Protection of Critical National Infrastructure

APT-ITU workshop on the International
Telecommunications Regulations
Bangkok, 6-8 February 2012
Preetam Maloor, ITU
Background : References in ITU’s Basic text
• Critical national infrastructure has not been explicitly defined in ITU’s Basic Text or
decisions made by ITU bodies.
• However, many references to the protection of critical national infrastructure exist
especially in the context of security of telecommunications/ICT networks and services.
– PP-10 Res. 130 (Strengthening the role of ITU in building confidence and security in the use of information
and communication technologies)
– PP-10 Res. 174 (ITU's role with regard to international public policy issues relating to the risk of illicit use of
information and communication technologies)
• ITU CS/CV contains references to the acknowledgement of the right of a Member
State over its telecommunications and related infrastructure, considered critical
national infrastructure
– ITU CS/Art.38 emphasizes the importance of the protection of a nation’s telecommunication infrastructure
in order to ensure the stability and reliability of international telecommunications
– ITU CS/Art.34 which provides that Member States may cut off, in accordance with their national law, any
private telecommunications which may appear dangerous to the security of the State or contrary to its laws,
to public order or to decency
– ITU CS/Art.35 on the right of a Member State to suspend its international telecommunication service.
Background : References in current ITRs
• Protection of telecommunication/ICTs as a critical national infrastructure
not explicitly mentioned in the current ITRs
• Implicit references include:
– the acknowledgement of the right of a Member State over its telecommunications and
related infrastructure
– the need for a Member State to take into consideration the global implications of its
actions concerning its national telecommunications infrastructure
– ITRs/Art.7 (Suspension of Services) which refers to the right of a Member State to
suspend its international telecommunication services partially or totally, while also
ensuring the need for appropriate timely notification of this action
– ITRs/Art. 9 (Special Arrangements) which provides that any such special arrangements
should avoid technical harm to the operation of the telecommunication facilities of third
countries
Overview of global precedents and
challenges - Definitions
• Critical Resources
• Critical (national) Infrastructure
• Critical Information Infrastructure
Definition: Critical Resources
• Most expansive of all the terms. Includes those assets within
the sphere of critical infrastructure and critical information
infrastructure
• Has been defined by some national governments to include
– natural and environmental resources such as agriculture,
energy, freshwater, rainforests, etc.
– national monuments and icons which have been defined as
a physical structure or object recognized both nationally
and internationally as representing a nation’s heritage,
traditions and/or values.
Definition: Critical Infrastructure
• Primarily defined in the context of
– the adequacy of a nation’s public works, e.g. bridges, roads,
airports, dams, etc.
– includes telecommunications, in particular major national
and international switches and connections.
• Many countries, in defining critical infrastructure, include in the
definition a reference to that nation
• Many other countries have specifically included the national
component in the term itself (e.g. UK)
Definition of Critical Infrastructure:
Examples from Member States, Regional groups
Australia: those physical facilities, supply chains, information technologies and communication networks
which, if destroyed, degraded or rendered unavailable for an extended period, would significantly
impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct
national defense and ensure national security.
Canada: Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and
services essential to the health, safety, security or economic well-being of Canadians and the
effective functioning of government. Critical infrastructure can be stand-alone or interconnected
and interdependent within and across provinces, territories and national borders. Disruptions of
critical infrastructure could result in catastrophic loss of life, adverse economic effects and
significant harm to public confidence.
European Union: ‘critical infrastructure’ means an asset, system or part thereof located in Member States which is
essential for the maintenance of vital societal functions, health, safety, security, economic or
social well-being of people, and the disruption or destruction of which would have a significant
impact in a Member State as a result of the failure to maintain those functions
United Kingdom: “The [Critical National Infrastructure] comprises those assets, services and systems that support
the economic, political and social life of the UK whose importance is such that loss could: 1)
cause large-scale loss of life; 2) have a serious impact on the national economy; 3) have other
grave social consequences for the community; or 3) be of immediate concern to the national
government.”
United States: systems and assets, whether physical or virtual, so vital to the United States that the incapacity
or destruction of such systems and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any combination of those matters.
Definition: Critical Information Infrastructure
• Increasing reliance on IP-based and other networks as a ubiquitous
aspect of social and economic activities of nations
– a fundamental component in the design and operation of all forms of
“traditional” critical infrastructure (e.g. electricity grids, transportation
systems, water supply etc.)
• Therefore, some have proposed the introduction of a new term, Critical
Information Infrastructure.
In Germany, the majority of information infrastructures are run by private companies.
Hence, protecting these infrastructures is primarily the task of private operators and service
providers. However, given the dramatic consequences damage to those infrastructures
might have for the state, the economy and large parts of the population, sole
responsibilities of individual operators is neither sufficient nor appropriate. This holds true
also for critical infrastructures in Germany*.
*Germany’s Federal Ministry of the Interior in a 17 June 2009 report entitled National Strategy for
Critical Infrastructure Protection
Definition: Critical Internet Resources
• With emergence of a global information society, the term “Critical
Internet Resources” is considered by many (e.g. CoE) as related to
critical information infrastructure in the Internet era.
• Subject of intense discussions at WSIS and other international fora
• No consensus yet on the proper scope of these resources
– general agreement on IP addresses, domain names, and root
servers
– More expansive view (e.g. CoE): includes backbone infrastructure
and IXPs; broadband access
• Some argue that, considering the dynamic nature of the Internet,
there should be no rigid definitions and specifically enumerated lists
– e.g. deployment of DNSSEC key signing keys in 2010
Critical Information Infrastructure
as intangible assets
• E.g. telecommunication infrastructure and number portability
– In many jurisdictions, it is not clear who “owns” the
telephone number, that is, who has what rights over the
number (e.g. can somebody sell or rent the number?).
• Similar issue is being faced by many countries on some Internet
resources:
– whether Internet names and addresses constitute an
intangible property, or if it is a mere service which
registrants enter into a contractual relationship with the
provider
Evolution of Definitions to recognize Intangible
Property
Canada
(old) Canada’s critical infrastructure consists of those physical and information technology facilities,
networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health,
safety, security or economic well-being of Canadians or the effective functioning of governments in
Canada.
(current) Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and
services essential to the health, safety, security or economic well-being of Canadians and the effective
functioning of government. Critical infrastructure can be stand-alone or interconnected and
interdependent within and across provinces, territories and national borders. Disruptions of critical
infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to
public confidence.
EU
(old) Critical infrastructure include those physical resources, services, and information technology
facilities, networks and infrastructure assets which, if disrupted or destroyed, would have a serious impact
on the health, safety, security or economic well-being of citizens or the effective functioning of
governments.
(current) ‘critical infrastructure’ means an asset, system or part thereof located in Member States which is
essential for the maintenance of vital societal functions, health, safety, security, economic or social
well-being of people, and the disruption or destruction of which would have a significant impact in a Member
State as a result of the failure to maintain those functions
Bilateral Commercial Arrangements
between parties as a critical resource ?
• CoE Secretariat report* includes information on the growing reliance on
bilateral commercial arrangements between parties as a critical resource
and their potential to significantly disrupt global connectivity and
resolution. Some reasons cited:
– Growing dominance of Internet Exchange Points
– major ISPs' unwillingness to enter into direct traffic exchange
relationships
• The failure of these critical bilateral contract resources could significantly
disrupt the operation of the Internet
– E.g. a 2008 dispute between Cogent Communications, a US based
internet service provider, and TeliaSonera, Sweden’s largest telecom
company cut off access to certain websites to a significant customer
base in both continents.
* Internet governance and critical internet resources, Council of Europe Secretariat, April 2009
Multilateral Cooperation in the Protection
of Critical National Infrastructure
• Nations consider protection of their critical infrastructure as closely linked
to the protection of their national sovereignty and have a variety of
national legislations in place to safeguard this infrastructure.
• General agreement that the protection of critical national infrastructure
requires multilateral cooperation
Canada-United States Action Plan for Critical Infrastructure: The complexity and
interconnectedness of Canada-U.S. critical infrastructure requires that the Canada-U.S.
Action Plan be implemented using organizational structures and partnerships committed to
sharing and protecting information and managing risks
Australia: Critical Information Resources is a shared responsibility across governments and
the owners and operators of critical infrastructure
NATO: Critical Infra. Protection (CIP) involves several stakeholders: public authorities - at the
national and local levels, including various public agencies; critical infrastructure operators,
which are often private sector firms; and the population at large. CIP has also increasingly
gained an international dimension, which raises the question of international co-operation
on CIP
Proposals made to CWG-WCIT
• ITRs do not explicitly refer to protection of critical resources or infrastructure. They
do, as mentioned above, implicitly cover the concept.
• Some provisions of the current ITRs can be considered to specifically relate to the
concept,
– E.g. the provision in article 9 that special arrangements should avoid technical
harm to the operation of the telecommunication facilities of third countries.
– Various proposals have been made to modify or increase the scope of such
provisions, for example to include avoidance of “financial harm”.
• Various proposals regarding the misuse of numbering resources could be considered
as related to protection of critical information resources, if it is held that naming,
numbering, addressing, and identification resources are such critical information
resources.
• Some might consider that proposals to CWG-WCIT related to quality of service and
international routes are related to protection of critical resources.
There is no consensus yet on the proposals