Protection of Critical National Infrastructure

APT-ITU workshop on the International Telecommunications Regulations
Bangkok, 6-8 February 2012
Preetam Maloor, ITU

Background: References in ITU’s Basic Text

• Critical national infrastructure has not been explicitly defined in ITU’s Basic Text or decisions made by ITU bodies.
• However, many references to the protection of critical national infrastructure exist, especially in the context of security of telecommunications/ICT networks and services.
  – PP-10 Res. 130 (Strengthening the role of ITU in building confidence and security in the use of information and communication technologies)
  – PP-10 Res. 174 (ITU's role with regard to international public policy issues relating to the risk of illicit use of information and communication technologies)
• ITU CS/CV contains references to the acknowledgement of the right of a Member State over its telecommunications and related infrastructure, considered critical national infrastructure
  – ITU CS/Art.38 emphasizes the importance of the protection of a nation’s telecommunication infrastructure in order to ensure the stability and reliability of international telecommunications
  – ITU CS/Art.34 which provides that Member States may cut off, in accordance with their national law, any private telecommunications which may appear dangerous to the security of the State or contrary to its laws, to public order or to decency
  – ITU CS/Art.35 on the right of a Member State to suspend its international telecommunication service.

Background: References in current ITRs

• Protection of telecommunication/ICTs as a critical national infrastructure not explicitly mentioned in the current ITRs
• Implicit references include:
  – the acknowledgement of the right of a Member State over its telecommunications and related infrastructure
  – the need for a Member State to take into consideration the global implications of its actions concerning its national telecommunications infrastructure
• ITRs/Art.7 (Suspension of Services) which refers to the right of a Member State to suspend its international telecommunication services partially or totally, while also ensuring the need for appropriate timely notification of this action
• ITRs/Art.9 (Special Arrangements) which provides that any such special arrangements should avoid technical harm to the operation of the telecommunication facilities of third countries

Overview of global precedents and challenges - Definitions

• Critical Resources
• Critical (national) Infrastructure
• Critical Information Infrastructure

Definition: Critical Resources

• Most expansive of all the terms. Includes those assets within the sphere of critical infrastructure and critical information infrastructure
• Has been defined by some national governments to include
  – natural and environmental resources such as agriculture, energy, freshwater, rainforests, etc.
  – national monuments and icons which have been defined as a physical structure or object recognized both nationally and internationally as representing a nation’s heritage, traditions and/or values.

Definition: Critical Infrastructure

• Primarily defined in the context of
  – the adequacy of a nation’s public works, e.g. bridges, roads, airports, dams, etc.
  – includes telecommunications, in particular major national and international switches and connections.
• Many countries, in defining critical infrastructure, include in the definition a reference to that nation
• Many other countries have specifically included the national component in the term itself (e.g. UK)

Definition of Critical Infrastructure: Examples from Member States, Regional groups

Australia
those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic well-being of the nation, or affect Australia’s ability to conduct national defense and ensure national security.

Canada
Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence.

European Union
‘critical infrastructure’ means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions

United Kingdom
“The [Critical National Infrastructure] comprises those assets, services and systems that support the economic, political and social life of the UK whose importance is such that loss could: 1) cause large-scale loss of life; 2) have a serious impact on the national economy; 3) have other grave social consequences for the community; or 4) be of immediate concern to the national government.”

United States
systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Definition: Critical Information Infrastructure

• Increasing reliance on IP-based and other networks as an ubiquitous aspect of social and economic activities of nations
  – a fundamental component in the design and operation of all forms of “traditional” critical infrastructure (e.g. electricity grids, transportation systems, water supply etc.)
• Therefore, some have proposed the introduction of a new term, Critical Information Infrastructure.

In Germany, the majority of information infrastructures are run by private companies. Hence, protecting these infrastructures is primarily the task of private operators and service providers. However, given the dramatic consequences damage to those infrastructures might have for the state, the economy and large parts of the population, sole responsibilities of individual operators is neither sufficient nor appropriate.
This holds true also for critical infrastructures in Germany*.

* Germany’s Federal Ministry of the Interior in a 17 June 2009 report entitled National Strategy for Critical Infrastructure Protection

Definition: Critical Internet Resources

• With emergence of a global information society, the term “Critical Internet Resources” is considered by many (e.g. CoE) as related to critical information infrastructure in the Internet era.
• Subject of intense discussions at WSIS and other international fora
• No consensus yet on the proper scope of these resources
  – general agreement on IP addresses, domain names, and root servers
  – More expansive view (e.g. CoE): includes backbone infrastructure and IXPs; broadband access
• Some argue that considering the dynamic nature of the internet, there should be no rigid definitions and specifically enumerated lists?
  – e.g. deployment of DNSSEC key signing keys in 2010

Critical Information Infrastructure as intangible assets

• E.g. telecommunication infrastructure and number portability
  – In many jurisdictions, it is not clear who “owns” the telephone number, that is, who has what rights over the number (e.g. can somebody sell or rent the number?).
• Similar issue is being faced by many countries on some Internet resources:
  – whether Internet names and addresses constitute an intangible property, or if it is a mere service which registrants enter into a contractual relationship with the provider

Evolution of Definitions to recognize Intangible Property

Canada
(old) Canada’s critical infrastructure consists of those physical and information technology facilities, networks, services and assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of Canadians or the effective functioning of governments in Canada.
(current) Critical infrastructure refers to processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. Critical infrastructure can be stand-alone or interconnected and interdependent within and across provinces, territories and national borders. Disruptions of critical infrastructure could result in catastrophic loss of life, adverse economic effects and significant harm to public confidence.

EU
(old) Critical infrastructure include those physical resources, services, and information technology facilities, networks and infrastructure assets which, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments.
(current) ‘critical infrastructure’ means an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social wellbeing of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions

Bilateral Commercial Arrangements between parties as a critical resource?

• CoE Secretariat report* includes information on the growing reliance of bilateral commercial arrangements between parties as a critical resource and their potential to significantly disrupt global connectivity and resolution. Some reasons cited:
  – Growing dominance of Internet Exchange Points
  – major ISPs' unwillingness to enter into direct traffic exchange relationships
• The failure of these critical bilateral contract resources could significantly disrupt the operation of the Internet
  – E.g. a 2008 dispute between Cogent Communications, a US-based internet service provider, and TeliaSonera, Sweden’s largest telecom company, cut off access to certain websites to a significant customer base in both continents.

* Internet governance and critical internet resources, Council of Europe Secretariat, April 2009

Multilateral Cooperation in the Protection of Critical National Infrastructure

• Nations consider protection of their critical infrastructure as closely linked to the protection of their national sovereignty and have a variety of national legislations in place to safeguard this infrastructure.
• General agreement that the protection of critical national infrastructure requires multilateral cooperation
  – Canada-United States Action Plan for Critical Infrastructure: The complexity and interconnectedness of Canada-U.S. critical infrastructure requires that the Canada-U.S. Action Plan be implemented using organizational structures and partnerships committed to sharing and protecting information and managing risks
  – Australia: Critical Information Resources is a shared responsibility across governments and the owners and operators of critical infrastructure
  – NATO: Critical Infra. Protection (CIP) involves several stakeholders: public authorities - at the national and local levels, including various public agencies; critical infrastructure operators, which are often private sector firms; and the population at large. CIP has also increasingly gained an international dimension, which raises the question of international co-operation on CIP

Proposals made to CWG-WCIT

• ITRs do not explicitly refer to protection of critical resources or infrastructure. They do, as mentioned above, implicitly cover the concept.
• Some provisions of the current ITRs can be considered to specifically relate to the concept,
  – E.g. the provision in article 9 that special arrangements should avoid technical harm to the operation of the telecommunication facilities of third countries.
  – Various proposals have been made to modify or increase the scope of such provisions, for example to include avoidance of “financial harm”.
• Various proposals regarding the misuse of numbering resources could be considered as related to protection of critical information resources, if it is held that naming, numbering, addressing, and identification resources are such critical information resources.
• Some might consider that proposals to CWG-WCIT related to quality of service and international routes are related to protection of critical resources.

There is no consensus yet on the proposals.