyber conflict, CyCon. The CCDCOE’s Tallinn Manual is a very detailed and elaborate study on how international law applies to cyberspace with regard to warfare.

(OECD)

Convergence is one of the digital policy issues that the OECD is paying attention to, especially in relation to the challenges this phenomenon brings on traditional markets, and the need for adequate policy and regulatory frameworks to address them. In 2008, the organisation issued a set of policy guidelines for regulators to take into account when addressing challenges posed by convergence. In 2016, a report issued in preparation for the OECD Ministerial Meeting on the Digital Economy included new recommendations for policy-makers. Digital convergence issues have been on the agenda of OECD Ministerial meetings since 2008, and are also tackled in the regular OECD Digital Economy Outlook report.

(ENISA)

As part of its mission to support the EU and its member states in dealing with network and information security issues, ENISA has been paying attention to issues related to the protection of critical infrastructure and services. In 2015, it published a study on ‘Methodologies for the identification of critical information infrastructure assets and services’. Another study, ‘Stocktaking, analysis and recommendations on the protection of CIIs’, was released in 2016 and looks at the various approaches taken by member states to protect critical information infrastructures. ENISA also assessed the economic impact of incidents that affect CIIs in a 2016 study.

(ICANN)

ICANN is responsible for coordinating the evolution and operation of the Domain Name System. The organisation coordinates the allocation and assignment of names in the root zone of the DNS, and the development and implementation of policies concerning the registration of second-level domain names in generic top-level domains (gTLDs). It also facilitates the coordination and evolution of the DNS root name server system. When it comes to gTLDs, ICANN concludes agreements with registry operators (for the administration of each gTLD), and accredits registrars. In the case of country code top-level domains (ccTLDs), ICANN only goes as far as (re)delegating them on the basis of some high-level guidelines.

(ITU, UIT)
The ITU Telecommunication Standardization Sector (ITU-T) develops international standards (called recommendations) covering information and communications technologies. Standards are developed on a consensus-based approach, by study groups composed of representatives of ITU members (both member states and companies). These groups focus on a wide range of topics: operational issues, economic and policy issues, broadband networks, Internet protocol based networks, future networks and cloud computing, multimedia, security, the Internet of Things and smart cities, and performance and quality of service. The World Telecommunication Standardization Assembly (WTSA), held every four years, defines the next period of study for the ITU-T.

(EU)

In establishing its digital single market, the EU has progressively developed a dense body of copyright legislation corresponding to a set of ten directives, which harmonise the essential rights of authors, performers, producers and broadcasters. To ensure EU copyright rules are fit for the digital age, the European Commission has recently presented legislative proposals to modernise the EU legal framework, in order to allow more cross-border access to content online, wider opportunities to use copyrighted materials in education, research and cultural heritage, and a better functioning copyright marketplace.

Instruments

Conventions

Resolutions & Declarations

Standards

Request for Comments (RFC) dealing with Critical Information Infrastructure (2015)

Recommendations

Other Instruments

Patriot Act (2001)

Resources

Publications

Internet Governance Acronym Glossary (2015)
An Introduction to Internet Governance (2014)

Reports

Towards a secure cyberspace via regional co-operation (2017)
One Internet (2016)

GIP event reports

Closing session: Implementation of the Cape Town Global Action Plan for Sustainable Development Data – the way forward (2018)
Digital trade - Global anarchy or revival of rule-based world order? (2018)
Competition issues in the context of technology and internet-based firms (2018)
The Proposal for a Digital Geneva Convention – Implications for Human Rights (2017)
Report for World Economic Forum Annual Meeting 2017 (2017)

Processes

13th IGF 2018

WSIS Forum 2018

12th IGF 2017

IGF 2016

WSIS10HL

IGF 2015

In general, the workshops on infrastructure focused on specific areas, such as IXPs, spectrum, interconnection, and IPv6. The often technical discussions touched on other issues, such as sustainable development and security. Compared with other areas, few workshops on infrastructure were scheduled.


There must be a commercial rationale for IXPs to be more widely introduced and for actors to identify with them. IXPs: Driving Connectivity and Local Economies (WS 171) served to showcase the success of some regions in establishing IXPs. Canada, for example, has 7 IXPs, whereas the Caribbean region has 11 IXPs. Accounting for this success, especially in the Caribbean, is the fact that regulators are not running them but simply playing a mediatory role. The discussion provided further insights into the current usage of IXPs in developed and developing countries, and offered suggestions for successful uptake. Among these are that IXPs should be community-led rather than having a top-down structure, that they should have a reasonable governance structure, and that they should be not-for-profit organisations. More case studies were presented during Ensuring Sustainability for IXPs in the Developing World (WS 201), which concluded that, as in many areas of Internet governance, one size does not fit all when it comes to the governance of IXPs.

The topic of protection of key Internet resources resurfaces in digital policy discussions from time to time. In The Global ‘Public Interest’ in Critical Internet Resources (WS 52), it was concluded that an open process of running the infrastructure of the Internet was crucial. The discussion centred on how the Internet, as a global resource, could be managed in an open and inclusive manner that serves the public interest.
It is interesting to note that the panellists could not agree on a definition of public interest in order to determine what this means with respect to critical Internet resources. In Spectrum Allocations: Challenges & Opportunities at the Edge (WS 188), panellists discussed how new technology, including geo-satellites, orbits, high-altitude platform services, drones, and ‘balloons’, was putting pressure on the use of spectrum. There are various opportunities, including the development of software for spectrum management.
But just as software was introduced into the management of taxis, resulting in huge efficiencies but at the same time many social and economic downsides, we can either wait for the ‘Uberisation’ of spectrum management to happen, or regulate and manage the process in order to maximise the benefits of software.
In relation to the deployment of IPv6, further discussions on the persistent problem of the depletion of IPv4 addresses took place during the Best Practices Forum (BPF) on Creating an Enabling Environment for IPv6 Adoption. Although the pool of IPv4 addresses is running out at an alarming rate, the panel agreed that the deployment of IPv6 is happening, albeit at its own pace. It was predicted that next year’s BPF will most likely focus on the economic aspects of IPv6 deployment.
