On Legally Defining Critical Infrastructure
Published online by Cambridge University Press: 20 January 2017
Regulation of critical infrastructure (CI) is in vogue; and accordingly every government presently develops legal governance regimes. In this paper, I try to analyse some of the present efforts to identify and govern CI. I argue that while the legal definitions introduced contribute little to the actual identification of critical infrastructure, they alter the responsibility and modus operandi of the identification. Political discretion is re-organized into administrative decisions. By relying on similar observations from risk sociology, I set out to criticize the present implementation for masking the hard political choices inherent in the work with CI, and thereby creating a dysfunctional governance regime for the protection of CI.
1 Obviously, the lack of well-developed infrastructure has other consequences for a society. For Lebanon, the lack of a wellfunctioning infrastructure might be the biggest factor limiting industrial and economic growth.
2 See Presidential directive PDD-63 of May 1998. Altered by Presidential Directive HSPD-7 for Critical Infrastructure Identification, Prioritization, and Protection from December 2003.
3 See the really well-written article on the Cold War's possible implications for urban planning in the US, Galison, Peter, ‘War against the Center’, Grey Room, 4 (2001), 5–33 CrossRefGoogle Scholar. According to Galison, the fear of a potential nuclear attack on a US city created ”the architectures of dispersion, counter-urbanization, and non-hierarchical grids”, ibid., at 33. The article convincingly points out that critical infrastructure planning is much older than the Clinton administration, even though the aim, means and the complexity of the exercise is changing.
4 Galison documents how difficult it was for the British to identify ”the interconnections that held together the German economy and war machine”, and how this exercise became self-reflexive during the cold war, ibid., at 8.
5 Or a complex adaptive system (CAS), see more with John H. Holland, ‘Studying Complex Adaptive Systems', Journal of Systems Science and Complexity, 19/1 (2006), 1-8.
6 See for instance the highly functional approach suggested by Ted Lewis in Lewis, Ted G., Critical Infrastructure Protection in Homeland Security. Defending a Networked Nation (Wiley, 2006)CrossRefGoogle Scholar. For a literature review putting emphasis on network theory, see Schintler, Laurie Anne et al., ‘Moving from Protection to Resilliency: A Path to Securing Critical Infrastructure', Critical Infrastructure. Reliability and Vulnerability (Springer, 2007) at 297f.Google Scholar
7 See for instance Murray, A.T. and Grubesic, T.H., Critical Infrastructure. Reliability and Vulnerability (Advances in Spartial Science: Springer, 2007)CrossRefGoogle Scholar. This anthology contains a number approaches using vulnerability analysis to model critical infrastructure protection within a given sector, hereunder transportation and electricity.
8 Schintler et al., ‘Moving from Protection to Resilliency: A Path to Securing Critical Infrastructure'. See also Boin, Arjen and Mcconnell, Allan, ‘Preparing for Critical Infrastructure Breakdowns: The Limits of Crisis Management and the Need for Resillience', Journal of Contingencies and Crisis Management, 15/1 (2007), 50–59 CrossRefGoogle Scholar. In this article the authors advocates to entirely leave behind traditional crisis thinking in conjuncture with accidents and disasters in the critical infrastructure and rather build and support local and community resilience. See also in this regard the influential mathematician and philosopher Nassim Nicholas Taleb, not least Taleb, Nassim Nicholas, The Black Swan (London; New York: Penguin Books, 2010).Google Scholar
9 Lazari, Alessandro, European Critical Infrastructure Protection (Springer, 2014) at 104.Google Scholar
10 See for instance the Swedish MSB's definition: “Fysisk struktur vars funktionaltiet bidrar till att säkerställa upprätthållande av viktiga samhällsfunktioner” [physical structures which function contributes to secure the maintainance of important society functions], cf. “Ett fungerande samhälle i en föränderlig värld, Publ. Nr MSB 266 – dec 2011, p. X.
11 See for instance the Swiss definition: “Kritische Infrastrukturen sind Infrastrukturen, deren Störung, Ausfall oder Zerstörung gravierende Auswirkungen auf die Gesellschaft, die Wirtschaft und den Staat hat” [“Critical infrastructures are infrastructures whose disruption, failure or destruction would have a serious impact on the functioning of society, the economy or the state”], cf. “Nationale Strategie zum Schutz kritischer Infrastrukturen” of 27 Juni 2012, p. 7718, available on the internet at http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski.parsysrelated1.82246.downloadList.6453.DownloadFile.tmp/natstratski2012d.pdf (last accessed on 23 October 2014).
12 See for instance the Norwegian definition: “Kritisk infrastruktur er de anlegg og systemer som er helt nødvendige for å opprettholde samfunnets kritiske funksjoner som igjen dekker samfunnets grunnleggende behov og befolkningens trygghetsfølelse.” [critical infrastructure is the installations and systems that are entirely necessary to maintain the society's critical functions, which in turn covers the society's basic needs and the feeling of comfort among the population], cf. Ullring et al: “Når sikkerheten er viktigst. Beskyttelse av landets kritiske infrastrukturer og kritiske samfunnsfunksjoner”, Norges offentlige utredninger 2006: 6. Innstilling fra utvalg oppnevnt ved kongelig resolusjon 29. oktober 2004.
13 See the description of the DHS-approach in the following.
14 See the National Strategy for Critical Infrastructure, available on the internet at: http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/srtg-crtcl-nfrstrctr-eng.pdf (last accessed on 23 October 2014).
15 See Kathryn Gordon and Maeve Dion, ‘Protection of “Critical Infrastructure” and the Role of Investment Policies Relating to National Security', (OECD, 2008). For more on CIP in the Netherlands see Luiijf, Eric, Burger, Helen, and Klaver, Marieke, ‘Critical Infrastructure Protection in the Netherlands: A Quick-Scan', EICAR (Copenhagen, 2003).Google Scholar
16 See Des Innern, Bundesministerium, ‘National Strategy for Critical Infrastructure Protection (Cip Strategy)', (Berlin: Federal Republic of Germany, 2009).Google Scholar
17 Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, art. 2(a).
18 NATO also entertains a CI-program, available on the internet at: http://www.hazar.org/blogdetail/blog/understanding_nato’s_new_critical_infrastructure_protection_cip_politics_common_efforts_and_solidarity_830.aspx (last accessed on 23 October 2014).
19 Bill Clinton's commission ended up defining CI as “Systems and assets, whether physical or virtual, so and vital that the incapacity or destruction of such may have a debilitating impact on national security, national economic security, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction”, cf. the Presidential Commission on Critical Infrastructure Protection (1997): Final report. The British definition is simpler: “those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends.”, available on the internet at http://www.cpni.gov.uk/about/cni/ (last accessed on 23 October 2014). An overview of contemporary approaches to critical infrastructure in drawn up in Yusta, Jose M., Correa, Gariel J., and Lacal-Arántegui, , ‘Methodologies and Applications for Critical Infrastructure Protection: State-of-the-Art', Energy Policy, 39 (2011), 6100–19CrossRefGoogle Scholar. See also Belluck, D.A. et al., ‘Environmental Security, Critical Infrastructure and Risk Assessment: Definitions and Trends', in Morel, B. and Linkov, I. (eds.), Environmental Security and Environmental Management: The Role of Risk Assessment (Springer, 2006).Google Scholar
20 Lazari, European Critical Infrastructure Protection at 4.
21 In the following I will use this model as my subject of criticism. Rather than a straw man fallacy, I hope that it serves as an ideal type for the management of critical infrastructure. The aim is thereby not to claim that all countries working with CI works like Switzerland, but that the Swiss-model is an ideal type of something that influences other countries governance-systems, and as such should be subject to criticism.
22 “Nationale Strategie zum Schutz kritischer Infrastrukturen” of 27 Juni 2012, p. 7718, available on the internet at http://www.bevoelkerungsschutz.admin.ch/internet/bs/de/home/themen/ski.parsysrelated1.82246.downloadList.6453.DownloadFile.tmp/natstratski2012d.pdf (last accessed on 23 October 2014).
23 Notably the likelihood of a given section of the infrastructures disruption, failure or destruction is unimportant to its categorization as “critical”.
24 See The Federal Council's Basic Strategy for Critical Infrastructure Protection, 18 May 2009
25 Ibid.
26 Ibid., section 4.
27 Ibid.
28 The link between risk assessment and critical infrastructure also have a more institutional nature, as “most critical infrastructure protection plans have been based on risk management frameworks”, cf. Yusta, Correa, and Lacal-Arántegui, ‘Methodologies and Applications for Critical Infrastructure Protection: Stateof-the-Art', at 6113.
29 The American sociologist Craig Calhoun excellently discusses the consequences of this development in the broader field of emergencies, cf. Calhoun, Craig, ‘A World of Emergencies: Fear, Intervention, and the Limits of Cosmopolitan Order', in Fassin, Didier and Pandolfi, Mariella (eds.), Contemporary States of Emergency: The Poltics of Military and Humanitarian Interventions (New York: Zone Books, 2010).Google Scholar
30 In this paper risk is to be understood as something “equated with hazards and dangers” Power, Michael, The Risk Management of Everything. Rethinking the Polictics of Uncertainty (London: DEMOS, 2004) at 14 Google Scholar. And thereby not in line with ISO 31000 on Risk Management as “the effect of uncertainty on objectives”.
31 Beck, Ulrich, Risk Society, ed. Featherstone, Mike (Theory, Culture and Society: SAGE, 2008).Google Scholar
32 Ibid.
33 Ibid., at 13.
34 Ibid.
35 Rayner, Steve ‘Democracy in the Age of Assessment: Reflections on the Roles of Expertise and Democracy in Public-Sector Decision Making', Science and Public Policy, 30/3 (2003), 163–70.CrossRefGoogle Scholar
36 Perkin, H., The Rise of Professional Society: England since 1880 (London: Routledge and Kegan Poul, 1989).CrossRefGoogle Scholar
37 Rayner, ‘The Rise of Risk and the Decline of Politics', at 166.
38 Ibid., at 167.
39 Ibid., at 166f. It remains a somewhat “loose” concept with Rayner. Rayner understands governmentability as “the ability of the state to replace government by coercion and direct exercise of authority (…) by more subtle instruments of social control, largely by gathering and channeling information”, cf. Ibid., at 167.
40 Ibid., at 171.
41 This observation seems to follow the trajectory of the concept of techno-politics from anthropology, see more Larkin, Brian, ‘The Politics and Poetics of Infrastructure', The Annual Review of Anthropology, 42 (2013), 327–43.CrossRefGoogle Scholar
42 Luhmann, Niklas, Risk: A Sociological Theory (New York: Aldine De Gruyter, 1993) at 16.Google Scholar
43 This is, obviously, an idealized (American) model, but the designation of CI is unquestionably increasingly an administrative matter in Europe as well.
44 Power, The Risk Management of Everything. Rethinking the Polictics of Uncertainty at 22.
45 Such bureaucratization can even be suspected of being a deliberate political strategy: “On the one hand the development of specific regulatory regimes appears to be a rational response, much like auditing, to the management of first-order risks to health, financial security, etc. On the other hand, the very existence of such regulatory agencies can be interpreted as responsibility-shifting strategy by central government concerned with its reputation” Power, The Risk Management of Everything. Rethinking the Polictics of Uncertainty at 60.
46 Jasanoff, Sheila, ‘Beyond Calculation. A Democratic Response to Risk', Disaster and the Politics of Intervention, 14–40 at 36.Google Scholar
47 Ibid., at 19.
48 Power, The Risk Management of Everything. Rethinking the Polictics of Uncertainty at 45.
49 Douglas and Wildavsky, Introduction to Risk and Culture (1983) at 1.
50 See also Power, The Risk Management of Everything. Rethinking the Polictics of Uncertainty at 59ff.
51 Ibid., at 50f.
52 Jasanoff, ‘Beyond Calculation. A Democratic Response to Risk', at 36. Jasonoff suggests five focal points: framing, vulnerability, distribution, deliberative learning.
53 Rayner, ‘The Rise of Risk and the Decline of Politics', at 170.
54 While this might sound reasonable enough, the problem's roots might be deeper than I am leading the reader to believe. In the words of Rayner: “The solution to the problem of democratic participation is not as much dependent on the democratization of expertise, but on what Giddens (1999) has called “the democratisation of democracy””, cf. Rayner, ‘Democracy in the Age of Assessment: Reflections on the Roles of Expertise and Democracy in Public-Sector Decision Making'. Thus, the problem might adhere to a larger, general need for a democratization of democracy.
55 Power, The Risk Management of Everything. Rethinking the Polictics of Uncertainty at 58.