Critical Information Infrastructures: Resilience and Protection
Maitland Hyslop
Strategic Development Director, Onyx Group, Aurora Court, Barton Road, Riverside Park, Middlesbrough, TS2 1RY, United Kingdom
Library of Congress Control Number: 2007924497
Critical Information Infrastructures: Resilience and Protection by Maitland Hyslop
ISBN 978-0-387-71861-3
eISBN 978-0-387-71862-0
Printed on acid-free paper.
© 2007 Springer Science+Business Media, LLC
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
springer.com
Contents

Chapter 1. Introduction ..... 1
Chapter 2. Definitions and Assumptions ..... 8
Chapter 3. Critical Infrastructures and Critical Information Infrastructures: Approaches by Geography ..... 19
Chapter 4. Critical Infrastructures and Critical Information Infrastructures: by Type ..... 45
Chapter 5. Critical Information Infrastructure ..... 61
Chapter 6. Some Political, Economic, Social, Technological, Environmental, Legal and Other Process Effects on Critical Infrastructures ..... 77
Chapter 7. Comments on Standards in Information Security, Disaster Recovery, Business Continuity and Business Resilience ..... 94
Chapter 8. A Tangential Threat To OECD Resilience: The Twenty-First Century East India Company ..... 145
Chapter 9. Resilience and Outsourcing Call Centers Offshore: A Case Study ..... 150
Chapter 10. Information Infrastructure: Resilience, Recovery, and Security ..... 158
Chapter 11. A Suggested Approach to Individual, Corporate, National, and International Resilience, Critical Infrastructures, and Critical Information Infrastructures ..... 176
Chapter 12. General Summary and Conclusions ..... 194
Chapter 13. A Manifesto for Change ..... 198

Appendix
1. Introduction ..... 201
2. Bibliographies/Lists/Directories/Surveys/Search Engines ..... 202
3. Books – Arranged Alphabetically by Subject ..... 206
   Apache ..... 206
   Auditing and Security ..... 206
   Backup (In Terms of Backing Up Data on Computers) ..... 206
   Carnivore ..... 206
   Certification for Security Professionals ..... 207
   CISCO ..... 209
   Code (As In Computer Code) ..... 209
   Computer Security ..... 209
   Corporate Security ..... 209
   Crime/Forensics/Malice/Malware ..... 210
   Critical Infrastructure ..... 211
   Cryptography ..... 211
   Data/Databases and Related Issues ..... 212
   Data Mining (The Process of Searching Data for Specific Information) ..... 213
   Disaster Recovery and Contingency Planning (Relevant To Technology) ..... 213
   eBusiness ..... 215
   Firewalls ..... 215
   Hacking ..... 216
   Hardening ..... 217
   Java ..... 219
   Kerberos ..... 220
   Linux ..... 220
   Microsoft and Microsoft Windows General ..... 220
   Mobile Communications/Mobility ..... 221
   .NET ..... 221
   Network Security ..... 221
   Operational Risk ..... 223
   Public Key Infrastructure (PKI) ..... 223
   Positive Messages ..... 223
   Reliability ..... 223
   Radio Frequency Identification (RFID) ..... 223
   Securing and Security ..... 223
   Sniffing ..... 226
   Spam ..... 226
   Steganography ..... 226
   Virtual Private Networks (VPNs) ..... 227
   Warfare and Politics ..... 227
   Wireless ..... 228
   WordPerfect ..... 228
4. Articles – Arranged Alphabetically By Subject ..... 228
   Asymmetric Warfare ..... 229
   Banking ..... 229
   BS7799 ..... 229
   Critical Infrastructure ..... 229
   Cryptography ..... 229
   Computer Crime and Security ..... 230
   Cyberwar and Netwar ..... 230
   Clash of Civilizations ..... 230
   Data Related ..... 230
   Defense ..... 230
   Digital Development ..... 230
   Dot Com Dreams ..... 230
   Elections ..... 230
   Electronic Intrusion ..... 230
   Electronic Mail ..... 231
   Electronic Signature ..... 231
   Erlang ..... 231
   Environment ..... 231
   Freedom of Information ..... 231
   Fuel Crisis ..... 232
   Information Security and Warfare, etc. ..... 232
   Java ..... 232
   Microsoft and Cisco ..... 233
   National Information Infrastructure ..... 233
   Network Security ..... 233
   Optimistic Message Logging ..... 233
   Open Systems ..... 233
   Obstructive Marketing ..... 233
   Resilience, Robustness, Reliability ..... 233
   Radio Frequency Identification (RFID) ..... 234
   Security, etc. ..... 234
   Strategic Information Warfare ..... 235
   Telecommunications Networks ..... 235
   URL (Uniform or Universal Resource Locator – Web Address) Security ..... 235
   Utilities ..... 235
   Video Coding ..... 236
   Wire Pirates ..... 236
   Year 2000 Issues (Y2K) ..... 236
5. Regular Publications – Arranged Alphabetically By Title ..... 236
6. Links – Arranged Alphabetically by Subject and Site Name ..... 239
   Academia ..... 239
   Associations/Institutes/Societies/Organizations, etc. ..... 241
   Asymmetric and Information Warfare ..... 243
   Australia ..... 244
   Austria ..... 244
   Canada ..... 245
   Finland ..... 246
   France ..... 247
   Germany ..... 247
   International Organizations ..... 249
   Italy ..... 250
   Lawyers ..... 250
   Police ..... 250
   The Netherlands ..... 251
   New Zealand ..... 252
   Norway ..... 252
   Russia ..... 253
   Sweden ..... 253
   Switzerland ..... 253
   United Kingdom ..... 255
   United States ..... 256
   Vendor Sites ..... 258
   General Information – Alphabetically by Site ..... 261

Index ..... 267
The Author
Maitland Hyslop has had a diverse career. He holds degrees and qualifications in Geography, African and Middle East Studies, International Marketing, Business Studies, and eCommerce. He is a UK Chartered Marketer and a UK Energy Institute Consultant. In 2004 he was named one of the UK’s top 100 eEntrepreneurs of the decade. His professional life started as an Army officer, serving in the Parachute Brigade and Royal Logistic Corps of the British Army. He has been a tutor and demonstrator at Durham University and a Research Fellow in Telecommunications Security at Northumbria University. In the private sector he has run his own Real Estate Agency, Tetra Pak’s African Packaging, Whessoe plc’s Oil Instrumentation, and GNC’s Computer Integrator businesses. He is currently Strategic Development Director for Onyx Group’s ISP/Hosting/Security/Consulting business. In the Public Sector he has run the North East of England’s Inward Investment Team in the USA, developed the Telecommunications Infrastructure for the North East of England, and was the Chief Executive of Ross and Cromarty Enterprise in Scotland. He has additionally run a variety of Public Sector start-up and rescued companies. He has worked all over the world, but principally in the UK, USA, Europe, the Middle East, and Africa. In terms of Infrastructures he has written of them all. He has worked in the oil and gas, finance, food, health, government service, and law and order infrastructures at one time or another. He has run a manufacturing plant, managed and protected national icons, and run transport operations in the UK and abroad. He has written a defining thesis on water and identified key threats from waste water in Middle Eastern cities. He has first-hand experience of the AIDS epidemic in Africa and has been heavily involved in education and education charities. In short, he has theoretical and operational experience in all infrastructures, but principally Information Infrastructure. 
He has over 50 published articles and five other books to his name. He spends much of his spare time kayaking and coaching.
Acknowledgments
This book would not have been possible without the help of a number of people. Primarily, this work stems from the times I had the privilege of being a postgraduate and tutor at Durham University and a research fellow at Northumbria University. At Durham I was mentored by Professor Gerald Blake, and part of this work is due to his encouragement, Shell International’s support, and my stipend as a tutor at Hatfield College. At Northumbria, the period associated with their Disaster and Development Center was not only a pleasure but a rare opportunity to pursue ideas. Thanks to Kel Fidler, Vice Chancellor, the University Management, and to Dr. Andrew Collins, the Center’s Director. Thanks to Michel Frenkiel, with whom I had the pleasure of working on the European Commission’s eJustice Project, and who is also a prime mover of this book. He opened my eyes to a number of different issues. Thanks to Eric Goetz at I3P in Dartmouth College, NH, USA. If he hadn’t asked me to join one of their working groups this book would not have started. Thanks to Alastair Waite, my colleague, and the CEO at Onyx Group, for giving me some time and some encouragement to write this. Thanks to my family and friends for their support. Thanks to all at Mills Advertising, particularly the Elphees, for helping with this manuscript. Finally thanks to Amy Brais at Springer for taking the risk. The opinions and errors in this book are entirely the author’s.
Chapter 1 Introduction
Resilience is an increasingly important concept and quality in today’s world. It is particularly important in the area of Critical Infrastructures. It is crucial in the area of Critical Information Infrastructure. This is because, since the year 2000, man has been dependent on information and telecommunications systems for survival, particularly in the Organization for Economic Cooperation and Development (OECD) countries, and because all other Critical Infrastructures depend upon, to a greater or lesser extent, Critical Information Infrastructure.[1,2]

Until, probably, the late 1980s it would be fair to say that the defense of individual nation states depended upon a mixture of political will and armed might. The fall of the Berlin Wall may have effectively ended the Cold War, and with it a bipolar world, but it brought globalization and a multipolar digital world in its wake. Simply put, a number of power vacuums were created and these have yet to be fully filled and settled. In this “New World” many changes were afoot. These changes include the increasing irrelevance of nation states in federated structures and the export of democracy on the back of globalization. One of the biggest changes, though, is the use of digital technology by the OECD countries. This is on such a scale that these countries have become both dependent upon information technology and as individual states largely irrelevant to the new “global” electronic economy.[3]
[1] This adaptation of Maslow’s hierarchy of needs is attributed to KPMG. It would seem to be a by-product of the analysis of the Y2K problem – in that, suddenly, it was realized exactly how dependent mankind has become on computers.
[2] Maslow’s hierarchy available at www.businessballs.com/maslow.htm (Accessed: 6 January 2007).
[3] The OECD consists of Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, Slovak Republic, Spain, Sweden, Switzerland, Turkey, United Kingdom, and the United States of America.
In 2007, traditional armed conflict is only one of a number of ways of both attacking and defending political and economic interests. Asymmetric Warfare[4] is an increasingly popular means of waging war on large entities by smaller ones. Many terrorist groups now use the electronic environment as a means of taking on much greater and bigger enemies. At the same time the equal and opposite reaction to globalization has been the phenomenon of Obstructive Marketing. Obstructive Marketing uses similar tactics to Asymmetric Warfare to stop companies from going global.[5]

The nature of both the political and economic landscape has therefore changed over the last 25 years. Because of this, the nature of defense has changed too. In a parallel universe, fifty years ago, in the United Kingdom (UK), this chapter might have been called “Defense of the Realm” and might even have been an introduction to a handbook issued by the “War Office.”[6] The fact is, only something that is likely to be attacked or damaged needs to be resilient or protected. Therefore, it could be said that this book is about defense in its broadest sense. However, it is about a different sort of defense than anything seen before.

Both at the time and with hindsight it was clear that the Poles could not win the battle against the Germans in 1939 by pitting horses against tanks. Today the west and north of the world needs to understand that it will not win a modern battle fought with tanks or aircraft carriers in an Asymmetric War, or an Obstructive Marketing environment. Whether understood widely or not, it is the case that the west and north are engaged in an Asymmetric War. An Asymmetric War is a battle between a force with many resources and one with less. This may sound like a normal military conflict except that Asymmetric Warfare is not necessarily a battle between military forces or states. It is increasingly a battle between and, importantly, within infrastructures.
Critical Infrastructures themselves need some description and classification. There are some familiar terms in the list. Most people would understand that protection is required from flood defenses. They would understand that a food and water supply is required to live, that waste water and sewage treatment along with health services keeps diseases and illness in check, and that transportation is needed for us to go about our daily lives. Some are clear after some thought: financial, commercial, and industrial institutions are required to maintain our standard of living, our way of life is determined by the political fabric and government services, and a stable society promotes a feeling of safety. These, too, are Critical Infrastructures. Others are not so familiar: national icons and intellectual property. These are more difficult.
[4] Hyslop, MP (2003) Asymmetric Warfare, Proceedings International Conference on Politics and Information Systems: Technologies and Applications (PISTA ‘03), Orlando, Florida, USA. 31 July 2003 – 2 August 2003.
[5] Hyslop, MP (1999) Obstructive Marketing, MSc Thesis, Huddersfield University Business School.
[6] The name for the current UK Ministry of Defense.
Yet if the Monarchy, Wembley, Parliament, Nelson’s Column, Tea, Fish and Chips, and the Magna Carta disappeared then Britain would clearly be the poorer and “not British.” It would certainly be poorer if it lost the intellectual property that keeps the country in the forefront of world development: Universities, Formula 1, avionics, and so on. In the USA, the attack on the World Trade Centre needs little comment in this respect. There may be others that should be added to the list: people and education/intellectual property may be two examples.

Historically, Critical Infrastructure has had a very physical feel to both the term and artifacts. Critical Infrastructure could be seen. It was pipes, stockpiles, or electricity pylons. As noted, half the Critical Infrastructures listed so far cannot be “seen” at all. It follows that protecting Critical Infrastructure has moved from defending “things” to defending what might be generically termed as “processes.” The defense of “things” requires other familiar tools like walls, fences, alarms, decoys, police forces, armies, navies, and air forces. In order to defend “processes” we need the same words but used in different ways. Therefore, we need to understand how Critical Infrastructures are protected today, both seen and unseen.

In the 1950s, a Critical Infrastructure was sometimes called a Strategic National Asset. In those days, most of these assets were nationalized and often had a complete Government Department named after them. Today many of them have been privatized and their survival in any “battle” depends upon a Public–Private Partnership that is so far incompletely understood and certainly not formal, except perhaps in the United States of America (USA). Critical Infrastructures are no longer truly “national,” no matter what Governments might want to think. But, Critical Infrastructures remain key to sustaining our way of life.
The fact that they are not only under attack, but have also escaped from a society’s control, gives great cause for concern. The necessary partnership between the Public and Private Sectors must work in order to protect our collective futures.

All of these Critical Infrastructures are bound together today by the most important one of all: Telecommunications and Information. Most of the time this is hidden from view and most people’s consciousness – but it is always there. It is the most vulnerable point and the most fantastic achievement. It is also the major battleground in an Asymmetric War or Obstructive Marketing campaign.

Some ways in which today’s Critical Infrastructure is protected will be familiar, such as the use of geography and physical security. Others will not, such as Governance and Business Effectiveness. The processes of today are not in the sole hands of any Government; they are in the hands of a number of different partners. Hence, there is a need for a partnership of interests. The Private Sector has had long experience of managing threats to processes. Most businesses depend on processes for their livelihood. They manage protection in very different ways to Governments. It is necessary to look not only at how to protect modern Critical Infrastructures but also why and how that protection will differ from any traditional understanding of defense.

In 2001–2003, the author argued that Asymmetric War[7] fighting methods are not new. They were practiced during previous World Wars, and almost all other wars. They have characteristics of total war – where balance, timing, effort, and resources are deployed in different measures to deny a strong military power the full use of that power. This is, simplistically, where the world is today concerning the attacks on the USA, and their allies, and the responses in Afghanistan and Iraq. However, this is likely to be just the start of a long campaign and it is important to understand how it might develop in regard to infrastructures and what the western and northern powers need to understand in order to fight this Asymmetric War well.

Asymmetric Warfare is generally conducted in a covert planned military/technical, criminal, or cultural manner and less frequently in a spontaneous manner. Critical Information Infrastructure is both a target and a conduit for Asymmetric Warfare. It is a target in that it represents an infrastructure dominated largely by the major economic powers and is therefore seen as a legitimate target by those who seek to destabilize these powers. It is a conduit because the infrastructure and the applications that sit on it, the Internet/World-Wide Web in particular, give an opportunity to those asymmetric combatants to plan, communicate, and sometimes even execute asymmetric events. In particular, steganographic techniques are used for communication.

In 1999, the author defined Obstructive Marketing[8] as:

Any process, legal or not, which prevents or restricts the distribution of a product or service, temporarily or permanently, against the wishes of the product manufacturer, service provider or customer.

The term “any process” reflects the global nature of the issue and accepts that different mores will prevail in different parts of the world. The term “legal or not” is used because what is legal and acceptable in one state is not in another. The term “prevents or restricts,” because the sale of goods and services can be stopped in an absolute or relative manner depending on the subtlety of those who seek to obstruct the marketing efforts of others. The term “distribution of product or service,” because distribution is central to the marketing effort. The term “temporarily or permanently,” because time always changes the picture in international relations and this affects business as well as politics and international relations. The term “product manufacturer, service provider, or customer,” because these are the players in Free Market Capitalism. The addition of the words “or customer” to an original definition reflects the later thought that customers, as well as providers, can be deprived because of the potential techniques. This is both logical and common sense, particularly from a marketing viewpoint, and particularly where the customer is key.

[7] Hyslop, MP (2003) op. cit.
[8] Hyslop, MP (1999) op. cit.

It is necessary to understand Obstructive Marketing and the lessons it has for Critical Infrastructure Protection and the Public–Private Partnership. An understanding of the relationships between Critical Infrastructures and the Public and Private Sectors is required.

In order to be well protected, Critical Infrastructures need to be resilient. The concept of resilience is relatively poorly understood. Resilience is a term that is frequently used incorrectly – and most often incorrectly in the context of recovery from disasters. Resilience in traditional Critical Infrastructures needs to be described in terms that will be familiar. These terms include redundancy in power distribution, stockpiles of fuel, and food. However, these traditional and familiar terms are not a regular feature of these Infrastructures any longer. The privatization of the utilities and the adoption of “Just in Time” delivery techniques for food and fuel means there is very little “give” in the system to cater for unexpected events. There is a very immature approach to both resilience and recovery in the newer and less well-defined Critical Infrastructures, particularly those that now control our lives, such as telecommunications and information. In this area, an exploration of the strategic importance of the relationship between telecommunications and systems resilience, recovery and security, and both Asymmetric Warfare and Obstructive Marketing can demonstrate some of the issues to be tackled and suggests a number of approaches. The processes of dealing with Obstructive Marketing not only set a Corporate Security approach but represent the Private Sector’s contribution to the Public–Private Partnership. To protect the Critical Infrastructures of the future will require a new approach to defining threats. Such an approach has to both acknowledge and manage risk. Terrorist risk has led to antiterror legislation.
Antiterrorism legislation victimizes, in general, those it seeks to protect. One has only to walk through a USA or UK airport these days to understand the veracity of this statement. Antiterrorism legislation is a victory for the terrorist and usually represents a loss for democratic freedoms.

What alternative is there to antiterrorism legislation? There are a surprising number based on intelligence, space planning, border controls, economic measures against terrorists, amendment of terrorist tools by international treaty, technological “sniffers” on planes, trains and rails, and a belief in a way of life. All of which would not necessarily result in a definitive change for the worse in our way of life. The efficacy of these measures can be predicted by using sophisticated risk analysis tools. A risk-based approach to Critical Infrastructure Protection (CIP) is therefore something that needs to be implemented within a Public–Private Partnership. It needs many of the same institutional controls as exist now to be effective. Most of all, however, it requires a change in attitude. Changes in attitude are notoriously difficult to implement in any society. It is necessary to look at how a risk-based approach to Critical Infrastructure Protection could change, by reducing, the way in which our lives are affected by terrorism.
George Bernard Shaw famously commented that an unreasonable man tries to make the world conform to him, whilst a reasonable man conforms to the world. All progress therefore depends upon the unreasonable man. This explains many of the tensions between Government Bureaucrats (reasonable men for the most part) and Entrepreneurs (frequently unreasonable men). It also explains why Governments and Bureaucrats, when faced with a challenge, usually resort to increased control measures. This is often at the expense of understanding the problem to begin with. The same applies to the Armed Forces. All the incumbent Chiefs grew up with a certain set of toys. As this is written there is still a demand for more Aircraft Carriers, at least in the UK. This is like the Poles ordering more but bigger horses. Aircraft Carriers are no longer particularly relevant to the needs of today’s defense, especially big ones. It is necessary to suggest some “unreasonable” steps to take in order to protect Critical Infrastructure. These suggestions will include reshaping the defense forces, a new Public–Private Partnership, an adjustment to “Just in Time” and the outsourcing of utility and food management, plus some ideas on what each and every one of us can do to assist the process in the meantime.

In the International Community, the approach to Critical Infrastructure Protection is still one based on national interest. At the same time national interest is becoming harder to define. Communities of different sorts appear all the time. Some are based on social affinity, others on economic interest, and many new ones are based on hobbies and interests on the Internet. In order to properly engage in Critical Infrastructure Protection, some new ways of looking at International Cooperation are also required. These necessarily become supra- or extranational in nature. The current international bodies do not seem to be sufficiently aware of the problem to promote a common approach.
This is evident from the divergent approaches to Critical Infrastructure in different parts of the world. Just as the way national bodies approach Critical Infrastructure will have to change, so will the approach of International Institutions. This change will require organizations such as the North Atlantic Treaty Organization (NATO) sitting with others to plan a new partnership to protect assets and infrastructure necessary to both.

To summarize, the subject of Critical Infrastructure protection is therefore about defense. The modern context for this recognizes Asymmetric Warfare and Obstructive Marketing to be realities. These help to define, describe, and categorize Critical Infrastructure. Protection is relatively obvious for physical Infrastructure, not so obvious for what might be called process infrastructure. Issues ranging from Geography to Governance as defense mechanisms are important. The symbiotic relationship between the Public and Private sectors over Critical Infrastructure demands a new sort of partnership. How this partnership should be established needs to be discussed. Risk management is a key to success. Risk management needs to suggest how and what to implement in terms of a common approach. This process will identify change as a major issue; the sorts of changes required need to be defined further. Finally, an International Model for the protection of Critical Infrastructure should be proposed, combining both defense and humanitarian approaches. Once these are properly defined and worked through, then Critical Infrastructures will be on their way to becoming resilient.

It should be noted that these suggestions are also important in another context, that of Climate Change. In order for the world to combat Climate Change effectively, similar types of defense mechanisms to those required for resilience need to be built. A proper approach to resilience helps the world come to terms with the impact of Climate Change. At the end of this book is an introductory bibliography for materials related principally to Critical Information Infrastructure.
Chapter 2 Definitions and Assumptions
In general this book is very OECD focused, and specifically UK, USA, and Europe centric. It discusses, in fairly broad terms, the shape the OECD and these countries are in to bounce back from damage to Critical Infrastructures. It looks specifically at the OECD because its constituents have the greatest reliance on a particular technology: telecommunications. Over 95% of the world’s data traffic goes through the OECD.9 Such a figure has statistical significance, and defines an approach to life. This book is therefore also focused on Critical Information Infrastructure. It is impossible in a work such as this to review all the threats and potential challenges to such wide-ranging foundations of our modern society. However, it is possible to identify a number of common themes of relevance to each of the main areas.

To start, however, we need a common understanding of what Critical Infrastructure and Critical Information Infrastructures are. This is surprisingly difficult, and one of the reasons there is some concentration in this book on the USA, UK, Australia, and New Zealand is that they have taken the definition and understanding of Critical Infrastructures further than most others in the OECD. There is the start of a common theme in the approaches of these countries. Resilience has a number of meanings. It is therefore important to be clear from the outset what is meant by Resilience in this book. Some common definitions of Resilience10 are the following.
Resilience: General Definition
Resilience generally means the ability to recover from (or to resist being affected by) some shock, insult, or disturbance. It is particularly, in this context, about being able to “bounce back” to an original form.
9 From data available at http://www.oecd.org/oecddata and http://news.netcraft.com (Accessed: 6 January 2007).
10 Definitions available at http://en.wikipedia.org/wiki/Resilience (Accessed: 6 January 2007).
Resilience in Materials Science
Resilience in materials science is defined as the capacity of a material to absorb energy when it is deformed elastically and then, upon unloading, to have this energy recovered.

Resilience in Ecology
Resilience in ecology is about the following: the rate at which a system returns to a single steady or cyclic state following a perturbation, or the magnitude of disturbance that can be absorbed before the system changes its structure by changing the variables and processes that control behavior.

Resilience in Psychology
Resilience in psychology describes the capacity of people to cope with stress and catastrophe.

Resilience in Business
Resilience in business is the ability of an organization, resource, or structure to sustain the impact of a business interruption, recover, and resume its operations to provide minimum services.

Resiliency
Resiliency is an American term that is gaining some credibility in Disaster Recovery and Business Continuity circles. In short it is most akin to the “Resilience in Business” description above. However, it is also used as an American substitute for the word resilience.11

Resilience in this Book
Resilience in this book means the ability, primarily, of the world’s northern, western, and capitalist societies, summarized as the OECD, to withstand shocks to their critical infrastructures, including telecommunication infrastructures, without altering their basic form.
11 Resiliency available at www.resiliency.com (Accessed: 6 January 2007).
A consistent approach is required to definitions in terms of both Critical Infrastructure and Critical Information Infrastructure. This consistency is provided by Dunn and Wigert (2004).12 Thus Critical Infrastructure Sectors are the following:

Sectors whose incapacitation or destruction would have a debilitating impact on national security and the economic and social well-being of a nation. However, the definition of critical sectors varies among countries. Each country uses different standards of what is critical. The definitions vary over time. Furthermore, some of these infrastructures are always critical, some are occasionally critical, while others only become critical in the case of the failure of other vital infrastructures.13

Although this does not seem immediately helpful, an analysis of the definitions of Critical Infrastructures of the countries surveyed by Dunn and Wigert (2004)14 certainly is. Therefore, the common Critical Infrastructure Sectors (the common list) are the following:
• Finance
• Food supply
• Health
• Government services
• Law and order
• Manufacturing
• National icons
• Transport
• Water
• Waste water

This book will suggest the addition of two others: People and Education/Intellectual Property, for reasons that should become clear.

Critical Infrastructure Protection is delivered by different groups in different countries. In the USA, it is a primary role of the National Guard to defend Critical Infrastructure. However, successive mission changes have led to the National Guard having a dual mission: homeland defense, and support of the regular army.15 In the UK, it was the primary task of the Territorial Army to defend the homeland. However, successive reviews have meant that, these days, the Territorial Army is increasingly deployed as part of and in support of regular army tasks.16 These two examples alone indicate the difficulty of identifying precisely who does defend Critical Infrastructure. The situation is different in other countries. However, one of the reasons for writing this book was the increasingly obvious point that there is no one clearly and specifically tasked with Critical Infrastructure Protection as their sole mission in the USA or the UK.

Dunn and Wigert (2004)17 comment as follows on Critical Information Infrastructure:

In our view, CIP is more than CIIP, but CIIP is an essential part of CIP. There is at least one characteristic for the distinction of the two concepts. While CIP comprises all critical sectors of a nation’s infrastructure, CIIP is only a subset of a comprehensive protection effort, as it focuses on the Critical Information Infrastructure. The definition of exactly what should be subsumed under CI, and what under CII, is another question. Generally, the CII is that part of the global or national Information Infrastructure that is essentially necessary for the continuity of a country’s critical infrastructure services. The CII, to a large degree, consists of, but is not fully congruent with, the information and telecommunications sector, and includes components such as telecommunications, computers/software, the Internet, satellites, fiber-optics etc. The term is also used for the totality of interconnected computers and networks and their critical information flows.

12 Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection, The International CIIP Handbook 2004. Zurich, Switzerland. Centre for Security Studies. Available at http://www.isn.ethz.ch/crn/publications/publications_crn.cfm?pubid=224 (Accessed: 6 January 2007).
13 Ibid pp. 227ff.
14 Ibid.
15 Supporting information available at http://www.csmonitor.com/2005/0902/p02s01usmi.html (Accessed: 6 January 2007).
Protection of the CII has become especially important due to two reasons: 1) their invaluable and growing role in the economic sector; and 2) their interlinking role between various infrastructure sectors and the essential requirement that other infrastructures function at all times.18 There are, moreover, several features that demand a clear distinction between CI and CII: First of all, the system characteristics of the emerging Information Infrastructure differ radically from traditional structures, including earlier Information Infrastructures. They differ in terms of scale, connectivity, and dependencies.19 This means that understanding them will require new analytical techniques and methodologies that are not yet available. Secondly, it appears that cyber-threats are evolving rapidly, both in terms of their nature and of their capability to cause harm, so that protective measures require continual technological improvements and new approaches.
16 Supporting information available at www.mod.uk (Accessed: 6 January 2007) and http://en.wikipedia.org/wiki/Territorial_Army (Accessed: 6 January 2007).
17 Dunn, M and Wigert, I (2004) op. cit.
18 Wenger, A, Metzger, J and Dunn, M (2002) Critical Information Infrastructure Protection: Eine sicherheitspolitische Herausforderung. In: Spillmann, Kurt R and Wenger, A (eds.). Bulletin zur Schweizerischen Sicherheitspolitik. pp. 119–142.
19 Parsons, TJ (2001) Protecting Critical Information Infrastructures. The Co-ordination and Development of Cross-Sectoral Research in the UK. Plenary Address at the Future of European Crisis Management, Uppsala, Sweden, March.
Moreover, there are several “drivers” that will likely aggravate the problem of CIIP in the future: these are the interlinked aspects of market forces, technological evolution, and emerging risks.20 On the one hand we are facing an ongoing dynamic globalization of information services, which in connection with technological innovation (e.g. localized wireless communication) will result in a dramatic increase of connectivity and lead to ill-understood behavior of systems, as well as barely understood vulnerabilities. This assessment ties into the fact that security has never been a design driver. And since pressure to reduce time to market is intense, a further explosion of computer and network vulnerabilities is to be expected.21 We are therefore faced with the potential emergence of infrastructures with in-built instability, critical points of failure, and extensive interdependencies. Additionally, increasingly large parts of the CI will be in the private sector and even in the hands of another nation-state. This prospective view clearly indicates a need to distinguish conceptually between the two concepts of CIP and CIIP. However, the two cannot and should not be discussed as completely separate concepts. As stated above, CIIP is an essential part of CIP. An exclusive focus on cyber-threats that ignores important physical threats is just as dangerous as the neglect of the virtual dimension – what is needed is a sensible handling of both interrelated concepts.

The International CIIP handbooks, Dunn and Wigert (2004),22 developed by the Swiss Federal Institute of Technology in Zurich, have a high reputation. They are one of few authoritative sources of research on Critical Infrastructure and Critical Information Infrastructure. However, they have a problem, confirmed by research for this book, with defining these terms. They comment that Critical Infrastructure is both global and national, and so is Critical Information Infrastructure.
Critical Infrastructure is reviewed, as is, to a lesser extent, Critical Information Infrastructure, against country models. Yet Critical Infrastructure is essentially national in character, and Information Infrastructures (particularly the Internet and World Wide Web) are essentially international (more properly borderless) in character. Their handbook is called Critical Information Infrastructure Protection, and this suggests a primacy of Information Infrastructure with which this book would concur.

As an aside, controlling these different types of infrastructure becomes even more difficult when, after terrorist attacks, the media in particular becomes vocal about seeing visible responses to Critical Infrastructure attacks. In the UK, for example, this has led to the very disappointing political reaction that the National Information Security Coordination Centre (NISCC) is to be subsumed into a Critical National Infrastructure body in 2007 – thus depriving the UK and its allies of a potential leadership role in cross-border management of Information Infrastructure. This goes against the grain of the view that Critical Information Infrastructure now has primacy over Critical Infrastructures.

The key point is that Critical Infrastructure remains essentially national in character, whereas Critical Information Infrastructure is increasingly borderless in character. This approach, of course, demands a number of assumptions:
• The continued relevance of a nation state or similar
• The continued relevance of Capitalism or similar
• The continued relevance of democracy or similar
• The continued relevance of maintaining a “green” agenda or similar
• The continued relevance of technological progress or similar

And these are taken as “given.” Comments are made on each; but this book is not necessarily concerned with a substantive debate on these subjects.

Although society does not regularly look at the reasons for its own existence, it is important to understand why Resilience is important in such a context. Cynically or otherwise, our societies are based on certain principles. In hedonistic times these get blurred or confused. However, at the root of society is a certain set of beliefs. It is worth reprising these because they are why Resilience is important. They do define society as a whole. A reasonable starting point, because of the dominance of the USA, within the OECD, on our way of life, could be the American Declaration of Independence, as follows:

When in the Course of human events it becomes necessary for one people to dissolve the political bands which have connected them with another and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature’s God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation. We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. — That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed, — That whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it, and to institute new Government, laying its foundation on such principles and organizing its powers in such form, as to them shall seem most likely to effect their Safety and Happiness.23

20 Ibid.
21 Naf, Michael (2001) Ubiquitous Insecurity: How to ‘Hack’ IT Systems. In: Wenger, Andreas (ed). The Internet and the Changing Face of International Relations and Security: An International Journal, Vol. 7, pp. 104–118.
22 Dunn, M and Wigert, I (2004) op. cit.
23 American Declaration of Independence available at http://www.ushistory.org/declaration (Accessed: 6 January 2007).
At least in theory the Government of the USA (and other Governments) has certain responsibilities to its citizens. Over time this has taken, in part, the form of the construction of various infrastructures to secure life, liberty, and happiness. The preservation of infrastructures designed to ensure that this happens is clearly important. Resilience in such infrastructures is also important. The USA Constitution states the position even more clearly:

We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

The United States Bill of Rights as represented by the major amendments to the Constitution:

Amendments:
First Amendment – Freedom of speech, press, religion, peaceable assembly, and to petition the government.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
Second Amendment – Right for the people to keep and bear arms, as well as to maintain a militia.
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms shall not be infringed.
Third Amendment – Protection from quartering of troops.
No Soldier shall, in time of peace be quartered in any house, without the consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Fourth Amendment – Protection from unreasonable search and seizure.
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Fifth Amendment – Due process, double jeopardy, self-incrimination, private property.
No person shall be held to answer for any capital, or otherwise infamous crime, unless on a presentment or indictment of a Grand Jury, except in cases arising in the land or naval forces, or in the Militia, when in actual service in time of War or public danger; nor shall any person be subject for the same offence to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.
Sixth Amendment – Trial by jury and other rights of the accused.
In all criminal prosecutions, the accused shall enjoy the right to a speedy and public trial, by an impartial jury of the State and district wherein the crime shall have been committed, which district shall have been previously ascertained by law, and to be informed of the nature and cause of the accusation; to be confronted with the witnesses against him; to have compulsory process for obtaining witnesses in his favor, and to have the Assistance of Counsel for his defense.
Seventh Amendment – Civil trial by jury.
In suits at common law, where the value in controversy shall exceed twenty dollars, the right of trial by jury shall be preserved, and no fact tried by a jury, shall be otherwise reexamined in any Court of the United States, than according to the rules of the common law.
Eighth Amendment – Prohibition of excessive bail, as well as cruel and unusual punishment.
Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted.
Ninth Amendment – Protection of rights not specifically enumerated in the Bill of Rights.
The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people.
Tenth Amendment – Powers of states and people.
The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.24

This constitution gives a clear statement of what the USA society is built upon; and therefore what needs to be defended. The infrastructures that have been built around both the Declaration of Independence and the Constitution to create the USA are the infrastructures that need to be defended. Later in this book, the global nature of Critical Information Infrastructure is noted. It is worth remembering that most of the Critical Information Infrastructure in regard to space and the Internet is in the hands of the USA. It might have been possible to add the Ten Commandments here; but they, despite the rise of the Christian right in the USA and the importance of Christianity across the OECD, seem of little relevance to a modern capitalist state – and, in fact, can be seen to be the antithesis of a modern capitalist state. This is already a critical problem for churches in the OECD.
Having said this, the Church is leading on defending personal conscience in the USA and UK. It is recognized that this is a simplistic approach, but it is a model, particularly as almost all the OECD countries subscribe to these “ideals” in one way, shape or form. Another way of defining our way of life is through Capitalism:

Although nowadays there are ideological capitalists – people who support a set of ideas about the economic benefits and importance of “free markets” – the term capitalism was first used to describe the system of private investment and industry with little governmental control which emerged, without an ideological basis, in the Netherlands and Britain in the 17th and 18th centuries. A “capitalist” was an individual who invested money (or capital) in a given business venture. The “Classical economists” [Adam Smith, David Ricardo, etc.], aided by Karl Marx were responsible for positing this de facto set of business arrangements as an ideology. In the United States, thinkers as diverse as Hayek, Friedman and Ayn Rand, have promoted “Capitalism” as every bit as much an ideology as Marxism. In practice, many modern western economies developed under heavy government support and subsidy.25

24 USA Constitution available at http://usconstituion.net (Accessed: 6 January 2007).

The link between Government and the success of Capitalism is as old as Capitalism itself. A third unifier of the OECD is clearly technology, and particularly information technology. The way in which life is ordered, goods bought and sold, money transferred, information exchanged, the internet used, etc., is more prevalent within the OECD than in any other group of countries. Most data traffic is between OECD countries in 2007, and more information is stored digitally in the OECD countries than anywhere else. So there are three unifying features within the OECD, and hence within this study of Resilience: the first is a broadly common political and social ideal, the second is a common economic approach, and the third is a unifying technology. This is what the Critical Infrastructures and Critical Information Infrastructures support, and this is why they need defending. Resilience in each of these areas is crucial.

Importantly, there has been a migration of these infrastructures from primarily Government ownership in the 1950s to a much more public/private split 50 years later. If we take the UK’s list of Critical Infrastructures and look, very simply, at what has happened to it over a 50 year period:
TABLE 1. UK Infrastructure Ownership

Infrastructure | 1957 | 2007 | Comments
Communications | General Post Office ran the UK’s Post and Telecommunications | BT and others run telecommunications; the Royal Mail is now privatized | Ownership has moved from Public to Private
Emergency services | Police, Fire, Ambulance | Police, Fire, Ambulance | Ownership still public – but many more private providers
Energy | Nearly all Public, heavy state investment in oil companies such as BP | Nearly all private | Ownership has moved from Public to Private
Finance | Nationalized Bank of England, local national banks | Independent Bank of England, international private banks | Ownership has moved from Public to Private
Food | National Policy on Food Production | No National Policy on Food Production | Ownership has moved from some Public to generally Private
Government and Public Service | Public | Public with Quangos26 and Agencies, some Private Delivery | Has grown not shrunk as other parts have moved from Public to Private sector, e.g. now one civil servant+ for every serviceman (see next table)
Public safety | Government Department | Government Agency | Moved from Central Government to a Quango
Health | Public | Public/Private | Ownership has moved from Public to Private
Transport | Largely Public | Largely Private | Ownership has moved from Public to Private
Water | Public | Private | Public to Private

25 Definition available at http://academic.brooklyn.cuny.edu/history/virtual/glossary.htm (Accessed: 6 January 2007).
The ability to defend Critical Infrastructures has changed too. In simple terms:

TABLE 2. UK Defense of Infrastructures

Defense force | 1957 (27) | 2006 (28) | Comments
Army | More than 690,000 (Army, Air Force and Navy combined) | 107,370 | Less than one-third overall size
Air Force | (included in the combined figure above) | 46,560 |
Navy | (included in the combined figure above) | 38,710 |
Police | Less than 80,000 | 130,000+ |
Size of UK Civil Service | Less than 300,000, of which less than 50,000 were devoted to MOD or related activities | 570,000 (not including Quangos), of which over 100,000 (over 200,000 if agencies are included) devoted to the MOD or related activities | More than double the size – and now one civil servant or Quango/agency employee for every serviceman

26 A Quango is a Quasi-Autonomous Non Government Organization – these are bodies that perform Governmental functions with Government Funding but are outside the formal Civil Service. As a consequence the true size of the public government sector is often masked.
27 Figures from http://www.citizenshippast.org.uk (Accessed: 6 January 2007).
28 Figures from http://www.dasa.mod.uk/natstats/tsp1/gender.html (Accessed: 6 January 2007) and http://www.police999.com/ukinfo/figures06.html and http://www.civilservice.gov.uk/management/statistics/publications/xls/pses_q4_2005.xls (Accessed: 6 January 2007).
Arguably, the UK is defending a more complex international and national infrastructure, now split between public and private sectors, with less than half the operatives it had in 1957, yet with twice as many people administering them. This seems, at face value, to be the inverse of the required development. At the same time there is less, not more, clarity on the who, what, and where of Critical Infrastructures. This is not just an issue that faces the UK – it is a trend across the OECD.

It would be naïve to assume that society does not change. It does. In general, it can be assumed that society has changed because its leaders wanted it to change. Wars have been fought to preserve a political position on which leaders have agreed. War, after all, is the extension of politics by other means.29 But what happens when society begins to change without its leaders’ agreement? This is potentially the issue concerning Critical Information Infrastructure. Society has often changed without its population’s consent, notwithstanding “no taxation without representation,” but rarely without its leaders’ consent. How resilient is society to change without either leaders’ or population’s consent? What happens if society is “sleepwalking” into some form of revolution that may be wanted or unwanted? Has every leader in the OECD agreed to be part of a pervasive information technology that now runs the lives of all their citizens? Of course, this sort of statement may be a little over the top, but if this had been a political, rather than a technical, revolution, how different would the view of the leadership have been? The fact is that the infrastructure is now here, it is here to stay, but there is little general understanding about it and, it can be argued, very little protection. Since the year 2000, as noted in the introduction, Maslow’s hierarchy of needs has basically changed to include the computer, information technology, and telecommunications infrastructure.
So pervasive is this, now, to our lives that Resilience in this area is a major feature of this book. Put together, elements of the computer, information technology, and telecommunications infrastructures are so important that a term has been coined to describe the collective: Critical Information Infrastructure. Critical Information Infrastructure protection is now, perhaps, the most significant issue for both countries and businesses – and, for that matter, any other organization that relies on information of any sort for success. As all of us do to a greater or lesser extent, this does means all of us. Clearly, this book looks at the subject of Resilience in a particular manner, but equally draws on all the common definitions for support. For society to be resilient, it must absorb energy, it must return or change to another acceptable steady state, it must cope with stress and catastrophe, it must sustain interruption to business and recover and resume operations, and it must “bounce back.” To do this it must understand both what resilience is, what its critical infrastructures are, and how to protect them, and what, as a society, it both is and the values it espouses. Resilient societies, it is suggested, do not lose sight of these things. 29
29 Clausewitz, Karl von (1833) ‘On War’ – various editions available through http://www.amazon.com (Accessed: 6 January 2007).
Chapter 3 Critical Infrastructures and Critical Information Infrastructures: Approaches by Geography
This review of Critical Infrastructures and Critical Information Infrastructures looks at the major issues from different geographical viewpoints. The purpose is to give some understanding of the issues, and of the importance of the overall subject, in a number of different countries. The key countries looked at here are the UK, the USA, Australia, and New Zealand. Europe is also covered in some detail. This is simply because in any literature search they are clearly the leaders in this field.
In the USA Dr. Jim Kennedy of Lucent comments as follows:
It has always been the policy of the United States to ensure the continuity and security of the critical infrastructures that are essential to the minimum operations of our economy and government. This critical infrastructure includes essential government services, public health, law enforcement, emergency services, information and communications, banking and finance, energy, transportation, and water supply. So even before the events of 9/11, the Executive Branch of our government, the President through Presidential Decision Directive 63 (PDD 63) issued May 22, 1998, ordered the strengthening of the nation’s defenses against emerging unconventional threats to the United States, including those involving terrorist acts, weapons of mass destruction, assaults on critical infrastructures, and cyber-based attacks. But how many of us really understand what an immense undertaking that was? What is the critical infrastructure in the United States?
• More than 3,000 government facilities
• 7,569 Hospitals
• Telecommunications: 2 billion miles of cable; 1000s of telephone switching central offices
• Energy: 2,800 Electric power plants; 300,000 oil and natural gas producing sites; 104 nuclear power plants
• Transportation
– 5000 public airports
– 500,000 highway bridges
Critical Information Infrastructures: Resilience and Protection
– 2 million miles of pipelines
– 300 coastal ports
– 500 major urban public transit operators
• 4,893 banks or savings institutions have more than $100 billion in assets
• 66,000 chemical and hazardous material producing plants
• 75,000 dams
• 51,450 fire stations responding to 22,616,500 calls for assistance each year.
US business and every individual rely in some manner on the above every day. We depend on their operational resiliency and continuity of operations. Initially, critical infrastructure assurance was essentially a state and local concern. With the massive use of information technologies and their significant interdependencies it has become a national concern, with major implications for the defense of our homeland and the economic security of the United States. However, given all of the focus on critical infrastructure still one in three critical infrastructure operations goes without a business continuity or continuity of operations plan and three out of five of those operations with plans have never tested their plans as “fit for purpose.”30
Clearly Critical Infrastructure and Critical Information Infrastructure is an important issue in the USA.
What Critical Information Infrastructure/Infrastructure is: Critical Information Infrastructure is perceived as an essential part of national security in numerous countries today and has become the nucleus of the US terrorism and homeland security debate after 11 September 2001. A critical infrastructure is commonly understood to be an infrastructure or asset the incapacitation or destruction of which would have a debilitating impact on the national security and the economic and social welfare of a nation.31
In the USA, the important initiative and policy on Critical Infrastructure and Critical Information Infrastructures is the following:
Executive Order on Critical Infrastructure Protection
By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in the information age, it is hereby ordered as follows:
30 Kennedy, J (2006) Critical Infrastructure Protection is all about Operational Resilience and Continuity, Continuity Forum, 17 November. Available at http://www.continuitycentral.com/feature0413.htm (Accessed: 6 January 2007).
31 Dunn, M and Wigert, I (2004). op. cit.
Chapter 3 Critical Infrastructures and Critical Information Infrastructures
Section 1. Policy. (a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of Critical Information Infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors. (b) It is the policy of the United States to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible. The implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.
Sec. 2. Scope. To achieve this policy, there shall be a senior executive branch board to coordinate and have cognizance of Federal efforts and programs that relate to protection of information systems and involve: (a) cooperation with and protection of private sector critical infrastructure, State and local governments’ critical infrastructure, and supporting programs in corporate and academic organizations; (b) protection of Federal departments’ and agencies’ critical infrastructure; and (c) related national security programs.
Sec. 3. Establishment. I hereby establish the “President’s Critical Infrastructure Protection Board” (the “Board”).
Sec. 4. Continuing Authorities.
This order does not alter the existing authorities or roles of United States Government departments and agencies. Authorities set forth in 44 U.S.C. Chapter 35, and other applicable law, provide senior officials with responsibility for the security of Federal Government information systems. (a) Executive Branch Information Systems Security. The Director of the Office of Management and Budget (OMB) has the responsibility to develop and oversee the implementation of government-wide policies, principles, standards, and guidelines for the security of information systems that support the executive branch departments and agencies, except those noted in section 4(b) of this order. The Director of OMB shall advise the President and the appropriate department or agency head when there is a critical deficiency in the security practices within the purview of this section in an executive branch department
or agency. The Board shall assist and support the Director of OMB in this function and shall be reasonably cognizant of programs related to security of department and agency information systems. (b) National Security Information Systems. The Secretary of Defense and the Director of Central Intelligence (DCI) shall have responsibility to oversee, develop, and ensure implementation of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control. In consultation with the Assistant to the President for National Security Affairs and the affected departments and agencies, the Secretary of Defense and the DCI shall develop policies, principles, standards, and guidelines for the security of national security information systems that support the operations of other executive branch departments and agencies with national security information. (i) Policies, principles, standards, and guidelines developed under this subsection may require more stringent protection than those developed in accordance with subsection 4(a) of this order. (ii) The Assistant to the President for National Security Affairs shall advise the President and the appropriate department or agency head when there is a critical deficiency in the security practices of a department or agency within the purview of this section. The Board, or one of its standing or ad hoc committees, shall be reasonably cognizant of programs to provide security and continuity to national security information systems. (c) Additional Responsibilities: The Heads of Executive Branch Departments and Agencies. The heads of executive branch departments and agencies are responsible and accountable for providing and maintaining adequate levels of security for information systems, including emergency preparedness communications systems, for programs under their control. 
Heads of such departments and agencies shall ensure the development and, within available appropriations, funding of programs that adequately address these mission areas. Cost-effective security shall be built into and made an integral part of government information systems, especially those critical systems that support the national security and other essential government programs. Additionally, security should enable, and not unnecessarily impede, department and agency business operations. Sec. 5. Board Responsibilities. Consistent with the responsibilities noted in section 4 of this order, the Board shall recommend policies and coordinate programs for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Among its activities to implement these responsibilities, the Board shall: (a) Outreach to the Private Sector and State and Local Governments. In consultation with affected executive branch departments and agencies, coordinate outreach to and consultation with the private sector, including corporations
that own, operate, develop, and equip information, telecommunications, transportation, energy, water, health care, and financial services, on protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems; and coordinate outreach to State and local governments, as well as communities and representatives from academia and other relevant elements of society. (i) When requested to do so, assist in the development of voluntary standards and best practices in a manner consistent with 15 U.S.C. Chapter 7; (ii) Consult with potentially affected communities, including the legal, auditing, financial, and insurance communities, to the extent permitted by law, to determine areas of mutual concern; and (iii) Coordinate the activities of senior liaison officers appointed by the Attorney General, the Secretaries of Energy, Commerce, Transportation, the Treasury, and Health and Human Services, and the Director of the Federal Emergency Management Agency for outreach on critical infrastructure protection issues with private sector organizations within the areas of concern to these departments and agencies. In these and other related functions, the Board shall work in coordination with the Critical Infrastructure Assurance Office (CIAO) and the National Institute of Standards and Technology of the Department of Commerce, the National Infrastructure Protection Center (NIPC), and the National Communications System (NCS). (b) Information Sharing. Work with industry, State and local governments, and nongovernmental organizations to ensure that systems are created and well managed to share threat warning, analysis, and recovery information among government network operation centers, information sharing and analysis centers established on a voluntary basis by industry, and other related operations centers. 
In this and other related functions, the Board shall work in coordination with the NCS, the Federal Computer Incident Response Center, the NIPC, and other departments and agencies, as appropriate. (c) Incident Coordination and Crisis Response. Coordinate programs and policies for responding to information systems security incidents that threaten information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. In this function, the Department of Justice, through the NIPC and the Manager of the NCS and other departments and agencies, as appropriate, shall work in coordination with the Board. (d) Recruitment, Retention, and Training Executive Branch Security Professionals. In consultation with executive branch departments and agencies, coordinate programs to ensure that government employees with responsibilities for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that
support such systems, are adequately trained and evaluated. In this function, the Office of Personnel Management shall work in coordination with the Board, as appropriate. (e) Research and Development. Coordinate with the Director of the Office of Science and Technology Policy (OSTP) on a program of Federal Government research and development for protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and ensure coordination of government activities in this field with corporations, universities, Federally funded research centers, and national laboratories. In this function, the Board shall work in coordination with the National Science Foundation, the Defense Advanced Research Projects Agency, and with other departments and agencies, as appropriate. (f) Law Enforcement Coordination with National Security Components. Promote programs against cyber crime and assist Federal law enforcement agencies in gaining necessary cooperation from executive branch departments and agencies. Support Federal law enforcement agencies’ investigation of illegal activities involving information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and support coordination by these agencies with other departments and agencies with responsibilities to defend the Nation’s security. In this function, the Board shall work in coordination with the Department of Justice, through the NIPC, and the Department of the Treasury, through the Secret Service, and with other departments and agencies, as appropriate. (g) International Information Infrastructure Protection. Support the Department of State’s coordination of United States Government programs for international cooperation covering international Information Infrastructure protection issues. (h) Legislation.
In accordance with OMB circular A-19, advise departments and agencies, the Director of OMB, and the Assistant to the President for Legislative Affairs on legislation relating to protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. (i) Coordination with Office of Homeland Security. Carry out those functions relating to protection of and recovery from attacks against information systems for critical infrastructure, including emergency preparedness communications, that were assigned to the Office of Homeland Security by Executive Order 13228 of October 8, 2001. The Assistant to the President for Homeland Security, in coordination with the Assistant to the President for National Security Affairs, shall be responsible for defining the responsibilities of the Board in coordinating efforts to protect physical assets that support information systems.
Sec. 6. Membership. (a) Members of the Board shall be drawn from the executive branch departments, agencies, and offices listed below; in addition, concerned Federal departments and agencies may participate in the activities of appropriate committees of the Board. The Board shall be led by a Chair and Vice Chair, designated by the President. Its other members shall be the following senior officials or their designees:
(i) Secretary of State;
(ii) Secretary of the Treasury;
(iii) Secretary of Defense;
(iv) Attorney General;
(v) Secretary of Commerce;
(vi) Secretary of Health and Human Services;
(vii) Secretary of Transportation;
(viii) Secretary of Energy;
(ix) Director of Central Intelligence;
(x) Chairman of the Joint Chiefs of Staff;
(xi) Director of the Federal Emergency Management Agency;
(xii) Administrator of General Services;
(xiii) Director of the Office of Management and Budget;
(xiv) Director of the Office of Science and Technology Policy;
(xv) Chief of Staff to the Vice President;
(xvi) Director of the National Economic Council;
(xvii) Assistant to the President for National Security Affairs;
(xviii) Assistant to the President for Homeland Security;
(xix) Chief of Staff to the President; and
(xx) Such other executive branch officials as the President may designate.
Members of the Board and their designees shall be full-time or permanent part-time officers or employees of the Federal Government. (b) In addition, the following officials shall serve as members of the Board and shall form the Board’s Coordination Committee:
(i) Director, Critical Infrastructure Assurance Office, Department of Commerce;
(ii) Manager, National Communications System;
(iii) Vice Chair, Chief Information Officers’ (CIO) Council;
(iv) Information Assurance Director, National Security Agency;
(v) Deputy Director of Central Intelligence for Community Management; and
(vi) Director, National Infrastructure Protection Center, Federal Bureau of Investigation, Department of Justice.
(c) The Chairman of the Federal Communications Commission may appoint a representative to the Board.
Sec. 7. Chair. (a) The Chair also shall be the Special Advisor to the President for Cyberspace Security. Executive branch departments and agencies shall make all reasonable efforts to keep the Chair fully informed in a timely manner, and to the greatest extent permitted by law, of all programs and issues within the purview of the Board. The Chair, in consultation with the Board, shall call and preside at meetings of the Board and set the agenda for the Board. The Chair, in consultation with the Board, may propose policies and programs to appropriate officials to ensure the protection of the Nation’s information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. To ensure full coordination between the responsibilities of the National Security Council (NSC) and the Office of Homeland Security, the Chair shall report to both the Assistant to the President for National Security Affairs and to the Assistant to the President for Homeland Security. The Chair shall coordinate with the Assistant to the President for Economic Policy on issues relating to private sector systems and economic effects and with the Director of OMB on issues relating to budgets and the security of computer networks addressed in subsection 4(a) of this order. (b) The Chair shall be assisted by an appropriately sized staff within the White House Office. In addition, heads of executive branch departments and agencies are, to the extent permitted by law, to detail or assign personnel of such departments and agencies to the Board’s staff upon request of the Chair, subject to the approval of the Chief of Staff to the President. Members of the Board’s staff with responsibilities relating to national security information systems, communications, and information warfare may, with respect to those responsibilities, also work at the direction of the Assistant to the President for National Security Affairs. Sec. 8. 
Standing Committees. (a) The Board may establish standing and ad hoc committees as appropriate. Representation on standing committees shall not be limited to those departments and agencies on the Board, but may include representatives of other concerned executive branch departments and agencies. (b) Chairs of standing and ad hoc committees shall report fully and regularly on the activities of the committees to the Board, which shall ensure that the committees are well coordinated with each other. (c) There are established the following standing committees: (i) Private Sector and State and Local Government Outreach, chaired by the designee of the Secretary of Commerce, to work in coordination with the designee of the Chairman of the National Economic Council. (ii) Executive Branch Information Systems Security, chaired by the designee of the Director of OMB. The committee shall assist OMB in fulfilling its responsibilities under 44 U.S.C. Chapter 35 and other applicable law.
(iii) National Security Systems. The National Security Telecommunications and Information Systems Security Committee, as established by and consistent with NSD-42 and chaired by the Department of Defense, shall serve as a Board standing committee, and be redesignated the Committee on National Security Systems. (iv) Incident Response Coordination, co-chaired by the designees of the Attorney General and the Secretary of Defense. (v) Research and Development, chaired by a designee of the Director of OSTP. (vi) National Security and Emergency Preparedness Communications. The NCS Committee of Principals is renamed the Board’s Committee for National Security and Emergency Preparedness Communications. The reporting functions established above for standing committees are in addition to the functions set forth in Executive Order 12472 of April 3, 1984, and do not alter any function or role set forth therein. (vii) Physical Security, co-chaired by the designees of the Secretary of Defense and the Attorney General, to coordinate programs to ensure the physical security of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. The standing committee shall coordinate its work with the Office of Homeland Security and shall work closely with the Physical Security Working Group of the Records Access and Information Security Policy Coordinating Committee to ensure coordination of efforts. (viii) Infrastructure Interdependencies, co-chaired by the designees of the Secretaries of Transportation and Energy, to coordinate programs to assess the unique risks, threats, and vulnerabilities associated with the interdependency of information systems for critical infrastructures, including the development of effective models, simulations, and other analytic tools and cost-effective technologies in this area. 
(ix) International Affairs, chaired by a designee of the Secretary of State, to support Department of State coordination of United States Government programs for international cooperation covering international Information Infrastructure issues. (x) Financial and Banking Information Infrastructure, chaired by a designee of the Secretary of the Treasury and including representatives of the banking and financial institution regulatory agencies. (xi) Other Committees. Such other standing committees as may be established by the Board. (d) Subcommittees. The chair of each standing committee may form necessary subcommittees with organizational representation as determined by the Chair.
(e) Streamlining. The Board shall develop procedures that specify the manner in which it or a subordinate committee will perform the responsibilities previously assigned to the Policy Coordinating Committee. The Board, in coordination with the Director of OSTP, shall review the functions of the Joint Telecommunications Resources Board, established under Executive Order 12472, and make recommendations about its future role.
Sec. 9. Planning and Budget. (a) The Board, on a periodic basis, shall propose a National Plan or plans for subjects within its purview. The Board, in coordination with the Office of Homeland Security, also shall make recommendations to OMB on those portions of executive branch department and agency budgets that fall within the Board’s purview, after review of relevant program requirements and resources. (b) The Office of Administration within the Executive Office of the President shall provide the Board with such personnel, funding, and administrative support, to the extent permitted by law and subject to the availability of appropriations, as directed by the Chief of Staff to carry out the provisions of this order. Only those funds that are available for the Office of Homeland Security, established by Executive Order 13228, shall be available for such purposes. To the extent permitted by law and as appropriate, agencies represented on the Board also may provide administrative support for the Board. The National Security Agency shall ensure that the Board’s information and communications systems are appropriately secured. (c) The Board may annually request the National Science Foundation, Department of Energy, Department of Transportation, Environmental Protection Agency, Department of Commerce, Department of Defense, and the Intelligence Community, as that term is defined in Executive Order 12333 of December 4, 1981, to include in their budget requests to OMB funding for demonstration projects and research to support the Board’s activities.
Sec. 10. Presidential Advisory Panels. The Chair shall work closely with panels of senior experts from outside of the government that advise the President, in particular: the President’s National Security Telecommunications Advisory Committee (NSTAC) created by Executive Order 12382 of September 13, 1982, as amended, and the National Infrastructure Advisory Council (NIAC or Council) created by this Executive Order. The Chair and Vice Chair of these two panels also may meet with the Board, as appropriate and to the extent permitted by law, to provide a private sector perspective. (a) NSTAC. The NSTAC provides the President advice on the security and continuity of communications systems essential for national security and emergency preparedness. (b) NIAC. There is hereby established the National Infrastructure Advisory Council, which shall provide the President advice on the security of information systems for critical infrastructure supporting other sectors of the economy: banking and finance, transportation, energy, manufacturing, and emergency government services. The NIAC shall be composed of not
more than 30 members appointed by the President. The members of the NIAC shall be selected from the private sector, academia, and State and local government. Members of the NIAC shall have expertise relevant to the functions of the NIAC and generally shall be selected from industry Chief Executive Officers (and equivalently ranked leaders in other organizations) with responsibilities for the security of Information Infrastructure supporting the critical sectors of the economy, including banking and finance, transportation, energy, communications, and emergency government services. Members shall not be full-time officials or employees of the executive branch of the Federal Government. (i) The President shall designate a Chair and Vice Chair from among the members of the NIAC. (ii) The Chair of the Board established by this order will serve as the Executive Director of the NIAC. (c) NIAC Functions. The NIAC will meet periodically to: (i) enhance the partnership of the public and private sectors in protecting information systems for critical infrastructures and provide reports on this issue to the President, as appropriate; (ii) propose and develop ways to encourage private industry to perform periodic risk assessments of critical information and telecommunications systems; (iii) monitor the development of private sector Information Sharing and Analysis Centers (ISACs) and provide recommendations to the Board on how these organizations can best foster improved cooperation among the ISACs, the NIPC, and other Federal Government entities; (iv) report to the President through the Board, which shall ensure appropriate coordination with the Assistant to the President for Economic Policy under the terms of this order; and (v) advise lead agencies with critical infrastructure responsibilities, sector coordinators, the NIPC, the ISACs, and the Board. (d) Administration of the NIAC. (i) The NIAC may hold hearings, conduct inquiries, and establish subcommittees, as appropriate. 
(ii) Upon the request of the Chair, and to the extent permitted by law, the heads of the executive branch departments and agencies shall provide the Council with information and advice relating to its functions. (iii) Senior Federal Government officials may participate in the meetings of the NIAC, as appropriate. (iv) Members shall serve without compensation for their work on the Council. However, members may be allowed travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in Federal Government service (5 U.S.C. 5701–5707).
(v) To the extent permitted by law, and subject to the availability of appropriations, the Department of Commerce, through the CIAO, shall provide the NIAC with administrative services, staff, and other support services and such funds as may be necessary for the performance of the NIAC’s functions. (e) General Provisions. (i) Insofar as the Federal Advisory Committee Act, as amended (5 U.S.C. App.), may apply to the NIAC, the functions of the President under that Act, except that of reporting to the Congress, shall be performed by the Department of Commerce in accordance with the guidelines and procedures established by the Administrator of General Services. (ii) The Council shall terminate 2 years from the date of this order, unless extended by the President prior to that date. (iii) Executive Order 13130 of July 14, 1999, is hereby revoked. Sec. 11. National Communications System. Changes in technology are causing the convergence of much of telephony, data relay, and internet communications networks into an interconnected network of networks. The NCS and its National Coordinating Center shall support use of telephony, converged information, voice networks, and next generation networks for emergency preparedness and national security communications functions assigned to them in Executive Order 12472. All authorities and assignments of responsibilities to departments and agencies in that order, including the role of the Manager of NCS, remain unchanged except as explicitly modified by this order. Sec. 12. Counter-intelligence. The Board shall coordinate its activities with those of the Office of the Counter-intelligence Executive to address the threat to programs within the Board’s purview from hostile foreign intelligence services. Sec. 13. Classification Authority. I hereby delegate to the Chair the authority to classify information originally as Top Secret, in accordance with Executive Order 12958 of April 17, 1995, as amended, or any successor Executive Order. 
Sec. 14. General Provisions. (a) Nothing in this order shall supersede any requirement made by or under law. (b) This order does not create any right or benefit, substantive or procedural, enforceable at law or equity, against the United States, its departments, agencies or other entities, its officers or employees, or any other person. GEORGE W. BUSH THE WHITE HOUSE, October 16, 2001.32
32 Bush, GW (2001) Executive Order on Critical Infrastructure Protection. Available at http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html (Accessed: 6 January 2007).
Chapter 3 Critical Infrastructures and Critical Information Infrastructures
The Executive Order represents a clear political statement about the importance of Critical Infrastructure and Critical Information Infrastructure. It is probably the clearest statement of this nature from any administration. It does, however, have a weakness in that there is a lack of absolute clarity on who is responsible overall: there is much coordination, many different bodies, and consultation. No specific department is charged with either building resilience or defense, although it may be inferred that the Department of Homeland Security has a leading role.
In the UK, Critical Infrastructure is termed Critical National Infrastructure. MI5, the Security Service, comments as follows:
The Government places a high value on ensuring that the UK is both well prepared for and protected against national emergencies of all kinds . . . Major disruption could result from a range of events such as adverse environmental conditions, major accidents, epidemics, or deliberate terrorist or electronic attack. Strengthening our national resilience to such events requires the joint effort of all Government departments together with the businesses, organizations and communities that are fundamental to our daily lives. Many of the mechanisms to deal with a national crisis and to protect our national assets are already well established, but ensuring a coordinated response among all the stakeholders who play a part in protecting and preparing the UK can be complex. The concept of a Critical National Infrastructure (CNI) helps to introduce a common understanding of key sectors and functions that need to be preserved in the face of any disruptive challenge and protected in the public interest.
The Government views the CNI as those assets, services and systems that support the economic, political and social life of the UK whose importance is such that any entire or partial loss or compromise could:
• cause large scale loss of life;
• have a serious impact on the national economy;
• have other grave social consequences for the community, or any substantial part of the community; or
• be of immediate concern to the national government.
The Government considers that there are ten “sectors” of economic, political and social activity in which there are critical elements. They are:
• Communications
• Emergency Services
• Energy
• Finance
• Food
• Government and Public Service
• Public Safety
• Health
• Transport
• Water
Critical Information Infrastructures: Resilience and Protection
Not every activity within these sectors is critical, but application of the criteria outlined above assists Government and managers within each sector to identify where best to concentrate protective security effort.33
In the UK, Critical Infrastructure Protection and Critical Information Infrastructure Protection are well understood. The definition of the “sectors” is slightly different from the common list described elsewhere, but still comprehensive. The threats are also well understood. Organizations exist to advise and warn. No specific department is charged with either building resilience or defense.
On 25 November 2005, the European Commission launched a Green Paper on “Critical Infrastructure Protection”:
The European Commission has adopted a green paper on a Program for critical infrastructure protection which outlines the options on what would enhance prevention, preparedness and response to the Union’s critical infrastructure protection. The Green Paper provides options on how the Commission may respond to the Council’s request to establish a “European Program for Critical Infrastructure Protection” (EPCIP) and a “Critical Infrastructure Warning Information Network” (CIWIN) and constitutes the second phase of a consultation process that began with a Commission Communication on Critical Infrastructure Protection that was adopted in October 2004. The Green Paper addresses such key issues as: What should EPCIP protect against? The key principles being:
• The type of framework needed
• Definition of EU Critical Infrastructure
• National Critical Infrastructure
• Role of Critical Infrastructure owners/operators
• The Critical Infrastructure Warning Information Network (CIWIN)
• Funding
• Evaluation and monitoring
The options presented by the EPCIP Green Paper are a combination of measures and are to be viewed as complementary to current national efforts.
The Commission expects that by presenting this green paper, it will receive concrete feedback concerning the policy options outlined in this document. Critical Infrastructure can be damaged, destroyed or disrupted by deliberate acts of terrorism, natural disasters, negligence, accidents or computer hacking, criminal activity, and malicious behavior. To save the lives and property of people at risk in the EU from terrorism, natural disasters, and accidents, any disruptions or manipulations of Critical Infrastructures should, to the extent possible, be brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the Member States, their citizens, and the European Union.
33 Available at http://www.mi5.gov.uk (Accessed: 6 January 2007).
The recent terrorist attacks in Madrid and London have highlighted the risk of terrorist attacks against European infrastructure. The EU’s response must therefore be swift, coordinated, and efficient. The damage or loss of a piece of infrastructure in one State may have negative effects on several others and on the European economy as a whole. This is becoming increasingly likely as new technologies (e.g., the Internet) and market liberalization (e.g., in electricity and gas supply) mean that much infrastructure is part of a larger network. In such a situation, protection measures are only as strong as their weakest link. This means that a common level of protection may be necessary. A common EU level framework for the protection of critical infrastructure in Europe could be put in place in order to make sure that each Member State is providing adequate and equal levels of protection concerning their critical infrastructure and that the rules of competition within the internal market are not distorted. The Commission has organized seminars and invited the submission of ideas and comments by Member States. The submissions have formed the basis for further critical infrastructure protection development. Both Member States and industry associations have participated in the seminars. As a result, the Commission has put forward a green paper on the subject. The objective of the green paper is to receive feedback concerning EPCIP policy options by involving a broad number of stakeholders. The effective protection of critical infrastructure requires communication, coordination, and cooperation nationally and at EU level among all interested parties – the owners and operators of infrastructure, regulators, professional bodies, and industry associations in cooperation with all levels of government, and the public.34
In Europe there is again a good understanding of Critical Infrastructures, but the operational side of things is not well developed.
No specific department is charged with either building resilience or defense.
In some parts of Australia as much as 90% of critical infrastructure is privately owned. As such, Critical Infrastructure Protection (CIP) cannot be carried out solely by government. CIP brings together a significant number of existing strategies, plans, and procedures that deal with the prevention, preparedness, response, and recovery arrangements for disasters and emergencies. It is not a new discipline, but is a coordinated blending of existing specializations, including:
• Law enforcement and crime prevention
• Counter terrorism
• National security and defense
• Emergency management, including the dissemination of information
• Business continuity planning
34 European Commission (2005) Critical Infrastructure Protection. Green Paper. Available at http://www.europaworld.org/week247/commission251105.htm (Accessed: 6 January 2007).
• Protective security (physical, personnel and procedural)
• e-security
• Natural disaster planning and preparedness
• Risk management
• Professional networking
• Market regulation, planning and infrastructure development.
CIP requires the active participation of the owners and operators of infrastructure, regulators, professional bodies, and industry associations, in cooperation with all levels of government, and the public. To ensure this cooperation and coordination, all of these participants should commit to the following set of common fundamental principles of CIP. These principles are to be read as a whole, as each sets the context for the following. CIP is centered on the need to minimize risks to public health, safety, and confidence, ensure our economic security, maintain Australia’s international competitiveness, and ensure the continuity of government and its services. The objectives of CIP are to identify critical infrastructure, analyze vulnerability and interdependence, and protect from, and prepare for, all hazards. As not all critical infrastructure can be protected from all threats, appropriate risk management techniques should be used to determine relative severity and duration, the level of protective security, set priorities for the allocation of resources, and the application of the best mitigation strategies for business continuity. The responsibility for managing risk within physical facilities, supply chains, information technologies, and communication networks primarily rests with the owners and operators. CIP needs to be undertaken from an “all hazards approach” with full consideration of interdependencies between businesses, sectors, jurisdictions, and government agencies. CIP requires a consistent, cooperative partnership between the owners and operators of critical infrastructure and governments.
The sharing of information relating to threats and vulnerabilities will assist governments, and owners and operators of critical infrastructure, to better manage risk. It is stated that care should be taken when referring to national security threats to critical infrastructure, including terrorism, so as to avoid undue concern in the Australian domestic community, as well as among potential tourists and investors overseas. Stronger research and analysis capabilities can ensure that risk mitigation strategies are tailored to Australia’s unique critical infrastructure circumstances.35
Again, Australia has a very clear understanding of the issues. No specific department is charged with either building resilience or defense.
35 Australian Government Attorney General (2006) Trusted Information Sharing Network for Critical Infrastructure Protection. Available at http://www.tisn.gov.au (Accessed: 6 January 2007).
In New Zealand, most systems assume the continuing supply of power and telecommunications.
Ownership of Infrastructure
• The ownership of critical infrastructure is diverse.
• Central government departments own items such as the computers running the SWIFTT benefits payment system.
• The Defense and Police forces have computer systems and communications networks.
• Hospitals use computer systems for accounting and administration.
• The Reserve Bank currently operates banking settlements systems.
• State-owned enterprises such as Transpower and Airways own critical networks.
• Much critical infrastructure is in the private sector, including telecommunications and local electricity distribution.
The situation is more complex than the above would suggest. There are many different models for infrastructure-owning organizations to have parts of infrastructure outsourced or managed by another company. Furthermore, although some infrastructure providers have IT or telecommunications networks, these are in many cases dependent on circuits provided by a telecommunications carrier such as Telecom or Telstra Saturn. While the government does not own or directly control much of the critical infrastructure of New Zealand, it does have a role in assuring itself that this infrastructure is adequately protected. Infrastructural businesses differ from others in that customers’ interest in their continued ability to supply may exceed the commercial interests of the business to do so. This is especially a concern where the infrastructure business is a monopoly provider, since the competitive pressure to maintain service is reduced or absent. A hypothetical example would be a power company that risked infrastructure failure through underinvestment of funds and time in engineering while choosing instead to focus on an area that might increase profitability. The following diagram shows how the various critical infrastructures depend on each other.
[Figure 1: dependency diagram linking Transport, Banking / Finance, Electric Power, Emergency Services, Telecommunications, Oil and Gas, and Government Services]
FIGURE 1. New Zealand Critical Infrastructure Dependencies (Source: New Zealand Government)
Risks in Critical Infrastructure Given the concerns expressed above over the adequacy of commercial incentives in respect of infrastructure security, Government needs to consider how it can assure itself that sufficient risk management is being undertaken. A reasonable approach is to establish the extent to which infrastructure owners use risk management methods. Best practice risk management starts with a formal model of risk and mitigation. There are a number of formal risk assessment models available. The following diagrams show a summary of risk assessment and mitigation as applied to the critical infrastructure. These models are adapted from Australian and New Zealand Standards. This diagram shows the critical services depending on infrastructure, some areas of which depend on other services. The components of the infrastructure, referred to as assets, are subject to vulnerabilities. Vulnerabilities may be exploited by threats. The action of a threat on a vulnerability may be mitigated through various strategies.
[Figure 2: diagram with nodes Critical Services, Critical Infrastructure, Assets, Threats, Vulnerabilities, Mitigations and Residual Risk, with edge labels “Makes use of”, “Composed of” and “Also needs”]
FIGURE 2. New Zealand Infrastructure Threats and Vulnerabilities (Source: New Zealand Government)
[Figure 3: cycle through Threats, Assets, Vulnerabilities, Mitigations and Residual Risk]
FIGURE 3. New Zealand Risk Mitigation Cycle (Source: New Zealand Government)
After risks have been mitigated there is always some residual risk, which needs to be assessed. If it is found unacceptable further mitigation measures will need to be applied. Risk has two components: the consequence, or impact of an event; and the likelihood of the event. Because infrastructure is obviously valuable, physical risks have generally already been considered and some measure of protection applied. The risk of damage to infrastructure from physical threats therefore tends to have a low likelihood, albeit a high consequence. This section, however, focuses on the more rapidly developing and less immediately obvious risks that are associated with the growing dependence on IT.
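The model in Figures 2 and 3 (assets carrying vulnerabilities, threats acting on them, mitigations applied, residual risk reassessed until acceptable) is easy to misread as a one-off scoring exercise; it is a loop. The following Python is an added example written for this edition, not code from the book or from the New Zealand report. It encodes risk as likelihood multiplied by consequence on the ordinal 1–5 scales typical of AS/NZS-style matrices, and runs the mitigation cycle greedily, applying whichever candidate control buys the largest reduction in the worst remaining risk per unit of cost, then reassessing. The asset, vulnerabilities, mitigations, ratings and tolerance are all constructed for illustration (loosely following the dial-up substation management scenario discussed later in the same report) and are not figures from the page.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Vulnerability:
    """A weakness in an asset, rated on ordinal scales (constructed values in this example)."""
    name: str
    likelihood: int    # 1 (rare) .. 5 (almost certain) that a threat exploits it
    consequence: int   # 1 (negligible) .. 5 (catastrophic) impact on the critical service


@dataclass
class Mitigation:
    """A control that lowers the likelihood and/or consequence of one vulnerability."""
    name: str
    targets: str                 # name of the vulnerability it addresses
    likelihood_reduction: int = 0
    consequence_reduction: int = 0
    cost: int = 1                # relative cost, used only to prioritise between candidates


@dataclass
class Asset:
    name: str
    vulnerabilities: list[Vulnerability]


def risk_score(vuln: Vulnerability, applied: list[Mitigation]) -> int:
    """Risk = likelihood x consequence after the applied mitigations; neither factor drops below 1."""
    likelihood = vuln.likelihood - sum(m.likelihood_reduction for m in applied if m.targets == vuln.name)
    consequence = vuln.consequence - sum(m.consequence_reduction for m in applied if m.targets == vuln.name)
    return max(1, likelihood) * max(1, consequence)


def residual_risk(asset: Asset, applied: list[Mitigation]) -> int:
    """The asset's residual risk is its worst remaining vulnerability."""
    return max(risk_score(v, applied) for v in asset.vulnerabilities)


def mitigation_cycle(asset: Asset, candidates: list[Mitigation], tolerance: int) -> tuple[int, list[str]]:
    """Figure 3 as a loop: assess residual risk and, while it is above tolerance, apply the
    candidate giving the largest reduction per unit cost, then reassess. Stops early if no
    remaining candidate lowers the worst case, which is the signal to seek further controls."""
    applied: list[Mitigation] = []
    remaining = list(candidates)
    while residual_risk(asset, applied) > tolerance and remaining:
        before = residual_risk(asset, applied)
        best = max(remaining, key=lambda m: (before - residual_risk(asset, applied + [m])) / m.cost)
        if residual_risk(asset, applied + [best]) >= before:
            break   # nothing left reduces the worst case: residual risk stays unacceptable
        applied.append(best)
        remaining.remove(best)
    return residual_risk(asset, applied), [m.name for m in applied]


def substation_example() -> tuple[int, list[str]]:
    """Constructed risk register for a hypothetical substation management network."""
    dialup = "Dial-up modem with shared password"
    server = "Unpatched management server"
    asset = Asset("Substation network management", [
        Vulnerability(dialup, likelihood=4, consequence=5),   # score 20 before mitigation
        Vulnerability(server, likelihood=3, consequence=4),   # score 12 before mitigation
    ])
    candidates = [
        Mitigation("Per-user authentication with revocation", dialup, likelihood_reduction=2, cost=2),
        Mitigation("Call-back modem", dialup, likelihood_reduction=1, cost=1),
        Mitigation("Patch management", server, likelihood_reduction=2, cost=1),
        Mitigation("Network segmentation", server, consequence_reduction=2, cost=3),
    ]
    return mitigation_cycle(asset, candidates, tolerance=6)


if __name__ == "__main__":
    residual, applied = substation_example()
    print(f"residual risk {residual} after applying: {applied}")
```

The greedy ordering is a design choice, not part of the report's model: it shows why a cheap partial control can be applied before a stronger, dearer one, and why the loop must reassess after each step rather than pre-computing a single list. In the constructed register the cycle ends with the network segmentation control unapplied, because the worst-case risk is already within tolerance without it.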
IT Threats to Critical Infrastructure
IT threats (i.e., threats that do not include physical attack) to critical infrastructure may be categorized both by the motivation and resourcing of the attacker or other threat agent, and by the means of attack. Threat agents could be the following:
• Staff making mistakes
• Disaffected staff or contractors
• Recreational hackers
• Individuals seeking personal gain, e.g. through theft or extortion
• Agents of organized crime, competing commercial interests or issue groups
• Agents of foreign governments
These vary in the extent of knowledge and resource. The types of IT-borne attack include the following:
• Denial of service attacks via the Internet
• Hacking or cracking, whether leading to systems damage or breach of confidentiality
• Malware – programs with covert malicious intent, including viruses, worms, and trojan horses
• Malicious or inadvertent damage by insiders
• The unlawful interception of messages (or actual theft of laptop or other computers)
Since the Internet has become so ubiquitous in developed nations, most IT-borne attacks have been carried out over the Internet. Internet-based attacks have certain characteristics that explain their prevalence and impact: Internet attacks involve action at a distance, in many cases crossing national borders, which offers the attacker a degree of anonymity and reduces the likelihood of punishment. This reduces the deterrent effect of legislation [New Zealand is unusual among Western countries, in that it currently does not have legislation directed against hacking. A Bill to address this is before the House.]. Like other IT-borne threats, Internet attacks often involve the use of computers for automatic repetition of some process, such as the use of dictionary searching tools to crack passwords, or viruses that replicate themselves without limit. This factor can leverage one individual’s cleverness into an attack on infrastructure that has global impact. The size of the impact in this scenario bears no relation to the quantum of resources available to the attacker. Once written, automated attack tools [The authors of such tools are not necessarily malign or reckless, since they are in many cases intended for legitimate uses such as assessing one’s own network for vulnerabilities.] become widely available on the Internet, and may be used by individuals who do not understand the tools or the consequences.
The Internet provides a wealth of opportunity for attacks on systems connected to it.
Vulnerability of Infrastructure to IT-Borne Attacks
Any area of infrastructure that uses IT-based control systems is vulnerable in principle. The greatest area of risk, in terms of the adverse consequence that could result, is any potential for unauthorized access to the IT systems used to manage infrastructure networks. Where access is restricted to secure locations, the vulnerabilities are those of physical security and the risk that staff will do something malicious or mistaken. Access through telecommunications (i.e., dial-up) to unstaffed network management facilities (e.g. electricity substations) is used by some infrastructure providers for efficient and prompt fault resolution. This introduces a new range of vulnerabilities, since there is a need for authentication of callers to the facility. The authentication system needs to be of strength commensurate with the risks posed by unauthorized access. The authentication system itself needs timely maintenance to ensure that, for example, resigning employees have their access revoked. Interconnecting systems with the Internet provides benefits in terms of cost savings and functions that can be offered. Large infrastructure providers typically have their corporate business networks connected to the Internet, and have some kind of links between these and their network management systems. While awareness of Internet threats is high in many providers, it is hard to guarantee that unauthorized access to network management facilities is impossible.
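The point that an authentication system "needs timely maintenance" so that leavers lose their access is the one most often neglected in practice, because it depends on a process (HR tells the system owner) rather than on the strength of the credential. The following Python is an added example, not code from the book or from the New Zealand report: a periodic reconciliation that compares a remote-access account export against the HR roster and reports enabled accounts whose holder has left, accounts with no HR record at all, and accounts that have not been used for a long time. The roster, the account list, the user names and the 90-day dormancy threshold are all constructed sample data.

```python
from datetime import date


# Constructed HR roster and remote-access account export (sample data, not from any real system).
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "left",   "left": date(2007, 1, 2)},
    "carol": {"status": "active", "left": None},
}
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "alice",   "enabled": True,  "last_login": date(2007, 1, 5)},
    {"user": "bob",     "enabled": True,  "last_login": date(2006, 12, 20)},
    {"user": "carol",   "enabled": True,  "last_login": date(2006, 9, 1)},
    {"user": "dave",    "enabled": False, "last_login": date(2006, 6, 1)},
    {"user": "vendor1", "enabled": True,  "last_login": date(2006, 11, 11)},
]


def audit_remote_access(roster, accounts, today, dormant_days=90):
    """Return (user, reason) pairs for enabled accounts that should be revoked or reviewed:
    - the holder has left according to HR but the account is still enabled;
    - there is no HR record at all (an orphan account nobody is accountable for);
    - no login for more than dormant_days (an account whose loss nobody would notice)."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # already disabled; nothing to revoke
        record = roster.get(acct["user"])
        if record is None:
            findings.append((acct["user"], "no HR record: orphan account"))
        elif record["status"] == "left":
            findings.append((acct["user"], f"left on {record['left'].isoformat()} but account still enabled"))
        else:
            idle_days = (today - acct["last_login"]).days
            if idle_days > dormant_days:
                findings.append((acct["user"], f"dormant for {idle_days} days"))
    return findings


def run_audit(today=date(2007, 1, 6)):
    """Run the reconciliation over the constructed sample data as of a fixed date."""
    return audit_remote_access(HR_ROSTER, REMOTE_ACCESS_ACCOUNTS, today)


if __name__ == "__main__":
    for user, reason in run_audit():
        print(f"REVIEW {user}: {reason}")
```

Running the reconciliation on a schedule, with the findings routed to whoever owns the dial-up or VPN gateway, turns the report's requirement into a measurable control: the number of days between an HR leaving date and the account being disabled.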
Homogeneity of IT Systems
In information technology, New Zealand follows global trends in the choice of equipment and standards. Over the last decade the diversity of IT in wide use has decreased. This has happened because of a desire for common open standards on the part of IT purchasers, partly as a measure to prevent vendor lock-in and monopoly pricing; the overwhelming success of the Internet, due in part to the quality and openness of the engineering on which it is built, effectively displacing other ways of connecting computer systems; and the exit of smaller computer manufacturers with unique equipment from the market (mainly for the reasons above) and the trend for specialized equipment to increasingly be based on off-the-shelf computers and operating systems. These trends have led to a situation in which almost all computer networks use Internet protocols, almost all Internet routers are made by Cisco, most server computers use a version of Microsoft Windows or a flavor of Unix, desktop computers almost all use a version of Microsoft Windows, and where specialist machines such as those in the power grid are increasingly controlled through widely understood machines of the types above. This is not meant to imply that these products are inherently less secure than alternatives. However, while homogeneity of systems leads to benefits in terms of efficiency and ease of use, it also makes all computers more vulnerable to attack. This is because having a large number of users increases the chance that lurking security problems are discovered and exploited, and because of the number of machines that can be compromised when problems do come to light. The process of convergence to common IT standards may not be complete. Telephony, which is already dependent on digital technology, may move to use Internet protocols and Internet-style routers instead of the specialist switches and PABXs currently used.
The Ministry of Social Policy has recently installed just such a system across all Department of Work and Income branches. This does not imply such a move is inherently risky; indeed, it should pay dividends in terms of efficiencies and greater effectiveness. However, it is part of the general convergence of many kinds of technology to a few types whose details are very widely known.
Complexity
Continued technological development involves increasing complexity. Although the diversity of building blocks of IT systems is decreasing, the complexity of the blocks themselves is increasing very quickly. Each generation of computer chips has several times more transistors than its predecessor, and each new version of Microsoft Windows adds millions of lines of program code. More and more of these elements are interconnected in novel ways to offer greater levels of automation and control. In this environment it is hard or impossible to test every possible combination of circumstances and user input. Commercial pressures tempt developers to ship products with known problems (some of which are security related), leaving solutions to the problems for product updates. Consequently problems, including security problems, are often found with widely used systems.
Availability of IT Security Staff
Securing computer systems and maintaining their security requires considerable expertise. Retaining staff with this expertise is difficult. Because of the premium these people can attract, they are often contractors or consultants. Anecdotal evidence suggests that IT skills in general, and IT security skills in particular, are becoming scarce in New Zealand. There is a similar view in Australia. In an attempt to address this shortfall the Commonwealth Government is considering promoting specific centers of excellence in some universities. With IT security skills in demand in the US and Europe, they will always command a premium in New Zealand and Australia. The challenge for infrastructure owners is to manage risk in this environment. Government can help through initiatives to pool knowledge and expertise.
Legal Issues
Criminal Law
Globally, there are two main areas of criminal law that relate to hacking or other IT-borne attacks: so-called cybercrime, where electronic means are used to commit a non-IT crime such as theft, and the making of unauthorized computer access. There are international moves to agree definitions of cybercrime and to facilitate pursuit of offenders across international boundaries. The EU is attempting to negotiate such a treaty among its members. If it succeeds, other jurisdictions may well try to harmonize legislation. The New Zealand Police has also been considering cybercrime through its membership of the Australasian Centre for Policing Research. Most developed nations have now enacted legislation making unauthorized access to computer systems a crime. New Zealand has yet to do this, though a Bill is before the House (the lack of such a statute may harm New Zealand’s international reputation if not rectified soon). Enacting this legislation will make it easier to pursue New Zealand residents who break into computers, and also will make it more likely that requests by New Zealand law enforcement agencies for assistance to track computer vandals in other jurisdictions will meet with favor. As currently framed [Crimes Amendment Bill No. 6 as amended by Supplementary Order Paper No. 85], the Bill before the House does not address denial of service attacks. This type of attack, discussed elsewhere in this paper, is an increasing problem on the Internet in New Zealand and overseas. There is a risk that New Zealand’s legislation will remain out of step with other countries and with the real world if no attempt is made to make denial of service attacks a crime. Ministry of Justice officials are aware of this issue and are considering further amendments to the Bill to take it into account.
Disclosure
Gathering reliable numbers about incidents of this nature is hard since companies are understandably reticent about making disclosures that might harm customer confidence or shareholder value. There is sometimes a public perception that the public sector is more susceptible to IT-related attacks than the private sector, but this may be due to the greater requirements for information disclosure in the public sector. Without reliable figures planning protective strategies is difficult. A solution to this might be some trusted group that maintained an incident database in a suitably anonymous form.
Liability
Companies that own infrastructure would be unlikely to be liable in a legal sense if their infrastructure failed, unless it could be shown that they had failed to operate in accordance with widely accepted relevant standards. An exception is the banking industry. As a condition of a banking license, the directors of a bank are required to attest to prudent operation of their bank. This may make them personally liable in the event of failure.36
36 New Zealand Government (2006) Protecting New Zealand’s Critical Infrastructure. Available at http://www.e.govt.nz/archive/policy/trust-security/niip-report/chapter3.html (Accessed: 6 January 2007).
The description by the New Zealand Government of the issues surrounding Critical Infrastructures and Critical Information Infrastructures is repeated in full here. It is one of the most comprehensive and succinct of any. No specific department is charged with either building resilience or defense. The OECD takes an interest in all aspects of Critical Infrastructure and Critical Information Infrastructure Security. The 2005 report on the Promotion of a Culture of Security in OECD Countries highlighted that an important focus for many government national implementation plans was on ensuring the resilience of Critical Information Infrastructures (CII), whose protection may involve coordination beyond national borders. By analyzing the drivers for and challenges to the development of CII security policies in a number of volunteer countries, the OECD helps governments to share experiences and practices on assessing and managing risks to CII, on the emerging and existing models for public–private information sharing and on national responses to the growing need for cross-border collaboration.
Electronic Authentication Providing assurance to a party regarding who or what that party is interacting with is a key requirement for trust in a digital environment. Electronic authentication fosters trust and helps reduce security risks. Building on work since 1998 aimed at enabling cross-jurisdictional interoperability of authentication, the OECD is finalizing policy and practical guidance for electronic authentication to help countries in establishing their approaches to authentication and to facilitate cross-border exchanges.
Malware and Identity Theft Malicious software is used for extortion schemes targeting large and small businesses (e.g., via distributed denial of service attacks) and identity theft targeting individuals (e.g., via phishing scams) and, with armies of hundreds of thousands of zombie PCs called “botnets,” it could also be used for other criminal purposes such as cyber terrorism. OECD work on malware, conducted in cooperation with the Asia-Pacific Economic Co-Operation (APEC), aims to provide governments with a holistic understanding of the phenomenon, taking into account its cross-border dimension. It will help them develop and implement coordinated policies for effectively fighting criminal malware-based activities, including identity theft, from the economic, technological, regulatory, and educational fronts.
Digital Identity Online
Identity management (IDM) holds the promise to help mitigate security risks that have been amplified by the trend towards broadband-enabled “anytime-anywhere” Internet access. However, protecting information in a complex (fixed, wireless, mobile), dynamic, and interoperable computing environment raises security challenges related to the secure information sharing and dissemination as well as regarding confidentiality, integrity, and availability of the information stored and maintained in an IDM system. The OECD will examine these challenges in the context of its broader work on IDM.
RFID, Sensors, and Pervasive Networks
RFID tags, location devices, and sensor devices can be invisible to individuals, hold the potential to become pervasive in the long term and, in combination with ubiquitous networks, could collect and process data everywhere, all the time. Considering this emerging trend, the OECD is exploring the applicability of the OECD Privacy Guidelines and Security Guidelines in such environments.37
The OECD is clearly very much aware of the issues involved in the protection of Critical Infrastructure and Critical Information Infrastructures. Any review of the major international organizations would conclude that the OECD is particularly aware of the issues involved. No specific department is charged with either building resilience or defense. The coverage of Critical Infrastructure and Critical Information Infrastructure from a geographical viewpoint in other areas is well documented by Dunn and Wigert’s (2004) Critical Information Infrastructure Protection Handbook.38 Once again this book highlights the awareness of the problems – but no specific departments are charged with either building resilience or defense. Sweden and Switzerland may be exceptions to this general rule with the Swedish Defense Force’s “Network Defense”39 program and Switzerland’s VBS40 approach.
This review tells us that there is a broad consensus on what defines a Critical Infrastructure, that the management of risk is important, that the law is a recurrent issue, and that Information Technology is tending to dominate any discussion on critical infrastructures, with some serious issues regarding homogeneity and staffing. It also demonstrates that thought leadership in this area is not proportional to the size of country. If any countries have thought through the issues with regard to Critical Infrastructure Protection and Critical Information Infrastructure Protection, it is the New Zealanders, Swedes, and Swiss. Much has been done in terms of awareness and information sharing, a little less in terms of public–private partnerships. Despite the understanding that the threats to Critical Infrastructures are high, and that the threat through and from Critical Information Infrastructure is particularly high, it is the case that, with a couple of exceptions, little has been done to build a resilience and defense program. A review of the ability of Intelligence Agencies in various countries to deal with the issue presents a mixed picture. Recent disarray in the CIA and other agencies in the OECD balances their claims to have solved a number of potential in-country attacks.41
37 A variety of articles on this subject from the OECD are available at http://www.oecd.org/searchResult/0,2665,en_2649_201185_1_1_1_1_1,00.html (Accessed: 6 January 2007).
38 Dunn, M and Wigert, I (2004) op. cit.
39 Details of the Swedish Armed Forces are available at http://www.mil.se (Accessed: 6 January 2007).
40 Details of the Swiss Armed Forces are available at http://www.vbs-ddps.ch (Accessed: 6 January 2007).
41
Fidker, S and Sevatopulo, D (2006) The Spies Who Lost It. CNP Online, 12 May, Available at http://www.cnponline.org/index.php?tg=articles&idx=More&topics=86&article=5 8 (Accessed: 6 January 2007).
Chapter 4 Critical Infrastructures and Critical Information Infrastructures: By Type
This Chapter seeks to identify issues relevant to each of the common Critical Infrastructures. Each infrastructure is looked at briefly from a general perspective; then some comments are made about each infrastructure from an international, national, and then a local and individual perspective. There are many threats to these infrastructures and so this review may seem pessimistic. However, it remains a challenge to society to deliver solutions to problems such as these.

Geologists tell us that stocks of oil and gas are running out and there are no more to be found. If the financial markets really take this message to heart then there will be, in all likelihood, a collapse. The world's economy will become destabilized and war will replace trade as the only reliable way for nations to secure enough food, water, and energy for themselves. Unless we change our approach to the use of fossil fuels it is also the case that Global Warming may continue unabated.42 A rush for coal has been predicted.43 This is on the basis that there is still much of it about; it is readily accessible, and not unduly expensive to extract. Nuclear energy has been the focus of much recent attention for future sustainable energy.44 However, this has well-documented dangers. Alternative energy sources such as wind, solar, tide, and wave technologies are increasingly viable but not necessarily, yet, large scale enough to deliver the required amounts of energy.45
42 Leggett, J (2006) Half Gone: Oil, Gas, Hot Air and the Global Energy Crisis. Portobello Books.
43 Jaccard, M (2006) Sustainable Fossil Fuels: The Unusual Suspect in the Quest for Clean and Enduring Energy. CUP.
44 Kirby, A (2005) Analysis: Is Nuclear Power the Answer? BBC News. Available at http://news.bbc.co.uk/1/hi/sci/tech/4216302.stm (Accessed: 6 January 2007).
45 Culture Change, available at http://www.culturechange.org (Accessed: 6 January 2007), amongst others, limits the medium term impact of alternative sources of energy to around 30% of current consumption, albeit with the capability, in time, to take over completely.
At an international level the competition for resources is truly breathtaking in an historical context. Russia has virtually nationalized a joint venture with Shell in Sakhalin46 and effectively turned off gas and oil supplies to various parts of Europe47,48 in the last two years; both actions would have been cause for war a century ago. China is exercising a diplomatic offensive around the world in a bid to win resources from the west to meet its own requirements.49 This competition is trampling on nuclear treaties, human rights agreements, humanitarian developments, and views in ways that have not been seen for decades. This is an important issue for the OECD.

At a national level in the UK, there has been a shift from self-sufficiency in energy to dependency. Self-sufficiency was based on energy resources from the North Sea and Atlantic Ocean. Dependency is now based on clearly unreliable energy resources from Eastern Europe and Siberia. This shift has not been well planned, nor is the contingency planning (or the resilience) in place. This is clearly evidenced by the documented gas shortages for UK industry in the winter of 2005/2006, and the discussions on contingency and resilience that followed.

At a local and individual level the increasing demand for energy in all parts of the world puts increasing pressure on relatively scarce international and national resources. The sustainable use of timber, wind, and alternatives to electricity (such as clockwork, candle/natural light, etc.) are technologies and skills that have not received the same technological and developmental input as fossil fuel derived energy sources, with one or two exceptions. Thus resilience in energy is probably at an all-time low.

For four decades, insurance losses have been rising at 10% a year.50 If this continues, by around 2060 wealth will be destroyed faster than it can be created. Global warming will be a significant issue here.
The possible extent of losses caused by extreme natural catastrophes in one of the world's metropolitan or industrial centers would be so great as to cause the collapse of the world's financial markets.51 At the same time the amount of capital available for projects around the world, be they business or developmental, is at an all-time high. This apparent contradiction highlights a management issue: the link between the availability of capital and its deployment is very different from that of a century ago.

At an international level the competition for finance remains fierce. The main issue is probably the USA debt and the China surplus; the second is Russia (about which comment has already been made). The China surplus has been used to buy USA treasury bonds, which in turn finance the USA debt. This effectively puts China in a strong position to control the health of the USA economy.52 This situation may be one of the defining issues of the twenty-first century. It is of such importance that the future success of the OECD economy is inextricably linked to it.

At a national level in the UK, there are two key concerns. The first is the health of the City of London. This is based on international finance and insurance. It is a driver for the whole of the south-east of the UK, and has a particularly significant effect on housing, land prices, and retail sales. This health is threatened by a number of factors relating to financial markets and the UK in particular, and by the losses in the insurance market noted above. The second is the grounding of the UK economy in property wealth. This is threatened by a collapse in world markets (see Energy above), and by difficulties in the international money and insurance markets (not to mention domestic debt and other issues).

At a local and individual level it remains the case that financial health depends upon the ability to compete in world markets. This is increasingly under threat from relatively high taxation, job losses to more favorable labor markets, the rise of China, the rise of India, etc. Thus resilience in terms of finance is under threat, particularly for the larger, mixed and trading, economies.

46 Macalister, T and Parfitt, T (2006) $20bn Gas Project Seized by Russia. The Guardian, 12 December. Available at http://www.guardian.co.uk/russia/article/0,,1970064,00.html (Accessed: 6 January 2007).
47 BBC News (2006) Gas Row Sends Shiver Through EU. 2 January. Available at http://news.bbc.co.uk/2/hi/europe/4574264.stm (Accessed: 6 January 2007).
48 Halpin, T, et al. (2007) Russia Turns off Europe's Oil Supply. The Times, 8 January.
49 Navarro, P (2006) The Coming China Wars: Where They Will Be Fought and How They Can Be Won. Financial Times Prentice Hall.
50 Amongst general insurance sites that say the same thing, the big trends in insurance are commented on in Insurance 2020: Innovating beyond Old Models. Available at http://www-935.ibm.com/services/us/index.wss/ibvstudy/bcs/a1024461 (Accessed: 6 January 2007).
51 See amongst others: Mills, E (2005) On Insurance Risk and Climate Change. 23 September. Available at http://www.lbl.gov/science-articles/archive/sabl/2005/September/05-insurance-risk.html (Accessed: 6 January 2007).

Food, after water, is the most important human need.
As there are now more obese people in the world than there are malnourished, part of the problem is clearly one of political will, distribution, and management.53 On the other hand the declining number of species used to grow basic foodstuffs such as wheat, maize, and rice gives great cause for concern.54 This is because a relatively minor disease mutation could, potentially, wipe out most of the major basic food supply very quickly.55 Equally worrying is climate change. Climate change is having a vast, and quick, effect on food supplies. Harvests in key areas56,57 are down, raising the potential specter of famine in the OECD for the first time in over a century.

At an international level the critical problem is the availability of grain stockpiles. These are at their lowest level for 25 years.58 The USDA report current at the time of writing shows that global wheat production for 2006–2007 will fall to 585 million metric tons, 5.4% below the previous year. Carryover stocks from previous harvests, meanwhile, will decline to 119.3 million tons, the lowest stocks in 25 years. If this continues, there will not be enough grain to feed millions of hungry people on all continents. The level of wheat stockpiles relative to consumption has hit the lowest level on record. Deutsche Bank estimates global corn stockpiles have fallen to their lowest level since 1979. Drought also has cut a swath across Europe, China, India, Africa and South America. The USDA lowered its 2006–2007 predicted wheat production for Australia, the world's third largest grain exporter, by 55% to just 11 million tons from 24.5 million tons the previous year. Only a month earlier, the USDA had estimated it would be 19.5 million tons. Reducing its estimate for the second time in a month, AWB, Australia's primary wheat exporter, predicted on October 25, 2006 that the severe drought could reduce the nation's wheat production by 65% to only nine million tons and force the import of feed grains. The Grains Council of Australia predicts barley production could drop even more steeply, by about 75%, from 10 million to 2.5 million tons.59

52 Pesek, Jr, W (2005) If China Shuns Dollar, Look Out US Bonds. Bloomberg, 28 January. Available at http://bloomberg.com/apps/news?pid=71000001&refer=columnist_pesek&sid=aEBBmwvtNuxA (Accessed: 6 January 2007).
53 BBC News (2006) Overweight Top World's Hungry. 15 August. Available at http://news.bbc.co.uk/1/hi/health/4793455.stm (Accessed: 6 January 2007).
54 Plants For a Future. Available at http://www.pfaf.org/leaflets/intro.php (Accessed: 6 January 2007).
55 See, amongst others, Borlaug, N (2006) A Warning. 6 April. Available at http://3billionandcounting.com/phpbb/viewtopic.php?p=418&sid=f02536aecea00f7caa329ec86009cf2f (Accessed: 6 January 2007).

At a national level consumer food supply is dominated by the supermarkets. These have developed the delivery of cheap food through just-in-time delivery down to a fine art.
The average amount spent by the UK household on food has halved in a generation, in real terms, and the quality has undoubtedly risen.60 At the same time world markets, the policies of successive domestic governments, and the European Union have led to a decline in the overall national emphasis placed on food production, to the extent that the major national emphasis on the land is now recreational rather than food production. The fragility of this overall situation was more than adequately demonstrated by the UK fuel strike of 2000. This placed food supplies to the population in jeopardy within 48 hours, and was the main reason the strike came to an end.61
56 See, amongst others, information available at http://www.heatisonline.org/soils.cfm (Accessed: 6 January 2007).
57 Making Money: Wheat Is the New Gold. The Week, 13 January 2007, p. 13.
58 Morrison, K (2006) Grain Stockpiles at Lowest for 25 Years. Financial Times, 12 October. Available at http://www.ft.com/cms/s/0c021878-5a16-11db-8f16-0000779e2340.html (Accessed: 6 January 2007).
59 Figures available at www.usda.gov and http://www.realtruth.org/articles/466-odfs.html (Accessed: 6 January 2007).
60 Statistics available at http://statistics.defra.gov.uk/esg/publications/efs/2005 (Accessed: 6 January 2007).
61 Lewis, R, et al. Miles and Miles and Miles. The Guardian, 10 May. Available at http://www.guardian.co.uk/food/focus/story/0,13296,951962,00.html (Accessed: 6 January 2007).
For a fascinating and ambivalent report on the state of food security in the UK, see the Department for Environment, Food and Rural Affairs report of December 2006,62 which does actually call for an increase in resilience. This report has some interesting contrasts with other EU countries, particularly France's very high self-sufficiency ratio.

Locally and individually the main problem, again, is the lack of local food sources and the increasing inability of individuals, even those with the knowledge, to grow food. During the Second World War almost all members of the UK population grew some food of their own; allotments (areas for individuals to grow food) dropped by 50% in the 1970s and 1980s and, despite a halt in the decline, less than 5% of the population grow any of their own food.63 Thus resilience in terms of food is under threat.

Health is not obviously a problem for the OECD countries, with death rates in all age groups at arguably the lowest level ever, overall health good, and the causes of ill health and the required remedies much better understood than 50 years ago.64 However, a number of factors give rise to some concern on health too. The first is overall hygiene and cleanliness, together with the immune system; health is clearly dependent upon these. Yet standards of personal hygiene and cleanliness are declining, as is the standard of the same in many hospitals. Another example is the lack of care given to personal manners regarding sneezing and coughing, which need to improve.65 Another is the rise of sexually transmitted diseases, particularly among the non-drug-using young in the OECD.66 Immune systems are prevented from developing because of emphasis on the wrong sort of cleanliness and hygiene in the young. The old are kept in unclean homes and become reservoirs for MRSA.67 The second factor is personal weight control. Obesity in the western world tops 25% of the population. This has an effect on health and productivity.
The last point is exercise, with still fewer than 25% of the population taking more than 3 sessions of 30 minutes of exercise per week.68

Internationally the failure to eradicate polio completely, with new outbreaks in Nigeria69 and elsewhere, and the worldwide fear of avian flu70 give the lie to any complacency on health. The increasing failure of antibiotics on a world level to deal with bacterial infections and the difficulty in treating old and new viruses compound the problem.71 The international outlook for health is not necessarily good.

At a national level health is rapidly becoming a problem. All the difficulties noted above can generally be found in the UK. The standard of health of the nation's youngsters is poor; they are unlikely to live longer than their parents and are certainly going to have shorter lives than their grandparents. The cause of this is a mixture of poor personal health, eating and drinking disorders, drugs, lack of exercise and a view that all ills can be cured by the National Health Service. Despite recent improvements, many UK health measures lag behind those of the rest of the OECD.72 On top of all of this Global Warming brings the return of tropical diseases.73

At a local and individual level there is more of the same. Local doctors have little interest in prevention and so little is done to ensure resilience in individuals from a health point of view, whether this is from attitude, exercise, or life structure. This means that, at least in the UK, the young population has less idea of how to look after themselves than their parents, and is demonstrably less healthy. Thus resilience in terms of health can be said to be under threat.

62 DEFRA (2006) Food Security and the UK. December. Available at http://statistics.defra.gov.uk/esg/reports/foodsecurity/foodsecurity.doc (Accessed: 6 January 2007).
63 Available at http://www.sovereignty.org.uk/features/footnmouth/urbanag2.html
64 Available at http://www.oecd.org/document/46/0,2340,en_2649_37407_34971438_1_1_1_37407,00.html
65 A variety of sites describe how to lessen the impact of all types of flu. Example available at http://dallascounty.org/department/hhservcies/servcies/publichealthalert/dcouments/Drbuhner_presentations_to_schools.pdf (Accessed: 6 January 2007).
66 More information at http://www.jca.apc.org/fem/bpfa/NGOreport/C_en_Health.html#2-3-f (Accessed: 6 January 2007).
67 MRSA Watch (2007) MRSA Hits Nursing Home Residents. 5 January. Available at http://tahilla.typepad.com/mrsawatch/care_homes/index.html (Accessed: 6 January 2007).
68 Amongst others, available at http://www.activeatwork.org.uk (Accessed: 6 January 2007).
69 Raufu, A (2002) Polio Cases Rise in Nigeria As Vaccine Is Shunned for Fear of AIDS. British Medical Journal, 15 June. Available at http://www.bmj.com/cgi/content/full/324/7351/1414/a (Accessed: 6 January 2007).
70 CBC (2005) European Avian Flu Fears Lead To Drug Stockpiling. 18 October. Available at http://www.cbc.ca/world/story/2005/10/18/bird-flu-pharmacies051018.html (Accessed: 6 January 2007).

At an international level "government" services are provided by the major multilateral organizations, and by the federations. None of these have a particularly strong reputation for resilience under pressure. The most effective are probably the OECD and NATO, a clear personal opinion.

Government services in a national setting ensure the continuation of society on a day to day basis. In the best circumstances they are the "oil" that allows society to operate smoothly.
In times of crisis they should really come into their own: they become the bedrock for the continuity the society requires. This is certainly recognized by those who seek to attack them. One such attack occurred in the UK in January 2005.74 This was a Trojan attack on the Information Infrastructure of UK Government Services.

A reasonable proxy for the effectiveness of Government Services is eGovernment. The take-up of eGovernment is slow in some countries, and slipping in some countries previously in the vanguard, e.g., the UK.75 The well-documented difficulties at the UK Home Office demonstrate a weariness of approach, process, and procedure in a department of State that should be in the vanguard of protecting the UK's infrastructure.76 Resilience in society depends on effective government services. There is absolutely no point in having a well-run social services department if the infrastructure does not work. Yet in the UK, Councils continue to raid infrastructure budgets (Northumberland and Nottinghamshire to name two) to support social services. This is putting the cart before the horse, and demonstrates politically skewed priorities. The resilience of Government services, and certainly some local government infrastructure services, is under threat. In a previous Chapter it has already been noted that there is no effective defense organization for Critical Infrastructures and Critical Information Infrastructures.

71 CSP (1998) Stop Squandering Antibiotics. 28 May. Available at http://www.cspinet.org/new/antibiot.htm (Accessed: 6 January 2007).
72 Health at a Glance – OECD Indicators 2003. Briefing Note (United Kingdom). Available at http://www.oecd.org/dataoecd/20/47/16502649.pdf (Accessed: 6 January 2007).
73 Chittenden, M (2006) Tropical Diseases Back As Europe Warms Up. Sunday Times, 7 January 2007.
74 Goodwin, B (2005) UK Critical Infrastructure Under Massive Attack. Computer Weekly, 16 June. Available at http://www.computerweekly.com/Articles/2005/06/16/210416/uk-critical-infrastructure-under-massive-attack.htm (Accessed: 6 January 2007).

Law and order in the context of Critical Infrastructure means a number of things. It means the continued existence and prevalence of law and order; it means the continued ability to make laws and maintain order in a democratic society; it means the ability to enforce laws and orders; and it means the consent of society to be governed by those laws and orders.

There is no effective international position on law and/or order with regard to Critical Infrastructures. No negotiations, no treaties, exist that specifically cover Critical Infrastructures in an international context. Some bilateral activity has taken place. The USA has enacted legislation that has some international reach.

At a national level there is, in the UK, an interesting position between the Government and the Judiciary. Much legislation regarding Critical Infrastructure is related to antiterrorist legislation. This legislation, in the UK, has eroded many freedoms held since the Magna Carta.
This has led to significant disagreements between the Judiciary, who wish to preserve the freedoms, and the Government, who wish to tighten legislation.77 This is a fascinating conundrum. The ability of terrorists of any nature to win battles is determined largely by the reaction of their foe to attacks. In an Asymmetric War the terrorists win when the Government starts changing the way of life within its society to counter perceived or actual threats. In a technological age, when the country is fighting an expensive war in Iraq, it is no longer beyond the wit of technology to introduce both the technology and the profiling to identify potential difficulties. Both France and the UK are in the European Union, yet from a legislative point of view the freer country is currently France. Why should this be so? It has to be because the Government has chosen it to be so; if it has chosen it to be so it has decided that the way of life enjoyed by its citizens is to be changed, and has legislated accordingly. This is worrying on a number of levels. The legislation introduced has often been ill thought through and has had to be revised a number of times. This indicates a knee-jerk reaction to events rather than a considered approach to preserving a national way of life. This is not the reaction of people committed to the preservation of our society's values.

At a local and individual level the preservation of law and order is more often about confidence than about law and order itself. This requires that legislation that has a local impact, such as the Civil Contingencies Act (qv) in regard to Critical Infrastructures, is both well understood and resourced. Much ground is being made up in terms of awareness and understanding, but no real new economic resource has been put behind this (especially when compared to expenditure on Iraq, for example).

75 eGov Monitor (2005) Q&A with Marcus Robinson, Accenture. 17 June. Available at http://www.egovmonitor.com/node/1522/print (Accessed: 6 January 2007).
76 The Real Home Office Failures. The Guardian, 2 May 2006. Available at http://www.guardian.co.uk/letters/story/0,,1765297,00.html#article_continue.
77 Porter, H (2006) The Future's Brown, The Future's Bleak. The Observer, 24 September. Available at http://www.guardian.co.uk/commentisfree/story/0,,1879864,00.html (Accessed: 6 January 2007) for relevant comment.

In a western world that is concentrating on the Knowledge Economy and the provision of services over and above the delivery of manufactured goods, it may be difficult to understand why manufacturing is a Critical Infrastructure. Manufacturing adds value to a number of raw, or partly manufactured, materials to create a useful product. This value tends to be, but is not always, greater than the value created within a service product. It is of national importance because of the value it adds, the people it employs and the technological advantages the possession of a manufacturing base confers on countries from a research, development and defense perspective.

Internationally there has been a wholesale shift in manufacturing away from high labor cost markets to low labor cost manufacturing centers.
Simply put, a move from the OECD to Eastern Europe, China, India, and other Far East economies. Comment has already been made regarding the effect of this on the USA under Finance. Peter Le Magnen comments as follows:

Since 1997, the European Investment Monitor (researched and powered by Oxford Intelligence on behalf of Ernst & Young) has captured details of more than 17,000 FDI projects in Europe. Historically, the trend has been for Western Europe to attract the lion's share of this investment. However, in the past eight years, the flow of investment has shifted steadily eastwards: in the initial phases to the mainstream central European countries of Poland, Hungary and the Czech Republic but, in the run-up to the 10 accession states joining the EU in May 2004 and the subsequent period, the shift has been further east into Romania, Bulgaria and Russia. Already, the EU accession countries and the rest of central and Eastern Europe account for one third of all foreign investment projects into Europe, against a backdrop of rising investment into the region. In the short term (the next two to three years), this trend will continue and it would not be surprising to see these countries accounting for up to 40% of all investment projects into Europe in a few years' time. Already, nearly 35% of companies identified by Oxford Intelligence's CorpTracker product are declaring future investment plans for central and eastern Europe and in certain sectors this level is now at, or approaching, 50% of projects – notably in the automotive sector and general industrial sectors. The CorpTracker helps government agencies and service providers to locate companies with international location plans and fast track them into the market.

It is the new technology areas, driven by research and product innovation, in which "old Europe" will continue to attract the bulk of investment. As each industrial sector or product matures, the drift eastwards will increase. This is because cost reduction continues to be the main driver for companies to maintain or increase margin. The business service sector will remain a major generator of jobs and investment in the West but, again, as these processes become established and mature, the drive to reduce costs will result in certain functions moving further east.

Medium to Long Term

In the medium to longer term (five to 15 years), there will be significant increases in investment into Western Europe, as the two powerhouses of the Far East, India and China, move into a globalization phase for their indigenous companies. This will follow the trend set by Korea and Japan in the 1980s and 1990s in their expansion drive to gain market share in Western economies. The countries that will gain the manufacturing units of these companies are likely to be not only the newly-emerged central European markets, but also North African countries, such as Morocco, Egypt, Algeria and Tunisia. However, the establishment of technical support, sales, business support, research and development (R&D) and localization, and key administrative and HQ functions will continue to focus on the key centers of Western Europe. The UK will be best positioned to be the main recipient for this type of investor. Looking at the type of activity on which the different markets can expect to compete, the CorpTracker database supports the shifts described above. Greenfield activity is increasingly moving eastwards, as are the lower-cost service functions. However, the higher-value activity, such as sales and marketing and technical support functions, are still strongly focused on old Europe. The type of activity generated by the investing companies will vary considerably, depending on the sector in question. Comparing three important sectors for Europe – automotive, business services and medical technologies – highlights some key differences in investment activity. When looking at R&D investment, medical technology companies play an important role, while sales and marketing functions are much more significant in the business services area and far less important in the automotive sector.78

78 Lemagnen, P (2005) Steady Shift to The East. 5 January. Available at http://www.fdimagazine.com/news/fullstory.php/aid/999/Steady_shift_to_the_east.html (Accessed: 6 January 2007).
In International, National, Local, and Individual terms the threat from the east to the manufacturing base of the west is severe. There is some hope that the core elements of research and development may remain, but if the figures coming out of China and India for qualified graduates are maintained then even this must be considered under threat. Thus without the manufacturing base, and without trained personnel, there is little hope that value can continue to be added in a manufacturing sense over the long term. The resilience of manufacturing is clearly under threat in the west, and in the OECD in general.

Icons are important. They give a sense of place and identity. The removal of statues of Lenin from the former Soviet Union characterized both Glasnost and the end of the Soviet era. The removal of the Berlin Wall signified the end of a divided Europe. The attack on the World Trade Centre needs little comment. The slapping of effigies of Saddam Hussein with the soles of shoes as they were brought down after the invasion of Iraq signified the view of the population about his removal (at least initially). The delays over the completion of the national stadium at Wembley in the UK have filled the news and sports pages of the UK's newspapers for months.

Internationally icons may seem to have little relevance. However, there are some international icons (world heritage sites, the Antarctic, Mecca, Canterbury Cathedral, and the Vatican) that define all of us as a civilized race. The destruction by the Taliban of Buddhist statues from the third century in Afghanistan is a case in point.79 The destruction of international icons represents a failure in international cohesion. So important are they that there have been agreements between enemies to preserve particular icons.
The Hague Convention of 1899 states as follows in Article 27:

Article 27: In sieges and bombardments all necessary steps should be taken to spare as far as possible edifices devoted to religion, art, science, and charity, hospitals, and places where the sick and wounded are collected, provided they are not used at the same time for military purposes. The besieged should indicate these buildings or places by some particular and visible signs, which should previously be notified to the assailants.

This convention was particularly important during World War Two.80

Nationally icons are very important. They are symbols of a nation, of a society, and of a region. They bond people together. They can rejuvenate and restore. Cities as diverse as Barcelona (Spain) and Newcastle-upon-Tyne (UK) have recognized the need for new icons in order to redefine themselves. Comment has already been made on Wembley, but Nelson's Column, Fish and Chips, and the Magna Carta all define the UK in one way, shape, or form. The loss of one or all represents a change for the worse in the national psyche.

79 Voices in Muslim World Decry Taliban Vow to Destroy Statues. Available at http://www.tibet.ca/en/wtnarchive/2001/3/11_5.html (Accessed: 6 January 2007).
80 Information on the Hague Conventions is available at http://net.lib.byu.edu/~rdh7/wwi/hague.html and http://en.wikipedia.org/wiki/Hague_Conventions_(1899_and_1907) (Accessed: 6 January 2007).
Chapter 4 Critical Infrastructures and Critical Information Infrastructures
A review of Yale’s Avalon Project81 indicates that an update of the Hague Conventions is required in a number of areas. Even with an update, how does international law deal with attacks on national icons that are not committed by members of nation states? This is a recurrent problem in today’s world.

From earliest times the ability to move freely about the world has been a privilege constantly sought. Formal rights of passage under agreed rules and the acknowledgement of free movement have characterized all great civilizations at some point or another. This is not to be confused with mass migrations, which are different. Mass migrations tend to be informal; rights of passage and free temporary movement tend to be formal. The passport is the universal document for free passage.82 Even so-called closed societies have always maintained some sort of contact with the rest of the world – except where these societies were not “civilized” but “isolated” from the rest of mankind. The free passage of goods and services has defined common markets and free trade, and has characterized the growth of world trade since, at the very least, the end of the Second World War.83

Internationally the expansion of land, sea, and air transport systems characterizes political stability and open economic trading agreements. The European Union and the United States are classic examples. Both have demolished transportation barriers both internally and, largely, externally. More closed societies, and societies at war with themselves or others, close down the open links to the outside world via transportation systems. They make it difficult to move around and do business. The existence, and preservation, of international transportation links is a good proxy for resilient societies. Nationally, the state of a country’s transportation system can be an equally good proxy for the state of the nation.
Resilient countries must, by definition, have good transportation systems and good alternatives to those systems when they break down. Thus the pressure on all parts of the UK’s transportation system gives rise to some overall concern about the resilience of the country itself. Listen to the rush-hour traffic news bulletins and the nightmare of the road system is all too apparent; listen to the inability of Heathrow to cope with fog prior to Christmas84 and the UK’s ability to compete with Schiphol (Netherlands) is once again in doubt85; listen to the news that the UK is almost the only country in Europe to close down its rail system over Christmas and the ability to switch from road to rail is recognized as merely a pipe dream86; understand the
81 The Avalon Project. Available at http://www.yale.edu/lawweb/avalon/20th.htm (Accessed: 6 January 2007).
82 Passports. Available at http://www.ucalgary.ca/~rosenede/passport/passports.html (Accessed: 6 January 2007).
83 A range of information is available at http://www.wto.org (Accessed: 6 January 2007).
84 Fog Causes Chaos . . . Available at http://www.worldtravelguide.net/news/2759/news/Fog-causes-third-day-of-chaos-at-Heathrow.html (Accessed: 6 January 2007).
85 Heathrow Must be Allowed to Expand. Available at http://comment.independent.co.uk/leading_articles/article37336.ece (Accessed: 6 January 2007).
86 Christmas Rail Chaos. http://skynews.typepad.com/my_weblog/2006/12/christmas_rail_.html
inability to put a complete merchant fleet to sea in order to maintain trading routes and it is understood that the country is fully dependent upon others for survival. Add in the concern for interconnectors87 on gas pipelines and all parts of the transport system are under pressure. These are worrying features for a mixed and trading nation’s long-term survival. The argument that this is a problem of growth and success is entirely spurious, as is evidenced by the ability of some developing countries to ensure transportation infrastructures receive priority precisely in order to maintain growth.88

Locally and individually the ability to survive without reliance on the road system in particular is also of concern. The privatization of both the rail and public road transportation systems in the UK cut off many communities. The travel-to-work patterns of great swathes of the population have changed since the 1960s: no longer is there a hub-and-spoke system of daily commutes in any particular village, town, or region. The basis of the individual’s ability to live in today’s society, outside of the big cities, is defined by the need for a motorized vehicle and fuel. Individuals can no longer take a bike, or walk, to work, simply because they live too far from their work. Calls to do so entirely miss the point.89

Water is probably second, if not equal, to oil as a source of international conflict.90 The effects of a lack of clean water on developing communities are well documented and repeatedly demonstrated by TV channels. The distribution of water and ownership of storage vessels has, in the UK and elsewhere, shifted from public ownership to private ownership over the last 50 years. Investment in water distribution is no longer something carried on through the taxation system for the benefit of all citizens – but something that is left to the vagaries of the market.
At an international level the following example will highlight the problem:

“We depend on the Nile 100% for our life. If anyone, at any time, thinks to deprive us of life we will not hesitate to go to war.” President Anwar Sadat, 1978.

A survey of the popular and specialist press over the last three decades would indicate that the most valuable, and vital, commodity in the Middle East is oil. A similar look at the catalysts of regional warfare would indicate the Arab–Israeli conflict. However it is contended that, first, the most valuable commodity in the Middle East is water and, second, that water is
87 Centrica (2006) Inquiry into the European Commission Green Paper A European Strategy For Sustainable, Competitive And Secure Energy. 18 April. Available at http://www.centrica.com/files/reports/2005cr/files/EU_GreenPaper_response.pdf (Accessed: 6 January 2007).
88 (Malaysia’s) Developed Infrastructure. Available at http://www.msc.com.my/xtras/whymalaysia/infrastructure.asp (Accessed: 6 January 2007).
89 Transport Choices of Car Users in Rural and Urban Areas. Available at http://www.dft.gov.uk/stellent/groups/dft_localtrans/documents/page/dft_localtrans_504026.hcsp (Accessed: 6 January 2007).
90 Hyslop, MP (1983) Fresh Water Conflict in the Middle East, MA Thesis, Durham University.
likely to emerge as the principal threat to peace in the region over the next two decades. Controversy over Israeli control of water resources in southern Lebanon, and the Saudi belief that drilling for water is now more important than drilling for oil, give a foretaste of the status water may achieve in the political balance of the Middle East.

The Middle East is an arid zone. It has only four rivers of major international significance, the Nile, Tigris, Euphrates and Jordan – and the latter is a dubious contender. Over 50% of the area is desert; much of the rest is of marginal agricultural potential. Most of the population and food supply is concentrated on coasts, in valleys, or at oases. Aridity is alleviated in part by groundwater resources, but these are not equally distributed between states and do not respect international boundaries.

Historically, the population of the region was divided, crudely, between the nomadic tribes of the deserts and the sedentarists of the fertile valleys. For the most part these two groups lived in a relative, symbiotic harmony. The emergence of new states cut across this relationship. The process was reinforced by the increasing nationalism of the new states. Water resources became either over-abundant or restricted by the new boundaries. Disproportionate population growth and industrial/technical development exacerbated the differences in water resources and requirements between states. In general terms water requirements per caput in the region reach a critical level at between 1,000 and 1,500 liters per day for all purposes. A survey of the major regional countries shows that this critical level has already been reached in Israel, Syria, Libya, the Saudi peninsula, Egypt, Iraq and Turkey, from as early as 1984. Water is the life giver. Despite a myriad of technological developments it is unlikely that these, or improvements in distribution, can stave off the deterioration of an already critical position.
The economic development of many states has relied on the uninterrupted supply of oil. A shortage of water stems the flow of oil and foreign exchange: it is essential to both the extraction and treatment of the mineral. Water can thus be said to be the most valuable commodity in the Middle East today. A number of historical, current, and possible confrontations over water emphasize the politico-military implications of water-related concentrations on the Saudi Peninsula and in Israel, Egypt, Libya, Turkey, and Iraq, to name but a few. It would be inadequate to suggest that the stability of the Middle East rests solely on the provision of an adequate supply of water in all countries comprising the region. Statistics showing critical levels are open to varying interpretations, and political statements relating to water may be surrogates for more subtle signals. Nevertheless, water is in short supply. Today the competition is not between desert and valley but between urban and rural, between sect and sect, and between nation and nation. The legacy of colonialism, in the form of international boundaries, has not been helpful.
A number of the most powerful countries of the Middle East, all of whom have large and growing populations, do not have sufficient renewable resources within their boundaries to provide enough water for their own populations today, let alone in the future. Will Egypt invade Sudan? In the general run of international relations this would be unthinkable, as would, until recently, Israeli retention of the Litani. History is littered with military invasions provoked by equally simple pretexts: famine and population pressure being two examples for which there are a number of representative cases. The simplicity of the need must not be obscured by the overtones of either current international diplomatic discussions or language. Yet the subtleties of relations over water must not be underestimated either. The complex political, diplomatic, economic, religious, and social ties of the Middle East states make discussion about such a basic need as water difficult. This brief account can do little more than brush the surface of an intriguing subject. Water will remain a potential “boiling-point” in the Middle East.91

At a national level the water resources of the UK have moved from public to private ownership over the last 50 years. The owners are, more often than not, non-UK companies. This means that the most basic human requirement, that of the provision of clean water, has been lost from national “ownership.” Not only this, but the fragmented nature of water companies in the UK means there is no “national” plan, no “national” grid, and no “national” will to ameliorate water shortages in the Southeast by transporting water from the water-rich north. If a national water grid had been laid at the same time as the national gas grid, many current problems would have been ameliorated. At the same time the ability to control run-off, despite the efforts of the UK Department of Food and Rural Affairs and the UK Environment Agency, has been curtailed as never before.
This is simply because there is more run-off from drained land and the built environment, and less money to control it. Thus the quality of ground water is deteriorating as it is polluted by an ever-increasing number of harmful substances.92,93

Waste water is not usually fit for human consumption. It is characterized by sewage, industrial effluent, storm water run-off, and temperature-modified sea water. Each of these has the ability to affect resilience. Sewage reduces the ability of rivers to take up oxygen, and can kill the relevant fauna and flora. Industrial effluent poisons rivers and seas, the disastrous effects of which have lasted for decades in Europe, since the industrial revolution, and are increasingly apparent in Russia, India, China, and South America. Storm water run-off
91 Ibid. Abridged and updated.
92 Demand-side Management and Urban Infrastructure Provision. Available at http://www.sussex.ac.uk/Units/gec/ph3summ/marvin3.htm (Accessed: 6 January 2007).
93 Public–Private Partnerships for Funding Municipal Drinking Water Infrastructure: What Are the Challenges. Available at http://policyresearch.gc.ca/doclib/SD/DP_SD_PPP_200605_e.pdf (Accessed: 6 January 2007).
carries petrochemicals from roads, and fertilizers, insecticides, and manure from farms, into water courses and underground water systems. Waste water from power stations both on land and close to the sea modifies the eco-systems of watercourses and seas. At worst chemicals such as cadmium can enter the human food chain with catastrophic results. Waste water needs careful management.94

At an international level the increasing levels of waste water damage to the planet are a factor in global warming, species extinction, poor health, and the spread of many diseases. Waste water management at an international level is critical for the resilience of the planet. Over the last 30 years, and in no small way due to EU legislation, waste water management in the UK has much improved. However, many problems remain, not least in regard to the pollution of underground water reservoirs and damage to fish stocks both in rivers and at sea.95,96

At the local and individual level waste water management has ceased to feature as a function or process to be managed. It is done by someone else. So the use of domestic waste water as fertilizer and the ability to use waste water for some domestic functions has generally been lost or is ignored. This in turn puts greater pressure on the need for more fresh water. Poor waste water management, plus global warming, will further increase pests such as mosquitoes, with associated malaria, over time.

Two additions to the list of Critical Infrastructures are proposed. These are people and education/intellectual property. It might seem Malthusian97 to add people to the list of Critical Infrastructures. It is necessary to go back to Stalin again: “Quantity has a quality all of its own.”98 The message here is that both the numbers and type of people are important in any society. It is a lesson that is important to learn and understand.
Possibly the best example of why this is important is Zambia – where over 50% of the young male population has been wiped out by AIDS with devastating consequences.99 At the other end of the scale the ability of countries such as China and India to deliver more than 10 times the number of graduates in computer-related studies produced by some leading western countries (the UK, for example) means that there will be a shift of leadership at some stage from west to east.100
94 World Water Assessment Program: Case Studies. Available at http://www.unesco.org/water/wwap/case_studies/index.shtml (Accessed: 6 January 2007).
95 Water. Available at https://www.oecd.org/department/0,2688,en_2649_34311_1_1_1_1_1,00.html (Accessed: 6 January 2007).
96 Water. Available at http://ec.europa.eu/environment/water/index.html (Accessed: 6 January 2007).
97 Thomas Robert Malthus. Available at http://cepa.newschool.edu/het/profiles/malthus.htm (Accessed: 6 January 2007).
98 Quote available, and correct source and context, at http://www.thecompleatstrategist.com/index.asp?PageAction=VIEWPROD&ProdID=968 (Accessed: 6 January 2007).
99 Introduction to AIDS in Zambia. Available at http://www.avert.org/aids-zambia.htm (Accessed: 6 January 2007).
100 Navarro, P (2006) op. cit.
In the future a high level of education and an equally high level of intellectual property development, the latter being roughly a consequence of the former, is probably the single characteristic that may allow the economies of the west to survive. Education really follows from people. A highly educated workforce is likely to produce a high value-added society. This is seen in some Scandinavian countries. In the UK the current Labour Government came to power in 1997 on the back of an “Education, Education, Education” manifesto (among other things). It has made some headway – but the UK still turns out semi-literate and semi-numerate school graduates to a frustrated business and commercial community.101 Ten years on the same mantra is heard – but with no real plans to ensure that every child leaves a UK school fully able to read, write, count, and use IT. In fact, as this goes to print the Government has abandoned its IT targets. This is a national disgrace in terms of the resilience this book is seeking.

The majority of the acknowledged Critical Infrastructures, and the two additional ones in terms of people and education/IPR, are clearly under threat. It would be difficult to describe any of them as naturally resilient, for a variety of reasons: political, economic, and social. This is of serious concern in societies that are under attack from various different sources at both the political and economic level in particular. In the last Chapter some shortcomings in the approaches of different countries were noted. Combined with known difficulties in most Critical Infrastructure areas, this would suggest that our governments may not be taking the issue seriously enough. These are priority areas in our societies. So far, there is little confidence they could sustain, or recover from, an attack of any real nature. Having said this, the success of the Intelligence Agencies in apparently countering the threats to Critical Infrastructures should not be underestimated.102
101 Education, education, education. Available at http://www.pkblogs.com/eureferendum/2006/12/education-education-education.html (Accessed: 6 January 2007) and STATISTICS OF EDUCATION – Education and Labour Market Status of Young People in England aged 16–18: 1992–1998. Available at http://www.dfes.gov.uk/rsgateway/DB/SBU/b000092/735-00.htm (Accessed: 6 January 2007).
102 Report into the London Terrorist Attacks on 7 July 2005. Available at http://www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7july_report.pdf (Accessed: 6 January 2007).
Chapter 5 Critical Information Infrastructure
The review of Critical Infrastructure so far gives a somewhat confusing picture. There is a lack of clarity between Critical Infrastructures and Critical Information Infrastructures in almost all documentation related to Critical Infrastructure. Although the terms are not used specifically in an interchangeable manner, it remains the case that there is a considerable amount of overlap in the use of the terms. However, a common list of what are termed Critical Infrastructures has been arrived at. They are complemented by Critical Information Infrastructure. This Chapter seeks to place Critical Information Infrastructure in its correct context.

It is important to understand the proportionality of Critical Information Infrastructure. By this is meant its importance relative to other Critical Infrastructures. One way of doing this is by understanding the dependency of Critical Infrastructures on Critical Information Infrastructure. The Critical Infrastructures looked at have been those on the common list referred to earlier:
• Finance
• Energy
• Food Supply
• Health
• Government Services
• Law and order
• Manufacturing
• National Icons
• Transport
• Water
• Waste Water
• People
• Education

Each of these has a reliance on Critical Information Infrastructure to a greater or lesser extent. It is not necessary, here, to repeat the comments contained in the country reviews. Looking at the points already made about these infrastructures we can say that within the OECD these are more strongly linked to Critical Information Infrastructure than elsewhere, because Information Infrastructure is more prevalent in the OECD than elsewhere,
and it can be said that in the areas of Finance, Food, Manufacturing, and Transport there is total reliance on Critical Information Infrastructure. That this is so should be reasonably obvious. However, for the sake of clarity it is worth pointing out that Finance depends on electronic investment, commercial, and personal banking services being maintained; Food depends on the supermarket, and other outlets, reordering and “just-in-time” processes to function as a supply chain; Manufacturing depends on a variety of Manufacturing Resource Programs to succeed; and Transport depends heavily on electronic information, ticketing, and electronic control measures. This is without necessarily introducing the Internet into the equation.

All other Critical Infrastructures also have heavy dependence on electronic information systems. In many cases they are now dependent on Information Infrastructure; it is just that in these cases there is a possibility of returning to some form of manual alternative. This is not the case in Finance, Food, Manufacturing, and Transport. These infrastructures would simply not survive a collapse in the Critical Information Infrastructure. Critical Information Infrastructure is proportionally more important than all other infrastructures because all other infrastructures depend on it.

It is important, therefore, to understand how well advanced the various parts of the Critical Information Infrastructure industry are in protecting themselves and their customers from this perspective. In doing this it is worth bearing in mind the approach of the Petroleum Industry. The American Petroleum Institute103 and the UK’s Institute of Petroleum (now the Energy Institute)104 have developed a series of approaches and standards for their business that have, over time, made the operation of electrical and electronic equipment “intrinsically safe” in hazardous petrochemical environments.
The operation of Critical Information Infrastructure has similar demands in terms of an approach. As yet, most of this development is in private hands and not coordinated, except at an information level, by any national or international body. Critical Information Infrastructure can be broken down into the key areas of connectivity, hosting, security, hardware, and software. The major countries also have official bodies looking at the performance of different related industries. In addition, a number of national and international mechanisms for developing public–private partnerships and the sharing of information have been established. A review of these activities in relation to Critical Information Infrastructure follows.

There is no international body specifically responsible for Critical Information Infrastructure. A number of international bodies with some concern for Critical Information Infrastructure have already been mentioned. The International Telecommunication Union (ITU)105 has responsibility at an international level for telecommunications – but this does not extend to the
103 Available at http://www.api.org (Accessed: 6 January 2007).
104 Available at http://www.energyinst.org.uk (Accessed: 6 January 2007).
105 Available at http://www.itu.int/home/index.html (Accessed: 6 January 2007).
Internet, computers, and information security just yet. However, significant progress is being made in addressing these issues.

In the USA a major connectivity company is Verizon.106 Verizon’s Web sites carry no major policies or views on Critical Information Infrastructure, yet the company is responsible for the resilience of whole swathes of the US communication network. The same picture emerges with its competitors. In the UK the Web site of BT,107 the major telecommunication provider, carries very little on Critical Information Infrastructure or resilience. BT generally gives good advice on resilience, but sometimes, as in the Manchester fire,108 it can fall foul of an incomplete understanding of its own network in terms of resilience. Global Crossing109 is a major provider of fiber and connectivity within and between countries, yet there is nothing on Information Infrastructure protection on its Web site.

In terms of where data is hosted and by whom, yet again there is little the industry is doing to advise clients on Information Infrastructure. Sun Microsystems110 carries some information on its Web site, as does Hewlett Packard.111 Data centers and server farms carry little information on their sites. SunGard112 carries much useful information; it is in the business of ensuring availability. China is a major source of both components and “grey” market goods that supply all markets, but it is particularly relevant to the server market. Langchao,113 a major Chinese server manufacturer, carries details of how its products deal with Information Security – but not how it looks at the issue of Critical Information Infrastructure. With Chinese bank servers114 implicated in “phishing” attacks, care in the selection of equipment is clearly required.

In addition to availability companies such as SunGard, security companies such as Checkpoint115 and RSA116 carry much relevant information on their Web sites. The related businesses of insurance, such as Marsh,117 and
106 Available at www.verizon.com (Accessed: 6 January 2007).
107 Available at www.bt.com (Accessed: 6 January 2007).
108 BBC News (2004) Fire cuts off 130,000 phone lines. 29 March. Available at http://news.bbc.co.uk/1/hi/england/manchester/3577799.stm (Accessed: 6 January 2007).
109 Available at www.globalcrossing.com (Accessed: 6 January 2007).
110 Available at http://onesearch.sun.com/search/onesearch/index.jsp?qt=Critical%20Information%20Infrastructure&charset=UTF-8 (Accessed: 6 January 2007).
111 Available at http://search.hp.com/query.html?lang=en&submit.x=8&submit.y=6&qt=Critical+Information+Infrastructure&la=en&cc=us (Accessed: 6 January 2007).
112 Available at http://www.sungard.com (Accessed: 6 January 2007).
113 Available at http://www.langchao.com/english/prodserv_is.html (Accessed: 6 January 2007).
114 Available at http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html (Accessed: 6 January 2007).
115 Available at http://search.checkpoint.com/search/?sp-a=sp090e5c03&sp-q=Critical+information+Protection (Accessed: 6 January 2007).
116 Available at http://www.rsasecurity.com/programs/texis.exe/webinator/search/?pr=default_new&query=Critical+Information+Infrastructure&x=15&y=8 (Accessed: 6 January 2007).
117 Available at http://www.marsh.co.uk (Accessed: 6 January 2007).
consultants, such as Deloitte118 (and the others of the “Big Four”), also carry detailed information. The Deloitte and PricewaterhouseCoopers annual surveys (qv) on security are benchmarks.

There is an argument about hardware. Who controls it; who has the ultimate capability of controlling hardware? Nearly every router is a Cisco product, most chips are Intel’s, and many PCs are from Dell. A review of their Web sites suggests that they are not totally engaged in Critical Information Infrastructure protection; yet they are, to many, the Critical Information Infrastructure. Cisco has its Critical Information Assurance Group. A review of its Web site suggests an appropriate interest in the subject – but perhaps not the breadth and depth that might be expected of a body defining Critical Infrastructure at an International level.119 Intel carries little in the way of information on Critical Information Infrastructure,120 and nor does Dell.121

There is another argument raging with regard to the security and relevance of both open and closed source software. This discussion can be monitored on Professor Ross Anderson’s blog,122 and associated sites. There is more on this subject in a later Chapter.

The major provider of software to the world is Microsoft. Microsoft’s statement on Homeland Security is as follows:

At Microsoft, we realize that the challenge of preventing, deterring, and responding to threats to our nation’s security is complex and constant. It requires an intelligent understanding of the big picture coupled with the knowledge and expertise to solve the operational complexities of information-sharing across multiple agencies on a daily basis. For that reason, we believe that the ability to seamlessly share information is the key to protecting our nation and its citizens.
Information technology is uniquely suited to meet the real-world requirements of providing information to the right people at the right place and time so they can act and make critical decisions. As a technology leader, we are actively embracing this challenge. Collaborating with partners and customers, Microsoft is delivering an actionable road map to proactively address the nation’s Homeland Security needs. Fueled by $6.5 billion US in research and development (R&D) and the largest network of partners in the world, we’re building on existing technology assets and open standards to implement reliable, fully integrated Homeland Security solutions.
118 Available at http://www.deloitte.com (Accessed: 6 January 2007).
119 Available at http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=Critical+Information+Infrastructure&accessLevel=Guest&language=en&country=US&Search+All+Cisco.com=cisco.com&x=12&y=14 (Accessed: 6 January 2007).
120 Available at http://mysearch.intel.com/corporate/default.aspx?culture=en-US&q=Critical+Information+Infrastructure&searchsubmit.x=26&searchsubmit.y=12 (Accessed: 6 January 2007).
121 Available at http://search.euro.dell.com/results.aspx?s=gen&c=uk&l=en&cs=&k=Critical+Information+Infrastructure&cat=ans&x=4&y=8 (Accessed: 6 January 2007).
122 Ross Anderson’s Web site/blog. Available at http://www.cl.cam.ac.uk/~rja14 (Accessed: 6 January 2007).
Microsoft’s responsibility as a technology leader: Microsoft is committed to helping local and regional governments and federal agencies fulfill the requirements of the national response system. We are prepared to help these agencies realize their potential in their mission to prevent, deter, and respond to threats. As a responsible industry leader, we embrace this challenge.
The Big Picture
Microsoft understands that addressing the Homeland Security challenge doesn’t start with technology. Instead, powerful technology enables individuals and organizations—from police and fire professionals to intelligence analysts and customs officers—to share information and succeed in their critical operations.
Actionable Road Map
As the world’s largest software company, Microsoft is a leader in turning possibilities into realities through innovative technology. Informed by our experience in enterprise environments and realized through our world-class partners, we deliver end-to-end solutions designed to be scalable to local, regional, and national levels; solve operational complexities; and meet the ultimate requirements for affordability and reliability.123

Microsoft also has a 40 page blueprint for justice and public information sharing.124 However, given the size of Microsoft and the terms of the Executive Order there does seem to be a mismatch between ambition (the USA Presidential Executive Order) and reality (the Industry approach).

Antivirus and malware companies should properly be considered to be ambivalent about Critical Information Protection (!) – because if Critical Information Infrastructures become truly secure these companies will be out of business! This is perhaps more than a little unfair, and they will certainly see it as so – but the point is a valid one. Their sites do, however, contain much useful information.

There are risks in software development. Dependencies: many risks arise because of dependencies our project has on outside agencies or factors. We cannot usually control these external dependencies, so mitigation strategies may involve contingency plans to acquire a necessary component from a second source, or working with the source of the dependency to maintain good visibility into status and detect any looming problems. Here are some typical dependency-related risk factors:
123 Available at http://www.microsoft.com/industry/government/actingonthechallenges.mspx (Accessed: 7 January 2007).
124 Available at http://www.microsoft.com/industry/government/HLSinformationsharing.mspx (Accessed: 7 January 2007).
66
Critical Information Infrastructures: Resilience and Protection
• customer-furnished items or information
• internal and external subcontractor relationships
• inter-component or inter-group dependencies
• availability of trained, experienced people
• reuse from one project to the next125

and, of course, the software companies themselves and those who would seek to damage the code.

The Federal Communications Commission (FCC) is an independent United States government agency, directly responsible to Congress. The FCC was established by the Communications Act of 1934 and is charged with regulating interstate and international communications by radio, television, wire, satellite and cable. The FCC’s jurisdiction covers the 50 states, the District of Columbia, and U.S. possessions.126 In a search of the FCC site for the term “Critical Information Infrastructure”, the closest we get to any particular theme is a release on a bird-flu pandemic. The FCC is clearly not greatly interested in Critical Information Infrastructure resilience per se. However, its brief suggests it should be interested. This is, of course, an oversimplification because there is much overlap with the Department of Homeland Security.

The Department of Homeland Security, as noted in the Executive Order in Chap. 3, has responsibility for Critical Infrastructures. Its role in Critical Information Infrastructure is defined by the 2002 Act.
The relevant part of the Act sets out the responsibilities of the Under Secretary for Information Analysis and Infrastructure Protection as follows:

(1) To access, receive, and analyze law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities, and to integrate such information in order to—
(A) identify and assess the nature and scope of terrorist threats to the homeland;
(B) detect and identify threats of terrorism against the United States; and
(C) understand such threats in light of actual and potential vulnerabilities of the homeland.
(2) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular
125 Wiegers, KE (1998) Know Your Enemy: Software Risk Management. Software Development. October. Available at http://www.processimpact.com/articles/risk_mgmt.html (Accessed: 7 January 2007).
126 The FCC Web site is available at http://www.fcc.gov/aboutus.html (Accessed: 7 January 2007).
Chapter 5 Critical Information Infrastructure
67
types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks).
(3) To integrate relevant information, analyses, and vulnerability assessments (whether such information, analyses, or assessments are provided or produced by the Department or others) in order to identify priorities for protective and support measures by the Department, other agencies of the Federal Government, State and local government agencies and authorities, the private sector, and other entities.
(4) To ensure, pursuant to section 202, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this section, including obtaining such information from other agencies of the Federal Government.
(5) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.
(6) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities.
(7) To administer the Homeland Security Advisory System, including—
(A) exercising primary responsibility for public advisories related to threats to homeland security; and
(B) in coordination with other agencies of the Federal Government, providing specific warning information, and advice about appropriate protective measures and countermeasures, to State and local government agencies and authorities, the private sector, other entities, and the public.
(8) To review, analyze, and make recommendations for improvements in the policies and procedures governing the sharing of law enforcement information, intelligence information, intelligence-related information, and other information relating to homeland security within the Federal Government and between the Federal Government and State and local government agencies and authorities.
(9) To disseminate, as appropriate, information analyzed by the Department within the Department, to other agencies of the Federal Government with responsibilities relating to homeland security, and to agencies of State and local governments and private sector entities with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States.
(10) To consult with the Director of Central Intelligence and other appropriate intelligence, law enforcement, or other elements of the Federal Government to establish collection priorities and strategies for information, including law enforcement-related information, relating to threats of terrorism against the United States through such means as the representation of the Department in discussions regarding requirements and priorities in the collection of such information.
(11) To consult with State and local governments and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.
(12) To ensure that—
(A) any material received pursuant to this Act is protected from unauthorized disclosure and handled and used only for the performance of official duties; and
(B) any intelligence information under this Act is shared, retained, and disseminated consistent with the authority of the Director of Central Intelligence to protect intelligence sources and methods under the National Security Act of 1947 (50 U.S.C. 401 et seq.) and related procedures and, as appropriate, similar authorities of the Attorney General concerning sensitive law enforcement information.
(13) To request additional information from other agencies of the Federal Government, State and local government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.
(14) To establish and utilize, in conjunction with the chief information officer of the Department, a secure communications and information technology infrastructure, including data mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.
(15) To ensure, in conjunction with the chief information officer of the Department, that any information databases and analytical tools developed or utilized by the Department—
(A) are compatible with one another and with relevant information databases of other agencies of the Federal Government; and
(B) treat information in such databases in a manner that complies with applicable Federal law on privacy.
(16) To coordinate training and other support to the elements and personnel of the Department, other agencies of the Federal Government, and State and local governments that provide information to the Department, or are consumers of information provided by the Department, in order to
facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.
(17) To coordinate with elements of the intelligence community and with Federal, State, and local law enforcement agencies, and the private sector, as appropriate.
(18) To provide intelligence and information analysis and support to other elements of the Department.
(19) To perform such other duties relating to such responsibilities as the Secretary may provide.127

There is very little operational “meat” in this. The role of the Information Infrastructure Department includes the exchange of information between public and private entities. However, until recently little progress has been made on this. The establishment of the working parties related to I3P128 in Dartmouth, NH, is a step forward. To find real operational progress in these areas we need to look at a number of ground-up initiatives, rather than top-down initiatives. The best known of these is probably William Pelgrin’s program129 at New York State.

In Europe it has already been noted that ENISA’s130 role is not operational and that the operational role is left to others. If research is undertaken to establish what is actually going on operationally in Europe, little is found. There are initiatives on a national level, and some strategic coordination – but there is no common approach to Critical Information Infrastructure across Europe. ETSI131 and ETIS132 perform roles in the telecommunications sector, but this is not the same as an encompassing approach to Information Infrastructure. An attempt was made with ETR2A133 to develop an approach, but this foundered on its host’s internal difficulties.

Critical Information Infrastructure resilience in the UK is probably the responsibility of NISCC:134

A fundamental role for any government is to ensure the continuity of society in times of crisis.
This often involves providing extra protection to essential services and systems to make them more resistant to disruption and better able to recover quickly. In the UK, these essential services and systems are known as the Critical National Infrastructure (CNI). The role of NISCC (pronounced “nicey”) is to minimize the risk to the CNI from electronic attack; other parts of government work to protect the CNI from physical attack or natural disasters.

127 Available at http://www.dhs.gov/xlibrary/assets/CII_Act.pdf (Accessed: 7 January 2007).
128 All details of I3P work are available at www.thei3p.org (Accessed: 7 January 2007).
129 Access to the William Pelgrin and New York State Program is available at http://www.cscic.state.ny.us/about/director/bio.htm (Accessed: 7 January 2007).
130 ENISA’s role is available at http://www.enisa.eu.int (Accessed: 7 January 2007).
131 ETSI’s role is available at http://www.etsi.org (Accessed: 7 January 2007).
132 ETIS’ role is available at http://www.etis.org (Accessed: 7 January 2007).
133 ETR2A’s role is available at http://etr2a.org (Link not active 7 January 2007).
134 NISCC’s role and activities available at http://www.niscc.gov.uk (Accessed: 7 January 2007).
NISCC was set up in 1999 and is an inter-departmental centre drawing on contributions from across government. Defense, Central Government Policy, Trade, the Intelligence Agencies and Law Enforcement all contribute expertise and effort. In the UK the majority of the CNI is run by the private sector and NISCC works closely with a wide range of companies, many of which have strong international links or are foreign-owned. CNI issues transcend geographical borders and problems can strike anywhere in the world. NISCC therefore operates in a global context. NISCC has no regulatory, legislative or law enforcement role; it seeks to achieve its aim through four broad work streams:

Threat Assessment. Using a wide range of resources to investigate, assess and disrupt threats.
Outreach. Promoting protection and assurance by encouraging information sharing, offering advice and fostering best practice.
Response. Warning of new threats; advising on mitigation; managing disclosure of vulnerabilities; helping the CNI investigate and recover from attack.
Research and Development. Devising the most advanced techniques and methods to support efforts across all work streams.135

OFCOM136 is the independent regulator for telecommunications in the United Kingdom. Hopefully, it will have some impact on Critical Information Infrastructure. At present it is coming to terms with the convergence of the industry, and with the convergence, in itself, of the watchdogs it superseded.

In the USA there is a very clear understanding, and central idea, of what Critical Infrastructure and Critical Information Infrastructure are, while this is not quite so clear cut in the UK. The UK’s system is one where there are always checks and balances to issues. However, the lack of clarity and purpose of Critical Infrastructure Protection is a relative weakness compared to the approach of other states.
As noted earlier in this book, the decision to subsume NISCC into a CNI body is the reverse of what should be happening in a modern world. Most other countries in the OECD have similar types of bodies governing or regulating industries. In terms of Critical Information Infrastructure many of them are operationally weak. All are relatively strong in terms of initiating Public–Private Partnerships and Information Sharing Organizations. Public–Private Partnerships are important to Critical Information Protection because much of the infrastructure is in private hands. Yet a review of OECD countries shows that government takes no active operational steps; it acts as a facilitator in almost every case. This is not really good enough given the importance of the infrastructure.
135 Information on NISCC available at http://www.niscc.gov.uk (Accessed: 7 January 2007).
136 Role of OFCOM available at http://www.ofcom.org.uk (Accessed: 7 January 2007).
The commonly understood information sharing bodies, in a public–private context, for Critical Information Infrastructure are CERTs and WARPs. These abound, in one form or another, across the OECD. CERTs, or Computer Emergency Response Teams, are now established in much of the OECD.137 An example is the one at Manchester University in the UK, and this is how it works:

MAN-CERT: Computer Emergency Response Team

Incident Response Team Services

The team offers:
• a central reporting point for security incidents: [email protected]
• services of a computer security team: a Computer Emergency Response Team, always willing to give advice and pointers to more information on matters of computer security.
• a vulnerability alert service. We currently subscribe to a service from Secunia, who send us advisory notices of known security vulnerabilities for the products that we use. We have registered the vast majority of operating systems and packages known to be in use on campus. More can be added if required. Currently, the advisories are sent to the security coordinator, who forwards them on to the cert-announce mailing list. The list is closed and moderated; please contact the IT security coordinator if you would like to join.
• a mailing list for general discussion of security matters, security-forum@lists.man.ac.uk, is available. This list is open to any member of the university. Please do not post sensitive information here such as vulnerability exploit code or usernames and passwords.
• liaison with other CERT teams: sharing information about vulnerabilities, prevention methods and incidents. The MAN-CERT works particularly closely with JANET-CERT. Their WWW pages are an invaluable collection of original documents and pointers to information pertaining to various aspects of computer security.
Incident Response Procedures

When the CERT team receives a report indicating one of our machines is causing problems or has been compromised in some way, the following action will be taken: The report is logged in a call logging system. The CERT members are notified and one of the team will take ownership of the report and deal with it. The address is blocked at the campus firewall. This should prevent the machine from causing any further disruption to systems off campus. The owner of the machine or the support unit for the address range will then be informed and asked to investigate and clean up. The CERT team is available to give advice

137 An inventory of CERTs in Europe is available at http://www.enisa.eu.int/cert_inventory/pages/01.htm (Accessed: 7 January 2007).
about how to clean up machines. In the event that a breach of the IT Security policies that is subject to disciplinary proceedings has occurred, then the user’s Head of School and, in the case of a student user, the Head of Student Support and Services will be informed. If it is suspected that UK law has been broken, then the police will be informed. Once confirmation is received that a machine has been cleaned, the block at the campus router will then be removed. Requests for removal should be sent to [email protected]. A full description of the procedures followed and the action taken in response to a security incident is available.
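The MAN-CERT procedure above is a strict sequence (log, take ownership, block, notify, clean, unblock) with two escalation rules layered on it. The following Python is an added illustration of how a CERT might encode that sequence so the tooling itself refuses to lift a firewall block before clean-up has been confirmed; it is not MAN-CERT's or the book's code, and the class and state names, the in-memory firewall stand-in and the sample address are assumptions made for the example.

```python
"""Incident-handling workflow modelled on the MAN-CERT procedure quoted above.
Added illustration only, not MAN-CERT's or the book's code; the class and state
names, the in-memory firewall stand-in and the sample values are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class State(Enum):
    LOGGED = "logged"        # report entered in the call-logging system
    OWNED = "owned"          # a CERT member has taken ownership
    BLOCKED = "blocked"      # address blocked at the campus firewall
    NOTIFIED = "notified"    # owner or support unit asked to clean up
    CLEANED = "cleaned"      # owner has confirmed the machine is clean
    CLOSED = "closed"        # block removed, ticket closed


@dataclass
class Incident:
    ticket_id: int
    address: str
    reporter: str
    state: State = State.LOGGED
    escalations: List[str] = field(default_factory=list)  # who had to be informed
    history: List[str] = field(default_factory=list)      # audit trail


class CertWorkflow:
    """Call log, firewall block list and escalation rules in one place."""

    def __init__(self) -> None:
        self.tickets: Dict[int, Incident] = {}
        self.blocked: set = set()   # stand-in for the campus firewall block list
        self._next_id = 1

    def _advance(self, inc: Incident, new: State, note: str) -> Incident:
        # Steps are strictly sequential: only the state that follows the current
        # one is allowed, so CLOSED (block lifted) can never precede CLEANED.
        order = list(State)
        if order.index(new) != order.index(inc.state) + 1:
            raise ValueError(f"ticket {inc.ticket_id}: {inc.state.value} -> {new.value} not allowed")
        inc.state = new
        inc.history.append(f"{new.value}: {note}")
        return inc

    def log_report(self, address: str, reporter: str) -> Incident:
        inc = Incident(self._next_id, address, reporter)
        self._next_id += 1
        self.tickets[inc.ticket_id] = inc
        inc.history.append(f"logged: report from {reporter} about {address}")
        return inc

    def take_ownership(self, ticket_id: int, member: str) -> Incident:
        return self._advance(self.tickets[ticket_id], State.OWNED, f"owned by {member}")

    def block_address(self, ticket_id: int) -> Incident:
        inc = self.tickets[ticket_id]
        self.blocked.add(inc.address)
        return self._advance(inc, State.BLOCKED, f"{inc.address} blocked at campus firewall")

    def notify_owner(self, ticket_id: int, contact: str) -> Incident:
        return self._advance(self.tickets[ticket_id], State.NOTIFIED,
                             f"{contact} asked to investigate and clean up")

    def record_findings(self, ticket_id: int, *, policy_breach: bool,
                        is_student: bool, possible_crime: bool) -> List[str]:
        """Apply the procedure's escalation rules; return who must be informed."""
        inform: List[str] = []
        if policy_breach:            # breach of IT policy subject to discipline
            inform.append("Head of School")
            if is_student:
                inform.append("Head of Student Support and Services")
        if possible_crime:           # suspected breach of UK law
            inform.append("Police")
        self.tickets[ticket_id].escalations.extend(inform)
        return inform

    def confirm_clean(self, ticket_id: int, confirmed_by: str) -> Incident:
        return self._advance(self.tickets[ticket_id], State.CLEANED,
                             f"clean-up confirmed by {confirmed_by}")

    def request_unblock(self, ticket_id: int) -> Incident:
        """Lift the block; raises ValueError unless clean-up has been confirmed."""
        inc = self.tickets[ticket_id]
        self._advance(inc, State.CLOSED, f"block on {inc.address} removed")
        self.blocked.discard(inc.address)
        return inc


def run_sample_incident() -> Incident:
    """Walk one constructed report through the whole procedure."""
    wf = CertWorkflow()
    inc = wf.log_report("192.0.2.10", "abuse@example.net")   # constructed sample
    wf.take_ownership(inc.ticket_id, "cert-duty-member")
    wf.block_address(inc.ticket_id)
    wf.notify_owner(inc.ticket_id, "school-support-unit")
    wf.record_findings(inc.ticket_id, policy_breach=True, is_student=True, possible_crime=False)
    wf.confirm_clean(inc.ticket_id, "school-support-unit")
    wf.request_unblock(inc.ticket_id)
    return inc
```

The design point is that the block list is only ever modified through `_advance`, so a premature unblock request is rejected and leaves the address blocked, and every transition lands in the ticket's history, which is what a later review of "the procedures followed and the action taken" needs.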
Reporting an Incident

If your system suffers from a security incident (unauthorized access, possibly resulting in system or data files being unlawfully read or modified), read this first and then contact the MAN-CERT (Computer Emergency Response Team). Please do the same if you notice suspicious activity at your computer, particularly activity targeting another system. Do not delay informing MAN-CERT because you are unsure of the perpetrator’s identity, or because a disciplinary action against the offender may be pending. The primary role of the CERT team in this case is ‘damage limitation’ and helping with evidence gathering: we will inform the other site about the attack and either ask them for help in investigating the intrusion from their end, or alert them to possible damage done from your system. At this stage we (or the other site) are not interested in the offender’s identity; all we want to do is to limit, and repair, any damage done. The identity of your system will not be revealed to sites not directly involved in the incident.
Unsolicited E-mail (SPAM)

Unfortunately this nuisance exists, and seems to be on the increase. Unwanted email is a concern throughout the Internet (including JANET), consuming resources and causing distress to individual end users. MC’s e-mail team have implemented an anti-spam service; this document also describes actions taken by MC to prevent systems under its control from being used for spam distribution and for the detection of spam. You may wish to consult the UKERNA document describing the problem in detail and discussing various possible actions against unsolicited mail. CIAC (a US DoE agency dealing with computer abuse) issued guidelines, with emphasis on filtering. Individual recipients of spam messages may wish to consider the recommendations from the e-mail team. If you feel strongly against spam (aka UCE: Unsolicited Commercial Email), you may wish to read about an anti-spam campaign.
Defamatory Material

It should be emphasized that circulation of offensive or defamatory material in any form (including email) is prohibited by the University of Manchester General Regulations, Regulation XV. Any instances of violation of this prohibition should be reported to [email protected]. Please include copies of offending material, including all email headers.
Why so Much Security?

We are frequently asked “Why do I need more security than just a password?” Well, for a good introduction to help answer this question, see here. Information on network-related security risks is available here. This document categorises networked PCs, workstations and computers by the type of information they hold and by the importance of their integrity of service. It also recommends practical steps for Novell and Unix systems to ensure their service integrity is provided at a level commensurate with the type of service provided. Further general information about how to secure workstations or PCs running Linux can be found here, kindly provided by Simon Hood of the Specialist Unix team. More detailed information can be obtained here. People running UNIX/Linux systems should at least read the essential sections before connecting their machine to the network. Securing obsolete (“legacy”) systems requires special treatment, described here.138

CERTs can be run across any type or size of community – some cover countries. NISCC in the UK have introduced WARPs, or Warning, Advice and Reporting Points. These points are helpful to both the Government and the private sector in providing information that helps keep networks secure. In NISCC’s words:

WARPs (Warning, Advice and Reporting Points) are part of NISCC’s information sharing strategy to protect the UK’s Critical National Infrastructure from electronic attack. WARPs have been shown to be effective in improving information security by stimulating better communication of alerts and warnings, improving awareness and education, and encouraging incident reporting. Membership of a WARP can also reduce the costs of good security.

Four sections relating to WARPs are described below:
• Introduction to WARPs
• WARP Strategy
• WARPs in the News
• WARPs in action

138 The full details of the Manchester CERT are available at http://www.itservices.manchester.ac.uk/security/computeremergencyresponseteam/index.htm (Accessed: 7 January 2007).
NISCC is promoting Information Sharing with the Central Sponsor for Information Assurance (CSIA) to provide assistance in setting up WARPs. This assistance comes in the form of a WARP Toolbox which is freely available to qualifying organizations or communities that want to set up their own WARP. With the WARP Toolbox you can:
• get help in producing a business case for a WARP;
• read guidelines, case studies and reference documents;
• download customisable documents, presentations and spreadsheets;
• download publications which you can re-use;
• obtain software to help build and run a WARP.

For more information on the WARP Toolbox or to register your interest in creating a WARP contact: [email protected]
Introduction to WARPs

WARP members agree to work together in a community and share information to reduce the risk of their information systems being compromised and therefore reduce the risk to their organization. This sharing community could be based on a business sector, geographic location, technology standards, risk grouping or whatever makes business sense. WARPs can deliver more effective and lower cost security by providing to members:
• A trusted environment
• Security information filtering
• Access to expert advice
• Early warning of threats
• Strategic decision support
• Improved awareness

The WARP Toolbox website supports the development and provision of three core WARP services, which, between them, deliver all the benefits listed above:

Filtered Warning Service – where members receive only the security information relevant to their needs as determined by categories selected in an on-line ticklist. These categories cover Warnings & Advisories associated with Vulnerabilities & Fixes; Threats & Incidents; and Good Practice.

Advice Brokering Service – where members can learn from other members’ initiatives & experience using a bulletin board messaging service restricted to WARP members only. Subjects can be anything which adds value to the members, e.g. patch management; training; supplier/product evaluations; security awareness.

Trusted Sharing Service – where reports are anonymous so members can learn from each other’s attacks & incidents without fear of embarrassment or recrimination.
WARP Strategy

WARPs perform some of the tasks of CERTs but are not expected to provide the technical response service of most CERTs. A WARP provides to its community a service of early warnings of alerts and vulnerabilities, specifically tailored for its community; this can avoid the duplication of each member sorting through dozens of sources, or even worse, not having time to monitor developing threats. The WARP also provides a limited help-desk service for the community, geared to the specialized needs and building on the knowledge of the community membership. It also provides a trusted focus for incidents and attacks to be reported, to help find assistance or co-operation in dealing with the problem. Such reports will be valuable to members, but when sanitized and anonymous, sharing them with other communities can be equally valuable, and will encourage reciprocal Information Sharing.

WARPs can be set up by a few able and enthusiastic individuals, to serve their community, whether this is a group of small businesses, a particular industry association, or a local community. The concept is particularly applicable to local government organizations, where it can be applied in several ways. A WARP can be a mechanism to link and support a group of authorities (e.g. the London Boroughs). WARPs can be used to support dispersed elements of a single local or regional authority. A WARP could supply its services to the citizens of a local community. The benefits include early warning of new electronic attack threats and vulnerabilities, trusted sharing of incident information, increased exchange of best practice, collaboration on dealing with problems, increased user awareness and education, and greater confidence in using Internet-based services, to name but a few.

The greatest strength of WARPs and CERTs comes from their willingness to co-operate with each other, to share experience, expertise, and information. NISCC encourages and supports this process.
The following article describes WARPs within the context of NISCC’s Information Sharing strategy:
WARPs and Information Sharing

NISCC also works closely with other organizations such as the Information Assurance Advisory Council to promote Information Sharing and WARPs. The following article was published by IAAC from their series of briefing papers for senior management entitled Information Sharing: A “no-brainer” approach to improved risk management (July 2003), which identifies WARP membership as a solution to more effective risk management.

From a practical standpoint, some have recognized much of the difficulty in managing Critical Information Infrastructure.
After 9/11 the Manhattan Downtown Alliance, and John Gilbert of Rudin Management,139 took a new look at managing information infrastructure. Their answer is to look at the problem holistically from a “Smart” building perspective. They look at the whole problem from the CFO’s point of view, from a real estate and cost point of view. They do not totally agree with a number of Department of Homeland Security perspectives because they have developed a new approach to resilience within a “Smart” building, rather than a recovery or continuity plan. In wireless technology they suggest the use of Wi-Fi for convenience and Wi-Max for resilience. They are encouraging customers to take responsibility for the “first mile” of connectivity (from the building) as opposed to the Telco’s last mile approach to the building. This is turning some traditional thoughts on their head. Despite 9/11, economics rule; customer-driven resilience is an important starting point for a new approach.

Overall the subject of Critical Information Infrastructure is fascinating. It is fascinating in its own right. It is also fascinating in respect to how the subject is dealt with in different environments. Dunn and Wigert (2004)140 call their handbook Critical Information Infrastructure, but much of it is about Critical Infrastructure. However, they are on the right lines because there is a dependency, almost a total dependency, by all Critical Infrastructures on Critical Information Infrastructure. It has been previously noted that Critical Infrastructures tend to be national, whereas Critical Information Infrastructure tends to be multinational. It is understood that many of the providers of connectivity, hardware, software, and security to this global infrastructure are USA based.
Yet the providers seem to have little interest in the subject relative to the importance placed on the subject by the politicians, who themselves seem a little confused by it when it comes down to the distinction between Critical Infrastructures and Critical Information Infrastructures. The telecommunication standards bodies at international, European, and national level have some interest in the subject, but it is not as well developed as their interest in telecommunications per se. The national regulatory bodies have not yet really got to grips with the subject either. There are many Public–Private partnerships, but these are not well developed. There are also many Information Sharing initiatives. The CERTs and WARPs work well, as do Critical Information Infrastructure initiatives generally, when driven bottom-up rather than top-down. Overall this gives a pretty confused picture, and when it comes to resilience or building resilience, not much is really in evidence from either a theoretical or practical point of view.
139 Hyslop, MP (2004) Conversation with John Gilbert, 6 December 2004.
140 Dunn, M, et al. (2004) op. cit.
Chapter 6 Some Political, Economic, Social, Technological, Environmental, Legal, and Other Process Effects on Critical Infrastructures

There are so many political, economic, social, technological, environmental, legal, and other effects on Critical Infrastructures that this Chapter can only highlight a few. A reasonable view would be that everything of this nature affects Critical Infrastructure. The major political driver with regard to Critical Infrastructure and particularly Critical Information Infrastructure in the OECD and, arguably, in the rest of the world is the USA government. Therefore much of this Chapter’s political section relates to effects that have an origin in the USA. The economics section looks at some of the actual resilience of Capitalism and some of the dangers marketers face. Social, technological, and environmental sections look at some current issues relevant to Critical Infrastructures. The legal section looks at the USA Patriot Act and the recent Civil Contingencies Act in the UK. Some comments are made about risk management.

The export of democracy as a political ideal has been used by the United States of America since President George W. Bush came to power. It has been used to back the invasions of Afghanistan and Iraq and has been suggested as a potential weapon against other states and religions. The export of democracy has had an arguably important effect on the United States of America itself (terrorism in response?) and an obvious effect on the Infrastructures, both physical and information, of others. Rather than list relevant examples, the following column in the Washington Times by Ernest W. Lefever141 gives the current context:

President Bush in his State of the Union address said: “Our nation is committed to an historic, long-term goal: We seek the end of tyranny in our world.” He earlier vowed to devote his second term to this high purpose.
He told a recent Kansas rally “our troops” are helping to “change the world by spreading liberty and freedom,” acknowledging “Some dismiss that goal as misguided idealism.”
141 Lefever, E (2006) Can We Export Democracy. Washington Times. Available at http://www. washingtontimes.com/commentary/20060311-102356-4785r.htm (Accessed:7 January 2007).
77
78
Critical Information Infrastructures: Resilience and Protection
On Feb. 15, the Bush administration asked for an additional $75 million to promote freedom in Iran by funding political dissidents there. In response, Rep. Henry J. Hyde, a staunch Republican, cautioned Secretary of State Condoleezza Rice against efforts to push democracy where it is an alien concept.

President Bush's confidence in America's ability to spread democracy and freedom was not shared by most of his White House predecessors. Woodrow Wilson, the notable exception, failed to understand the limits of America's capacity to sponsor democracy abroad. His idealism fed utopian expectations here and abroad. Then reality intruded. The unraveling of history in the wake of his Fourteen Points enunciated in 1918 prompted some critics to say, "He reached for utopia and gave us hell."

All our presidents, including the Founders, believed in "American exceptionalism," the idea America had a special mission beyond its borders. The Declaration stated that "all men," not just Americans, "are endowed by their Creator with certain unalienable rights, which among them are Life, liberty and the pursuit of happiness." The Founders hoped other peoples would follow America's example and enjoy the blessings of liberty. Yet their world, and ours, has been drenched in "wars and rumors of wars," tyranny, conquest and oppression. In the 20th century alone, hundreds of millions have suffered under brutal tyrants or been killed in war. Today, genuine freedom and democracy are the exception for the peoples who live in the 190-plus member states of the United Nations. America remains the major example and promise of freedom and democracy, but these lofty goals can be won only through a long struggle by the peoples who are denied them. We can and should assist those who seek a better way, but these blessings are the fruit of those who earn them.

Abraham Lincoln, who understood the heavy price of freedom in a bitterly divided nation, spoke of his "oft-expressed personal wish that all men everywhere could be free," but he recognized the severe limits to promoting democracy abroad. President John Quincy Adams perhaps best understood America's unique but limited role: "Wherever the standard of freedom and independence has been or shall be unfurled, there will be America's heart, her benediction and her prayers. She goes not abroad in search of monsters to destroy. She is the well-wisher to the freedom and independence of all. She is the champion and vindicator only of her own." Ronald Reagan also emphasized this more modest national aspiration when he likened America to "a shining city on a hill," a beacon for all who yearn to be free. His words can serve as a warning to Americans who speak too glibly of exporting democracy or establishing freedom in other countries.

Of course, there were times and places when America's role abroad was substantial, even decisive. During the 1940s, we knew Nazi Germany and Imperial Japan had to be defeated. Our intervention was not a crusade, but a just war to protect the Western democratic heritage. By winning that war and occupying two defeated peoples, we were able to impose democratic disciplines on disparate societies that had seen a substantial measure of democracy.

In today's dangerous world, America, the most powerful and generous nation on Earth, must steel itself against the arrogance of power. Shakespeare said: "O, it is excellent to have a giant's strength; but it is tyrannous to use it like a giant." And Reinhold Niebuhr cautioned America to use its great might "with fear and trembling."

The political effects of the export of democracy on Critical Infrastructures, both in the USA and elsewhere, have been well documented. This theme will be returned to in a later Chapter, but one response to the export of democracy and other initiatives has been the rise of Asymmetric Warfare. A further view on Asymmetric Warfare will be given later. Suffice at this point to record that:

By the advent of the 21st Century, not only is it likely that many of the conflicts facing the United States and her allies will be of an asymmetrical and devolving nature, (but) it is also likely that the threats will come from diverse and differing vectors. Particularly of concern is the possibility that conventional terrorism and low-intensity conflict will be accompanied or compounded by computer/infrastructure attacks that may cause damage to vital commercial, military, and government information and confront communications systems. Unfortunately, it would appear that while the United States gains tremendous advantages from its advanced information and battlefield management systems, we also become increasingly vulnerable to cyber-attacks from our adversaries. In other words, we would anticipate efforts to cause widespread fear by computer-generated attacks on electrical, water, banking, government information, emergency response systems and other vital infrastructures, while simultaneously suffering terrorist tactics involving multiple conventional explosives and/or chemical/biological/nuclear devices. Even a country as large and sophisticated as the United States could suffer greatly at the hands of an educated, equipped, and committed group of fewer than 50 people. At the present time, such an attack could realistically be expected to cause an effect vastly disproportionate to the resources expended to undertake it. [142, 143]

"War is the continuation of politics by other means," said Clausewitz [144].

142 Staten, CL (1998) Asymmetric Warfare, the Evolution and Devolution of Terrorism; The Coming Challenge for Emergency and National Security Forces. 27 April. Emergency Response Institute. Available at http://www.emergency.com/asymetrc.htm (Accessed: 7 January 2007).
143 The Changing Face of War. Available at http://www.henciclopedia.org.uy/autores/Laguiadelmundo/GlobalWar.htm (Accessed: 7 January 2007). Gives an interesting perspective on the changing nature of war.
144 Clausewitz, Karl von (1833) op. cit.

Antulio J. Echevarria II writes:

In fact, Clausewitz's varied usage of Politik and the historical context within which he wrote indicate that he meant three things by the term. First, Clausewitz did intend Politik to mean policy, the extension of the will of the state, the decision to pursue a goal, political or otherwise.
Second, Politik also meant politics as an external state of affairs, the strengths and weaknesses provided to a state by its geo-political position, its resources, alliances and treaties, and as an ongoing process of internal interaction between a state's key decision-making institutions and the personalities of its policy makers. Lastly, Clausewitz used Politik as an historically causative force, providing an explanatory pattern or framework for coherently viewing war's various manifestations over time. [145]

The Revolution in Military Affairs and the associated doctrine that has driven much of the USA's war fighting capability over the last decade has been predicated in large part on the selective and specific identification of Critical Infrastructure targets, accompanied by electronic warfare directed at information systems. It is useful to reflect that a formal attack on the United States by any similarly capable power will also result in attacks on the USA's Critical Infrastructures. [146]

145 Echevarria II, AJ (1995) War and Politics: The Revolution in Military Affairs and the Continued Relevance of Clausewitz. Winter 1995–1996. Joint Force Quarterly. Available at http://www.clausewitz.com/CWZHOME/ECHEVAR/ECHJFQ.htm (Accessed: 7 January 2007).
146 For a slightly different approach to this subject see Smith, R (2005) The Utility of Force. Allen Lane.

So far this book has been a little pessimistic about the capability of Critical Infrastructures to withstand shocks and rebound resiliently. To start a brief look at Economics, Baker's optimistic comment on the ability of the USA to survive is as follows:

I give you this little statistical litany not just for its own intrinsic appeal, but as a healthful antidote to some of the wishful thinking about America's inevitable decline you can read in the rest of the media. Historically speaking, indeed, America's economic hegemony has never been greater. However messy Iraq and Afghanistan get, it would be unwise to bet that the US will not continue to be Top Nation for quite a while yet. What could undermine long-term US dominance? Some fret that the precarious American fiscal position could do it. However, this is mostly hyperventilation.

The fiscal deficit, at a cyclically adjusted 2.5 per cent of GDP, is on the large side, but American public debt as a proportion of GDP — at less than 70 per cent — still puts the United States comfortably among the more frugal of the world's big nations. The inevitable unraveling of global financial imbalances could certainly harm US demand growth in the short term, as both public and private sectors increase savings, but, assuming these extra savings are efficiently allocated by America's highly flexible capital markets, they might even end up improving long-run potential. The ageing population will surely crimp American economic activity. Most economists expect trend growth to slip a bit in the early part of the next decade as the proportion of the population in work begins to drop. Yet relative to the rest of the world this may not matter that much. America's demographics — a reasonable birth rate and strong immigration flows — are actually rather better than for most other industrialized countries. A century ago, China's population was almost six times that of the US. In 50 years' time, on current trends, it will be less than three times the size. The only real threat to American economic hegemony, I suspect, is the willingness of its people to continue to tolerate the pains associated with its success. Income and wealth inequalities have grown rapidly in the past ten years — even as the long-term growth rate has accelerated — and, given the continuing direction associated with globalization, they may get even worse over the next 20 years. [147]

On the other side of the fence, so to speak, it is necessary to bear in mind that processes such as Obstructive Marketing change completely the way in which marketing is viewed. Obstructive Marketing is:

Any process, legal or not, which prevents or restricts the distribution of a product or service, temporarily or permanently, against the wishes of the product manufacturer or service provider. [148]

It recognizes that there are challenges to the positive, western, consumer-oriented practice of marketing that have, hitherto, gone unremarked and unanticipated. The process is indicative of the dangers involved in stepping outside a traditional domestic market, a friendly international market, or a global market characterized by sales to wealthy clone zones of western consumerism. With few exceptions this is so far what globalization has been about. Since the end of the Cold War many of the impediments to Free Market Capitalism have been summarily dismissed. It was assumed that this was something everybody wanted. Obstructive Marketing demonstrates that such an attitude is incorrect. Obstructive Marketing offers a wide range of techniques that can slow, resist, obstruct, or modify the behavior of companies employing traditional marketing approaches.
In addition, the identification of these Obstructive Marketing techniques gives these same companies additional weapons to use in markets over and above those traditionally thought of as marketing tools. This is important because it brings marketing out of a singular western approach to a rather more sophisticated mainstream global approach, an environment where things are not quite so simple. Most business in the capitalist world is conducted along honorable lines, but it should not be assumed that this is the case when companies step outside the boundaries of the capitalist world and try to do business as capitalists in non-capitalist environments. A whole new range of approaches is appropriate to deal with different business ethics, mores, cultures, family values, and legal systems, to name a few. By understanding the differences and trying to marry these to, for example, the USA's Foreign Corrupt Practices Act, the extraterritoriality of USA law, and the drive for globalization on western terms, a better and more successful development may be achieved.

147 Baker, G (2006) America's Economic Hegemony Is Safe. 25 April 2006. The Times.
148 Hyslop, MP (1999) op. cit.

Obstructive Marketing is therefore an example of how traditional marketing techniques are restricted, particularly in overseas markets, and also a new way of approaching marketing in some difficult areas. This requires some depth of understanding and also the ruthlessness to pursue policies that allow businesses, in Machiavelli's terms, to remain virtuous in the long run. Globalization by western companies is only just beginning. It is made possible by the demise of military confrontation in the traditional sense between east and west, free market legislation, open currency markets, and massive amounts of available capital, particularly in the USA. Nevertheless this process has really only gone as far as reinforcing early victories in existing western markets and establishing bridgeheads in rich pockets of other parts of the world. At the same time it has taken advantage of a temporary maladjustment in some potentially competitive areas: China and Eastern Europe for low wages, for example. It has not yet extended reach and depth on a true global basis. As it attempts to do so, further Obstructive Marketing issues will arise, principally from China, India, and Russia, who will all have their own ideas of how to globalize in their own way. Sometimes globalization is characterized as a world event; it is not: western companies and capital dominate it. This is not necessarily going to remain the case in the long run. However, while companies such as Microsoft continue to have a turnover close to the GDP of China, the period of uncertainty is likely to continue for a considerable period.

In addition to the implications for the Marketing Mix there are also implications for Directors/Management. This does not just mean marketing management. It means the seven (the six usual suspects plus the Chief Information Officer!) regular executive constituents of a board, the chairman, and the non-executive directors, too. All have a responsibility to ensure that the business is run properly. (This is now enshrined in the Sarbanes-Oxley Act in the USA and the various standards and guides that exist in the UK on Governance.) In a public company it is the responsibility of the board and management to deliver a return to shareholders. In a private company it is the responsibility of the board and management to meet the objectives set by the business owner. In a public service organization, or a company limited by guarantee, it is the responsibility of the board of management to deliver the objectives set by the institution. It is not on the agenda to have the integrity of these purposes compromised by any internal or external issues. There is, therefore, a duty of care imposed on the directors and management of an organization to ensure delivery of the business objectives. This has to be achieved by exerting continuous due diligence over business developments.

Some writers, Friedman (1999) [149] for example, would say that this approach to functions is a load of nonsense, and potentially outdated. They would say that under the three new democracies, the democracy of the PC, the democracy of Finance (availability of credit), and the democracy of the Internet, this is all old news. In the New World every product or service becomes a commodity and it does not matter where it comes from; the consumer is king and price will drop to meet the demand of the consumer. So do not worry about the old rules, just adapt to deliver the product and service as fast and as cheaply as possible and "the devil take the hindmost."

149 Friedman, TL (1999) The Lexus and the Olive Tree. FSG. New York.

A key example of the differences between these two philosophies would be between the telephone companies and the computer companies. Telephone companies generally have some sort of statutory duty to provide a service, so equipment has to be delivered to a standard and has to last; this is much less so in the computer industry, where products change every six months. Moore's Law [150] used to double chip performance (strictly, the number of transistors on a chip) roughly every eighteen months, and so what if it does not work: it is out of date and you need a new one. Other areas where the fast approach is dangerous are in motor cars; as the Detroit moguls are fond of saying [151], "We do not build computers; our products can kill people if we don't get them right." Oil and gas equipment, defense equipment, and food are all areas where the new paradigm may not apply except in improving productivity. (Note: it is only in the technology-based areas that there is currently growth; other areas are marginal.) [152] So Friedman's argument is only true in part, and is specifically unhelpful in dealing with Critical Infrastructures. Every revolution has had an impact on productivity and cost, but eventually a new balance emerges in which the traditional bargain is struck between buyer and seller, where one side provides a good or service of a particular quality in return for compensation. It seems to be a peculiarly USA idea that this should mean the lowest price, as this tends to develop careless products and dangerous practices.
The Lopez [153] event in the car industry is now acknowledged as a wrong turn down the low cost route; reality has returned and prevailed. The law also tends to lag these events, so there is a period of anarchy (as there was during the agricultural and industrial revolutions), but it does eventually catch up. There is a general human concern with right and wrong, and with the rule of law, that is not going to be changed by any new model. What all this means is that there is going to be a considerable period of uncertainty, change, and challenge for many producers of goods and services. To survive, productivity will need to continue to increase, and speed to market will be extremely important. This change and rate of change will also mean more opportunities for Obstructive Marketing episodes. So, in general, the comments made above with regard to each business department will prevail and will require attention. Such an understanding will help the management of Critical Infrastructures by ensuring that each is aware of such issues.

150 Definition available at http://en.wikipedia.org/wiki/Moore’s_law (Accessed: 7 January 2007). Not as applicable as it was.
151 Comment of Fleer, CS (1998) CEO of United Technology, to audience at SAE 1998.
152 Ernst and Young (1995) US Manufacturing Abroad. Ernst and Young.
153 Lopez revolutionized purchasing for GM and Volkswagen. Volkswagen got the best out of him because, unlike GM, they did not allow him to completely dominate the supply chain. A resume of the Lopez affair is available at http://www.laramie.willshireltd.com/NewWorldOrder.html (Accessed: 7 January 2007).

The UN believes that inequality is the key social problem of our time:

The 2005 Report on the World Social Situation: the Inequality Predicament was launched on August 25. The Report sounds alarm over persistent and deepening inequality worldwide, focusing on the chasm between the formal and informal economies, the widening gap between skilled and unskilled workers, the growing disparities in health, education and opportunities for social, economic and political participation. The 2005 Report on the World Social Situation (RWSS) will focus on the international aspects of inequality. As emphasized by the ten-year review of the implementation of the Copenhagen Declaration and Program of Action, there has been uneven progress in many areas of social development (e.g., access to health and education), with important regression in others (e.g., inequality and social integration). The analysis of the underlying causes for this state of affairs highlights several issues, among which the reduced emphasis received in the decade since Copenhagen in the commitments made during the World Summit on social development, especially in the areas of equality, equity and social justice, stands out. Actual trends in inequality and the changing nature that inequality itself has acquired in the recent decade call for a more in-depth analysis.
Thus the main assumption of the RWSS 2005 is that issues of equity and inequality have acquired such importance nowadays that it renders a difficult task to strengthen the development agenda without first addressing the segmentation of society that, among other reasons, rising levels of inequality have produced. [154]

154 UN (2005) Report on the World Social Situation. Available at: http://www.un.org/esa/socdev/rwss/rwss.htm (Accessed: 7 January 2007).

In addition to the principal point of inequality, it can be noted that different parts of the world have different levels of access to Critical Infrastructures. This is also an inequality, but only in part, because inequality itself is not always viewed as inequality. Sometimes it is a different sort of equality. Sometimes there is the view that no one should have access to these Critical Infrastructures at all. For example, one of the most difficult social, and political, issues of all is how to deal with the divergence of view between an essentially nation-state, capitalist-oriented, "Christian" but secularly governed OECD and a non-nation-state, religious, fundamentalist society based on Islam. Balancing these two social and political approaches is one of the great challenges of our time.

If it is accepted that Global Warming is indeed occurring, and there are still arguments about this, it does not really matter whether it is caused by natural or human events. In terms of Critical Infrastructures the effect of Global Warming is profound. Taking a quick look at the common list, there will be some startling results of even relatively minor changes in temperature. Some of these have already been alluded to and most have already been witnessed in whole or in part:

• Finance: City of London floods
• Energy: Power generators fail; nuclear power plants flood
• Food supply: Harvests shrink
• Health: New diseases
• Government services: Under pressure
• Law and order: Under pressure
• Manufacturing: Current locations inadequate
• National icons: Damaged
• Transport: Disrupted
• Water: Scarce, in the wrong place
• Waste water: Contaminated
• People: In the wrong place
• Education: Disrupted
On the whole, Technology should be understood to have a positive effect on Critical Infrastructures. Technology has already contributed to the London Flood Barrier, protecting London and the City from flooding for the last twenty years or so. Technology has already delivered improvements in the efficiency of power stations, and a reduction in pollution. Harvests have grown over the last generation because of technology. Health has been maintained, and new treatments found for disease. Efficiencies in law and order have been delivered by improved systems based on technology advances. National Icons can be viewed by more people, especially remotely. Transport has benefited enormously from technology: improved fuel efficiency, safety, and less pollution, to name a few obvious ones. Water has become available to more people, and waste water has been treated more effectively, much of it due to advances in technology. People are better educated, have access to more information, and education has never been available to so many on such a scale. This is now. However, there is a warning note for the future. What new has really been created that will take things forward? Has the growth of understanding and the ability to analyze data improved the chances of a future built from technology advances in the same way as the past 100 years has been transformed by technology? Two examples will suffice to give pause for thought. The first is the man born in 1923 who in his first 80 years experienced the introduction of cars, telephones, electricity, air travel, space travel, antibiotics, computers, and genetics on a widespread basis. His father knew nothing of most of these things. Statistically, he is likely to live longer than his son born in 1954, who in his first 50 years saw nothing that was not already seen by his father. It is probably the case that those who were born at the beginning of the twentieth century saw more change in their lifetimes than subsequent generations. The second is new drugs. Why have most of the good drugs been found without the aid of statistical analysis and computers? It remains a fact that the rate of discovery of new drugs has slowed. These examples do not bode well for the future resilience of Critical Infrastructures. [155]

The USA Patriot Act of 2001 is one of a number of USA Acts that have extraterritorial reach. Comments on others are made elsewhere in this book. Here the effect of USA legislation on non-USA individuals and organizations is noted. The following is the conclusion of Joseph Tompkins' paper for the IMF on this subject:

First, the Act is very broad in nature. While U.S. financial institutions and persons are directly affected, the Act has significant impacts on non-U.S. banks and persons. The Act creates broad new information-gathering obligations for U.S. financial institutions, which have an indirect effect on non-U.S. financial institutions, and which create significant new costs for all those affected. The Act also creates new and unprecedented investigative and law enforcement authority for U.S. government officials, not just with respect to terrorist activities, but for money laundering and a wide range of other crimes. Second, the Act is a work in progress. It contains many provisions that are ambiguous or subject to great discretion in their application by U.S. government officials. Some of those uncertainties will be resolved by regulations and other guidance issued by the Department of Treasury and other Executive Branch agencies. Other ambiguities will have to be ultimately resolved by U.S. courts or perhaps by clarifying legislation from the Congress. In the meantime, those affected by the Act must be diligent in attempting to comply with its provisions, but also vigilant to make certain that the Act is implemented in a manner that is fair and consistent with fundamental rights.
The government officials charged with exercising the new authority given them under the Act hopefully understand that their authority must be carried out in a fair and responsible manner. To do otherwise would be self-defeating, not only for the immediate tasks at hand, but also for the fundamental liberties and the principles that the USA PATRIOT Act was designed to protect. [156]

155 Cuatrecasas, P (2006) Drug Discovery in Jeopardy. 1 November. The Journal of Clinical Investigation. Available at http://www.pubmedcentral.nih.gov/articlerender.fcgi?artid=1626142 (Accessed: 7 January 2007).
156 Tompkins, JB (2002) The Impact of the USA Patriot Act on Non-USA Banks. International Monetary Fund Seminar on Current Developments in Monetary and Financial Law. 7–17 May. Available at www.imf.org/external/np/leg/sem/2002/cdmfl/eng/tompki.pdf (Accessed: 7 January 2007).

Probably the most significant piece of legislation applicable to Critical National Infrastructure in the UK is the Civil Contingencies Act. Jim Birtles of the Business Continuity Institute comments as follows:

In the United Kingdom, all Civil Protection activity at the local level was empowered by Civil Defense legislation dating from 1948. This legislation had defined the events local responders should prepare for in terms of "hostile attack" from a foreign power. With the ending of the Cold War such a threat evaporated and local efforts in recent years have been focused on preparing for civil emergencies such as localized flooding and major transport accidents. The provisions for Emergency Powers were based on the Emergency Powers Act 1920, which defined an emergency in terms of certain services and resources which provided the community with the essentials of life. Clearly, the 1920 Act is out of date and doesn't reflect the threats which the UK now faces (for example, the 1920 Act did not cover terrorist threats or threats to the environment).

Background

After the fuel crisis and severe flooding in the autumn and winter of 2000, the Deputy Prime Minister launched a review of current emergency planning arrangements. This included a public consultation with representatives from both public and private sectors. In addition to a formal BCI presence, a number of BCI members were involved in the process as a natural extension of their normal responsibilities. The review reinforced the Government's viewpoint that the existing legislation was out of date for modern civil protection efforts and new legislation was needed. The development of the new legislation was initiated by a further public consultation working on a draft Bill. This exercise ran from June to September 2003, setting out the proposals for a new framework for civil protection work at the local level and a new framework for the use of special legislative measures. The resulting draft Bill was then scrutinized by a Joint Parliamentary Committee. Following amendments in the light of further consultation, and the recommendations of the Committee, the Bill was introduced to Parliament in January 2004.

Whilst developing the Bill, the Cabinet Office implementation team worked in close consultation with a number of key stakeholders, including the BCI, in an open and comprehensive policy-making process. The Bill was passed by Parliament on 17th November 2004 and received Royal Assent on 18th November to become the Civil Contingencies Act 2004 (the "Act"). The Act came into force in April 2005 and compliance will be enforced and audited from September 2005 onwards, allowing 6 months grace for implementation. However, the BCM promotion duty will not be enforced until 12 months later, in April 2006, when the whole of the Act will become subject to full audit and enforcement. [157]

157 Courtesy of Jim Birtles, FBCI. Available at http://www.thebci.org/ccact.htm (Accessed: 7 January 2007).

Given the reviews in Chaps. 3–5 it might be expected that significant attention would have been given by the Governments of the United States and the United Kingdom, in particular, to resolving the deficiencies in certain Critical Infrastructures. It may be unfair to say so, but it would seem that the current political reaction has a lot to do with legislative window-dressing as opposed to practical and real problem solving in key Critical Infrastructure problem areas. One of the problems here, of course, is that many of these Infrastructures, and particularly Information Infrastructure, are no longer in the hands of Governments.

National governments, such as those of the USA and the UK, have taken action in recent years to improve corporate governance standards in the wake of a number of high profile private sector corporate financial scandals. Thus the implementation of the Sarbanes-Oxley Act in the USA, a series of corporate governance recommendations and increased vigilance by the Financial Services Authority [158] in the UK and the various UK Governance Reports [159], and a focus on Information Security from the European Commission have all had the purpose of improving corporate governance and the accountability of senior management. This has led to an increase in regulatory control for business.

Such governance and regulation also affects banks. Banks are inextricably entwined with corporate governance and financial accounting standards. They have the additional burden of monitoring transactions associated with economic crime, specifically drug money laundering. The Basle Committee on Banking Supervision [160] basically sets the standards of operation for international banks. All reputable banks are associated with the committee. Basle I (the 1988 Basle Capital Accord) set out the regulatory framework for banks and other financial institutions to cover potential losses, specifically rules governing the risk-weighted capital ratio. This was broadly set at 8%: in other words, a bank's capital should not fall below 8% of its risk-weighted assets. Basle II [161] is a refinement of Basle I. It is more sensitive to credit and market-related risks. For the first time the accord deals with operational risk: "The risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events." Capital must be held to cover these risks.
Less capital is needed if the risks are well managed. The Accord is not mandatory but: • The European Union (EU) is taking a strong line and is expecting all banks and investment firms to comply • The US Federal Reserve expects the top 11 US banks to comply, others are expected to comply • Some countries, India and China, are not expected to comply
158 FSA is the regulator of all providers of financial services in the UK; the Bank of England retains responsibility for systemic risk. Further information available at http://www.fsa.gov.uk (Accessed: 7 January 2007) and at http://www.bankofengland.co.uk (Accessed: 7 January 2007).
159 A good summary is available at http://learningmatters.com/dwn/21397/21397ref0.html (Accessed: 7 January 2007).
160 More information is available at http://www.federalreserve.gov/generalinfo/basel2 (Accessed: 7 January 2007).
161 More information is available at http://www.pwc.com/extweb/industry.nsf/docid/0DE78A7E597CB7B985256EFF00571250 (Accessed: 7 January 2007).
Chapter 6 Effects on Critical Infrastructures
89
Basle II will be implemented in the EU via the Risk Based Capital Directive (CAD III). The Accord is likely to have the biggest impact in Europe and the USA. The biggest impact of Basle II will be a significantly increased cost of compliance. The total cost is estimated at between $½ trillion and $1 trillion, with an average expenditure of around £50 million per bank. Against this must be set the benefits of compliance (a strong reputation) and the potential reduction in required capital ratios for those that do comply.

The USA Sarbanes-Oxley Act162 of 2002 was introduced in response to a number of corporate governance scandals in the USA. The main drivers were the issues surrounding the financial management, or otherwise, at Enron, WorldCom, and Tyco. Although it is clear that Sarbanes-Oxley is the most complete corporate anticrime law ever published in the USA, it is still unclear exactly how companies are to comply. It is important to note that the Act is intended to have international reach. There are implications for subsidiaries of USA companies abroad, which are expected to comply, and for subsidiaries of foreign companies in, or linked to, the USA, which will also be expected to comply. This is particularly so if they have any reporting requirements with the USA Securities and Exchange Commission. This is also important for companies listed on a variety of Stock Exchanges. The Sarbanes-Oxley Act covers all aspects of corporate governance, with particular emphasis on financial statements, audit requirements, and board control. The Act impacts all USA companies and their subsidiaries at home and abroad. It impacts all foreign companies with subsidiaries of, or dealings with, USA parent or subsidiary companies. It impacts all companies with reporting requirements to the Securities and Exchange Commission. Currently, it specifically affects all companies with a market capitalization in excess of $75 million.
162 Sarbanes Oxley Act is available at http://www.soxlaw.com (Accessed: 7 January 2007). Deloittes also have information available at http://www.deloitte.com (Accessed: 7 January 2007).

Senior Management faces prison (up to 20 years) or large fines (up to $5 million), or both, for infringements. The Sarbanes-Oxley Act was passed in 2002 and came into force on 15 June 2004. The compliance deadline was 15 April 2005. It should be noted that as this book is written, a number of amendments to the Act are proposed. The Act has the purpose of enforcing a change not only in USA governance but also in international governance. It therefore has a potential worldwide impact. Although the major impact of Sarbanes-Oxley is clearly focused on financial controls, the aim of the Act is to be more wide ranging. This is partly because all aspects of a business are related to finance. Thus papers on the impact of Sarbanes-Oxley on travel and on health and safety have already been written. To a certain extent Sarbanes-Oxley is a “bandwagon” that many have joined. However, the key point is that when linked to current and proposed Corporate Governance changes in Europe/UK, the Basle II accords, and the focus by the European Commission on Information Security standards, Sarbanes-Oxley will represent a fundamental shift in corporate governance standards. Section 404 of the Act deals with the Management Assessment of Internal Controls. As most management information and financial information is now held digitally, it is critical to have information systems and telecommunications that assist, rather than detract from, compliance. There have been some interesting negative effects from the Act. These are noted elsewhere.

A number of significant changes to accounting, governance, and reporting standards are affecting companies across the world. In addition, forthcoming changes to operational risk assessments affecting banks under the Basle II accords will have an impact on how businesses interact with their banks. All these changes have an impact on telecommunications and information technology requirements. In addition, new accountancy standards are being implemented across the world. The European Union wishes to introduce a common capital market.163 It follows that this requires a common financial language. This language is known as the International Accounting Standard and is interpreted by the International Financial Reporting Standard. From 2005 all listed companies (listed on an EU regulated Stock Exchange) across the European Union will have to prepare their consolidated financial statements based upon International Financial Reporting Standards. They will no longer be able to produce accounts based upon national standards. In addition to the EU member states, over 70 countries currently permit or require the use of International Financial Reporting Standard by some or all of their domestic listed companies or have announced plans to do so. There are about 7,000 such companies, of whom 2,500 are in the UK.
It is not possible to pick and choose which standards are adopted. Listed companies must adopt the entire International Financial Reporting Standard. For everyone else it is an all or nothing choice. An entity whose financial statements comply with International Financial Reporting Standard must make an explicit and unreserved statement of such compliance in the notes to its accounts. Financial statements shall not be described as complying with International Financial Reporting Standards unless they comply with all the requirements of International Financial Reporting Standards. The International Accounting Standards Board is currently in the process of discussing an international version of Financial Reporting Standard for Smaller Entities for small and nonpublicly accountable entities.
163 More information on IFRS available at http://business.timesonline.co.uk/section/0,16649,00.html (Accessed: 7 January 2007) and at http://www.ifrs.co.uk (Accessed: 7 January 2007).
Any companies that meet the above definition will need to prepare consolidated financial statements using International Financial Reporting Standard for accounting periods commencing on or after 1 January 2005. The adoption of International Financial Reporting Standard is a major cost to business. In most cases this process of adopting International Financial Reporting Standard should already be underway. However, research suggests that many companies have made little or no progress towards this goal.

The implications of these regulatory changes for Information Infrastructure Resilience and Recovery can be summarized thus. The adoption of the measures is likely to require:
• New software systems
• Review of hardware systems
• New means of communicating with/from customers
• New risk assessments and dependencies

A general checklist from a telecommunications and IT perspective would include:
• Impact assessment
• Risk assessments and dependencies review
• Contract review including a liability review
• Systems and integration review
• Capacity and capability required
• Reporting/data retention

Such a checklist implies the need for strategically integrated systems, a robust telecommunication infrastructure, a business continuity plan and a disaster recovery plan. These measures are likely to add some measure of resilience to business. Most risk management tools are inquisitive and prescriptive; in other words they ask you lots of questions, and then tell you what to go and do. Dependency Modeling provides a way of capturing a model of an organization, whereby it uncovers all kinds of possibly unforeseen vulnerabilities, measures the risks, and helps reduce the vulnerabilities to cut out the most serious problems, thereby reducing the risk. Stock Markets hate uncertainty; it always depresses prices. They prefer hard news – even bad news – to uncertainty. Since earliest times, uncertainty has been one of the greatest problems faced by mankind.
Mankind achieves by making decisions, and uncertainty paralyses the decision making process. Uncertainty promotes paroxysms of discussion, argument, and sometimes conflict. Some of the oldest writings known to historians are concerned with man’s wrestle with uncertainty, and over thousands of years he has evolved a number of ways to attempt to handle it, from sacrifices to influence the harvest, to fortune telling such as astrology, to more scientific means such as market research and economic modeling.
Risk management concerns itself with uncertainties about the future that could bring down an organization. It is among the most important disciplines of modern management, yet it is poorly understood. It is concerned with statistics and unpredictability, yet most managers – even many trained scientists – do not grasp statistical behavior at the intuitive level. Subconsciously we all confuse a very small probability of a major disaster with a small disaster.

The formal parts of an organization are those most often emphasized. These are the parts about which we make decisions and over which we have some control. We will sometimes refer to them as the controllable parts of the organization, although we have at best only partial control over them. They include our mission, our organizational structure, our recruitment policy, the systems we use, the hardware we buy, the training we provide, the procedures we enforce, and so on. But a fuller picture includes factors over which we have virtually no control, such as national strikes, equipment failures, outbreaks of fire, the weather, the existence and intentions of hostile parties, human frailty, and so forth. These uncontrollables, each of which affects many business functions, do not just occur singly, but may arise in combination, and of course the number of combinations is enormous. It is unfashionable to speak much of these uncontrollables since they make us feel uncomfortable and helpless. Yet every organization on the planet is susceptible to certain combinations of things all going wrong at the same time. But as risk analysts we know that we all depend on things over which we have little or no control. These things constitute the essential luck we need to continue functioning. Our job is to arrange things so that we rely on as little of this luck as possible. This leads us to the following definitions:
• Risk is sensitivity to those things we cannot control.
• Risk Management is the science of understanding and reducing our sensitivity to those things we cannot control.

Understanding risk involves understanding why we depend on things we cannot control, through an understanding of Dependency Relationships. The formal part of the organization can be thought of as being under constant attack by the uncontrollable part. Risk Management is about designing the former to be maximally resilient to the latter. While we cannot control the root causes, the uncontrollables, nevertheless the effects are more under our control through management of the dependency relationships within the organization. Interdependency relationships are unique to the particular organization, and only by coming to terms with the actual relationships in that organization can anything really valuable be done to understand, manage, and reduce risks. Dependency Modeling was developed to capture these interdependencies in a highly visual model so that the consequence of failures could be uncovered in the safe, virtual environment of the computer.
Having created the model it is relatively easy to:
• Infer the risk to the organization implied by the model
• Illustrate the risk graphically in easy-to-understand terms
• Find which scenarios are the most dangerous to the organization
• Find variations of the organizational structure which carry less risk
• Evaluate the effectiveness of any countermeasures
• Determine which factors are important and which can be ignored
• Support management proposals with evidence
• Avoid spending money on measures which are likely to be ineffective
• Find ways of reducing risk without necessarily spending money

Using the methodology above also allows us to create an Obstructive Marketing Risk Model. The risk model, of course, would be different for each company looking to deal with Obstructive Marketing threats. This modeling is important because it has allowed the concept of Obstructive Marketing to move from an idea, to a concept, through examples, to a scientific base, to a plan to control it. Clearly, the model has developed from the who, when, where, how, and why questions. This is not only a complete cycle, but also completes the requirement concerning the ordering experience. Obstructive Marketing is therefore sufficiently real for a plan to be constructed to deal with the various aspects of it.164

In this Chapter a variety of political, economic, social, technical, environmental, legal, regulatory, and risk issues have been looked at. Although there is some optimism in the political, economic, technical, legal, and regulatory areas from this and previous Chapters, it is the case that the “common list” of Critical Infrastructures is affected adversely by many of these processes. For the management of Critical Infrastructures to be successful they must remain a priority in the development of each of these processes from a national perspective. Unfortunately, this is not, overall, the case. The primacy of Critical Information Infrastructure is once again emphasized.
164 From Hyslop, MP (1999) op. cit. These comments also appeared in Hyslop, MP et al. (1996) Advanced Inventory Management. Whessoe plc. Some parts of this latter description are accredited to Professor John Gordon and Chris Baker.
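The Dependency Modeling reasoning above (risk as sensitivity to uncontrollables, the most dangerous scenarios, which factors matter, the effect of a countermeasure) worked through in code, added here as an illustration; it is not the book's or any vendor's Dependency Modeling tool, and the organization, event names and probabilities are constructed assumptions.

```python
from itertools import product


class DependencyModel:
    """An organization as a dependency tree over things it cannot control.

    leaves: uncontrollable -> probability that it fails in the period considered.
    nodes:  function -> ("all", deps): needs every dependency to survive, or
                        ("any", deps): survives while at least one dependency does
                        (i.e. redundancy).
    """

    def __init__(self, leaves, nodes):
        self.leaves = dict(leaves)
        self.nodes = dict(nodes)

    def fails(self, name, state):
        """Does `name` fail, given a dict of uncontrollable -> has failed?"""
        if name in self.leaves:
            return state[name]
        mode, deps = self.nodes[name]
        failed = [self.fails(d, state) for d in deps]
        return any(failed) if mode == "all" else all(failed)

    def failure_scenarios(self, top):
        """Every combination of uncontrollable outcomes in which `top` fails,
        as (frozenset of failed uncontrollables, probability of that combination).
        The leaves are few, so we enumerate exactly rather than sample."""
        names = list(self.leaves)
        for outcome in product((False, True), repeat=len(names)):
            state = dict(zip(names, outcome))
            if not self.fails(top, state):
                continue
            p = 1.0
            for n in names:
                p *= self.leaves[n] if state[n] else 1.0 - self.leaves[n]
            yield frozenset(n for n in names if state[n]), p

    def risk(self, top):
        """Probability that `top` fails: the organization's sensitivity to
        the things it cannot control (the book's definition of risk)."""
        return sum(p for _, p in self.failure_scenarios(top))

    def most_dangerous(self, top, k=3):
        """The k most probable failure scenarios."""
        ranked = sorted(self.failure_scenarios(top), key=lambda s: s[1], reverse=True)
        return ranked[:k]

    def importance(self, top):
        """Risk removed if each uncontrollable could never happen: which
        factors are important and which can be ignored."""
        base = self.risk(top)
        out = {}
        for leaf in self.leaves:
            trial = DependencyModel({**self.leaves, leaf: 0.0}, self.nodes)
            out[leaf] = base - trial.risk(top)
        return out


# Constructed organization (an assumption, not real data): a payments function
# that needs the data centre, one of two telecoms links, and its operators.
LEAVES = {
    "power_cut": 0.05,
    "flood": 0.01,
    "telecom_a_down": 0.10,
    "telecom_b_down": 0.10,
    "staff_absent": 0.02,
}
NODES = {
    "connectivity": ("any", ["telecom_a_down", "telecom_b_down"]),  # redundant links
    "data_centre": ("all", ["power_cut", "flood"]),
    "payments": ("all", ["data_centre", "connectivity", "staff_absent"]),
}


def baseline():
    return DependencyModel(LEAVES, NODES)


def with_generator():
    """Countermeasure: a standby generator that may itself fail to start
    (assumed 20%), so power is lost only if mains and generator both fail."""
    leaves = {**LEAVES, "generator_fails": 0.20}
    nodes = {**NODES,
             "power": ("any", ["power_cut", "generator_fails"]),
             "data_centre": ("all", ["power", "flood"])}
    return DependencyModel(leaves, nodes)


if __name__ == "__main__":
    before, after = baseline(), with_generator()
    print(f"risk to payments: {before.risk('payments'):.4f}")
    for failed, p in before.most_dangerous("payments"):
        print(f"  {p:.4f}  {sorted(failed)}")
    print("importance:", {k: round(v, 4) for k, v in before.importance("payments").items()})
    print(f"risk with standby generator: {after.risk('payments'):.4f}")
```

Comparing `baseline()` with `with_generator()` is the "evaluate the effectiveness of any countermeasures" step; `importance()` separates factors worth spending on from those that can be ignored.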
Chapter 7 Comments on Standards in Information Security, Disaster Recovery, Business Continuity, and Business Resilience
This Chapter looks at some aspects of the private sector approach to resilience. There are a number of ways this can be approached, both by business and as a subject. However, over the last twenty years or so, there has been continuous development of an approach related to firstly disaster recovery, then business recovery, then business continuity, and, most recently, a move toward business resilience, which will potentially make all the former obsolete. This progression has seen the development of some standards. These have been focused on the regulated businesses. This Chapter charts this journey and ends by comparing a significant number of the different standards now in use. As this book goes to press the new Business Continuity Standard in the UK, BS25999, has been published, which is really the next step in the business continuity industry’s development. As with all Critical Infrastructures, the mission critical elements of a business are almost always related to Information Infrastructures these days. Hence the concentration on standards related to Information Infrastructure. This Chapter reproduces text from articles by the author originally published in Continuity Planning’s online newsletter.165

There have been, and are, three developing themes in the business risk management industry – business recovery, business continuity, and business resilience – and all have a common driver: regulation. In the latter’s case, however, there is also the business strategy driver to consider. Regulation during the 1980s in the banking industry, especially in Europe and the City of London, drove players to evolve procedures that could recover financial data, in particular, from disrupted media in such a way that information could be retrieved and businesses could continue to operate.
At the same time, companies such as Kroll166 and Control Risks167 were starting to look, again in regulated businesses and/or high-profile businesses, at the risks to business and began drawing up procedures to handle them. The personnel involved at the time were often ex-forces or maverick IT-types.
165 All articles available at http://www.contingencyplanning.com (Accessed: 7 January 2007).
166 More information available at http://www.kroll.com (Accessed: 7 January 2007).
167 More information available at http://www.controlrisks.com (Accessed: 7 January 2007).
In the mid 1980s a number of London banks and their subsidiary “network” management companies168 started to develop bespoke approaches for their clients. Many of these approaches have stood the test of time in a number of ways, or, at the very least, have provided a foundation for future developments. The sort of advice they gave at the time, however, is almost unrecognizable just 20 years later. The following is the checklist given to Managing Directors, in the 1980s, to control sensitive information of a company that excelled in electronic innovations:
• Is there a classification for company information?
• Does the procedure require certain controls?
• Are copies of the procedure issued to all employees?
• Is each employee provided with somewhere safe to lock things away?
• Is there a shredder beside each photocopier?
• Is all sensitive waste shredded?
• Are microfiche readers controlled and negatives disposed of securely?
• Are microfilms prepared by outside contractors securely handled?
• Is telephone equipment checked from time to time for eavesdroppers?
• Is data transfer, whether by computer or telefax, secured against intervention from outsiders in a physical as opposed to a virtual sense?
• Are board and conference rooms checked on a frequent, random basis to detect bugging?
• Is access closely controlled to rooms and stores where confidential documents are kept?

Electronic data transfer at that time was limited to a few major international centers. e-Mail existed via the company’s own satellite system, but only on a limited basis. Even so, the controls in place then for managing data were more relevant to the recovery of the business than to the preservation of the data. In fact, the preservation of data and information was not a particularly big issue. This was a private company and the owner pretty much decided what it was or was not appropriate to keep.
Today, even as a private company, this organization could not be quite so independently minded as to the sort of information it chose to keep – especially in Europe and the United States, and even in a relatively lightly regulated industry. In the international field, the company operated freely and carried little in the way of data or presentations, except that which employees kept in their heads or on traveling overheads. (In 1989, one Managing Director had an early Amstrad laptop confiscated at six airports during a two-week trip through Africa.) Decisions were made on the spot and contracts were rarely more than two pages long. In the banking industry, then as now the most regulated of services, things were being looked at a little differently. Again, a number of London (and New York) banks were involved. Their checklist for computer security still has some resonance today.
168 E.g. Hambros Bank’s Network Security Management Limited.
Computer Security:
• Are standards for system design, new applications, changes, etc., written down in the company manual and invariably followed?
• Are new systems and system changes looked at from a fraud vulnerability point of view?
• Is ownership of all data and programs clearly assigned?
• Is a system manager designated for each installation, network, and PC?
• Is access to all computer resources restricted on a need-to-know basis?
• Is access established on the lowest privilege principle?
• Is access to sensitive files restricted, depending on the privilege level of users?
• Have standard file names been removed from all systems?
• Are “default” and other low-level accounts closely monitored?
• Are all computer installations and communications physically secured?
• Is access to all terminals physically controlled?
• Are dial ports and other means of open access kept to the minimum, and then on a secure basis?
• Are dial port numbers ex-directory and in a different telephone area from the company’s voice lines?
• Have all remote users been warned about the dangers of decoy and virus programs and of logging on after a suspected communications failure?
• Does the system’s console sound and print a warning when repeated failures to log on are identified?
• Does network software enable the identity of the remote user to be traced?
• Must all passwords be more than seven characters long and alphanumeric?
• Are passwords changed at regular intervals and always after an employee’s service has been terminated?
• Is there an automatic procedure for checking that a user does not repeat or rotate passwords?
• Are all password files kept in an encrypted form?
• Is the use of all resources journalized onto tape and printer?
• Are all system failures logged and followed up?
• Are test and production facilities kept completely separate?
• Are restricted utilities catalogued and closely controlled?
• Are temporary files to programs and files audited?
• Are diagnostic and engineering programs kept off-line under secure conditions?
• Is all line testing equipment kept under secure conditions?
• Are all IP addresses kept securely?
• Have all router passwords been changed from their default?
• Is all audit software kept off-line and loaded only when needed?
• Are copies of important programs and files retained under secure conditions in remote stores?
• Is all printed output kept securely while awaiting collection by the owner?
• Is all unwanted output shredded prior to disposal?
• Have proper contingency plans been prepared for all important applications and resources?
• Are all new programs and modifications reviewed by a “peer group” before being accepted for production purposes?
• Are all program changes and new applications approved by audit before being accepted for production purposes?
• Are all source programs kept off-line under secure conditions and loaded on the authority of the owner or senior data processing manager?
• Are printed source listings kept secure and released against signature when required?
• Are interrelated applications designed to automatically check control totals, with the minimum of manual intervention?

These same requirements can be seen today underpinning, in particular, FDA 21 CFR Part II and the Payment Card Industry Data Security Standard, as well as forming part of the original basis for what has become ISO 17799. The 1980s were dominated by procedures driven by regulation in the banking industry in London and New York. This was a time that saw the beginning of a European approach to business recovery and continuity. By 2005, the approach was to be driven heavily by the United States. Information security and business continuity processes were being developed. As before, this is looked at very much from a European/USA perspective. It is the case that, so far, even many other OECD countries are well behind both the USA and UK in developing and implementing these sorts of techniques.

The UK’s greatest contribution to information security is probably what was originally known as British Standard 7799. The development of this standard, largely by Brian Doswell, spawned an array of consulting services: Survive! and the Business Continuity Institute being the best known. Such was the success of this approach that the original British Standard eventually became the International Standard Organization’s Standard 17799.
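Two of the checklist's controls turned into executable checks, added here as an example that is not part of the original checklist or any bank's system: the password rule (more than seven characters, alphanumeric, no repeat or rotation of recent passwords, with the history kept as salted hashes rather than in clear) and the console warning on repeated failed log-ons, run over a few constructed audit lines. The log format, user names, history depth and thresholds are assumptions.

```python
import hashlib
import os
import re
from collections import defaultdict
from datetime import datetime

HISTORY_DEPTH = 5   # assumption: the last five passwords may not be reused
THRESHOLD = 3       # assumption: three failed log-ons ...
WINDOW = 300        # ... within five minutes trigger the console warning


def _hash(password, salt):
    # Salted PBKDF2: the history never holds the clear-text password, the
    # modern form of the checklist's "password files kept in an encrypted form".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Per-user ring of (salt, hash) pairs for the repeat/rotation check."""

    def __init__(self):
        self._entries = defaultdict(list)

    def seen_before(self, user, password):
        return any(_hash(password, salt) == digest
                   for salt, digest in self._entries[user])

    def record(self, user, password):
        salt = os.urandom(16)
        ring = self._entries[user]
        ring.append((salt, _hash(password, salt)))
        del ring[:-HISTORY_DEPTH]          # keep only the most recent ones


def check_password(history, user, password):
    """Return the list of policy violations; an empty list means acceptable.
    'Alphanumeric' is read here as: contains both letters and digits."""
    problems = []
    if len(password) <= 7:
        problems.append("must be more than seven characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must contain both letters and digits")
    if history.seen_before(user, password):
        problems.append("repeats or rotates a recent password")
    return problems


# Constructed audit lines in an assumed "<ISO time> user=<u> result=<r>" format.
SAMPLE_LOG = """\
2007-01-07T09:00:01 user=alice result=FAIL src=10.0.0.5
2007-01-07T09:00:40 user=alice result=FAIL src=10.0.0.5
2007-01-07T09:01:10 user=alice result=FAIL src=10.0.0.5
2007-01-07T09:02:00 user=bob result=FAIL src=10.0.0.9
2007-01-07T10:30:00 user=bob result=FAIL src=10.0.0.9
2007-01-07T10:31:00 user=bob result=OK src=10.0.0.9
2007-01-07T11:00:00 user=carol result=OK src=10.0.0.7
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+)")


def repeated_failures(log_text, threshold=THRESHOLD, window=WINDOW):
    """Users with at least `threshold` FAIL events inside `window` seconds:
    the condition on which the checklist expects the console to warn."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "FAIL":
            failures[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    flagged = set()
    for user, times in failures.items():
        times.sort()
        # slide a window of `threshold` consecutive failures over the times
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window:
                flagged.add(user)
                break
    return flagged


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("ab12345", "correcthorse", "Winter2007x"):
        print(candidate, check_password(history, "alice", candidate) or "ok")
    history.record("alice", "Winter2007x")
    print("reuse:", check_password(history, "alice", "Winter2007x"))
    print("warn on:", sorted(repeated_failures(SAMPLE_LOG)))
```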
The key elements of ISO 17799 are:
• Information Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems Development And Maintenance
• Business Continuity Management
• Compliance
(Now there is also BS 25999 dealing with Business Continuity too.)

The important issue here, if compared to the checklists at the head of the Chapter, is that there is a shift of emphasis from Business Recovery to Business Continuity. A number of the issues mentioned in the early checklists of the first article are codified and structured with the aim of ensuring that business continues in the event of a disaster rather than just faces the need to recover. Research by the major consultancy companies, PricewaterhouseCoopers169 and Deloittes170 in particular, has demonstrated that there was an increasing chance of business survival for those businesses that took Business Continuity seriously.

The Information Security and Business Continuity “industry” was greatly assisted during the 1990s by the great Y2K issue. Y2K led to a frenzy of information technology investment and security in parallel to the expanding “bubble” of information technology stocks. It is perhaps not long enough in the past to have an unbiased view of this period. However, what can be said is that it did identify, certainly from the year 2000, that man was as reliant on computers for survival as he was on food, water, shelter, etc. In fact, many of these basics could not be supplied unless computers worked. Computers were really important. Business Continuity, but particularly Information Continuity, came of age. The anticipation of difficulties concerning the Y2K problem led governments and regulatory bodies to require certain important industries to take Business Continuity seriously. This assisted the development of the Business Continuity industry. Using ISO 17799/25999 as a basis, many organizations, particularly regulated bodies, were required to produce Business Continuity Planning manuals. The overall methodology for this approach is a cycle of analysis, solution design, implementation, testing and acceptance, and maintenance. Analysis meant both impact analysis and threat analysis. Impact analysis looked at the difference between critical and noncritical organizational structures. The recovery/continuity requirements looked at the time frame, the business requirements and the technical requirements for critical functions. Threat analysis included disease, earthquakes, fire, flood, cyber attack, hurricane, utility outage, and terrorism. Following analysis a recovery requirement document was generally produced.
Solution design looked principally at what the base application and application data requirements were, plus the time frame in which these were to be available. The solution design phase also determines:
• The crisis management command structure
• The location of a secondary work site
• Telecommunications architecture
• Data replication methodology
• The application and software required at a secondary site
• The type of physical data requirements at the secondary work site

Implementation is the execution of the design. Testing and organizational acceptance may cover:
• Crisis command team call-out testing
• Technical testing of move from primary to secondary locations
• Technical testing of move from secondary to primary locations
• Application test
• Business process test

169 The State of Information Security 2006. Available at http://www.pwc.com/extweb/pwcpublications.nsf/docid/3929AC0E90BDB001852571ED0071630B (Accessed: 7 January 2007).
170 The 2006 Technology, Media & Telecommunications Security Survey. Available at http://www.deloitte.com/dtt/research/0%2C1015%2Ccid%25253D122104%2C00.html (Accessed: 7 January 2007).

Maintenance is concerned with confirming the accuracy of the manual, testing the technical solutions and testing the documented organization recovery procedures. This is probably the most important part – not least because a plan is worthless unless it is regularly tested and kept up to date.

Research by Hyslop (1999)171 through members of the Executive Club of Chicago in 1999 demonstrated the importance of Business Continuity planning. Most businesses that suffered some sort of disaster, information technology or otherwise, generally went out of business. Those that had some form of Business Continuity plan tended to survive. In those days (8 years is a long time in this industry) more than 66% of businesses would admit in an anonymous poll to having had some form of competitive, criminal, or culturally inspired interruption to their business. In the regulated businesses both the fear of, and the actual, incident level was higher. Business Continuity, as Business Recovery had been before it, was driven by the need of the engines of capitalism to keep turning. More importantly, the same research demonstrated a need for a strategic business approach to handling business information. This more strategic approach is about building resilience into a business, as a form of DNA. This is, actually, a radically different approach from business recovery and business continuity, which are essentially tactical responses. In Europe the key engines were in London and Frankfurt. Both these financial centers were much further forward in planning for Business Continuity than their European colleagues. In the Far East, another financial center, Hong Kong, has led the way. Of course, in the USA it has been New York and Chicago.
The 1990s saw the expansion of both the Internet and the World Wide Web, still based pretty much around data traffic between OECD countries, and the rise of globalization. Both of these phenomena increased the threats to both the regulated and nonregulated industries. The World Wide Web, Internet, and Globalization not only changed the threats, they also changed the rules of the game. All of a sudden there was a completely different universe. For those that operate within the electronic economy there is a whole set of new requirements to be met. In an interconnected world you need to be able to stay interconnected. To do so it is no longer appropriate merely to recover or to find a way of continuing operations; it is important for those operations to “bounce back” immediately. Business Resilience therefore became practically more important than recovery or continuity, although it has not been particularly well articulated. In addition, there have been a number of events that have further changed the threat pattern. These include 11 September 2001 and Enron. These, amongst other events, will hopefully lead to a greater need for, and concentration on, strategic resilience rather than tactical recovery and continuity programs.
171 Hyslop, MP (1999) op. cit.
100
Critical Information Infrastructures : Resilience and Protection
There has been a progression from very simple measures to protect business data and information to the creation of a whole industry dedicated to business continuity. The slight drop in attention paid to both business recovery and business continuity before 11 September 2001 and Enron was, after those events, replaced by rising attention driven primarily by regulation and, increasingly, compliance. What had started as a very much financial-market-driven approach in the UK, Europe, and the USA became an approach dominated by regulation from federated authorities: the USA, the European Union, and the world’s financial organizations in particular. Business Resilience, however, is very different from both Business Recovery and Business Continuity. In many ways it is a Holy Grail. Most research indicates that over 75% of companies who fail to institute some form of Business Recovery or Business Continuity process fail to recover from a disaster or attack.172 Resilience means the ability to bounce back from a setback in “original form,” so there should be no need for either recovery or continuity, and businesses should not fail. Clearly, in the case of companies hit by some form of disaster or attack, such a definition means that the company will survive. As business information becomes increasingly held within information technology systems, and away from the heads and filing cabinets of managers, resilience becomes increasingly important for business survival. This is not the only reason for developing resilient companies. Internal and external auditors are increasingly looking for more sophisticated record keeping in order to ensure compliance with a range of regulations. These auditors want to see resilient companies, because resilient companies will not lose track of, primarily, financial data. Business Resilience is the ability, as noted, to bounce back in original form. Regulation and compliance are important drivers.
There are, however, at least three more issues that will drive the move towards resilient companies. These are asymmetric warfare, obstructive marketing, and the rise of an American led and dominated electronic economy. The following regulation and compliance issues have some form of correspondence with what was known as Business Recovery and Continuity and what is now required, in terms of formal compliance at today’s date, with regard to early measures for Business Resilience.

Guidelines for publicly traded companies on stock exchanges:
• Turnbull Guidelines (UK) – Address business continuity, risk management, and appropriate internal controls for companies listed on the London Stock Exchange, which first mandated requirements of this type. Stock exchanges around the globe are watching the impact this has when the compliance date has been reached and what the domino effect will be.
• NYSE (proposed) Rule 446 – Addresses business continuity, risk management, and appropriate internal controls for companies listed on the New York Stock Exchange. NASD has required that all of its members implement risk management and business continuity programs.
• Sarbanes-Oxley Act (2002) – Requires auditors (internal and external) to provide a detailed report on a company’s internal controls to the SEC. This will be published in the annual reports in its entirety.

Regulations related to privacy, security, risk management, and corporate governance:
• HIPAA (US) – Includes seven specific business continuity management points with 2003 compliance by large corporations. Includes federal civil and criminal penalties.
• Expedited Funds Availability Act (US) – Demonstrated BC plans to ensure prompt availability of funds (federally chartered financial institutions).
• Gramm-Leach-Bliley Act (US) – Wide range of organizations providing financial services beyond banks (for example, auto dealers, retail stores, financial planners, tax preparers, and insurance and real estate industries) requiring appropriate controls in place for a strong focus on client privacy. An unusual addition to this act is that it also includes vendors and suppliers to the institutions identified.
• Presidential Decision Directive (PDD) 63 (US, 1998 and later updates) – Calls for an effort to ensure the security and continuous availability of critical infrastructures (physical, IT, and telecommunication) by 2003.
• Telecommunications Regulations 2000 (UK).
• Australian Commonwealth Criminal Code (December 2001 update) – Establishes criminal penalties for officers and directors of organizations that experience a major disaster and fail to have a proper business continuity plan in place.
• Telecommunications Act of 1996 (US).
• Foreign Corrupt Practices Act (FCPA) – Addresses internal controls and criminal penalties.

172 Data available at http://www.prem.co.uk/DRStatistics.html (Accessed: 7 January 2007) amongst others.

Chapter 7 Information Security, Disaster Recovery, Business Continuity
101
Additional regulations and guidelines:
• Computer Fraud and Abuse Act of 1986, revised 1996
• Computer Security Act of 1987, Public Law 100-235
• Federal Financial Institutions Examination Council (FFIEC): Information Systems Examination Handbook
• Federal Reserve Commercial Bank Examination Manual, Section 4060 Computer Services
• Federal Deposit Insurance Corporation, BL-22-88: Contingency Planning for Financial Institutions
• Federal Reserve Board, Policy Statement, SR89-16: Interagency Policy on Contingency Planning for Financial Institutions SP-5
• Federal Reserve Board, Policy Statement, SR97-15 (SPE): Corporate Business Resumption and Contingency Planning SP-5
• Federal Reserve Board, Policy Statement, SR98-9 (SUP): Assessment of IT in the Risk-Focused Framework173
amongst others.

A number of recent surveys seem to indicate that whilst CEOs believe that Business Resilience, and the Recovery and Continuity procedures that precede and build it, is important, most CSOs/CIOs are reporting budget restrictions (see Continuity Planning, March 2006 Newsletter).174 This is a simple matter of market economics: “If everyone else is taking the risk why should WE protect ourselves and increase our costs?” says the CEO, reasonably. The real answer is that he or she is playing Russian roulette with the business. The banks, oil, and utility companies have at least realized this (compliance may have pushed them, but they are now looking for wider Resilience solutions for sensible and pragmatic commercial reasons).

Asymmetric Warfare and Obstructive Marketing are covered again in a later Chapter. Suffice to say they are also important in the context of Business Resilience. In Europe there is a growing awareness that the USA could be developing the means and legal framework to control the global electronic economy. Such a move would make the rise of China and India potentially irrelevant. If you are not part of the USA club, the argument goes, then you are out of the new market! The pros and cons of such an approach are for a later Chapter. However, consider the following: what would be required of companies to participate in such an electronic market? Regulation and compliance, yes. Asymmetric Warfare and Obstructive Marketing defenses, yes. In other words, Business Resilience is the passport to the new electronic capitalism. This is a very different environment from Business Recovery in the 1980s! If your CEO is, as suggested, cutting back on the Information Security budget, then the following should help to refocus his or her mind. Previously the migration from Business Recovery to Business Resilience has been discussed.
173 More detail available at http://ftp.hp.com/pub/services/continuity/info/corp_gov_bca_5983-1677EN.pdf (Accessed: 7 January 2007).
174 Available at http://www.contingencyplanning.com/archives/2006/mar (Accessed: 7 January 2007).

No business is really free from the need to act on Information Security Standards in some way, shape or form. As we know, Information Security is now the business. The major standards covered here are:
• ISO 17799
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act (HIPAA) 1996
• Food and Drug Administration 21 Code of Federal Regulations Part 11
• Federal Energy Regulatory Commission/North American Electric Reliability Council
• Payment Card Industry Data Security Standard
• Federal Financial Institutions Examination Council
• Gramm-Leach-Bliley Act
• Basel II
• Control Objectives for Information and Related Technology (COBIT)
• ITIL
• EU Directive on Data Protection
• UK Data Protection Act

The bad news is that one or more of these enforceable or voluntary standards are likely to be relevant to your business (and there are some not mentioned here that are particularly relevant to specific industries). The good news is that using, for example, ISO 17799 as a base, some sense can be made of the overall requirements – as many of these standards demand similar approaches.

ISO 17799 Section 3.1 Information Security Policy: Issue and Maintain Information Security Policy. This is a requirement of all other standards.
ISO 17799 Section 4.1 Organizational Security: Management Framework. This is a requirement of all other standards.
ISO 17799 Section 4.2 Organizational Security: Security of Third Party Access. This is a requirement of all other standards, though not explicitly of the Payment Card Industry and Basel II.
ISO 17799 Section 4.3 Organizational Security: Security of Outsourcing. This is a requirement of all other standards, though not explicitly of the Payment Card Industry and ITIL.
ISO 17799 Section 5.1 Asset Classification and Control: Accountability for Assets. This is a requirement of all other standards, though not explicitly of the Payment Card Industry.
ISO 17799 Section 5.2 Asset Classification and Control: Information Classification. This is a requirement of all other standards, though not explicitly of the Payment Card Industry.
ISO 17799 Section 6.1 Personnel Security: Security in Job Definition and Resourcing. This is a requirement of all other standards.
ISO 17799 Section 6.2 Personnel Security: User Training. This is a requirement of all other standards, though not explicitly of the Payment Card Industry.
ISO 17799 Section 6.3 Personnel Security: Responding to Security Incidents. This is a requirement of all other standards, though not explicitly of the Payment Card Industry.
ISO 17799 Section 7.1 Physical and Environmental Security: Secure Areas. This is a requirement of all standards.
ISO 17799 Section 7.2 Physical and Environmental Security: Equipment Security. This is a requirement of all standards.
ISO 17799 Section 7.3 Physical and Environmental Security: General Controls. This is a requirement of all standards.
ISO 17799 Section 8.1 Communications and Operations Management: Operational Procedures and Responsibilities. This is a requirement of all standards, but not explicitly of the Payment Card Industry.
ISO 17799 Section 8.2 Communications and Operations Management: System Planning and Acceptance. This is a requirement of all standards, but not explicitly of HIPAA, FERC/NERC, the Payment Card Industry, FFIEC and GLBA, and Basel II.
ISO 17799 Section 8.3 Communications and Operations Management: Protection Against Malicious Software. This is a requirement of all standards.
ISO 17799 Section 8.4 Communications and Operations Management: Housekeeping Routine. This is a requirement of all standards, but not explicitly of the Payment Card Industry and ITIL.
ISO 17799 Section 8.5 Communications and Operations Management: Network Management. This is a requirement of all standards.
ISO 17799 Section 8.6 Communications and Operations Management: Media Handling and Security. This is a requirement of all standards.
ISO 17799 Section 8.7 Communications and Operations Management: Exchanges of Information and Software. This is a requirement of all standards.
ISO 17799 Section 9.1 Access Control: Business Requirement for Access Control. This is a requirement of all standards.
ISO 17799 Section 9.2 Access Control: User Access Management. This is a requirement of all standards.
ISO 17799 Section 9.3 Access Control: User Responsibilities. This is a requirement of all standards.
ISO 17799 Section 9.4 Access Control: Network Access Control. This is a requirement of all standards.
ISO 17799 Section 9.5 Access Control: Operating System Access Control. This is a requirement of all standards.
ISO 17799 Section 9.6 Access Control: Application Access Control. This is a requirement of all standards.
ISO 17799 Section 9.7 Access Control: Monitoring System Access and Use. This is a requirement of all standards.
ISO 17799 Section 9.8 Access Control: Mobile Computing and Teleworking. This is a requirement of all standards, though not explicitly of ITIL.
ISO 17799 Section 10.1 Systems Development and Maintenance: Security Requirements of Systems. This is a requirement of all standards, though not explicitly of HIPAA and FFIEC/GLBA.
ISO 17799 Section 10.2 Systems Development and Maintenance: Security in Application Systems. This is a requirement of all standards.
ISO 17799 Section 10.3 Systems Development and Maintenance: Cryptographic Controls. This is a requirement of all standards, though not explicitly of COBIT.
ISO 17799 Section 10.4 Systems Development and Maintenance: Security of System Files. This is a requirement of all standards, though not explicitly of HIPAA and the Payment Card Industry.
ISO 17799 Section 10.5 Systems Development and Maintenance: Security in Development and Support Processes. This is a requirement of all standards, though not explicitly of HIPAA, FERC/NERC, the Payment Card Industry, FFIEC/GLBA, and Basel II.
ISO 17799 Section 11.1 Business Continuity Management: Aspects of Business Continuity Management. This is a requirement of all standards, though not explicitly of the Payment Card Industry and the EU Directive.
ISO 17799 Section 12.1 Compliance: Compliance With Legal Requirements. This is a requirement of all standards, though not explicitly of FERC/NERC, the Payment Card Industry, and Basel II.
ISO 17799 Section 12.2 Compliance: Reviews of Security Policy and Technical Compliance. This is a requirement of all standards.
ISO 17799 Section 12.3 Compliance: System Audit Considerations. This is a requirement of all standards.

Health warning: Implicitly all standards expect much the same approach. Get advice before acting on these comparisons! It should be noted that ISO 17799 is also a good basis for compliance with the Sarbanes-Oxley Act. In November 2007 the Markets in Financial Instruments Derivatives will be another regulation, primarily for the Financial Sector, to take into consideration in Europe.175

In such a short description as this it is not possible to do full justice to each of the standards. However, the general idea should be clear. It is no longer acceptable to be reactive in handling Information Security. CSOs/CIOs have all got to be proactive in managing Information Security. If that is a problem for your CEO, dig out the compliance issues that affect your industry in addition to the generic ones quoted here and see how you get on with an accountability discussion. However, these standards still really only address the tactical issues. Alternatively, think about this: the following tables and the above description of the developments in the recovery and continuity business areas demonstrate the immense amount of activity that has been devoted to this area. A contention could be that this is looking through the wrong lens. This is very operationally based activity with, frequently, very little visibility at C-suite level.
Further, it is not really about resilience in a true sense, nor is this activity truly strategic. At worst it can be described as a quick tactical response to an irritating problem. However, this book should have identified by now that the issue is actually much bigger than this. Any self-respecting CEO would expect his CFO to have a firm handle on the finances of the business. Yet, time and again, the matter of information management in a company is dealt with 2–4 levels down from the C-suite. This is because the issue of information management and security is looked at completely incorrectly. A reasonable analogy is that of Brands. Brands at one stage were given no value on balance sheets. Now they are. Information management is given no value on a balance sheet. Is this truly appropriate? What does information management deliver? Well, it can be argued that it is the DNA of businesses. Businesses with “good” DNA do well; those with “poor” DNA do badly. Another way of looking at it is that proper information management represents the difference between the net book value of a company and the market capitalization. The value difference between these two figures represents the “good” DNA, the excellent direction, and the effective management’s contribution to the business’ value. This should make the strategic importance of information management and security, and the need to be involved, especially, in Critical Information Infrastructure Protection, of importance to C-suite members. This implies an executive board member, the CIO. This is a concept that has developed well in the USA, so far less well elsewhere. It is absolutely critical to understand that a strategic approach to business information security and resilience in Information Infrastructure is vital for the future success of any business. This can be undertaken on a full-time basis, for large companies, or a part-time basis for SMEs.176

175 Information on MiFID available at http://www.fsa.gov.uk/Pages/About/What/International/EU/fsap/mifid/index.shtml (Accessed: 7 January 2007).

The key responsibilities of the CIO would be:
• Develop a strategic corporate policy for Information Infrastructure
• Manage and mitigate the Information Infrastructure corporate risk profile
• Institute corporate standards for Information Infrastructure
• Design, implement, and maintain an integrated corporate Information Infrastructure
• Plan investment and finance with regard to Information Infrastructure
• Liaise with other Chief Officers with regard to their corporate and departmental requirements
• Engineer appropriate business processes to use the Information Infrastructure appropriately
• Deliver an effective corporate knowledge base and information sharing protocols
• Monitor performance, strengths, and weaknesses in the Information Infrastructure and correct as necessary
• Advocate a quality approach to Information Infrastructure
• Evaluate the potential of new technologies
• Establish appropriate user fora
• Adopt appropriate business recovery and continuity plans
• Act as the company’s Information Infrastructure spokesman
• Lead the corporate crisis management team
• Comply with business specific and generic requirements with regard to Information Infrastructure
• Maintain an appropriate dialogue with other C-suite members
• Deliver a resilient organization based on an excellent Information Infrastructure

Note: The major standards discussed in this Chapter are compared, in a little more detail, in the following tables:

176 Many SMEs use part-time HR Directors. The same principle can be applied to CIOs. Onyx Group, www.onyx-group.net, is a company that handles part-time CIOs, business recovery, continuity, and resilience – and all associated services.
Objective: Infrastructure: A management framework should be established to initiate and control the implementation of information security within the organization
Requirement: Organizational Security
Section: 4.1
Issue and maintain an information security policy across the organization
Requirement: Information Security Policy Objective:
Section: 1 Section: 2 Section: 3.1
ISO 17799
Information and Communication
Control Activities General Controls
Internal Environment Commitment to Competence Organizational Structure Human resource Policies and practices Objective Setting Risk Appetite Risk tolerance Risk Assessment Likelihood and Impact Internal Environment Commitment to Competence Organizational Structure Human resource Policies and Practices
Sarbanes-Oxley COSO
Security Standard: 2. Assigned Security responsibility (R) (a) 1. Information System Activity Review (R)
Security Standard: 1. Sanction Policy (R) (a) 2. Assigned Security Responsibility (R)
HIPAA
TABLE 3. Comparison of international information security standards
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
FDA 21 CFR
1201. Cyber Security Policy 1210. Information Protection
1201. Cyber Security Policy 1210. Information Protection
FERC/NERC
(continued)
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
Payment card industry data security standard
Sarbanes-Oxley COSO
Internal Environment Management’s Philosophy and Operating Style Human resource Policies and Practices Risk Assessment Likelihood and Impact Control Activities General Controls
Internal Environment Commitment to Competence Human resource Policies and Practices Risk Assessment Likelihood and Impact Control Activities General Controls Information and Communication Monitoring
ISO 17799
Section: 4.2 Requirement: Organizational Security Objectives: Third-party access: To maintain the security of information assets accessed by third parties
Section: 4.3 Requirement: Organizational Security Objectives: Outsourcing: To maintain the security of information when information processing is outsourced to another organization
TABLE 3. (continued)
Security Standard: (b) 1. Written contract or other arrangement
Security Standard: (b) 1. Written contract or other arrangement
HIPAA
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
FDA 21 CFR
1207. personnel 1210. Information Protection
1207. personnel 1210. Information Protection
FERC/NERC
N/A
N/A
Payment card industry data security standard
Risk Assessment Likelihood and Impact Event Identification Event Categories
Section: 5.2
Objectives: Information Classification: Information should be classified to indicate the need, priorities, and degree of protection
Requirement: Asset Classification and Control
Control Activities General Controls
Section: 5.1 Requirement: Asset Classification and Control Objectives: Accountability for assets: All major information assets should be accounted for and have a nominated owner Security Standard: 1. Risk Analysis (R) (a) 1. Risk Management (R)
Physical Standard: (d) 2. Device and media Controls – Accountability (A)
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
1202. Critical Cyber Assets 1210. Information Protection
1202. Critical Cyber Assets 1210. Information Protection
N/A
N/A
(continued)
Internal Environment Human Resource Policies and Practices Control Activities General Control Information and Communication
Internal Environment Human Resource Policies and Practices Control Activities General Control Information and Communication
Section: 6.1 Requirement: Personnel Security Objectives: Security in Job definition and resourcing: To reduce the risks of human error, theft, fraud, or misuse of facilities
Section: 6.2
Objectives: User Training: To ensure that users are aware of information security threats and concerns and are equipped to support security policy in the course of their normal work
Requirement: Personnel Security
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Security Standard: (a) 5. Security reminders (A)
Security Standard: (a) 1. Sanction Policy (R) (a) 3. Authorization and/ or Supervision (A) (a) 3. Workforce Clearance procedure (A) (a) 3. Termination Procedures
HIPAA
(c) Protection of records throughout the records retention period (I) Users of electronic record/eelectronic signature systems have appropriate education, training and experience
(c) Protection of records throughout the records retention period
FDA 21 CFR
1207. Personnel 1211. Training
1207. Personnel
FERC/NERC
N/A
Implement Strong Access Control Measures: 8. Assign a unique ID to each person with computer access
Payment card industry data security standard
Event Identification: Event Interdependencies Risk Response: Identify Risk Responses Select Responses Control Activities General Controls Information and Communication Monitoring
Control Activities: General Controls Information and Communication Monitoring
Section: 6.3 Requirement: Personnel Security Objectives: Responding to Security Incidents and Malfunctions: Incidents affecting security should be reported through appropriate management channels as quickly as possible
Section: 7.1 Requirement: Physical and Environmental Security Objectives: Equipment Security: Equipment should be physically protected from security threats and environmental hazards
Security Standard: (a) 3. Authorization and/ or Supervision (A) 3. Workforce Clearance Procedure (A) Physical Standard: (a) 1. Facility Access Control (a) 2. Facility Security Plan (a) 2. Access Control and validation Procedures
Security Standard: 1. Sanction Policy (a) 5. Protection from Malicious Software (a) 6. Response and reporting (R) (a) 7. Emergency Mode Operation Plan (R)
(c) Protection of records throughout the records retention period
Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period
1205. Physical Security Perimeter 1206. Physical Access Controls 1208. Monitoring Physical Access
1211. Training 1214. Electronic Incident Response Actions 1215. Physical Incident response Actions
(continued)
Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data
N/A
Control Activities: General Controls Information and Communication
Control Activities: General Controls Information and Communication
Section: 7.2 Requirement: Physical and Environmental Security Objectives: Equipment Security: Equipment should be physically protected from security threats and environmental hazards
Section: 7.3
Objectives: General Controls: To prevent compromise or theft of information
Requirement: Physical and Environmental Security
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Physical Standard: (a) 1. Facility Access Control (d) 2. device and media Controls – Accountability (A)
Physical Standard: Workstation Use (R) Workstation Security 1. Device and media Controls – Disposal (R) (d) 2. Media reuse (R)
HIPAA
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
FDA 21 CFR
1205. Physical Security Perimeter 1206. Physical Access Controls 1208. Monitoring Physical Access 1210. Information Protection
1205. Physical Security Perimeter 1206. Physical Access Controls 1208. Monitoring Physical Access 1210. Information Protection
FERC/NERC
Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data
Implement Strong Access Control Measures: 9. Restrict physical access to cardholder data
Payment card industry data security standard
Objectives: System Planning and Acceptance: Advanced planning and preparation are required to ensure the availability of adequate capacity and resources.
Requirement: Communications and Operations Management
Section: 8.2
Objectives: Operational Procedures and Acceptance: Advanced planning and preparation are required to ensure the availability of adequate capacity and resources.
Requirement: Communications and Operations Management
Section: 8.1
Control Activities General Controls Monitoring
Internal Environment Assignment of Authority and Responsibility Risk response: Identify Risk Responses Select Responses Control Activities General Controls Monitoring
N/A
Security Standard: 1. Information System Activity review (R) (a) 1. Sanction Policy (R) (a) 2. Assigned Security responsibility (R) (b) 1. Written Contract or Other Arrangement (R) 6. Response and reporting (R) Physical Standard (a) 2. Contingency Operations (R) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period
Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation N/A
1214. Electronic Incident Response Actions 1215. Physical Incident Response Actions
N/A
N/A
(continued)
Objectives: House keeping: Routine procedures for implementing the back-up strategy
Requirement: Communications an d Operations Management
Section: 8.4
Objectives: Protection Against Malicious Software. Precautions are required to prevent and detect the introduction of malicious software
Event Identification: Event interdependencies Control Activities General Controls Monitoring
Event identification: Event interdependencies Risk Response: Identify Risk Responses Select Responses Control Activities General Controls Information and Communication Monitoring
Section: 8.3
Requirement: Communications and Operations Management.
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Security Standard: (a) 7. Data backup Plan (a) 7. Disaster recovery Plan (R) (a) 7. Emergency Mode Operation Plan (R) 7. Testing and Revision procedure (A) Physical Standard: (a) 2. Contingency Operations (R) (a) 2. Data Backup and Storage (A)
Security Standard: (a) 5. Protection from Malicious Software (A)
HIPAA
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
FDA 21 CFR
1211. Training 1216. recovery Plans
1210. Information Protection 1212. Systems Management 1214. Electronic Incident Response Actions
FERC/NERC
N/A
Build and Maintain a Secure Network: Install and maintain a firewall Maintain a Vulnerability Management Program: 5. Use and regularly update antivirus software
Payment card industry data security standard
Objectives: Media Handling and Security: procedures for protecting tapes, disks, cassettes from damage, theft, and unaccess
Requirement: Communications and Operations Management
Section: 8.6
Requirement: Communications and Operations Management Objectives: Network Management: Security management of networks spanning organizational boundaries and/or public networks
Section: 8.5
Control Activities General Controls Information and Communication
Risk Assessment Control Activities General Controls Monitoring
Physical Standard (d) 1. device and media Controls – Disposal (R) (d) 2. media reuse (R) (d) 2. device and media Controls – Accountability (A)
Technical Standard: (a) 2. Encryption and Decryption (A) (e) 1. Transmission Secuirty (e) 2. Integrity Controls
(c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time
(c) Protection of records throughout the records retention period
1206. Physical Access Controls 1210. Information Protection
1203. Electronic Security Perimeter 1210. Information Protection 1212. Systems Management
(continued)
Protect Cardholder Data: protect stored data Implement Strong Access Control measures: 9. Restrict physical access to cardholder data
Build and Maintain a Secure Network: 1. Install and maintain a firewall Maintain a vulnerability Management Program: 5. Use and regularly update antivirus software
Objectives: Business requirements for Access Control: Access control policies and rules
Requirement: Access Control
Section: 9.1
Objectives: Exchanges of Information and Software: Controls for exchanges of Information and software between organizations
Internal Environment Human Resource Policies and Practices Control Activities: General Controls
Risk Assessment Risk Response: Select Responses Control Activities General Controls Information and Communication Monitoring
Section: 8.7
Requirement: Communications and Operations Management
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Security Standard 4. Access Authorization (A)
Security Standard 1. Written contract or other arrangement Technical Standard 2. Encryption and Decryption (A) (d) Person or Entity Authentication (R) (e) 1. Transmission Security (e) 2. Integrity Controls (A)
HIPAA
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
FDA 21 CFR
1203. Electronic Security Perimeter 1206. Physical Access Controls 1207. Personnel 1210. Information Protection 1212. Systems Management
1210. Information Protection
FERC/NERC
Implement Strong Access Control Measures: 7. Restrict access to data by business-need-to-know
Build and Maintain a Secure Network: 1. Install and maintain a firewall
Payment card industry data security standard
Objectives: User Responsibilities: User awareness particularly with the use of passwords and the security of equipment
Requirement: Access Control
Section: 9.3
Objectives: User Access Management: Formal procedures to control the allocation of access rights to information systems and services.
Requirement: Access control
Section: 9.2
Internal Environment Human Resource Policies and Practices Control Activities: General Controls
Control Activities: General Controls Monitoring
Security Standard: (a) 5. Password management (A) Physical Standard: Workstation Use (R) Workstation Security
Security Standard 4. Access Authorization (A) 4. Access Establishment and Modification (A) (a) 5. Password Management (A) Technical Standard: (a) 2. Unique User Identification (R)
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals Use of authority checks to ensure that only authorized individuals can use the system (i) Users of electronic record/electronic signature system have appropriate education, training and experience
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system
1203. Electronic Security Perimeter 1206. Physical Access Controls 1211. Training 1212. Systems Management
1203. Electronic Security Perimeter 1206. Physical Access Controls 1210. Information Protection 1212. Systems Management
(continued)
Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords. Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access
Implement Strong Access Control Measures: 7. Restrict access to data by business-need-to-know
Objectives: Operating System Access Control: Security at the operating system level to control access. Methods include ensuring quality passwords, user authentication, and the recording of successful and failed system accesses
Requirement: Access Control
Section: 9.5
Objectives: Network Access Control: Ensure that appropriate authentication mechanisms for users and equipment are in place
Internal Environment: Human Resource Policies and Practices Control Activities General Controls Monitoring
Internal Environment: Human Resource Policies and Practices Control Activities General Controls Monitoring
Section: 9.4
Requirement: Access Control
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Security Standard 4. Access Establishment and Modification (A) 5. Password management (A) Technical Standard: (a) 2. Unique user identification (R) 2. Automatic Logoff (A) (d) Person or Entity Authentication (R)
Security Standard 5. Password Management (A) Technical Standard 2. Mechanism to Authenticate Electronic Protected Health Information (A) (d) Person or Entity Authentication (R)
HIPAA
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system
FDA 21 CFR
1203. Electronic Security Perimeter 1207. Personnel 1209. Monitoring Electronic Access 1212. Systems Management
1203. Electronic Security Perimeter 1207. Personnel
FERC/NERC
Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords. Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access
Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access
Payment card industry data security standard
Objectives: Monitoring System Access and Use: Systems should be monitored to detect deviations from access control policy and provide evidence in case of security incidents
Requirement: Access Control
Section: 9.7
Objectives: Application Access Control: Security to restrict access within application systems
Requirement: Access Control
Section: 9.6
Control Activities: General Controls Monitoring
Control Activities: * General Controls
Security Standard: 5. Log-In Monitoring (A) 1. Information System Activity review (R) 8. Audit Controls (R)
Security Standard: 4. Access Establishment and Modification (A) 5. Password management (A) Technical Standard: (a) 2. Unique user identification (R) (d) Person or Entity Authentication (R) (a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system 1203. Electronic Security Perimeter 1206. Physical Access Controls 1207. Personnel 1209. Monitoring Electronic Access
1203. Electronic Security Perimeter 1207. Personnel
(continued)
Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access Regularly Monitor and test Networks: 10. Track and monitor all access to network resources and cardholder data
Build and Maintain a Secure Network: 2. Do not use vendor-supplied defaults for system passwords Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access
Objectives: Security Requirements of Systems: To ensure that security is built into information systems, including infrastructure, business applications, and user-developed applications
Requirement: Systems development and Maintenance
Section: 10.1
Objectives: Mobile Computing and Teleworking: To ensure information security when using mobile computing and teleworking facilities
Control Activities: General Controls Monitoring
Internal Environment: Human Resource Policies and Practices Control Activities: General Controls Monitoring
Section: 9.8
Requirement: Access Control
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
N/A
Security Standard: (a) 4. Access Establishment and Modification (A)
HIPAA
(c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation
(c) Protection of records throughout the records retention period (d) Limiting system access to authorized individuals (g) Use of authority checks to ensure that only authorized individuals can use the system
FDA 21 CFR
1210. Information Protection
1203. Electronic Security Perimeter 1212. Systems Management
FERC/NERC
Maintain a Vulnerability Management Programme: 6. Develop and maintain secure systems and applications
Implement Strong Access Control measures: 8. Assign a unique ID to each person with computer access
Payment card industry data security standard
Objectives: Cryptographic Controls: Cryptographic systems and techniques should be used for information considered at risk
Requirement: Systems development and Maintenance
Section: 10.3
Objectives: Security in Applications Systems: To prevent loss, modification, or misuse of user data in application systems
Requirement: Systems development and Maintenance
Section: 10.2
Control Activities: General Controls Monitoring
Control Activities: General Controls
Technical Standard: (a) 2. Encryption and Decryption (A) (e) 2. Transmission Security – Encryption (A)
Technical Standard: 2. Transmission Security – Integrity Controls (A)
(c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (h) Use of device checks to determine validity of source data input or operational instruction (k) Use of appropriate controls over systems documentation
(c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (f) Use of operational system checks to enforce sequencing of steps and events as appropriate (k) Use of appropriate controls over systems documentation 1203. Electronic Security Perimeter
1212. Systems Management
(continued)
Protect Cardholder Data: 4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Programme: 6. Develop and maintain secure systems and applications
Objectives: Security in Development and Support Processes: Project and support environments should be strictly controlled
Requirement: Systems Development and Maintenance
Section: 10.5
Objectives: Security of System Files: Access to system files should be controlled
Control Activities: General Controls Monitoring
Control Activities: General Controls Information and Communication Monitoring
Section: 10.4
Requirement: Systems Development and Maintenance
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
N/A
N/A
HIPAA
(c) Protection of records throughout the records retention period (k) Use of appropriate controls over systems documentation
(a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (e) Use of secure, computer-generated audit trails, which are retained for a certain period of time (k) Use of appropriate controls over systems documentation
FDA 21 CFR
N/A
1203. Electronic Security Perimeter 1210. Information Protection 1212. Systems Management
FERC/NERC
N/A
N/A
Payment card industry data security standard
Objectives: Compliance With Legal Requirements: To avoid breaches of any criminal and civil law, statutory, regulatory, or contractual
Requirement: Compliance
Security Standard: 1. Sanction Policy (R) (a) 6. Response and reporting (R) (b) 1. Written Contract or Other Arrangement (R)
Section: 12.1
Internal Environment: Risk Appetite Commitment to Competence Event Identification: Risks and Opportunities Risk Assessment: Likelihood and Impact Control Activities: General Controls Information and Communication Monitoring
Security Standard: 7. Disaster recovery Plan (R) 7. Testing and Revision Procedures (A) (a) 7. Applications and Data Criticality Analysis
Requirement: Business Continuity Management
Objectives: Aspects of Business Continuity Management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
Event Identification: Event Interdependencies Risk Response: Identify Risk Responses Select Responses Control Activities: General Controls Information and Communication Monitoring
Section: 11.1
(c) Protection of records throughout the records retention period
(c) Protection of records throughout the records retention period
N/A
1211. Training 1214. Electronic Incident response Actions 1216. Recovery Plans
N/A
N/A
(continued)
Internal Environment: Risk Appetite Commitment to Competence Control Activities: General Controls Monitoring
Section: 12.2
Objectives: Reviews of Security Policy and Technical Compliance: Reviews should be performed against the appropriate security policies and the technical platforms and information systems should be audited
Requirement: Compliance
Sarbanes-Oxley COSO
ISO 17799
TABLE 3. (continued)
Security Standard: (a) 8. Technical Evaluation that measures compliance with security requirements (R)
HIPAA
(a) Validation of systems and the ability to discern invalid or altered records (c) Protection of records throughout the records retention period (f) Use of operational systems checks to enforce sequencing of steps and events as appropriate
FDA 21 CFR
1212. Systems Management 1213. Test Procedures
FERC/NERC
Regularly Monitor and test Networks: 10. Track and monitor all access to network resources and cardholder data Regularly Monitor and test Networks: 11. Regularly test security systems and processes
Payment card industry data security standard
Objectives: System Audit Considerations: There should be controls to safeguard operational systems and audit tools during system audits
Requirement: Compliance
Section: 12.3
Monitoring
Security Standard: (b) 8. Audit Controls (R)
(c) Protection of records throughout the records retention period
1213. Test Procedures
Regularly Monitor and test Networks: 10. Track and monitor all access to network resources and cardholder data
ISO 17799
Objective: Infrastructure: A management framework should be established to initiate and control the implementation of information security within the organization
Requirement: Organizational Security
Section: 4.1
Requirement: Information Security Policy Objective: Issue and maintain an information security policy across the organization
Section: 1 Section: 2 Section: 3.1
Key Risk Assessment Practices
Information Security Strategy
Security Process Roles and responsibilities
Information Security Strategy
Security Process Roles and responsibilities
FFIEC & GLBA
Risk Management Organizational Management
Risk Management Organizational Management Policy Management
Basel II
Deliver: Ensure Systems Security
Plan: Define a Strategic IT Plan Define the IT Organization and relationships Communicate Management Aims and Direction Manage Human resources
COBIT ®
4.1.1 Establish a management framework to initiate and manage information security
2.2.3 Responsibilities, powers, and duties are clearly specified by policy, processes, procedures, and work instructions
ITIL
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
EU directive
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes
First Principle: Personal data shall be processed fairly and lawfully
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
UK data protection
Objectives: Third-party access: To maintain the security of information assets accessed by third parties
Requirement: Organizational Security
Section: 4.2
Logical and Administrative Access Control
Security Process Roles and responsibilities
N/A
Deliver: Manage Third-Party Services Ensure Systems Security
4.1.1 Identify the risks arising from links with third parties
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 32: Subcontracting and subsequent data processing should be in full compliance regarding security of personal data
Section 20: Measures to safeguard the security of communications
(continued)
Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes
Objectives: Accountability for assets: All major information assets should be accounted for and have a nominated owner
Requirement: Asset Classification and Control
Section: 5.1
Objectives: Outsourcing: To maintain the security of information when information processing is outsourced to another organization
Requirement: Organizational Security
Section: 4.3
(continued)
ISO 17799
FFIEC & GLBA
Information Security Risk Assessment Information Gathering Analyze Information
Security Process Roles and responsibilities
Security Testing Outsourced Systems
Service Provider Oversight SAS 70 Reports
Security Process Roles and responsibilities
Basel II
Risk Management Asset Management
Policy Management Outsourcing Policy
COBIT ®
Plan: Define the IT Organization and relationships
Deliver: Manage Third-Party Services Define and Manage Service Levels
Plan: Manage Quality
ITIL
4.2.1 Ensure there is an overview of the most important information sources and systems; allocate responsibility for all information and systems
3.3.1 Configuration and Asset Management process
N/A
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 32: Subcontracting and subsequent data processing should be in full compliance regarding security of personal data
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Fifth Principle: Personal data processed shall not be kept for longer than necessary
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes
First Principle: Personal data shall be processed fairly and lawfully
Objectives: Security in Job definition and resourcing: To reduce the risks of human error, theft, fraud, or misuse of facilities
Requirement: Personnel Security
Section: 6.1
Objectives: Information Classification: Information should be classified to indicate the need, priorities and degree of protection
Requirement: Asset Classification and Control
Section: 5.2
Personnel Security Background Checks and Screening Agreements: Confidentiality, Nondisclosure, and Authorized Use Job Descriptions
Information Security Risk Assessment Information Gathering Analyze Information Prioritize responses
Policy Management Personnel Policy
Risk Management Asset Management
Deliver: Manage Facilities
Plan: Manage Human resources
Deliver Ensure Systems Security
Plan: Assess risks Define the Information Architecture
4.2.2 Includes job descriptions, applicant screening, confidentiality agreements
4.2.1 Rules for classification are outside the sphere of ITIL
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Responding to Security Incidents and Malfunctions: Incidents affecting security should be reported through appropriate management channels as quickly as possible
Requirement: Personnel Security
Section: 6.3
Objectives: User Training: To ensure that users are aware of information security threats and concerns and are equipped to support security policy in the course of their normal work
Requirement: Personnel Security
Business Continuity Considerations
Intrusion Detection and response Intrusion Response
Logging and Data Collection
FFIEC & GLBA
Personnel Security: Training
ISO 17799
Section: 6.2
(continued)
Basel II
Policy Management Personnel Policy Virus Scanners Incident response Plan
Policy Management Personnel Policy
COBIT ®
Deliver: Manage Problems and Incidents Manage Operations
Educate and Train Users
Deliver:
Plan: Manage Human Resources
ITIL
4.2.2 Includes responding to security incidents as quickly as possible through the right channels
4.2.2 Includes training to make employees aware of security threats and of the importance of information security
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Second Principle: Personal data shall be obtained only for one or more specified and lawful purposes
Objectives: Equipment Security: Equipment should be physically protected from security threats and environmental hazards
Requirement: Physical and Environmental Security
Section: 7.2
Objectives: Equipment Security: Equipment should be physically protected from security threats and environmental hazards
Requirement: Physical and Environmental Security
Section: 7.1
Physical Security: Data centre Security Cabinet and Vault Security Physical Security in Distributed IS Environments
Physical Security: Data centre Security Cabinet and Vault Security Physical Security in Distributed IS Environments
Policy Management Physical Security Policy
Policy Management Physical Security Policy
Manage Facilities
Deliver:
Ensure Systems Security Manage Data Manage Facilities
Deliver:
Select locations for installing equipment that involve the least risk from outside
ITIL Environmental Management Set
ITIL Environmental Strategy Set
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Operational Procedures and Acceptance: Advanced planning and preparation are required to ensure the availability of adequate capacity and resources
Requirement: Communications and Operations Management
Section: 8.1
Objectives: General Controls: To prevent compromise or theft of information
Requirement: Physical and Environmental Security
Business Continuity Considerations
Intrusion Detection and response Intrusion Detection Intrusion Response
Logging and Data Collection
Security Process Roles and Responsibilities
FFIEC & GLBA
Physical Security: Data centre Security Cabinet and Vault Security Physical Security in Distributed IS Environments
ISO 17799
Section: 7.3
(continued)
Basel II
Intrusion Detection Incident Response Plan Systems Administration
Policy Management Physical Security Policy
COBIT ®
Manage Problems and Incidents Ensure Continuous Service Manage Operations
Deliver:
Manage Data Manage Facilities
Deliver:
ITIL
4.2.3 Ensure there are established responsibilities for the management of all IT resources and all parts of the IT infrastructure including segregation of duties and security incident handling
Create an environment that promotes the safe handling of information and systems
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Protection Against Malicious Software. Precautions are required to prevent and detect the introduction of malicious software
Requirement: Communications and Operations Management.
Section: 8.3
Objectives: System Planning and Acceptance: Advanced planning and preparation are required to ensure the availability of adequate capacity and resources
Requirement: Communications and Operations Management
Section: 8.2
Malicious Code: Controls to protect against malicious code
N/A
Cyber Intelligence Patch Management Firewalls Active Content Filtering Intrusion Detection Virus Scanners Incident response Plan
N/A
Manage Problems and Incidents Ensure Systems Security Manage the Configuration
Deliver:
Ensure Continuous Service Manage Performance and Capacity
Deliver:
4.2.4 Access Control, Antivirus control policy
3.3.2 Incident Control/Help Desk
3.4.3 Improving performance in terms of throughput capacity and response times; other measures include resource, demand and workload management, application sizing, and modeling
3.3.4 Change Management Process
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Network Management: Security management of networks spanning organizational boundaries and or public networks
Requirement: Communications and Operations Management
Section: 8.5
Objectives: Housekeeping: Routine procedures for implementing the back-up strategy
Requirement: Communications and Operations Management
Logical and Administrative Access Control: Network Access
FFIEC & GLBA
Business Continuity Considerations
ISO 17799
Section: 8.4
(continued)
Basel II
Risk Management Asset Management Cyber Intelligence Patch Management Firewalls Active Content Filtering Web Application Security Intrusion Detection Virus Scanners
Incident Response Plan
COBIT ®
Ensure Systems Security
Deliver:
Ensure Continuous Service Manage Data
Deliver:
ITIL
4.2.3 Communications and Operations Management: security measures for networks
ITIL does not normally go into details on housekeeping
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Exchanges of Information and Software: Controls for exchanges of Information and software between organizations
Requirement: Communications and Operations Management
Section: 8.7
Objectives: Media Handling and Security: procedures for protecting tapes, disks, cassettes from damage, theft, and unauthorized access
Requirement: Communications and Operations Management
Section: 8.6
Logical and Administrative Access Control: Access Rights Administration Network Access Remote Access
Electronic and Paper-Based Media Handling: Handling and Storage Disposal Transit
Active Content Filtering Firewalls Web Application Security Virus Scanners
Physical Security
Ensure Systems Security
Deliver:
Manage Data
Deliver:
Section 20: Measures to safeguard the security of communications
4.2.3 Communications and Operations Management: handling and security of data carriers and network services. Agreements should be included in the SLA
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 22: During the period of storage, confidentiality remains guaranteed
Article 4: Technical and organizational measures to safeguard electronic communications services
4.2.3 Communications and Operations Management: handling and security of data carriers
3.4.4 Fallback Planning
3.4.2 Availability Management
(continued)
Eighth Principle: Personal data shall not be transferred to a country or territory outside the European Economic Area, unless an adequate level of protection for personal data is ensured
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Fifth Principle: Personal data processed shall not be kept for longer than necessary
Objectives: User Access Management: Formal procedures to control the allocation of access rights to information systems and services
Requirement: Access control
Section: 9.2
Objectives: Business requirements for Access Control: Access control policies and rules
Requirement: Access Control
Logical and Administrative Access Control: Access Rights Administration Network Access Authentication Operating Systems Access Application Access Remote Access
FFIEC & GLBA
Logical and Administrative Access Control: Access Rights Administration
ISO 17799
Section: 9.1
(continued)
Basel II
Access Controls/Authentication Active Content Filtering Web Application Security Virus Scanners Systems Administration
Access Controls/Authentication Systems Administration
COBIT ®
Ensure Systems Security
Deliver:
Ensure Systems Security
Deliver:
ITIL
4.2.4 Access Control: network, computer and application access control
Largely outside the scope of ITIL
EU directive
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unaccess to communications
Section 20: Measures to safeguard the security of communications
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Network Access Control: Ensure that appropriate authentication mechanisms for users and equipment are in place
Requirement: Access Control
Section: 9.4
Objectives: User Responsibilities: User awareness particularly with the use of passwords and the security of equipment
Requirement: Access Control
Section: 9.3
Logical and Administrative Access Control: Network Access
Personnel Security: Training
Access Controls/Authentication Active Content Filtering Web Application Security Virus Scanners
Access Controls/Authentication Virus Scanners Systems Administration
Ensure Systems Security
Deliver:
Ensure Systems Security
Deliver:
4.2.4 Access Control: network, computer access control
Outside the scope of ITIL, this is the responsibility of the user organization
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Application Access Control: Security to restrict access within application systems
Requirement: Access Control
Section: 9.6:
Objectives: Operating System Access Control: Security at the operating system level to control access. Methods include ensure quality passwords, user authentication, and the recording of successful and failed system accesses
Requirement: Access Control
Logical and Administrative Access Control: Application Access
FFIEC & GLBA
Logical and Administrative Access Control: Operating System Access
ISO 17799
Section: 9.5
(continued)
Basel II
Access Controls/Authentication Active Content Filtering Web Application Security Virus Scanners
Access Controls/Authentication Active Content Filtering Web Application Security Intrusion detection Virus Scanners Systems Administration
COBIT ®
Ensure Systems Security
Deliver:
Ensure Systems Security
Deliver:
ITIL
4.2.4 Access Control: application access control
4.2.4 Access Control, computer access control
EU directive
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Mobile Computing and Teleworking: To ensure information security when using mobile computing and teleworking facilities
Requirement: Access Control
Section: 9.8
Logical and Administrative Access Control: Authentication Remote Access
Logging and Data Collection
Requirement: Access Control
Objectives: Monitoring System Access and Use: Systems should be monitored to detect deviations from access control policy and provide evidence in case of security incidents
Monitoring
Section: 9.7
Policy Management Remote System Access Controls/Authentication Active Content Filtering Web Application Security
Access Controls/Authentication Active Content Filtering Web Application Security Virus Scanners
Ensure Systems Security
Deliver:
Monitor: Assess Internal Control Adequacy
N/A
4.2.4 Access Control: monitoring and auditing information system access
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
Article 6: Processing of traffic data restricted to authorized persons
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 21: Prevent unauthorized access to communications
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Security in Applications Systems: To prevent loss, modification or misuse of user data in application systems
Requirement: Systems development and Maintenance
Section: 10.2
Objectives: Security Requirements of Systems: To ensure that security is built into information systems, including infrastructure, business applications, and user-developed applications
Requirement: Systems development and Maintenance
Logical and Administrative Access Control: Application Access
FFIEC & GLBA
N/A
ISO 17799
Section: 10.1
(continued)
Basel II
Cyber Intelligence Patch Management Systems Administration
Systems Administration
COBIT ®
Acquire and Maintain Application Software
Acquire:
Acquire and Maintain Application Software Acquire and Maintain technology Infrastructure
Acquire:
ITIL
ITIL is not specifically concerned with system development
ITIL book software lifecycle support and the business perspective set
ITIL is not specifically concerned with system development
ITIL book software lifecycle support and the business perspective set
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Security of System Files: Access to system files should be controlled
Requirement: Systems Development and Maintenance
Section: 10.4
Objectives: Cryptographic Controls: Cryptographic systems and techniques should be used for information considered at risk
Requirement: Systems development and Maintenance
Section: 10.3
Logical and Administrative Access Control: Operating System Access Application Access
Encryption
Systems Administration
Active Content Filtering Web Application Security Virus Scanners Systems Administration
Ensure Systems Security Manage the Configuration Manage Changes
Deliver:
N/A
ITIL is not primarily concerned with individual components, such as files, queues, data, or messages
Article 4: Technical and organizational measures to safeguard electronic communications services
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
ITIL is not specifically concerned with system development
Section 20: Measures to safeguard the security of communications
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Aspects of Business Continuity management: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters
Requirement: Business Continuity Management
Section: 11.1
Objectives: Security in Development and Support Processes: Project and support environments should be strictly controlled
Requirement: Systems Development and Maintenance
Business Continuity Considerations
FFIEC & GLBA
N/A
ISO 17799
Section: 10.5
(continued)
Basel II
Incident Response Plan
N/A
COBIT ®
Ensure Continuous Service Manage Problems and Incidents Manage Data
Deliver:
Ensure Systems Security Manage Changes
Deliver:
ITIL
EU directive
3.4.4 Business Continuity Planning: an entire ITIL book is dedicated to this topic
N/A
Article 4: Technical and organizational measures to safeguard electronic communications services
ITIL is not specifically concerned with system development
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Objectives: Reviews of Security Policy and Technical Compliance: Reviews should be performed against the appropriate security policies and the technical platforms and information systems should be audited
Requirement: Compliance
Section: 12.2
Objectives: Compliance With Legal Requirements: To avoid breaches of any criminal and civil law, statutory, regulatory, or contractual
Requirement: Compliance
Section: 12.1
Security Testing: Testing Concepts and Application Independent Diagnostic tests Key factors Outsourced Systems Monitoring and Updating
Regulatory Guidance, Resources, and Standards Information Security Strategy
Risk Management Asset Management Intrusion Detection Vulnerability and Penetration Testing
N/A
Monitor the processes Assess Internal Control Adequacy Obtain Independent Assurance
Monitoring:
Install and Accredit Systems
Article 4: Technical and organizational measures to safeguard electronic communications services
(continued)
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Acquire:
4.3 Audit and Evaluate: Security reviews of IT systems
Section 20: Measures to safeguard the security of communications
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Plan: Ensure Compliance with External requirements
Monitoring: Monitor the Processes Assess Internal Control Adequacy Obtain Independent Assurance
4.3 Audit and Evaluate: Security reviews of IT systems
Section 20: Measures to safeguard the security of communications
Article 4: Technical and organizational measures to safeguard electronic communications services
Objectives: System Audit Considerations: There should be controls to safeguard operational systems and audit tools during system audits
Requirement: Compliance
FFIEC & GLBA
Security Testing: Testing Concepts and Application
ISO 17799
Section: 12.3
Basel II
Intrusion Detection Vulnerability and Penetration Testing
COBIT ® N/A
ITIL
EU directive
Article 4: Technical and organizational measures to safeguard electronic communications services
4.3 Audit and Evaluate: Security reviews of IT systems
Section 20: Measures to safeguard the security of communications
UK data protection
Seventh Principle: Technical and organizational measures against unauthorized or unlawful processing of personal data
Chapter 8 A Tangential Threat to OECD Resilience: The Twenty-First Century East India Company177
This chapter sets out some very general and wide-ranging views, slightly tongue in cheek, about a possible future trading bloc and its consequences, based on Critical Information Infrastructure and posing a potential threat to European and OECD resilience in economic terms. This shows that the existing Infrastructure is not just of use to potential asymmetric fighters. The more detailed, and serious, work behind these views has been looked at in the Universities of Northumbria and Nice, at the European Telecommunications Resilience and Recovery Association and the Institut Pericles. The issue dealt with here is about a different type of approach to resilience. In the seventeenth century, one of the then major global powers, Britain, took the step of establishing a monopoly of commerce between itself and the Far East. The monopoly was given to the British East India Company. This relationship culminated in the effective rule of India and control of much of Britain’s import and export trade. The relationship lasted, in one form or another, for over 250 years. The company’s methods were based on a mixture of extraterritorial law and the establishment of key trading relationships. The company annexed territory on the grounds that the ruler was evil; it took over territory and businesses in other ways; and it became exempt from many taxes and duties. Eventually the company became corrupt and was taken over by the State, and became the basis of Britain’s Asian colonies. A shorter-lived enterprise by the Dutch, shorter by only 50 years, led in turn to the Dutch Asian colonies. Essentially these enterprises were state-sponsored resource, globalization and trading empires operating independently in an anarchic environment. The wealth accumulated, directly and indirectly, to the sponsor states. They were a cornerstone of modern-day capitalism, and changed trading practices forever. They also enabled and financed further expansion elsewhere. Even today the major data highways in the Far East are based on the key trading sites established by these companies and their allies over 200 years ago.
177 This idea arose from a conversation between the author, then a Research Fellow at Northumbria University, and Christian Tafani, Research Fellow, Institut Pericles, University of Nice, at the ETR2A Conference in Sophia Antipolis in June 2005.
One view of Capitalism today might be that it has become the dominant economic system across the world. At the same time as the system becomes ubiquitous it also tends toward the lowest common denominator and commoditization. Not all countries/economies can make money out of cars/textiles/other consumer goods in such an environment. As a consequence, high-cost “advanced” economies start to move out of mass production/manufacturing and migrate towards “service” and “knowledge economies.” The next decade will see both the continued rise of economies such as China and India and the drift of manufacturing jobs from the advanced nations. This may gather such momentum over the next five years that anyone who has recently won an election may come to rue the day. Some economies recognize that this is not going to be good enough to sustain an ever-growing standard of living. They recognize that they will still need to compete with China and India, if for no other reason than to maintain the cohesion, stability and tax take of their own societies. Some advanced economies have sufficient critical mass to be in a position to determine their own fate much more successfully than others. They have large internal markets and relatively secure international trading patterns. It can be assumed that Europe and the USA might be two such entities. These two entities have very different social approaches. On the one hand there is a purist, noninterventionist, capitalist approach modified by limited Federal Government regulation, generating high growth on the back of Information Technology improvements in particular. On the other hand is a much more socially motivated model that is constantly concerned that it is not meeting its rival’s growth, jobs, and tax achievements.
It has a looser Federal structure, but a much more interventionist approach. This gives it cause for concern about the long-term viability of the social model. Both entities have historically been aggressive. Components of both are more likely to settle their differences by war than by other means. Both have tried to take commercial advantage of the “anarchic” vacuum left by the end of the Cold War. Europe has been the prime example of a Christian–Military Complex for a millennium or more. The USA has been the prime example of a Christian–Industrial–Military Complex for a century or more. As the pace of change compresses the longevity of ascendancy, the race is on for dominance between a Christian–Military–Information Complex, as exemplified by the USA, and the rest. This scenario has led researchers at the Universities of Northumbria and Nice to look closely at the implications for the future. The starting point is the NU-UN Hypothesis, which states as follows: that recent political, economic, social, technical, environmental and legal acts in the United States, the EU and elsewhere will have the effect, coincidentally or otherwise, of posing a security threat to EU political, economic, social and technical progress, particularly in regard to the Lisbon Agenda, growth and jobs.
Another way of interpreting this is to suggest that Europe’s future growth is at risk from a USA-driven twenty-first century Information-based “East India Company.” Perceived and actual extraterritorial legislation from the United States is impacting many businesses and economies. The legislation may not be directly applicable outside the USA, but those involved in global supply chains meeting USA OEM demands are already feeling the effects. An example is the Sarbanes-Oxley Act – the governance and information technology requirements of which impact throughout the supply chain. Another is the Homeland Security Executive Order, which also has extraterritorial implications. Yet another is the Gramm-Leach-Bliley Act. Another is HIPAA. All of these have an impact not only on how USA companies participate in the economy, but also on how those who wish to interact with the USA economy participate too. Additionally, as recent events in the online gambling industry have shown, the USA is perfectly willing to take protectionist steps to protect certain parts of the economy from online competition – even when this falls foul of the World Trade Organization.178 At the same time as extraterritorial legislation is impacting business, USA political and social influence expands. From the former southern states of the former USSR, through the Middle East and South America, the influence of the sole global superpower rises. Militarily, the USA is arguably more active than it has ever been in its history. Despite the activities of Russia, India, and China, the world’s resources in the form of oil and other raw materials are still concentrated in the hands of American companies and their allies. The development of competitors is limited, even in places like Russia, because of the huge capital requirements of that development.
Those who hold within their national boundaries large natural resources are destined to remain the poorer partners – as the oil- and diamond-rich countries of the twentieth century, for example, have already found. Any self-respecting USA multinational now seeks tax breaks before committing to placing economically interesting projects in other countries. Foreign Direct Investment from the USA is dominated by tax considerations. Over and above all this, the USA controls the new means of access and delivery, the Internet. Any argument to the contrary is simply wishful thinking – as any map of data traffic and value traffic shows. So it is contended that the USA, its businesses and its allies have constructed a Twenty-first Century East India Company with remarkable similarities to the British East India Company of the seventeenth century. It uses extraterritorial law, the acquisition of resources, trading relationships, and a new trading mechanism, eCommerce, to accumulate wealth to itself via a range of commercial partners and military intervention.
178 Kirchgaessner, S and Pimlott, D (2006) US Could Face WTO Pressure Over Online Protectionism. 4 October. Financial Times.
The good news about this is severalfold. Europe is, in general, a good ally of the USA for all sorts of sensible and pragmatic reasons. Staying that way would mean, if not the creation of a modern day Dutch East India Company, then at least participation in the “new” information-driven capitalist market place. Recent cooperation on cyber crime has been strong.179 This could help to ensure the preservation of manufacturing, service, and “knowledge” jobs to the overall benefit of Europe. Further, the split between a “new” capitalist economy based on the USA and the “old” capitalist economy based on China and India could mean benefit for everybody in terms of the overall increase in the global standard of living. On the other hand, this could all turn out to be really bad news. The inability of Europe to keep up with and match an aggressive USA may lead to further unemployment and recession, not more jobs and growth as the Lisbon Agenda demands. Additionally, an effective global digital divide may cause more trouble. China and India may wish to challenge the overall strategy; Russia may feel marginalized, to as yet unknown consequences; other groups may feel even more victimized and marginalized and react with a variety of cyber and traditional terrorist attacks – all aimed at the heart of the new market. The on–off aim of Europe to try and create a new Internet is also bad news – this will exacerbate differences rather than unite similarities for the good of both. The USA has a history of destabilizing those that do not entirely conform to its wishes and is matched in Machiavellian intent, according to some, only by China. It would be dangerous to be on the outside looking in, rather than vice versa. The new European Commission has a strategy based on the Lisbon Agenda. In order to deliver this strategy it has a number of severe challenges to face.
If it does not meet these challenges then the very idea of Europe is under threat in a way that challenges the underlying tenets of the Union. Of course, there’s no answer to this. However, there are some givens in the equation. The first is that there is a need to progress in Europe, and so pragmatic developments and policies are required. A second is that the Information Economy is not going to go away, and so successful involvement and participation is critical to future success. A third is that there is going to be a hemorrhage of manufacturing and service jobs, and so it will be necessary to find a way of mitigating this to ensure social stability. A fourth is that there will be a shortage of resources in some of the competing regions, and so ownership of resources and infrastructures is critical for future success and negotiating. Finally, war has changed; so it is important to understand that war is no longer about tanks, aircraft, and battleships but about technical superiority, asymmetries, and bugs. Given these, a pragmatic approach to ensure the delivery of the European social model is extremely important. Cooperation between Europe and the USA under the aegis of the OECD could create a sustainable electronic economic model of advantage to both. A counter argument is that the supposed extraterritorial nature of USA laws such as Sarbanes-Oxley is very counterintuitive and counterproductive. Sarbanes-Oxley has resulted in extreme costs, according to some, and has not really addressed the Governance issues arising from Enron and WorldCom. It has also resulted in a fall in the number of new business starts and a rise in the number of Initial Public Offerings on the London markets as opposed to the USA markets. This in turn has led to potential bids for the London Stock Exchange from American Exchanges. Thus, far from extending its hegemony, the USA has actually “shot itself in the foot.” However, it remains the case that this and other legislation can be perceived as being extraterritorial and supportive of an alternative agenda. The development of the social model for Europe is under challenge from a perceived expansionist USA, which is acting in some ways as a latter day East India Company. It is not clear that the European social model will be able to sustain this challenge without modification, and such modification is likely to require a much more aggressive pursuit of the Lisbon Agenda than is currently evident. In the USA, legislation of this nature is not always seen in this way.
179 EU Business (2006) US Joins European Cybercrime War. 30 August. EU Business. Available at http://www.eubusiness.com/Internet/060929201838.df5jgr30 (Accessed: 7 January 2007).
Chapter 9 Resilience and Outsourcing Call Centers Offshore: A Case Study
This Chapter seeks to demonstrate that holistic thinking is required when outsourcing in business. Failure to think of the whole picture may lead to Information Infrastructure, in particular, being corrupted. It emphasizes the primacy of Information Infrastructures over other Infrastructures in the private sector. Call centers are Information-Infrastructure-dependent businesses that have been increasingly outsourced over recent years. This Chapter will be an example of how to encourage a strategic approach to Information Infrastructure, as opposed to a tactical approach to a business issue. This should help to clarify the distinction between resilience, recovery, and continuity. The future is not known for sure – so what sort of industries there will be is not known for sure either. What is known is that it will be a bit like today, only different. This has been the story of development so far. In telecommunications the pace of change has been so fast that we know that this is likely to have an impact on the “different” bit of this statement. The technology exists today for us all in the “connected” world to regulate our homes, order goods and services, transport ourselves, and communicate with others by use of our mobile phone. In the “connected” world the individual’s hierarchy of needs has come down to the need to earn money to buy and pay for a mobile phone – then everything is possible. This, of course, is the case for the still privileged few. But the actual numbers of this privileged few will shortly outnumber all persons living at the turn of the twentieth century. This few is an enormous number of people – and enormous numbers (however relative), as Stalin said (qv), have a quality all of their own. Call centers are pivotal to this “connected” world. They are the means by which everything will work. They can be automated or “human” – either way they have to be reliable and be, above all, user friendly. They must also make money.
As English is the majority language for the privileged communicators (this does not mean all users of mobile phones – but those who increasingly use Information Infrastructure to run and organize their lives) it follows that call centers must major in English. It will be some years yet before China, for example, develops the tastes of the American, Japanese, or European middle classes, and this is where the money is: over 70% of the world’s GDP and more of its disposable income. A telecommunication infrastructure is also a requirement. This does not just mean a satellite receiving station and/or a switching station. It means a sophisticated fiber optic and wireless infrastructure supported by appropriate disaster recovery and support services. The biggest single risk factor in locating a call center is available personnel, closely followed by disaster recovery. Such centers and infrastructure require large capital investments. They cannot safely be located in areas of high political or economic risk. The support services required for such operations are varied. They run from the computer service team on 24 hours standby to replace critical items to the market research companies looking at forward buying trends in the market place. Such a combination of skills can only be found in relatively few sophisticated markets. The more call centers there are, the more of these types of services are required. These are not “unskilled” jobs – they demand high-tech or high-marketing skills or a combination of both. Few long-lived call centers have closed, and most have got bigger and added further services. In summary an international call center must:
• Have a market and a product
• Have a low cost base, but access to high quality services
• Have a reliable and user friendly environment
• Have English as the lead language
• Serve the major “disposable” income areas
• Have an infrastructure and disaster recovery services
• Have a labor pool
• Be located in areas of low political and economic risk
• Have high-tech and high-marketing skills to hand.
(N.B. Practical experience in places like Utah, Colorado, Leeds, Dublin, Amsterdam demonstrates that, unfortunately perhaps, these requirements all need to be met in the immediate geographical area and cannot be “telecommunicated” in! A paradox, but one worth remembering!)
Cost is critical not only to the development of call centers but also to producing the new “embedded systems” and the marketing tools required to ensure the continued development of the call center. House builders and household goods makers are reluctant to take the risks of using such technology because, although they are relatively slight, the costs involved erode already tight margins on products. A further paradox therefore is that the only areas to locate call centers and associated future products are in relatively low labor cost areas, with access to high tech areas. These areas are to be found in relatively few areas of the USA and Europe. If the other factors required in location mentioned above are included, then the potential locations become even fewer.
It would be churlish to single out any particular region, but a potential list would run as follows:
• Some regions of the USA
• Particular regions of the UK (the North and Scotland being prime – the former in particular for user friendly voices!)
• The Republic of Ireland (although there is a potential labor shortage now)
• The Netherlands and Belgium
• Potentially some emerging East European countries such as Romania, Poland, and the Czech Republic, where English is becoming a relatively common second language; the accents are pleasant and a high standard of engineering, marketing, and infrastructure is present
This is a very short list, shorter, in fact, than the list of countries that could take a major car plant, electronics plant, or engineering plant. The same list would, more or less, fulfill most of the other requirements for the establishment of a call center, but few others could compete, and where this has been tried it has frequently met with embarrassing failure. The sorts of support businesses that call centers attract can, as noted, only draw labor from a high tech pool. These sorts of businesses are, however, varied and not only demand high skill levels but also promote higher skill levels in a region. The System Integrators – the people who actually put the call center together and then maintain it – need to maintain a pool of software and hardware engineers skilled in wired and wireless communication. They, in turn, attract the distributors for the major software and hardware manufacturers. In their turn they attract the manufacturers of software and hardware. Sales and marketing teams from these businesses peddle their wares to associated applications: process control, finance houses, and local government. This increases the level and sophistication of the use of technology in an area and has a positive impact on productivity. This in turn attracts new business and so the circle becomes an ever more virtuous one.
As long as a pool of relatively cheap labor remains then the call centers usually stay put – as newly acquired local expertise drives improvements in the industry. Proper Disaster Recovery is not cheap. Fixed sites need to be prepared to mirror existing operations in some cases. These need to be moved to either by a flick of a switch, or physically in short order. The infrastructure required to do either of these things successfully (and/or maintain the existing facility with sufficient fail-safe attributes to make it virtually disaster proof) is simply not available everywhere – not even in the G8 countries. The requirements of disaster recovery therefore limit location further. The skills for Crisis Management and Disaster Planning depend on a pool of properly trained people to be successful. These, too, are not available everywhere. Where they exist they attract additional management expertise – often dealing in food contamination
Chapter 9 Resilience and Outsourcing Call Centers Offshore
problems, environmental control, and critical infrastructures of all kinds. This brings yet another level of expertise into play for the region. Then come the specialist support services: the data miners, the forecasters, and the market research companies. These companies bring research techniques that are at the very forefront of marketing practice. These techniques have more than one market application – so they get sold to the car manufacturer, the ice cream maker, and the international engineering plant – all of whom become more efficient, raising further the general efficiency of the region. Practical experience tells us that these companies do move to call center loci. English may be the lead language, but other languages are needed. The general tendency is that international call centers improve the language skills of an area in general. The Universities put on more courses; the adult education centers change their syllabuses to match the demand for specific labor. The region becomes more International in outlook – there is a bigger pool of better-qualified labor. The effects of this can be staggering. The case study is the Irish Development Agency’s approach. Some years ago they went round all the schools, wrote to all the parents, spoke to all the children (everyone) about the skills they would need in five years’ time because of the businesses they intended to attract. The success of this program is absolutely evident today in the high tech nature of the Republic of Ireland’s business growth over the last ten years and the reduction in unemployment. Training in other respects becomes important too and there are similar knock-on effects to those previously described, from basic telephony training to sophisticated programming courses at Universities. Then there is the matter of cost. Few regions are in a position to offer the incentives that can make call centers an attractive long-term economic proposition.
Even fewer can generate the support services required. Far fewer can develop those into a forward thinking business. Those that can need have no fear that the call centers they attract are mobile, unless other factors such as risk profile changes come into play, and they can be confident that by attracting them they are adding significantly to the overall skill and competence base of their region. A view that call centers enhance the technological and industrial environment is not universally held. Many believe that they are merely temporary residents, which milk the incentive round to best advantage. Practical experience would seem to counter this – certainly historically and currently. What then of the future? This Chapter started with the premise that the future will be much the same as the present but different: and that the “different” bit is likely to stem from telecommunications and Information Infrastructure. It is certain that the business of running our lives will be revolutionized. It is equally certain that new industries will be created – not just to service the telecommunications providers but also to generate new sorts of businesses currently unthought-of. The receiving of calls will remain the critical part of the business, and requires an
infrastructure. Already leading telecommunication companies have advanced call center technology by connecting customers to a call center via a Web site. The call centers have not physically moved to provide this service, but their infrastructure has improved. Such innovations have a host of applications from medicine through to catalogue shopping – this catalogue shopping will be able to automatically restock the larder with your regular and favorite foods, and suggest changes to your diet, which will already have been prequalified to your taste and budget. The people driving these events are not in Silicon Valley – they are frequently running call centers and research centers in Troy (MI), Greeley (CO), Cork (Ireland), Sunderland (UK), Noord-Brabant (Netherlands), or Flanders (Belgium): not immediately identifiable as centers of high tech excellence, but certainly becoming so. The effects of the changes that will sweep the telecommunication industry will be passed on to industry at large. Everything will become faster, and companies will be able to react to all sorts of forces more quickly. The ones that do so first and will continue to do so are likely to be close to existing centers. In the meantime we have seen 9/11, and much cost cutting in particular service industries. There has been a consequent trend over the last few years to outsource call centers from USA and European sites offshore to places such as India and the Philippines. Typically a “seat” in a USA or European call center will cost up to $100,000. Savings have been identified through offshore outsourcing of $50,000 per “seat” and more. However, as with all change, there are benefits and costs to offshore outsourcing. Call centers are places customers call to seek satisfaction from suppliers on such things as choice, orders, order tracking, service, complaints, and account management of all descriptions.
Call centers are typically “in-house” or “outsourced.” “In-house” call centers tend to be closely linked, both functionally and in location, to their principals. “Outsourced” call centers tend to deliver a similar function for a range of clients. Large, worldwide businesses have emerged to handle this latter type of service. In-house call centers are rarely outsourced offshore. However, recently some major companies have announced that they will outsource the more minor functions of in-house call centers offshore. Outsourced call centers are increasingly being located offshore. Many western financial, airline, and telecommunication companies, in particular, have led the establishment of call centers to replace generic customer services in High Street locations. Generic functions are concentrated in one place and handled by telephone agents acting for a company contracted to deliver a similar functional service to many principals. Fast moving consumer goods and government services are also increasingly handled by call centers – but these are unlikely to be outsourced offshore in quite the same way as finance, airline, and telecommunication. Financial services, airlines, and telecommunication companies have led the way in outsourcing. This trend is unlikely to be followed by other sectors in quite the same way. Call center outsourcing has been a feature of western domestic markets for many years. The trend to offshore outsourcing started some seven years
ago (2000) and has rapidly gathered pace over the last four years (since 2002). This pace has been driven by cost, principally as financial services, airlines and large telecommunication companies seek to reduce overhead.180 It is difficult to predict how long the current trend will last. Certainly, as long as there is real or perceived benefit to offshore outsourcing then the trend is likely to continue. However, there are some difficulties emerging. These are related to over-expansion of the sector and some anticipated consolidation, cultural problems particularly in some financial sectors, quality issues at middle management level, etc., and the emergence of an alternative. Technology improvements have led to an alternative to offshore outsourcing emerging. Ki work181 and home-working initiatives, particularly in rural areas in both the USA and Europe, suggest that savings of more than 80% of those achieved in current offshore outsource locations can be achieved in-country. This approach sees singleton agents working from home for single or multiple principals. Recent studies also seem to demonstrate that such savings are matched by retention rates (i.e., how many clients are kept by the agent/call center) some 3–5 times higher than those in offshore centers, and lower “churn” rates (i.e., the agent staff stay longer). Concerns have also emerged from customers and data protection commissioners over the location of corporate individual data in “foreign” hands. The drive for offshore outsourcing is frequently human resource cost driven (as the cost of agents is often the single biggest cost) and often ignores the higher costs of data transfer between principal and provider locations. The pros and cons of outsourcing offshore can be summarized as follows:
Pros
• Lower operating/direct costs
• Fast implementation
• Change management by contract
• Quality (sometimes)
• Flexibility
Cons/Risks
• Getting the right partner
• Quality (sometimes)
• Culture
• Increased data transfer costs
• Technology
• Political instability (see comments on Asymmetric Warfare)
• Breach of UK/European Data Protection Legislation and possibly USA Legislation
• Customer revolt
• Ki work emerging
180 More information on the advantages of outsourcing is available at: http://www.outsource2india.com/why_outsource/articles/Call_center_outsourcing.asp (Accessed: 7 January 2007).
181 More information on Ki work is available at: http://www.ki-work.com (Accessed: 7 January 2007).
The following is a brief checklist of major areas for attention:
• Overall Internal Controls
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• IT/Telecommunication
• Definition of relationships
• Risk assessments
• Management
• Performance and capacity
• Continuous Service
• Monitoring of processes
• Assurance
• International data transfer availability, cost, resilience, and recovery
Such a checklist again implies the need for strategically integrated systems, a robust telecommunication infrastructure, and a tactical business continuity and disaster recovery plan. In the case of call centers located offshore the demands on resilience are very high indeed, and not to be underestimated. Approaches that deal with the issue from a tactical, human resource perspective, and not from a strategic, business resilience perspective, are apt to miss the mark. Ki work exploits the coming together of three forces, which change the way in which contact/admin center work will be done:
• The recent trend toward offshoring creates a new focus on driving down transaction costs, although operators are starting to be concerned about quality trade-offs
• Broadband has become pervasive and the supporting network technology is now ready for secure virtual call centers
• Increasing stress in the workplace is leading to changes in the way people view work. Workers desire more flexibility and control over their work/life balance. A new generation is less interested in the traditional command and control approach to managing work relationships
In addition, organizations that have work that is suited to a contact/admin center approach (which are referred to as process owners) are under relentless pressure to reduce costs, improve quality, reduce staff turnover, and find the right people.
The companies that manage those contact centers, commonly referred to as outsource service providers, who account for 12.5% of all contact centers, face the same problems. The only current solutions using command-and-control structures are either to increase automation, to offshore to places like India, or to focus more on customer value. Employees in command-and-control organizations are subjected to increasing levels of stress and many are now looking for ways to improve work/life balance. At the same time there is a largely untapped and highly skilled workforce of independent home workers,
who are seeking more rewarding ways to work, and to have more flexibility and control over their lives. Ki workers work from home and are connected to one or more outsource service providers over a secure broadband connection. Ki work manages the network that gives them access to that work and supports them in their everyday activities. It also provides some elements of the infrastructure that enable process owners and outsource service providers to access the information they need to manage that work. Ki work is a highly scalable and network-centric solution that delivers real improvements in service, productivity, and cost and that matches and integrates the needs of these three groups. India, the Philippines, and South Africa for English, and Mexico and South America for Spanish, are the most popular offshore destinations. In these locations much money has been put into infrastructure, capitalizing companies and lobbying. There is some doubt that the returns are there, even with current growth rates being maintained. This will naturally lead to consolidation and potential dangers for principals.
Chapter 10 Information Infrastructure: Resilience, Recovery, and Security
This Chapter is concerned with bringing together much of the foregoing. There is a little repetition here of earlier comments and statements. This is intended to be helpful by way of putting a number of ideas into a context. It does this by exploring the strategic importance of the relationship between Information Infrastructure, telecommunications resilience, recovery and security and both Asymmetric Warfare and Obstructive Marketing. This relationship is neither well documented nor well understood. However, it is important to a philosophical and pragmatic approach for sustaining order, development, and cohesion in Information Infrastructure. This is because it is now clear that the success of the western/northern world economies, and sustainability for other economies, is increasingly dependent on the reliable operation of Information Infrastructure. The year 2000 was an eventful year for Information Infrastructure and associated industries. The world did not collapse as a result of the Year 2000 (Y2K) computer stability and calendar issue. Eos (2004)182 describes how well things actually went. In the middle of the year mankind became more dependent on computers for survival than on anything else; this was determined largely from Y2K-related projects that identified the how and why of the dependency. The dot.com bubble effectively burst. Bloor (2000)183 catalogues the end of the dot.com dreams. The following year, 2001, as the first year of the millennium, was almost as important. 2001 was the year in which the United States of America (USA) economy began to show signs of massive productivity growth on the back of Business to Business (B2B) productivity improvements enabled by telecommunications (as tracked by The Economist, Bloomberg, Business Week, Europa (2004)184 and others); it
182 The Eos Life – Work Resource Centre Y2K Update. Available at http://www.eoslifework.co.uk/Y2Kupdate.htm (Accessed: 3 January 2007).
183 Bloor, R (2000) The Destruction of Dot Com Dreams. Available at http://www.it-analysis.com/article.php?articleid=1429 (Accessed: 3 January 2007).
184 Europa (2004) Available at http://www.europa.eu.int/abc/index2_en.htm (Accessed: 3 January 2007).
TABLE 4. Broadband access in OECD 2003. Proxy for telecommunications and data usage (Source: OECD185).
[Bar chart: broadband access in OECD countries per 100 inhabitants, June 2003, split into DSL, Cable Modem and Other; vertical axis 0–25. Countries shown, as far as the labels can be recovered: Korea, Canada, Iceland, Denmark, Belgium, Netherlands, Sweden, Switzerland, United States, Japan, Austria, Finland, an OECD total, Norway, Germany, Spain, France, United Kingdom, Portugal, Australia, Italy, Luxembourg, New Zealand, Hungary, Czech Republic, Ireland, Mexico, Poland, Turkey, Slovak Republic, Greece.]
saw a conservatism develop in the telecommunication players as a counter-point to Y2K and as a reaction to the dot.com bubble. This conservatism was partly a result of reduced expenditure on computer and Information Infrastructure related items post Y2K. This conservatism reduced the hype of Business to Consumer (B2C) developments in favor of making B2B work. At the same time developments in standards began to gather pace according to the British Standards Institute and others. These changes were exacerbated by the well-documented events of 11 September 2001 at the World Trade Center, New York, USA. Telecommunications traffic remains massively skewed toward the biggest world economies (OECD) and remains the driving force of the differential growth rates between the OECD and others. Information Infrastructure and associated systems are therefore clearly at the heart of day-to-day life, economic development and globalization, and, as a consequence, a key strategic resource. Information Infrastructure is a Critical Infrastructure. The elements of a telecommunication system are a transmitter, a medium (line) and possibly a channel imposed upon the medium, and a receiver. The transmitter is a device that transforms or encodes the message into a physical
185 Source available at http://www.oecd.org/document/16/0,2340,en_2649_34225_35526608_1_1_1_1,00.html (Accessed: 7 January 2007).
phenomenon: the signal. The transmission medium, by its physical nature, is likely to modify or degrade the signal on its path from the transmitter to the receiver. The receiver has a decoding mechanism capable of recovering the message within certain limits of signal degradation. In some cases, the final “receiver” is the human eye and/or ear (or in some extreme cases other sense organs) and the recovery of the message is done by the brain (see psychoacoustics) (Free Dictionary.com, 2004).186 Note that systems sit on Information Infrastructures and are therefore both dependent upon them and part of them. Information Infrastructure encompasses both the infrastructure and the systems. From such a description it might be inferred that the term Information Infrastructure resilience has the clear attributes of an oxymoron. Although this is not true, what is true is that there are a series of dependencies involved that ensure that the running of a secure Information Infrastructure network is not a simple, or necessarily secure, task. These dependencies can be mapped using appropriate software, an example being the Dependency Modeling Tool (Wong, 2003),187,188 and a probability of failure arrived at, as well as a worst combination of events and single points of failure. In order to reduce difficulties it is important that telecommunication infrastructures are as resilient, and recoverable, as possible, and dependencies fully understood. A review of available literature would suggest that Information Infrastructure resilience is one of the most under-researched and underdeveloped parts of the telecommunications industry; little is written about it. It is certainly important, as is clear from the ease with which everything from hard wired national telecommunication networks to the World Wide Web is brought, frequently, to a crashing halt. The Hong Kong Monetary Authority’s (2002)189 lessons from 11 September 2001 summarize the main issues involved in such events.
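The kind of dependency mapping described above, as an added illustration that is not part of the book and is not the Dependency Modeling Tool or VuRisk: a hypothetical AND/OR dependency tree for a call center service, evaluated for overall failure probability, single points of failure and the most likely “worst combination” of failures. The topology, the node names and every failure probability are constructed for the example; the evaluation assumes a tree with independent leaf failures.

```python
"""Constructed dependency model of a call center service (illustration only).

A node either "needs all" of its children (it fails if any child fails) or
"needs any" of them (redundancy: it fails only when every child has failed).
Leaf probabilities are constructed numbers, not measured figures.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Set, Tuple


@dataclass
class Node:
    name: str
    p_fail: float = 0.0            # leaves only: independent probability of failure
    needs: str = "all"             # "all" = every child required; "any" = one surviving child suffices
    children: List["Node"] = field(default_factory=list)


def failure_probability(node: Node) -> float:
    """P(node fails), assuming a tree with independent leaf failures."""
    if not node.children:
        return node.p_fail
    child_ps = [failure_probability(c) for c in node.children]
    if node.needs == "all":
        survives = 1.0
        for p in child_ps:
            survives *= 1.0 - p    # survives only if every child survives
        return 1.0 - survives
    failed = 1.0
    for p in child_ps:
        failed *= p                # redundant group fails only when all members fail
    return failed


def is_failed(node: Node, failed_leaves: Set[str]) -> bool:
    """Deterministic evaluation: does the node fail if exactly these leaves have failed?"""
    if not node.children:
        return node.name in failed_leaves
    states = [is_failed(c, failed_leaves) for c in node.children]
    return any(states) if node.needs == "all" else all(states)


def leaf_table(node: Node) -> Dict[str, float]:
    """Leaf name -> failure probability, in depth-first order."""
    if not node.children:
        return {node.name: node.p_fail}
    table: Dict[str, float] = {}
    for c in node.children:
        table.update(leaf_table(c))
    return table


def single_points_of_failure(root: Node) -> List[str]:
    """Leaves whose failure alone brings the root down."""
    return [name for name in leaf_table(root) if is_failed(root, {name})]


def minimal_cut_sets(root: Node, max_size: int = 3) -> List[Tuple[str, ...]]:
    """Smallest combinations of leaf failures (up to max_size) that fail the root."""
    names = list(leaf_table(root))
    found: List[Tuple[str, ...]] = []
    for k in range(1, max_size + 1):
        for combo in combinations(names, k):
            if any(set(prev) <= set(combo) for prev in found):
                continue           # a subset already fails the root, so this one is not minimal
            if is_failed(root, set(combo)):
                found.append(combo)
    return found


def worst_combination(root: Node, max_size: int = 3) -> Tuple[Tuple[str, ...], float]:
    """The minimal cut set most likely to occur, with its probability (independence assumed)."""
    table = leaf_table(root)
    best: Tuple[str, ...] = ()
    best_p = 0.0
    for cut in minimal_cut_sets(root, max_size):
        p = 1.0
        for name in cut:
            p *= table[name]
        if p > best_p:
            best, best_p = cut, p
    return best, best_p


def build_model(redundant_pbx: bool = False) -> Node:
    """Constructed example: what a call center service depends on (hypothetical values)."""
    power = Node("power", needs="any", children=[Node("mains", 0.05), Node("generator", 0.10)])
    wan = Node("wan", needs="any", children=[Node("carrier_a", 0.02), Node("carrier_b", 0.04)])
    pbx_units = [Node("pbx", 0.01)] + ([Node("pbx_standby", 0.02)] if redundant_pbx else [])
    switching = Node("switching", needs="any", children=pbx_units)
    agents = Node("agents", needs="any", children=[Node("site", 0.03), Node("homeworkers", 0.05)])
    return Node("call_center_service", needs="all", children=[power, wan, switching, agents])


if __name__ == "__main__":
    for redundant in (False, True):
        m = build_model(redundant)
        print(f"standby PBX={redundant}: P(fail)={failure_probability(m):.4f}, "
              f"SPOFs={single_points_of_failure(m)}, worst={worst_combination(m)}")
```

Run as-is, the model shows the single unduplicated PBX as the only single point of failure and as the most probable cause of a total outage; adding the standby unit removes the single point of failure and roughly halves the overall failure probability, while the “worst combination” moves to the loss of both mains and generator. Real dependency graphs share components between branches (the same carrier serving two sites, for instance), and for those the simple product rule in `failure_probability` over-counts independence; the cut-set evaluation in `is_failed` remains correct because it tests concrete failure states rather than multiplying probabilities.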
General assumptions are also made about resilience, such as the more open a physical network is the less resilient it is and the more recoverable a system is the more resilient it is. Arguments for and against open systems are well made by Anderson (2002).190 These systems are part of the telecommunication network in that
186 Free Dictionary.com. Available at http://encyclopedia.thefreedictionary.com/Telecommunications%20service (Accessed: 7 January 2007).
187 Wong, A (2003) Before and Beyond Systems: An Empirical Modeling Approach, Ph.D. Thesis. Department of Computer Science, University of Warwick, UK, January. Available at http://www.dcs.warwick.ac.uk/~allan (Accessed: 7 January 2007).
188 See also Professor John Gordon’s dependency modeling tool known now as VuRisk. Available at http://www.johngordonsweb.co.uk/concept/about.html (Accessed: 7 January 2007).
189 Banking Development Department Hong Kong Monetary Authority (2002) Business Continuity Planning After 9/11, Hong Kong Monetary Authority Quarterly Bulletin, 11.
190 Anderson, R (2002) Security in Open Versus Closed Systems – The Dance of Boltzmann, Coase and Moore. Available at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf (Accessed: 7 January 2007).
they sit on top of the physical infrastructure. Anderson notes that the statistical difference between the reliability of open and closed systems is negligible. Although this is not necessarily the case for the physical networks, it is the case that the view that closed networks are more secure than open networks is one that is not statistically or commercially proven. Reardon (2004)191 has commented on the dangers of allowing proprietary and ostensibly secure systems, developed by commercial players such as Microsoft, to be deployed on a wide-scale basis. Anderson (2004)192 has commented similarly, as has the Computer and Communications Industry Association.193 A counter argument is available.194 This Chapter is not going to argue for or against open networks; there is merit in both open and closed systems. If the status quo is accepted it remains the case that, open or closed, the resilience of the system needs to be improved in order that the larger system of predominantly western and northern society continues to operate successfully. Developing resilience in the existing open systems raises a whole series of political, economic, social, technical, environmental, and legal issues that others have commented upon. If Anderson (2002)195 is right then there is, in both systems and networks, an argument for a greater “defense” role in maintaining networks. The United States House of Representatives (1996 on)196 is looking ever more closely at this subject. The “defense” issue is not just evident at a “control” level. It is also evident at an operational level. Kendra et al. (2003)197 comment as follows in a defense context in regard to the 11 September 2001 disaster: Resilience thus requires:
• A high degree of organizational craftsmanship, composed in turn of individually exercised craftsmanship
• The ability to respond to the singularities in the interactions of social, technological and natural systems, which requires artistry; and
191 Reardon, M (2004) Microsoft and Cisco Clash on Security. CNET.news.com, 17 September. Available at http://insight.zdnet.co.uk/internet/security/0,39020457,39166968,00.htm (Accessed: 7 January 2004).
192 Anderson, R (2004) Trusted Computing. Available at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (Accessed: 7 January 2007).
193 Report on Cybernet Insecurity. Available at http://www.ccianet.org/papers/cyberinsecurity.pdf (Accessed: 6 January 2007).
194 An argument that Microsoft is not a threat to US National Security is available at http://news.netcraft.com/archives/2004/2005/28report_microsoft_not_a_threat_to_us_national_security.html (Accessed: 6 January 2007).
195 Anderson, R (2004) op. cit.
196 United States. House of Representatives. (1996) The Cyber-Posture of the National Information Infrastructure. Washington. Chairman: Willis H Ware. Available at http://www.rand.org/publications/MR/MR976/mr976.html (Accessed: 7 January 2007).
197 Kendra, JM, et al. (2003) Elements of Resilience After the World Trade Centre Disaster: Reconstituting New York City’s Emergency Operations Centre. Disasters, 27(1) pp. 37–53.
• A sense for what is the same and what is different from prior experience in every new experience, so that responses are continually adjusted, anomalies are sensed, and learning occurs and is incorporated into the next incremental unit of response
This sort of resilience is demonstrated in High Reliability Organizations, such as submarines and aircraft carriers. Rochlin et al. (1987)198 comment on why these particular entities are so resilient. Resilience is not robustness, which is withstanding stress; resilience is not redundancy, which is about substitution; it is not resourcefulness, which is about marshalling ingenuity; it is not rapidity, which is about timeliness; “but these features may also be seen as having a telescoping relationship, wherein the robustness, redundancy, resourcefulness and capacity for rapidity of elements that constitute a socio-technical system contribute to the system’s overall resilience.” Kendra et al. (2003).199 Resilience in children has been well documented. Grotberg (1998)200 identifies 15 elements of resilience – these can be compared to those that can be seen in Rochlin et al.’s (1987)201 high reliability organization.
TABLE 5. Comparison of Resilience Qualities
Grotberg (1998) – resilient children characteristics | Rochlin et al. (1987) – high reliability organizations operator characteristics
Trusted network | Trust
Limits on behavior | Discipline
Show how to do things right | Teaching organization
Learn to be independent | Learning organization
Assisted when sick | Supportive
Am liked and loved | Camaraderie
Am well behaved | Behavioral norms
Am respectful | Hierarchical empathic organization
Am responsible | Clear responsibilities
Am confident | Confident
Can communicate | Formal and informal communication
Can solve problems | Solve problems
Can control when things go wrong | Adaptive
Opportunistic | Opportunistic
Can get help when needed | Can get help when needed
198 Rochlin, GI, et al. (1987) The Self-Designing High Reliability Organization: Aircraft Carrier Flight Operations at Sea, Naval War College Review, Autumn.
199 Kendra, op. cit.
200 Grotberg, E (1998) The International Resilience Project, 55th Annual Convention, International Council of Psychologists, Graz, Austria, July 14–18, 1997 (published 1998).
201 Rochlin, GI (1987) op. cit.
As Grotberg’s (1998)202 15 characteristics are also evident in the operator characteristics of high reliability organizations, it would be reasonable to suggest that such characteristics are those to be expected in a resilient telecommunication network. These characteristics need to be evident in both the equipment, as both Rochlin et al. (1987)203 and Kendra et al. (2003)204 suggest, and the individuals who run it. The characteristics required of a resilient Information Infrastructure network would seem to be rare. They are clearly evident in defense-oriented situations. They also seem to be evident in those organizations that have a defense mentality. Individual observation would suggest that they are evident in operations run by companies such as EDS205 and Qinetiq206; they are becoming apparent in parts of the Financial Services industry, but seem to be absent from much of elsewhere. Information Infrastructure resilience is often confused with telecommunications disaster recovery and business continuity planning. It is of course important to “bounce back” from difficulties, but it is also important that such a return is to the “original” form. The current emphasis in the industry with regard to disaster recovery and business continuity planning is akin to planning “to close the stable door after the horse has bolted,” rather than securing the door in the first place. The door does need to be better secured. Information Infrastructure resilience is important. It is the strategic approach, as opposed to the tactical approach. Information Infrastructure recovery is an area of both applied and original research that is much better covered than resilience – but that is because it is a much less difficult area than resilience. British Standard (BS) 7799, the Information Security Standard, and the British Standards Institute’s Business Continuity Standard BS 25999 are both standards that deal with this subject rather than true Information Infrastructure resilience.
Recovery assumes that something will go wrong, and puts plans in place to try and ensure recovery from that wrong. At the simple level this is about replacing one router with another, it is about building redundancy. Redundancy is very different to resilience. Redundancy is a short-term fix; resilience is a long-term fix. Long-term fixes tend to be more expensive than short-term fixes in the short term, but cheaper in the long term. Recovery, and redundancy, is about what to do when true resilience has failed. However, recovery, and redundancy, is important and the better-prepared all are to recover from problems then the better all round. There is a lesser debate to be had regarding the disciplines of disaster recovery and business continuity being part of resilience or recovery. This Chapter
202 Grotberg, E (1998) op. cit.
203 Rochlin, GI (1987) op. cit.
204 Kendra, JM (2003) op. cit.
205 More information available at http://www.eds.com (Accessed: 7 January 2007).
206 More information available at http://www.qinetiq.com (Accessed: 7 January 2007).
would argue that both these disciplines are part of the recovery process, once resilience has failed. Security is the state of being free from danger or injury; resilience is about being able to return to original form after deformation. Information Infrastructure security is again slightly different to resilience, recovery, and redundancy. The four key things required to keep Information Infrastructure secure are people, physical, systems, and electronic security. This includes resilience, recovery, and redundancy. Secure communications tend to be, currently, closed communications: confidential (security vetted individuals), physically secure, system secure, and electronically secure. Most of the time, most people are dealing with open systems that have few vetted individuals and are both physically and electronically insecure. This is the perception, and reality, despite open systems being statistically as likely to be as secure, in certain circumstances, as closed software systems according to Anderson (2002).207 The more general trick will be to turn the statistically secure open systems into those that are both accepted as such and operated as such – then they will be both secure and resilient. This is another subject completely that cannot be adequately covered here. Information Infrastructure is now the critical infrastructure and all the OECD economies are dependent upon it. Resilience, recovery, and redundancy are not the same thing. Resilience is an under-researched but key area of interest in the maintenance of Information Infrastructure and telecommunication systems. There are clear parallels between how children and high reliability organizations become resilient and the qualities sought in a resilient Information Infrastructure. Whether or not a system is open or closed is not necessarily a security issue; but security is certainly dependent on resilience. Security is about, as noted, being free from danger or injury.
One of the biggest current security threats to states is Asymmetric Warfare. One of the biggest current security threats to business and commerce is Obstructive Marketing. If Information Infrastructure is central to the OECD countries' economic performance then a link should exist between Information Infrastructure, Asymmetric Warfare, and Obstructive Marketing. Hyslop (2003)208 argued that asymmetric war-fighting methods are not new. They were practiced during previous world wars, and almost all other wars. They have characteristics of total war, where balance, timing, effort, and resources are deployed in different measures to deny a strong military power the full use of that power. This is, simplistically, where the world is today with regard to the attacks on the USA and its allies, and the responses in Afghanistan and Iraq. However, this is likely to be just the start of a long campaign and it is important to understand how it might develop and what

207 Anderson, R (2002) op. cit.
208 Hyslop, MP (2003) Asymmetric Warfare, Proceedings International Conference on Politics and Information Systems: Technologies and Applications (PISTA'03), Orlando, Florida, USA. 31 July 2003 – 2 August 2003.
Chapter 10 Information Infrastructure: Resilience, Recovery, and Security
the western and northern powers need to understand in order to fight this asymmetric war well. Consider an incomplete table of differences between two conflicting groups:

TABLE 6. Comparison of West v Al Qaeda

Western/Northern alliance | An Al Qaeda type alliance
Believe they are right | Believe they are right
Have lots to lose | Have not much to lose
Have money | Have less money
Have little faith | Have lots of faith
Geographically concentrated | Geographically dispersed
Perceived as strong, arrogant | Perceived as weak
Not used to fighting | Used to fighting
Hi-technology dependent | Technology independent, parasitic
Family in decay | Family strong
High crime | Low crime
Weak group cohesion | Strong group cohesion
Lowering education | Rising education
"Own" resources, especially food and water | "Own" fewer resources, especially food and water
Use lots of resources | Use fewer resources
Believe in capitalism | Believe in god
Has massive conventional military power | Has limited conventional military power
Does not use terrorism | Does use terrorism
Visible | Not easily visible
Timing: operate to short term goals driven by political considerations | Timing: operate to long term goals driven by a sense of history
This table could be extended but it is clear it has little symmetry. Asymmetric Warfare therefore brings all these pluses, minuses, and inequalities into play in a contest between the two (or more) protagonists. Clearly an Asymmetric War will involve many more factors than just a conventional military contest. Asymmetric Warfare is generally conducted in a covert, planned military/technical, criminal, or cultural manner and less frequently in a spontaneous manner. Information Infrastructure is both a target and a conduit for Asymmetric Warfare. It is a target in that it represents an infrastructure dominated by the major powers and is therefore seen as a legitimate target by those who seek to destabilize these powers. It is a conduit because the infrastructure and the applications that sit on it, the Internet/World-Wide Web in particular, give those asymmetric combatants an opportunity to plan, communicate, and sometimes even execute asymmetric events. Steganographic techniques are often used for communication. Hyslop (1999)209 defined Obstructive Marketing as:

Any process, legal or not, which prevents or restricts the distribution of a product or service, temporarily or permanently, against the wishes of the product manufacturer, service provider or customer.

209 Hyslop, MP (1999) op. cit.
The term "any process" reflects the global nature of the issue and accepts that different mores will prevail in different parts of the world. The term "legal or not" is used because what is legal and acceptable in one state is not in another. Judgment must often be suspended in looking at global practices from a purely western legal standpoint. (Otherwise, for example, it would be impossible to discuss Islam in an unbiased fashion.) The term "prevents or restricts" is used because the sale of goods and services can be stopped in an absolute or relative manner depending on the subtlety of those who seek to obstruct the marketing efforts of others. The term "distribution of product or service" is used because distribution is central to the marketing effort. The term "temporarily or permanently" is used because time always changes the picture in international relations, and this affects business as well as politics. The term "product manufacturer, service provider, or customer" is used because these are the players in Free Market Capitalism. The addition of the words "or customer" to the original definition reflects the later thought that customers, as well as providers, can be deprived as a result of the potential techniques. This is both logical and common sense, particularly from a marketing viewpoint, and particularly where the customer is key.

In the same way that a table can be drawn up to reflect the differences between the main protagonists in an Asymmetric Warfare situation, a similar table can be drawn up between those who seek to globalize their business and those who may seek to prevent that globalization, an obstructive marketing group.

TABLE 7. Comparison of Globalisation v Obstructive Marketing

Globalizing company | Obstructive Marketing group
Believe they are right | Believe they are right
Have lots to lose | Have lots to lose
Have money | Have some money
Have faith | Have faith
Geographically concentrated | Geographically dispersed (many, everywhere)
Perceived as strong, arrogant | Perceived as weak
Used to dominating | Used to serving
Hi-technology dependent | Technology independent, parasitic
Independent of family | Family dependent
Suffers from organized crime | Suffers from casual crime
Tends to be independent of groups | Tends to group cohesion
Lowering education – tasks carried out independently, e.g. checkouts in supermarkets | Rising education – multitasked and adaptable
"Own" resources | "Own" fewer resources
Use lots of resources | Use fewer resources
Believe in capitalism | Believe in different things
Has massive economic power | Has limited economic power
Visible | Not easily visible
Operate to short-term goals driven by quarterly results and shareholders | Operate to long term goals

The table for Obstructive Marketing has some clear parallels with the table for Asymmetric Warfare.
Obstructive Marketing is characterized by planned competitive, criminal, and cultural attacks or, less frequently, casual attacks. The consequences of these events on economic development as a whole can be summarized in the following table, after Yip (1997)210 and Hyslop (1998).211

TABLE 8. Impact of Recent Events on Global Drivers

Key current global driver | Likely impact of recent events
Common customer needs | More differentiation
Global customers | Regional markets reemerge
Global channels | Regional channels
Transferable marketing | More differentiation
Global scale economies | Regional economies (except China)
Steep experience curves | More measured approaches
Low transportation costs | Higher transportation costs
Difference in in-country costs | Continues – but slower
High product development costs | Higher product development costs
Need for technology transfer | Technology transfer less popular
Open trade policies | Protectionism reemerges
Open technical standards | Continues – but slower
Open marketing regulations | Protectionism
High exports and imports | Less imports
Interdependence | More independence
Globalized competitors | Regional competitors
Transferable competitive advantage | Held competitive advantage
Asymmetric Warfare and Obstructive Marketing have striking similarities. Both represent key threats to the political and economic fabric of western/northern societies. These threats are strategic because they threaten the political and economic stability of those societies. The main parallels are:
• A contest between "big" and "small"
• A contest between "rich" and "less rich"
• A contest between "concentrated" and "dispersed" groups
• A contest between those perceived as "strong" and those perceived as "weak"
• A contest between hierarchical and flat structure groups
• A contest between the hi-technology dependent and the not-technology dependent
• A contest between those with relatively weak group cohesion and those with strong group cohesion
• A contest between those that deal primarily with organized crime and those that deal with casual crime
• A contest between the highly educated and the less/differently educated
• A contest between those that own massive resources and those who do not
• A contest between those that use lots of resources and those who do not
• A contest between those who basically believe in some form of Capitalism and those who believe in something different
• A contest between those with massive economic power, and those with less
• A contest between highly visible entities, and the less visible
• A contest between those with short-term goals, and those with a very different view of time.

It is clear from research (Hyslop, 1999)212 that the corporate world has had, arguably, rather more success in dealing with Asymmetric/Obstructive challenges than the political world. One reason for this is that both the corporate world and its challengers share an attribute, faith, or a determined belief (for example, delivering shareholder value concentrates the mind wonderfully) in what they are doing, which is often missing from the political world. Further, it is clear that the corporate world has been dealing with the problem consistently rather than intermittently, for a considerable period of time. This has led to a whole industry growing up to deal with such threats.

In simple terms the Old World Order disappeared, and the Second World War finally ended, with the collapse of the Berlin Wall and of Communism in the USSR at the end of the 1980s and early 1990s. This world order was marked by relative certainty. There was the East, the West, and the Third World where the other two competed, often by proxy, against each other. The titanic struggle between two competing philosophies was governed by mutually assured destruction and treaty.

210 Yip, G (1998) Global Strategy and the Role of Call Centers. Proceedings of the International Call Center Summit. April 20, 21, 22, 1998, Reston, Virginia, USA.
211 The main ideas on this were contained in Hyslop, MP (1998) The International Call Centre, Elements for Survival. April. Telemarketing and Call Center Solutions. Available at http://findarticles.com/p/articles/mi_qa3700/is_199804/ai_n8806136 (Accessed: 7 January 2007).
The new world order that seemed to emerge after the early 1990s was greeted with enthusiasm in the West, which saw an opportunity for both itself and its new partner states, particularly in the north of Europe, to extend Capitalism across the world. This was to be the era of globalization. But not all saw it in such a way. China took the opportunity to develop a different approach to wealth creation, more akin to its own "permanent revolution" ideology than to the capitalism of the West. Others took exception to the imposition of a foreign culture and there was a backlash, particularly in those countries where faith predominates over capitalism. Further groups took the opportunity to press their own special interests; these ranged from corporately driven coups, through drug baron wars, to fundamentalist insurgency. There was no mutually assured destruction, just the opportunity for more groups to destroy each other, and no treaties. The world became unstable, and writers such as Huntington (1993)213 predicted a clash between ideologies that has more or less been vindicated. Others such as Fialka (1997)214 saw parallels in the economic world and felt that war was now being waged on an economic front.

In parallel to the change in world order was the Information Infrastructure revolution. As with all true revolutions this changed the world too. This revolution initially affected primarily the western and northern states (primarily the OECD), but held out great promise for the east and south as a means of making up ground on the richer west and north. Dramatic changes in the way capitalism operated followed as new and more efficient means of handling, and making, money appeared. So much so that by the end of the millennium the dependency of the western and northern financial system on Information Infrastructure to operate was total, hence part of the reason for the targeting of the World Trade Centre on 11 September 2001. At the same time the telecommunication revolution spread to most of the OECD population as digital technologies became common, most particularly with the spread of the mobile telephone. Overlain were the World Wide Web and the Internet (although these were not truly world wide, because most of the users were in the western and northern associated states) and this allowed access to the new technology for many, good and bad. This reliance and availability was not matched by a set of standards that secured both the hardware and software. The dependency of the western/northern political and economic systems on insecure hardware and software led to a new environment in which the strategic dependency of the western/northern societies on an insecure base became a "soft underbelly" that could be attacked.

212 Hyslop, MP (1999) op. cit.
Over the last ten years the political and economic infrastructure of the west and north has been the subject of repeated attacks through the Information Infrastructure and its associated applications. This has led to the comments of Anderson (2002)215 already noted and, more recently, the following comment by Reardon (2004):216

The two companies (Microsoft and Cisco) have each proposed competing "end to end" security architectures, marking the latest evolution in network defense – an approach concerned not only with scanning for viruses but also with policing networks to deny connections to machines that don't conform with security policies. For now at least, however, the twin offerings are not interoperable. That means customers might be forced to choose between using technology from one company or the other, unless the two tech giants can strike a deal to guarantee compatibility.

The current position is therefore that the world is a different place than it was just 25 years ago in terms of Information Infrastructure. This world, it may be argued, is characterized by a dependency, on the part of the western/northern political and economic system, on Information Infrastructure and associated systems that are neither resilient nor secure, and that are under attack through the use of both Asymmetric Warfare and Obstructive Marketing techniques. In order that such a dependency and such attacks are minimized it is important that the relationship between political, economic, social, technological, environmental and legal security, and Information Infrastructure resilience and recovery, is understood. In each of these areas steps need to be taken to improve Information Infrastructure resilience and recovery in order that Asymmetric Warfare or Obstructive Marketing, in particular, does not compromise security. Before recommendations can be made on how to deal with the issues in a systematic manner it is important to first understand the threats to each of these areas.

Twenty-five years or more ago Governments, particularly in the aftermath of the Second World War, had a view on what were and what were not strategic political resources. An inventory of the time would see coal, steel, electricity, gas, fuel, and food protected not just as industries under some political flavor but also as true resources to be harbored in the case of national need. The 1980s and later saw these strategic resources "privatized" or allowed to become fallow. "Just-in-Time" became the order of the day. The shallowness of this approach was revealed during the UK fuel crisis of 2000. This demonstrated that national reserves were dependent on Information Infrastructure and just-in-time deliveries; no strategic planning was in place to cover such eventualities.

213 Huntington, SP (1993) The Clash of Civilizations, Foreign Affairs. Summer, v72, n3, pp. 22–49.
214 Fialka, JJ (1997) War by Other Means, Norton, New York.
215 Anderson, R (2002) op. cit.
216 Reardon, M (2004) Microsoft and Cisco Clash on Security. CNET News. 17 September. Available at http://news.zdnet.co.uk/security/0,1000000189,39166968,00.htm (Accessed: 7 January 2007).
Plans to repeat the protest in 2004 led to the following:

Secret plans have been agreed between the Home Office and the Food Chain Emergency Group, set up after the 2000 fuel protests and incorporating Britain's biggest supermarkets and food manufacturers. Their plans to safeguard the food and fuel chain from disruption go much further than tactics used by the police to quash previous fuel protests. Townsend and Bright (2004)217

As noted elsewhere it also led to the establishment of the Civil Contingencies Act. Further investigation reveals that it is not just food and fuel that are dependent on Information Infrastructure and just-in-time deliveries; complaints were also received during the 2000 event from industrialists and the construction industry, amongst others. As the primary duty of a Government is to protect its citizens, this left the national political machinery potentially in breach of its main political duty.

217 Townsend, M and Bright, M (2004) Army Guard on Food if Fuel Crisis Flares, The Observer, 6 June. Available at http://observer.guardian.co.uk/uk_news/story/0,6903,1232432,00.html (Accessed: 7 January 2007).
The political machinery of any society depends on communication with its constituents. For centuries the political machinery of democratic, and more particularly nondemocratic, states has sought to exercise benign, or otherwise, control over the messages received by the electorate. The anarchy of the World-Wide Web, enabled by the Information Infrastructure revolution, threatened the political communications strategies of all political entities across the world. The ability of individuals to access information threatened both stable and unstable regimes and required a different approach from political entities in communicating with their constituents. The enemies of some states are using insecure telecommunication infrastructure to launch attacks. In order to exercise some control over telecommunication patterns the USA introduced "Carnivore," EPIC (2002).218 This is a development of "sniffer" technology that allows security services to access and monitor predominantly packet-based Information Infrastructure. In Europe improvements in telecommunication and information security have become one of the main priorities of the European Union, according to Europa (2004).219 Dealing with Information Infrastructure security has got a profile; it has a profile because the current state of affairs threatens the political status quo. Ergo this is a strategic and not a tactical issue. The British Government identifies civilian telecommunication and information systems as targets, according to the UK Ministry of Defense (2004).220 Zekos (1999)221 argues that the Internet alters the operating environment under which a vast array of institutions, including the State, operate. He concludes that there has been a shift of some components of the state's sovereignty to other entities and that this carries the potential to limit sovereignty. This may be not an elimination of sovereignty but a partial relocation of it to supranational institutions, such as multinational companies.
Hyslop (1999) has demonstrated that 60% of USA companies have suffered from some sort of telecommunication-related attack. These issues have become so common that MI5 (2004),222 the UK's domestic intelligence service, comments as follows:

The theft, copying or destruction of information is a growing problem for many organizations. Criminals, foreign intelligence services, terrorists or business competitors may attempt to access your information by breaking into your IT systems, obtaining the data you have thrown away, or infiltrating your organization through a disaffected member of staff. Consider first the nature of the threat you might face, and where your vulnerabilities lie. To what extent is your information at risk? Threats to information may come from an "insider" in your organization. The motivation of disaffected individuals may include personal gain, boredom, revenge, or sympathy with some external cause. A vulnerable member of staff could also be coerced or blackmailed. Follow the general advice under "Managing staff securely – the 'insider' threat", and consider whether you should take more detailed measures against espionage. Your IT systems may be vulnerable. Make sure they are supplied and maintained by reputable and reliable companies. For more detailed advice, see the page on "Electronic attack". Look at how you dispose of waste documents and other forms of data. Consider whether any of it might be of use to terrorists or others and read our advice on "Confidential waste".

Zekos (1999)223 also commented on the power of Information Infrastructure to manipulate economic growth, security, and development. He and Hyslop (1999)224 link political and economic security. In an interesting recent development the BBC Today programme (2004)225 announced that the changes in Britain's gambling laws are a direct result of Internet gambling and the consequent loss of taxes.

The key social problem for most OECD societies is the Digital Divide. Hammond (2001)226 explores this in more detail:

The United Kingdom is verging on the same type of "digital divide" that the U.S. government discovered in America's urban and rural communities last summer. This gap in access to the Internet and technology between the "haves" and "have nots" will only get worse, the consulting firm warns, unless the government takes steps to intervene. The impact on the "have nots" would be severe, as the ability to conduct everything from the most basic daily transactions to more complicated business deals continues to shift into the online world. The data shows that about four million new users, or eight percent of the population, are getting online each year. "Far from evening out the emerging inequalities, the wave of growth is likely to exacerbate them in relative terms, leaving an unconnected or excluded group of over 20 million citizens," the company said.

Trendle (2002)227 identified a new social democracy damaging to companies. She comments that companies are oblivious to the rising power of a new social grouping called "advocacy networks," thereby combining the issues of both economic and social security in a manner whereby social groups start to exercise pressure on businesses in a way previously unknown.

Technological security in the OECD is threatened in a number of ways. It is threatened by espionage via Information Infrastructure. It is threatened by the openness of international communication. It is threatened by the fact that a transfer of technology research and development has occurred from the military to the civilian market. These threats are summarized by Tolchin and Tolchin (1992).228 However, Gompert (1998)229 argues that the size and power of the political, military, and information resources in the hands of the USA merely reinforce technical superiority for the USA. This comment is, however, in its own right, also a threat.

An Information Infrastructure threat to environmental security is not necessarily immediately obvious. The impact of political, economic, and technological development and uncertainty is well documented. The Trudeau Centre for Peace and Conflict Studies at the University of Toronto has done much work on environmental security. Underlying many of its papers is the spread and influence of Information Infrastructure. Homer-Dixon (1991)230 describes the main interactions between different systems, many of which are now controlled by Information Infrastructure.

Legal security has depended on a series of events to ensure that contracts are safe and proven. Legal security is still dependent on boundaries: English law, American law, Roman law, etc. apply in different geographical areas.

218 EPIC (2002) The Carnivore FOIA Litigation. Available at http://www.epic.org/privacy/carnivore (Accessed: 7 January 2007).
219 Europa (2004) op. cit.
220 UK Ministry of Defense (2004) The Future Strategic Context for Defense. Available at http://www.mod.uk/issues/strategic_context/military.htm (Accessed: 7 January 2007).
221 Zekos, G (1999) Internet or Electronic Technology: A Threat to State Sovereignty, Commentary. The Journal of Information, Law and Technology (JILT (3)). Available at http://elj.warwick.ac.uk/jilt/99-3/zekos.html (Accessed: 7 January 2007).
222 MI5 (2004) Protecting Your Information. Available at http://www.mi5.gov.uk/output/Page236.html (Accessed: 7 January 2007).
223 Zekos, G (1999) Internet or Electronic Technology: A Threat to State Sovereignty. Electronic Law Journal (3). Available at http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/1999_3/zekos (Accessed: 7 January 2007).
224 Hyslop, MP (1999) op. cit.
225 Today (2004) Will the Number of Casinos Rise After the Changes to the Gambling Bill, BBC Radio 4, 19 October 2004, 07.32 hours.
226 Hammond, A (2001) Digitally Empowered Development, March/April. Foreign Affairs. pp. 96–106.
The telecommunication revolution has challenged many existing precepts of law in this respect, from signatures to the conveyance of contracts. There is a view that the Internet is an extension of the USA, from a USA point of view, just as most USA law has some supranational applicability, at least from a USA perspective. In the UK the tax bureaucracy has suffered from a loss of Value Added Tax following international purchases over the Internet that have evaded boundary-based tax regimes. Information Infrastructure allows multinational companies much more opportunity for "cross border tax efficiency" than has previously been the case. Further detail on these threats can be found at Faegre and Benson (2004).231

There is a strategically important relationship between Information Infrastructure and systems resilience, recovery, and security and both Asymmetric Warfare and Obstructive Marketing. It is clear that both Asymmetric Warfare and Obstructive Marketing methods use Information Infrastructure to attack both states and companies. It is also clear that there is a general pervasiveness with regard to these actions. To counter such events it is further clear that Information Infrastructure and systems resilience, recovery, and security need to be improved. This is no longer a tactical issue for business recovery or continuity. These remain important but a strategic view must also be taken. Information Infrastructure and systems are key national resources, and strategic in nature.

At a recent conference (Resilience, 2004) the question was asked: "How Can the Financial Sector Be Reassured That, In The Event Of An Incident, Their Utilities Supplies Will Be Uninterrupted? Is This A Viable And Feasible Request?" Hyslop (2004)232 commented that traditionally they have had to look after themselves. If the utilities went down so did the Information Infrastructure. Today, however, capitalism has come under threat from electronic attack; since 11 September 2001, since Basle II and Sarbanes-Oxley, and since some USA Department of Defense papers, it has become clear that defending the utilities that service the financial sector, the driver of capitalism, is not a purely academic question. In the United States of America the House of Representatives (1996)233 and others have commented as follows:

The United States increasingly relies on information networks for the conduct of vital business. These networks are potentially subject to major disruptions from a variety of external sources.

227 Trendle, G (2002) The Next Threat to Business – Social Democracy. Internet Integrity Annual Intelligence Briefing, Tuesday 21st May 2002, BDO Stoy Hayward. Available at http://www.creativematch.co.uk/viewnews/?88210 (Accessed: 7 January 2007).
228 Tolchin, M and Tolchin, SJ (1992) Selling Our Security, Knopf, New York.
229 Gompert, DC (1998) Right Makes Might: Freedom and Power in the Information Age, McNair paper 59, Chapter 3, May. Available at http://www.rand.org/publications/MR/MR1016/MR1016.chap3.pdf (Accessed: 7 January 2007).
230 Homer-Dixon, TF (1991) On the Threshold: Environmental Changes as Causes of Acute Conflict, International Security, Vol. 16, No. 2 (Fall), pp. 76–116. Trudeau Centre for Peace and Conflict Studies, University of Toronto.
To date, there has been no clear statement of the magnitude of this threat or the ability of the various networks to withstand or respond to such disruptions.

There is an argument for strategic intervention by major power governments to protect their major strategic assets in the face of irresponsible use of Information Infrastructure and associated systems. This may or may not be a "good" idea. There is also a strategic opportunity for one or more commercial organizations to gain control of wide sections of the international telecommunication and associated systems traffic. This too may or may not be a "good" idea. What is a "good" idea is to take a dispassionate and detailed look at how the strategic nature of Information Infrastructure can be both harnessed and unleashed to continue the development it has heralded in the last decade and a half. A critical area of research is Information Infrastructure resilience independent of both commercial and single-state control.

It is clear that Asymmetric Warfare and Obstructive Marketing techniques affect a wide range of organizations. These organizations need to know how to protect themselves. The expertise on protection actually lies in the private sector, which has had more experience of dealing with these sorts of techniques than anyone else. The private sector also has something the public sector seems to lack, and that is faith (even if only faith driven by the need to satisfy shareholders). Thus commercial organizations should perhaps be deploying their own experience in a very different way than today. Some examples may be:
• Advising on or adopting the creation of appropriate open or closed systems and virtual private networks
• Advising on or adopting the creation of information and knowledge management communities within, not across, networks
• Training of personnel by other people, not by electronic means, in security procedures
• Using Operational Risk Procedures to identify the weakest points
• Linking profitable and discrete communities to the Network, not necessarily all customers to the Network
• Redefining Trust in the context of a mix of open and closed relationships
This is not to advocate the demise of the World Wide Web or the Internet or Networks but it is to advocate a new look at resilience and security and how it might be implemented. To do this new types of fora will be needed. Examples are the USA and UK CERTs, and the UK's WARPs.

231 Faegre and Benson. Available at http://www.faegreandbenson.com (Accessed: 7 January 2007).
232 Hyslop, MP (2004) How Can the Financial Sector be Reassured That in the Event of an Incident, Their Utilities Supplies Will be Uninterrupted? Is This a Viable and Feasible Request? Comments to the Resilience (2004) Conference, Millennium Hotel, London. 22/23/24 September 2004.
233 United States. House of Representatives. (1996) The Cyber-Posture of the National Information Infrastructure. Washington. Chairman: Willis H Ware. Available at http://www.rand.org/publications/MR/MR976/mr976.html (Accessed: 7 January 2007).
A reasonable conclusion to this Chapter is that not enough is known about the possible Asymmetric Warfare and Obstructive Marketing threats to the resilience in particular, as well as the recovery and security, of Information Infrastructure. There is no clear consensus as to what constitutes a secure Information Infrastructure environment. Different drivers are apparent: commercial, national, strategic, and tactical amongst them. The big threats, Asymmetric Warfare to states and Obstructive Marketing to corporations, will not go away. It would be useful if a consensus could be reached to bring a common approach to a key strategic problem, one that would enable resilient and secure Information Infrastructure to be deployed effectively. This will require considerable cooperation from a wide range of parties.
Chapter 11 A Suggested Approach to Individual, Corporate, National, and International Resilience, Critical Infrastructures, and Critical Information Infrastructures
This Chapter seeks to make suggestions, at the individual, corporate, national, and international levels, of ways in which to make Critical Infrastructures and Critical Information Infrastructures more resilient.
Individual
In children we need to nurture the characteristics noted by Grotberg (1998)234 of:
• Trusted network
• Limits on behavior
• Shown how to do things right
• Learn to be independent
• Assisted when sick
• Am liked and loved
• Am well behaved
• Am respectful
• Am confident
• Can communicate
• Can solve problems
• Can control when things go wrong
• Opportunistic
• Can get help when needed
These characteristics must assume an education that also delivers numeracy and literacy. These are sixteen things for parents and teachers to deliver to a child over the sixteen or so years to adulthood. In OECD countries this is a problem, and it should not be. These are life skills writ large. They are what is needed for the future.
234 Grotberg, E (1998) op. cit.
Chapter 11 Individual, Corporate, National, and International Resilience
177
In the adult environment it is necessary to nurture the characteristics of high reliability organizations noted by Rochlin et al. (1987):235
• Trust
• Discipline
• Teaching organizations
• Learning organizations
• Supportive
• Camaraderie
• Behavioral norms
• Hierarchical empathic organization
• Clear responsibilities
• Confident
• Formal and informal communication
• Solve problems
• Adaptive
• Opportunistic
• Can get help when needed
Additional individual resilience skills include knowing how to grow and harvest food, exercise, the use of alternative fuels at home, protecting oneself from things like bird flu (by understanding key personal hygiene rules), and having some sort of individual plan to survive food and other shortages. Above all, this should be done within a society that has a clearly defined set of values and, by and large, lives by them.
Corporate
In the corporate environment it is suggested that four key things are important:
• To understand common sense business strategy
• To understand how to manage complexity
• To understand the threats and counter-threats of Obstructive Marketing and Asymmetric Warfare
• To help the defense of Critical Information Infrastructure
The first two of these are beyond the remit of this book, but are things all businesses should be doing anyway. Help on both is available in concise form from Pearson (1988)236 and Wood (2000),237 or from a myriad of MBA and business courses. On the third point it is evident from Hyslop (1999)238 that many major corporations understand these threats. There is less of an understanding within
235 Rochlin, GI (1987) op. cit.
236 Pearson, B (1988) Common Sense Business Strategy. Mercury.
237 Wood, R (2000) Managing Complexity. The Economist.
238 Hyslop, MP (1999) op. cit.
178
Critical Information Infrastructures: Resilience and Protection
supply chains and SMEs of how to deal with these threats. A similar issue faces Sarbanes-Oxley, where the major corporations understand the reason for it and have spent the money to conform, but the supply chain (particularly the non-USA supply chain) seems unsure why it should conform. At the SME level it has slowed the creation of businesses in the USA. The people in touch with these businesses are the Chambers of Commerce and the Small Business federations. They need, eventually, a more formal role in how to help their membership survive both Asymmetric Warfare and Obstructive Marketing threats. Smaller businesses need some online guidance about how to manage their Information Infrastructure in particular, and how to manage other Asymmetric Warfare and Obstructive Marketing threats. At the major corporate level businesses must be engaged with the defense forces in order both to understand the threats and to protect themselves and their markets from Asymmetric Warfare and Obstructive Marketing threats. At the Information Infrastructure level much more needs to be done both to coordinate and to inform the defenses required not just for Information Infrastructures but also for all other Critical Infrastructures. This implies the creation of proper associations, the development of standards, and the development of a rigorous approach to the management of Information Infrastructure that is based, loosely, on the approaches that have worked in the past for both the petroleum and telephone industries. This is not so much to impose constraint as to suggest responsibility. In terms of reliability and safety the Information Infrastructure needs to be at the same level as the airline industry. Hopefully, there will be much more cooperation between USA and European businesses, both in defense and in the creation of an electronic environment. Outsourcing to developing countries based solely on human resource savings should be discouraged. Strategic approaches on all fronts are to be encouraged.
National
The following statements summarize the major threats to OECD countries. The USA’s global power rests on a triad of capabilities: space, sea, and cyberspace.239 This statement is paraphrased from a relatively recent article on a new defense model for space. The UK’s MI5 identifies International terrorism, Northern Ireland, Weapons of Mass Destruction, and Espionage as the key threats to the United Kingdom.240 The new threats to Europe are best defined in the European Security Strategy as presented in December 2003:241
239 Cebrowski, AK and Raymond, JW (2005) Operationally Responsive Space: A New Defense Business Model. Parameters, Summer.
240 http://www.mi5.gov.uk (Accessed: 7 January 2007).
241 Bailes, AJK (2005) European Security Strategy, an Evolutionary History, SIPRI Policy Paper No. 10, Stockholm International Peace Research Institute, February. Available at http://www.sipri.org/contents/editors/publications/ESS_PPrapport.pdf (Accessed: 7 January 2007).
• Terrorism
• Proliferation of weapons of mass destruction
• Regional conflicts
• State failure
• Organized crime
In Australia and New Zealand the threats are identified much as they are in the UK.242 The threats are obviously related to each other, and one can lead to another. Thus regional conflict can lead to state failure, where organized crime flourishes. Organized crime can escalate into terrorism. The greatest threat to the world community is now terrorists armed with weapons of mass destruction.243 If these threats are looked at in the round then there is common understanding on:
• Terrorism
• Weapons of mass destruction
• Regional conflicts
• Organized crime
• Espionage
These are all, largely, asymmetric threats. The specific threats to Critical Infrastructure, Commerce and Critical Information Infrastructure arising from these general threats should be understood. As much of this is in private hands, some sort of public–private partnership has to exist to counter them, if not at national then at federated or international level. Anyone with a working knowledge of the European Commission or any other federated bureaucracy will understand the extreme difficulty of operating effectively at such levels. To counter these threats all federations and states currently use a combination of Army, Navy, Air Force, Intelligence Services (including electronic eavesdropping), and Police. These are the traditional tools for Symmetrical or state vs. state warfare. Yet much of what this book has been about is the resilience of Critical Infrastructure and Critical Information Infrastructure to asymmetric warfare – in both a political and an economic context. The threats confirm this approach. Much Critical Infrastructure has no protection at all. Critical Information Infrastructure, particularly outside the USA, has little protection, because much of it is in commercial hands.
There is clear evidence from a range of sources that terrorists of various kinds use Information Infrastructures for communication, thinking, planning, and delivery.
242 Threats available at http://www.australia.or.jp/english/seifu/pressreleases/index.html?pid=defense20030226b (Accessed: 7 January 2007).
243 Dorfer, I (2004) Old and New Security Threats to Europe. Available at http://www.afes-press.de/pdf/Doerfer_Mont_9.pdf (Accessed: January 2007).
All this suggests a new type of defense model is required to meet the new threats. It is axiomatic that because much of the Critical Infrastructure and Critical Information Infrastructure is in commercial hands, a much closer liaison is required between federation/state and commerce than is normally understood to be the case. In this respect the USA may be much closer to a modern working operational model, given the extent of the military/industrial/electronic complex, than many give it credit for. It is necessary for the western world, the OECD countries in particular, to be clear about how they are going to defend themselves against some very specific threats:
• Use of terrorism against critical infrastructure and Critical Information Infrastructure
• Use of weapons of mass destruction against critical infrastructure and Critical Information Infrastructure
• Use of organized crime against critical infrastructure and Critical Information Infrastructure
• Use of espionage against critical infrastructure and Critical Information Infrastructure
These require either new or modified defense organizations. And the more general threats of:
• Regional conflicts
• State vs. state warfare
These require more traditional defense organizations. The lines between all these tend to blur, as they have done in Afghanistan. It follows that some sort of public/private defense partnership to protect both Critical Infrastructure and Critical Information Infrastructure is required. There are some clear candidates for inclusion in the different areas (and this book shows that the private sector has as much experience in dealing with asymmetric threats as the public sector). Two countries that might be imagined to be close on these sorts of subjects, the USA and the UK, have recently fallen out over the level of detail to be given to pilots operating the other’s planes on sorties into enemy territory in Afghanistan and Iraq.
They have also fallen out over the level of intelligence to be provided to each other. This does not augur well for the development of complementary defense models! Democracies, and particularly the British form of democracy, are often reluctant to impose restraints. Frequently, a series of checks and balances is encouraged instead. This sort of approach is epitomized in the UK by the rather laissez-faire attitude of the Financial Services Agency, as opposed to that of the Department for Homeland Security in the USA, over disaster recovery advice for financial institutions. This will not work to protect the fabric of our societies. There must be a level of responsibility and accountability that is more structured than today’s. (This does not necessarily mean it has to be less democratic or involve the imposition of more laws.) Indeed, from the way in which individuals are screened at airports to the way in which companies
are involved in the defense of critical infrastructures, there is a need to be more sophisticated, not less. The technology, profiling, screening, and understanding are available to ensure that society keeps its values whilst fighting an enemy that rejoices when those values are amended. (The security screening at airports is the most obvious of these, and statistically and in any other way the most useless deterrent.) There is a potential model in the form of the UK Government’s fora for resilience, based at regional level in the UK. These exist in each of the nine English regions and in the three other countries of the UK, as required by the Civil Contingencies Act. Actually, these bodies do not do very much about resilience; they are about recovery and continuity more than they are about resilience. This said, they represent, at a regional level, an appropriate body where these matters can be discussed. In the USA William Pelgrin’s work in New York State is a model that also could be extended. The New York Telecommunications Reliability Advisory Council (NYTRAC) has the following role: To consider and advise on how to maintain and improve the reliability of New York State’s current and future communications networks for the benefit of public and private users, and to further the economic security of the State of New York, its municipalities and its citizens . . . NYTRAC is a panel of public and private sector telecommunications experts who work to ensure an industry-wide exchange of information on emerging technologies and strategies to strengthen New York State’s telecommunications network. Ideally, of course, the population, commercial sector, and defense should be woven tightly into the political structure, as they are in Switzerland and, to a lesser extent, in Sweden. Using these two as examples, a suggested national model may look as follows:
The Public–Private Partnership
However, in approaching an organization care must be taken not to repeat the mistakes of the past. Mistakes of the past include the void left by the creation of the Serious Organized Crime Agency (SOCA) in the UK in the fight against crime, and currently, again in the UK, the reintegration of NISCC with the CNI, when it should be ascendant rather than subordinate. In the United States it is the proliferation of bodies with some sort of responsibility for Homeland Defense. The key to resilience in the OECD countries is a clear understanding of the threats and how to counter them, a simple defense organization, and a strategic approach at the commercial level. It will be obvious, by now, that this book is of the opinion that Critical Information Infrastructure is under-protected and that new forms of defense are needed.
A National Defense Model
The national defense organization to counter these threats must start with a clear political statement of intent. This must concentrate as much on the preservation of national values as it does on the preservation of infrastructure. It would seem unnecessary to repeat structures that already exist, and to a certain extent this is a problem that all nations that have tried to deal with this issue have already faced. There is an unnecessary proliferation of bodies designed to look at this problem already.244 These do need to be streamlined. The organization itself needs a political master. It is fairly obvious that the defense of Critical Infrastructures should be the job of a Ministry of Defense. Just because this is a revisited area (in terms of Critical Infrastructure) or a new one (in terms of Critical Information Infrastructure) does not negate the threats (which would normally be dealt with by a Ministry of Defense) or the fact that this is a nationally important defense issue. Therefore the national model should be under the equivalent of a Ministry of Defense. The physical bodies such as the Army, Navy, Air Force, and Police need to be responsible for the physical infrastructure and artifacts of Critical Infrastructures. At the moment no one, in any country with the possible exceptions of Sweden and Switzerland, seems to have complete control of their defense in terms of specific operational responsibility for defending specified pieces of national critical infrastructure. This is something that needs to be put right and should become, naturally, the responsibility of the Army, Navy, Air Force, and Police. There needs to be a continually understood approach to mapping boundaries and ownership of both Critical Infrastructures and Critical Information Infrastructures. This suggests some sort of mapping and intelligence gathering body.
This can be an adjunct to existing Signal Intelligence and Human Intelligence gathering bodies, plus those bodies that used to be known as Photographic Reconnaissance and Interpretation Units. A new defense force needs to be constructed for the purpose of Critical Information Infrastructure defense. This is not a new idea, per se. Once aircraft were established as both a threat and a weapon, during World War I, Air Forces were quickly added to existing army and naval defense force capability. This is very much a development in the same idiom. Note that it is as inappropriate to treat Critical Information Infrastructure as a subset of critical infrastructures as it is to treat air forces as a subset of armies and navies. The corollary of Army Air Corps and Naval Air Arms is equally appropriate under certain circumstances. Finally, there must be responsibility in the private sector for both Critical Infrastructure and Critical Information Infrastructures. The formal responsibility for this can rest in appropriately constituted bodies.
244 Dunn, M and Wigert, I (2004) op. cit.
So a national model for the protection, and thereby the increased resilience, of national infrastructures could look something like this:
FIGURE 4. A National Defense Model
[Figure: a Democratically Elected Govt sits above a ‘Ministry’ of Defense, under which are Intelligence, a Land Defense Force, Sea Defense, an Air Defense Force, and an Information Infrastructure Defense Force. These Forces are linked through a Public / Private Partnership to the infrastructures Energy, Finance, Health, Food Supply, Government Services, Law and Order, National Icons, Transport, Water, and Waste Water, with similar links from all other Infrastructures to these other Forces.]
International
Critical Infrastructure and Critical Information Infrastructures are no longer essentially national in nature. Critical Infrastructure remains more national, but even here there are major issues. One anecdotal example is the desire of the representative for Pas de Calais, France, to display her green credentials by campaigning for the abandonment of the region’s nuclear power plant at Gravelines. This was until it was realized that much was earned from the export of nuclear generated electricity from the Pas de Calais plant to neighboring Kent in the United Kingdom, some 40 kilometers away across the Channel. Critical Infrastructure is also much more private than it was 50 years ago – with a great shift of resources out of public ownership into private ownership. In terms of Critical Information Infrastructure it is difficult to see how this, in any way, is national in nature. It is international in nature – but dominated by USA owned Infrastructure and processes and concentrated, to date, in the OECD nations.245 The multinational organizations that cover the majority of the international aspects of both Critical Infrastructure and Critical Information Infrastructure, and their international geography, are relatively few. They are the OECD,246 the European Union,247 the Group of Eight (G8),248 NATO,249 and the UN.250 Each of these does have an approach to both Critical Infrastructure and Critical Information Infrastructure, but not all are in a position to do anything concrete about building Resilience in either. All of these organizations are political in nature. This is a positive attribute because it is necessary to have buy-in from all parts of the relevant political bodies. Some are for international discussion, cooperation and action. Only two have any real defensive mandate: NATO and the UN. NATO does not cover all the geography; the UN covers the geography but, perhaps, without the respect.
Each organization has a slightly different approach to the problem. The European Union has a number of concerns about Critical Infrastructure and Critical Information Infrastructure. These concerns are voiced both formally, in terms of the Lisbon Agenda251 and related Policies and ePolicies, and informally, within the Commission.
245 Proxy figures are available at http://www.websiteoptimization.com/bw/0510 (Accessed: 7 January 2007) and at http://www.oecd.org (Accessed: 7 January 2007).
246 Available at http://www.oecd.org (Accessed: 7 January 2007).
247 Available at http://www.europa.eu (Accessed: 7 January 2007).
248 Available at http://www.g7.utoronto.ca/what_isg8.html (Accessed: 7 January 2007).
249 Available at http://www.nato.int (Accessed: 7 January 2007).
250 Available at http://www.un.org (Accessed: 7 January 2007).
251 The Lisbon Agenda is available at http://www.euractiv.com/en/agenda2004/lisbonagenda/article_117510 (Accessed: 7 January 2007).
Informally there is great concern over a number of vulnerabilities, evidenced by the slant given to various research projects, particularly on Security and eSecurity within both the Framework 6 and Framework 7 programs. The issue of Critical Infrastructure protection is dealt with under the various initiatives in the EU Budget to 2013.252 These are usefully summarized by Masera.253 The substance of his presentation is that the problems are recognized but have yet to be dealt with, although funds have been allocated to flesh out solutions. The major European agency established to deal with Critical Information Infrastructure protection is the European Network and Information Security Agency (ENISA).254 Despite the hope that was engendered by the establishment of ENISA, the reality is somewhat disappointing. First, the Agency is not operational; it has a coordinating, informative, and, sometimes, strategic brief. There was reluctance in the European Commission to give it an operational role because this would have interfered with a number of existing operational bodies at national and international level. Examples would be existing intelligence bodies and Europol. The second disappointment was the decision to establish it in Heraklion, Crete, Greece. This decision was driven by the need to allocate agencies ahead of the last round of country integration, and was a politically motivated decision rather than an operationally driven decision. As a result the Agency is both in the wrong place and, arguably, has the wrong brief. There is, overall, a lack of political will to deal with problems that are not immediately obvious to the electorate. 
Thus there is much concentration on the obvious requirements to combat the physical effects of terrorism, and it is true that this helps the protection of Critical Infrastructures in part, but there is little will to devote resources to the coordination of the, arguably more important, Information Infrastructures that now dominate the lives of all. The Group of Eight (G8)255 has a good history of recognizing the issues involved in the establishment of principles regarding both Critical Infrastructures and Critical Information Infrastructures. The G8 initially addressed the problem in 1995 and developed its ideas in 2000 with the Okinawa Charter on Global Information Society, embodying the OECD Guidelines for Security of Information Systems. Importantly, this acknowledged the need for both public and private bodies to work together.
252 Information available at http://ec.europa.eu/enterprise/security/articles/article_2006-09-25-kf_en.htm (Accessed: 7 January 2007).
253 Masera, M (2005) Critical Infrastructures and European Policies. IRGC Conference, European Commission, Beijing, China, 20 September. http://www.irgc.org/irgc/knowledge_centre/irgceventmaterial/_b/contentFiles/IRGC%202005%20Gen%20Conf_Marcelo%20Masera.pdf (Accessed: 7 January 2007).
254 ENISA information available at http://www.enisa.eu.int (Accessed: 7 December 2007).
255 Group of Eight information available at http://www.g8.utoronto.ca/summit/2003evian/press_statement_march24_2003.html (Accessed: 7 January 2007).
In 2003 eleven principles were adopted. The G8 Principles for Protecting Critical Information Infrastructures256 are as follows:
• The establishment of warning networks
• Promoting partnerships
• Maintaining crisis communication networks
• Facilitating the tracing of attacks
• Training and exercising
• Having appropriate laws and trained personnel
• International cooperation
• Promoting appropriate research
These are fine principles, but the G8 can only advise. It has no real capability to deliver. At the OECD the Working Party on Information Security and Privacy (WPISP) promotes a global approach. Its resolutions and recommendations help both governments and businesses; awareness is raised through the publication of Information and statistics. In 2002 the OECD adopted the Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security. The guidelines are the result of consultation between industry, business, and society. In October 2003 the OECD Global Forum on Information Systems and Network Security257 met and had the following key outcomes:
• Raising awareness of the importance of secure Information systems and networks for safeguarding Critical Infrastructures, as well as business and consumer Information
• Increasing knowledge of the OECD Security Guidelines
• Encouraging the development and promotion of security architectures for organizations that effectively protect Information systems
• Exploring the use of technology and security standards in safeguarding IT Infrastructures.
The UN has not yet taken the same number of steps towards developing Information and policy on either Critical Infrastructures or Critical Information Infrastructures as other international bodies. It established a UN ICT Task Force in November 2001. In September 2002 the task force published a guide called “Information Security – A Survival Guide to the Uncharted Territories of Cyber-Threats and Cyber-Security.”258 This publication made 7 recommendations:
256 G8 Principles for Protecting Critical Information Infrastructures, in NISCC Quarterly, April–June 2003, p. 9, http://www.niscc.gov.uk/quarterly/NQ_April03_JUNE03.pdf (Accessed: 7 January 2007).
257 Information available at http://www.oecd.org.document/38/0,2340,en_21571361_36139259_16193702_1 (Accessed: 7 January 2007).
258 Information available at http://www.unicttaskforce.org/perl/documents.pl?id=1152 (Accessed: 7 January 2007).
• Recommendation No. 1 – Become aware of the problem
• Recommendation No. 2 – Devise an Information security strategy
• Recommendation No. 3 – Implement some simpler remedial procedures immediately
• Recommendation No. 4 – Seek professional help without delay
• Recommendation No. 5 – Adopt international standards and other best practices. International standards like ISO 17799, and other tried and tested best practices, can be of great help in securing your systems from external threats
• Recommendation No. 6 – Identify the gaps in national legislation
• Recommendation No. 7 – Encourage the United Nations to embark urgently on a Law of Cyber-Space. The almost complete absence of international law on this subject has created a phenomenal vacuum
Finally it is worth having a close look at NATO. NATO is an interesting body in the context of Critical Infrastructures and Critical Information Infrastructures. This is because many OECD countries are members of NATO, and most of those who are not have some form of treaty alignment with NATO. It is because NATO has some teeth, in that it is a defense delivery organization as well as an Information disseminating and strategic body. It is because it has some remit to defend both Critical Infrastructures and Critical Information Infrastructures in line with its charter. Critical Infrastructure protection is partly covered in the Ministerial Guidance for NATO Civil Emergency Planning. The Senior Civil Emergency Planning Committee has recognized the need for more work on protecting Critical Infrastructures. The Civil Communication Planning Committee has published a number of documents on Critical Infrastructure Protection.
The Civil Protection Committee, the Industrial Planning Committee, the Food and Agriculture Planning Committee, the Civil Aviation Planning Committee, the Planning Board for Inland Surface Transportation, and the Planning Board for Ocean Shipping are all involved in aspects of Critical Infrastructure and Planning. In the area of Critical Information Infrastructure things are less well developed. The NATO Counter-Terrorism Development Program recognizes the need for a technology response to current problems, recognizes the need for private sector contributions, and comments as follows:259 The global spread of technology that can be of use in the production of weapons may result in the greater availability of sophisticated military capabilities, permitting adversaries to acquire highly capable offensive and defensive air, land, and sea-borne systems, cruise missiles, and other advanced weaponry. In addition, state and non-state adversaries may try to exploit the Alliance’s growing reliance on Information systems through Information operations designed to disrupt such systems. They may attempt to use strategies of this kind to counter NATO’s superiority in traditional weaponry.
259 Information available at http://nc3a.info/nctdp (Accessed: 7 January 2007).
At the NATO 2006 Riga Summit a number of general proposals were made. The Political Guidance for the summit included the following: the ability to protect Information systems of Critical importance to the Alliance against cyber attacks.260 The formal release of the summit included the following: work to develop a NATO Network Enabled Capability to share Information, data and intelligence reliably, securely and without delay in Alliance operations, while improving protection of our key Information systems against cyber attack. (Article 24)261 and the development of coherent and mutually reinforcing . . . civil emergency planning. (Article 41)262 Notes to the summit were more explicit regarding the increasing need to deter and defend against attacks on Critical Information Infrastructures. It is important to remember that implicit in the role of NATO is the protection of Physical Infrastructures. Other international bodies such as Interpol, the International Chamber of Commerce’s International Maritime Bureau and Cyber Crime Unit, etc. have an interest in different parts of the Critical Infrastructures, but largely focused on the criminal aspects of the use of these Infrastructures. This is subtly different from building resilient Infrastructures. For example Interpol’s chief initiatives in the area of financial and high-tech crime focus on:
• Payment cards
• Money laundering
• Intellectual property crime
• Currency counterfeiting
• New technologies263
At the International Chamber of Commerce Crime Services the Cyber Crime Unit, set up in 1999 as a conduit for the exchange of information between commerce and law enforcement, supports the activities of all Commercial Crime Bureaus. Cyber Crime Unit staff use their knowledge of fraudulent behavior to identify new scams and issue warnings to members. The Unit also provides commerce with several essential services:
260 Information available at http://www.nato.int/docu/basictxt/b061129e.htm (Accessed: 7 January 2007).
261 Information available at http://www.nato.int/docu/pr/2006/p06-150e.htm (Accessed: 7 January 2007).
262 Ibid.
263 Available at http://www.interpol.int/Public/FinancialCrime/Default.asp (Accessed: 7 January 2007).
Chapter 11 Individual, Corporate, National, and International Resilience
• Tracking and tracing bogus Web sites
• Alerting ISPs that their systems are being used for illegal purposes
• Alerting banks and businesses to the existence of copy-cat sites
• Identifying criminal interference in computer networks
• Providing advice on the security of Information systems
• Conducting audits of wireless networks264

International law regarding both Critical Infrastructures and Critical Information Infrastructures is sparse. Indeed Dunn and Wigert (2004)265 go so far as to comment: Due to the inherently transnational character of Critical Infrastructure and Critical Information Infrastructure there is a need to harmonize national legal provisions and to enhance judicial and police co-operation. However, so far, the international legal framework has remained rather confused and is actually an obstacle to joint action by the actors involved.

In the European Union the European Commission has started to make an effort to deal with the problem. The author has been both a Director for the Commission’s eJustice project and a member of the eDemocracy-focused Politech Institute in Brussels. Both bodies have made substantive recommendations on various approaches to solving the problem. eJustice succeeded in its aims of:

1. Going beyond the state of the art in several Trust and Security technologies
2. Convincing key representatives of civil society that these technologies, and in particular biometry, do not represent a threat to the privacy of citizens when used within well-defined guidelines
3. Convincing major public authorities to adopt the results for their own use.266

But the project cannot, on its own, make these things happen. The Politech Institute, amongst other things, seeks to consult the different stakeholders in the development of electronic strategies and policies in the converging domains of political technologies.267 This includes law. But nor can it make things happen.
There is a huge vacuum in International Law in regard to Critical Infrastructure and Critical Information Infrastructure protection. Elsewhere thought leaders in the subject of Resilience in Critical Infrastructure and Critical Information Infrastructures have been identified. In the international context it is important to have structures that have reach, respect, and resources. This gives a number of problems in regard to the USA and Europe in particular. This is because both are regarded as having vested interests, particularly in regard to Critical Information Infrastructures. It also gives a problem in regard to the so-called neutral countries of Sweden and Switzerland. These countries may well be neutral in a political sense, and they may be neutral in a Critical Infrastructure sense, but they are not neutral in a Critical Information Infrastructure sense. This said, there is no point in claiming a neutrality of view on behalf of the author either.

The OECD plays a prominent role in fostering good governance in the public service and in corporate activity. It helps governments to ensure the responsiveness of key economic areas with sectoral monitoring. By deciphering emerging issues and identifying policies that work, it helps policymakers adopt strategic orientations. It is well known for its individual country surveys and reviews. The OECD produces internationally agreed instruments, decisions, and recommendations to promote rules of the game in areas where multilateral agreement is necessary for individual countries to make progress in a globalized economy. Sharing the benefits of growth is also crucial, as shown in activities such as emerging economies, sustainable development, territorial economy, and aid. Dialogue, consensus, peer review, and pressure are at the very heart of OECD. Its governing body, the Council, is made up of representatives of member countries. It provides guidance on the work of OECD committees and decides on the annual budget.

It is recommended that the OECD takes on the International Strategic Responsibility for Resilience in Critical Infrastructures and Critical Information Infrastructures. Its approach to Resilience should include direct liaison with the international thought leaders – particularly those in the UK (National Information Security Coordination Centre),268 Australia (Attorney General’s Department),269 New Zealand (Centre for Critical Infrastructure Protection),270 and the United States (Department for Homeland Security).271 It would thus have the reach, respect, and resources to deliver.

264 Available at http://www.icc-ccs.org/ccu/overview.php (Accessed: 7 January 2007).
265 Dunn, M and Wigert, I (2004) op. cit.
266 Available at http://www.ejustice.eu.com (Accessed: 7 January 2007).
267 Information available at http://www.politech-institute.org/services.asp?dept=1 (Accessed: 7 January 2007).
268 Information available at http://www.niscc.gov.uk (Accessed: 7 January 2007).
269 Information available at http://www.ag.gov.au (Accessed: 7 January 2007).
270 Information available at http://www.ccip.govt.nz (Accessed: 7 January 2007).
271 Information available at http://www.dhs.gov (Accessed: 7 January 2007).

NATO is the most experienced and effective body in the international defense arena. The first five articles of the treaty are as follows.

The North Atlantic Treaty
Washington, DC – 4 April 1949

The Parties to this Treaty reaffirm their faith in the purposes and principles of the Charter of the United Nations and their desire to live in peace with all peoples and all governments. They are determined to safeguard the freedom, common heritage, and civilization of their peoples, founded on the principles of democracy, individual liberty, and the rule of law. They seek to promote stability and well-being in the North Atlantic area. They are resolved to unite their efforts for collective defense and for the preservation of peace and security. They therefore agree to this North Atlantic Treaty:

Article 1 The Parties undertake, as set forth in the Charter of the United Nations, to settle any international dispute in which they may be involved by peaceful means in such a manner that international peace and security and justice are not endangered, and to refrain in their international relations from the threat or use of force in any manner inconsistent with the purposes of the United Nations.

Article 2 The Parties will contribute toward the further development of peaceful and friendly international relations by strengthening their free institutions, by bringing about a better understanding of the principles upon which these institutions are founded, and by promoting conditions of stability and wellbeing. They will seek to eliminate conflict in their international economic policies and will encourage economic collaboration between any or all of them.

Article 3 In order more effectively to achieve the objectives of this Treaty, the Parties, separately and jointly, by means of continuous and effective self-help and mutual aid, will maintain and develop their individual and collective capacity to resist armed attack.

Article 4 The Parties will consult together whenever, in the opinion of any of them, the territorial integrity, political independence, or security of any of the Parties is threatened.
Article 5 The Parties agree that an armed attack against one or more of them in Europe or North America shall be considered an attack against them all and consequently they agree that, if such an armed attack occurs, each of them, in exercise of the right of individual or collective self-defense recognized by Article 51 of the Charter of the United Nations, will assist the Party or Parties so attacked by taking forthwith, individually and in concert with the other Parties, such action as it deems necessary, including the use of armed force, to restore and maintain the security of the North Atlantic area.

These first five articles can be used as a basis for the protection of international Critical Infrastructures and Critical Information Infrastructures. In the case of Critical Information Infrastructure the majority of international Infrastructure is already in the hands of existing NATO members. Various attempts have been made, both at the Riga summit and previously, to include reference to cyber-attacks. The basis of NATO is defense against armed attack. Armed attack is an increasingly dated term in the context of international and asymmetric warfare.
It is recommended that NATO should become the operational arm for international Resilience in Critical Infrastructure and Critical Information Infrastructure Protection. It has the reach, respect, and resources to deliver. In terms of delivering on the ground, a number of agencies need to be co-opted to work with the strategic and operational arms. In terms of coordinating different aspects of the task it could be suggested that:

• Research can be undertaken by bodies such as ETH272 or I3P273
• International Law can be developed and amended under the auspices of the International Law Commission274
• The Politech Institute275 coordinates public sector views (because it already has an Infrastructure to do this)
• The ICC Cyber Crime276 unit coordinates the private sector (because it already has an Infrastructure to do this)
• ENISA277 coordinates the Critical Information Infrastructure input (because it already has an Infrastructure to do this)
• NATO278 coordinates Critical Infrastructure input (because it already has an Infrastructure to do this)
• The overall international Resilience in Critical Infrastructure and Critical Information Infrastructure could thus look something like the diagram below (Figure 5)

FIGURE 5. An International Defense Model. The diagram shows a Strategic Body (based at OECD) and an Operational Body (based at NATO), supported by Law (International Law Commission), Research (ETH, Zurich; I3P, Dartmouth, NH), National Ministries of Defense, the Public Sector (Politech Institute, Brussels), the Private Sector (ICC Cyber Crime Unit), National Bodies for Critical Information Infrastructures, and National Bodies for Critical Infrastructures.

This is not to say that any international infrastructure management organization should look like this, but it is to say that it could look like this. There is no naiveté or impracticality in such suggestions – the political difficulties are well understood. It is necessary to have an international organization to look at this subject; it is necessary to construct one; it is recognized that this will cost money; it is recognized that some bodies will be better than others; it is recognized that some Infrastructures already exist that could help. Those mentioned are some that could help. Each has limitations, but so will any other suggestions.

To conclude, it is important to recognize that an international approach to Resilience in Critical Infrastructures and Critical Information Infrastructures is required. There is no current, coherent structure that could do the job on its own. It is recommended that an international approach to Resilience in Critical Infrastructure and Critical Information Infrastructures be developed, based on existing Infrastructures at the OECD, NATO, the International Law Commission, existing research bodies at ETH and I3P, the Politech Institute, the ICC Cyber Crime Unit, and ENISA – or any other bodies that might willingly take on the task with the required reach, respect, and resources. There is a need for such an organization; what is required is the will to create it.

272 Information available at http://www.eth.cz (Accessed: 7 January 2007).
273 Information available at http://www.thei3p.org (Accessed: 7 January 2007).
274 Information available at http://www.un.org/law/ilc (Accessed: 7 January 2007).
275 Information available at http://www.politech-institute.org (Accessed: 7 January 2007).
276 Information available at http://www.icc-ccs.org (Accessed: 7 January 2007).
277 Information available at http://www.enisa.europa.eu (Accessed: 7 January 2007).
278 Information available at http://www.nato.int (Accessed: 7 January 2007).
Chapter 12 General Summary and Conclusions
Chapter 1
• Critical Infrastructure Protection is about Defense
• Critical Infrastructures need to be Resilient

Chapter 2
• Resilience is about the ability to “bounce back”
• Critical Infrastructure Protection is not the same as Critical Information Infrastructure Protection
• Critical Infrastructure Protection is essentially national; Critical Information Infrastructure is both national and “borderless.”
• Both Critical Infrastructure Protection and Critical Information Infrastructure are inseparable from society’s core values in a political, social, economic, and technological sense.
• There has been a migration of Critical Infrastructure from Government to Private hands over the last 50 years.
• Fewer resources are devoted to the Defense of Critical infrastructure than 50 years ago.

Chapter 3
• There is clear stated political support for Critical Infrastructure and Critical Information Infrastructure across all countries.
• There is less clear definition of actual operational support for the protection of Critical Infrastructures and Critical Information Infrastructures across most countries.
• A common set of Critical Infrastructures can be defined.
• Risk management is important.
• There are concerns with regard to the dominance of Information Technology in all Critical Infrastructures.
• There are legal gaps at international and national level regarding both Critical Infrastructure and Critical Information Infrastructure.
• Thought leadership in this subject area is not related to size of country or Infrastructures.
Chapter 4
• Every single Critical Infrastructure in the common list is under threat; none of them really display the characteristics of resilience.
• Governments are clearly not paying enough attention to Critical Infrastructures, and they are not properly prioritized, either in any national sense or in themselves.

Chapter 5
• The Connectivity, Hosting, Security, Hardware, and Software industries combined, and in general, pay little heed to Critical Information Infrastructure protection.
• There are no major international, European or national bodies addressing the subject operationally in an effective manner, although some of the telecommunication bodies are trying.
• There are many Public–Private Partnership and Information Sharing Initiatives, but they tend to lack teeth.
• Some Information Sharing initiatives are effective, e.g., CERTs and WARPs, and work well from the bottom up, as in the New York State example.

Chapter 6
• The export of democracy has increased the threat to Critical Infrastructures, and led to the increased likelihood of Asymmetric and traditional war.
• There is demonstrable resilience in the Economic field, but this is balanced by a lack of Obstructive Marketing techniques outside of friendly western-style cultures.
• Inequality and religion are the main social threats to Critical Infrastructures.
• Technical Developments are both positive and negative for Critical Infrastructures, with a view that the future balance may be negative.
• Global warming will have, at least in the short term, an almost universal negative effect on Critical Infrastructures.
• Legal and regulatory controls are on the increase for Critical Infrastructures.
• Risk management and the understanding of dependencies are increasingly important.
• Critical Information Infrastructure’s primacy is confirmed.

Chapter 7
• In less than 20 years the use of Critical Information Infrastructure in business has advanced beyond recognition.
• Critical Information Infrastructure protection is now a key issue for business, led by the banks.
• Many standards across the regulated and nonregulated business have been introduced.
• These standards, including Sarbanes-Oxley, can be approached from a common base, ISO 17999.
• Over time there has been a shift from the tactical issues of recovery and continuity towards the strategic idea of Resilience.
• Regulation/Compliance/Asymmetric Warfare/Obstructive Marketing is driving Information Infrastructure Resilience in business.
• Critical Information Infrastructure protection and Resilience is key to Business Information Security and hence Business Security.
• A Chief Information Officer, a C-suite member, should be strategically responsible for Information Infrastructure in a corporate environment.
• Common standards are reviewed against each other in a table.

Chapter 8
• USA and Europe still have the ability to determine their own economic future.
• Europe’s future growth is potentially at risk from a USA-driven twenty-first century information-based “East India Company,” dominating the world’s electronic economy.
• Europe is concerned about this potential.
• Working together the USA and Europe could fashion a sustainable electronic economy.
• There are counter-arguments. For example, Sarbanes-Oxley has had some negative effects on business creation and growth as well as on regulation, compliance, and extraterritorial reach.
• The idea underlines the importance of Critical Information Infrastructure, because without it the idea will not work.

Chapter 9
• Call Centers are Information-Infrastructure-dependent businesses that have been increasingly outsourced over recent years.
• Outsourcing without thinking through all the consequences in a holistic manner is dangerous.
• Call Centers should not be located in areas of high political and economic risk.
• Call Centers must have access to Information Infrastructure and Disaster Recovery and Business Continuity.
• There can be international and national legal difficulties when outsourcing.
• The difference between now and the future is increasingly Information Infrastructure.
• Outsourcing demands Critical Information Infrastructure and Resilience.

Chapter 10
• 2000 was a definitive year for Information Infrastructure; it was the year it was understood how vital it was.
• Information Infrastructure is massively skewed to the OECD.
• Dependencies need to be understood, as do the tools to find them.
• There is a continuing argument in favor of a greater defense role in managing Information Infrastructure at both a control and operational level.
• Resilience is found in High Reliability Organizations such as submarines and aircraft carriers.
• The features of resilience found both in High Reliability Organizations and resilient children need to be replicated in Information Infrastructure and information people.
• Security is the state of being free from danger or injury; resilience is about being able to return to an original form after deformation.
• Information Infrastructure is now the Critical Infrastructure and all OECD economies are dependent upon it.
• Asymmetric Warfare targets and uses the Critical Information Infrastructure.
• Obstructive Marketing targets and uses the Critical Information Infrastructure.
• The Corporate World has more success in dealing with Asymmetric and Obstructive Marketing challenges than the Political World.
• The post Cold War vacuum was to be filled with democracy and globalization. It has not turned out quite like that.
• The expansion of the financial system based on Information Infrastructure has not been absolutely matched by standards.
• Commercial Information Infrastructure manufacturing companies are not helping resilience.
• Information Infrastructure is now the bedrock of society and governments are not doing enough to protect it.
• Political, economic, social, environmental, technological, and legal security all now depend on Information Infrastructure.
• Cooperation is needed to build the required international, national, and corporate resilience.

Chapter 11
• Resilience in children needs to be encouraged.
• Resilience in adults needs to be encouraged.
• Business needs to understand strategy, complexity, Obstructive Marketing, and Asymmetric Warfare – and specifically needs to assist in the defense of Critical Infrastructure.
• Threats are understood, and common.
• Current armed forces are out of date.
• Regional fora with a Public/Private partnership are required.
• National armed forces need a new “arm” to defend Critical Information Infrastructure in particular.
• Internationally the OECD and NATO could potentially cooperate to defend the west/north (OECD) against attacks on both Critical Infrastructure and Critical Information Infrastructure.
Chapter 13 A Manifesto for Change
Resilience in Critical Infrastructure and Critical Information Infrastructure Protection has implications at international, national, local, corporate, individual, and political level.

At an international level it must be recognized that some form of protection and defense strategy is required to both increase the resilience of international information infrastructure and deter its use for asymmetric warfare, obstructive marketing, and other unhelpful activities. There is a huge role for international law to be developed in this area. This should be seen as a priority. It has been recommended by this book that the OECD, NATO, the UN’s International Law Commission, and research bodies such as I3P and ETH are the sorts of bodies that should be involved in doing this. It does not matter too much who the bodies are, but the principle of international involvement in developing resilience is crucial. Without any doubt the defense of information infrastructure, and the development of the required resilience, must be treated as a new defense force. In the international context it is also important to recognize that the overall defense of infrastructures includes a need for negotiation between state and nonstate bodies; the latter becoming a more important part of the world’s communities than formerly. Eventually this may also include the need to negotiate with virtual communities. Much more attention needs to be given to solving and developing this issue than has been done to date.

Nationally it is important to recognize the primacy of Critical Information Infrastructure. This primacy is based on the dependency of all Critical Infrastructures on Critical Information Infrastructure. This means that Government departments related to Critical Infrastructures should be led by those responsible for Critical Information Infrastructure.
There is also a clear case for the creation of a new defense force, along the lines of an Army, Navy or Air Force, to cater for this new threat of attack through the Critical Information Infrastructure. Such a development would give both the emphasis and profile to a threat which arguably is more of a threat to any nation state than physical terrorism.

At a national level the priorities need to be understood. It is more important to protect the infrastructures than it is to deliver effective social services, because without the former there is no hope for the latter. Sight of these priorities should not be lost. It is only towards the end of this work that any mention of France has been made. However, it is clear that France has quietly maintained these priorities (with the possible exception of the protection of Information Infrastructure and Finance). Perhaps a lesson can be learned on national priorities from France. It is important that any national effort is a coordination of public and private sector.

Locally the same principles apply as at a national level. The local perspective must mirror the national perspective in an appropriate manner. This may mean a rethink of the type of local/regional structures. The 43 UK Police Forces, for example, do not match the English regions, which themselves do not properly coordinate with the shire counties. This, over the long term, is a recipe for disaster. As more and more attacks on national and local infrastructures are studied, more and more often it is the lack of coordination at such a level that allows events to happen, or makes them worse. Despite the bravery of the emergency services at both 9/11 and 7/07 it remains a recommendation of the reports into both incidents that there needs to be more coordination to handle attacks on infrastructures by local and regional bodies. This emphasizes the need for a different approach for both resilience and defense at local and regional level.

In the Corporate environment there is almost a universal need to understand that information is the life-blood, more appropriately the DNA, of a business. Lack of proper management in this area will eventually kill the business – as any disease or neglect might do to the human body. The corollary of asymmetric warfare in the corporate environment, Obstructive Marketing, is on the increase. It is no longer really rational to hold people responsible at 2–4 levels away from the C-suite for the integrity of the business.
The job needs to be done at a strategic level by recognized C-suite additions: the Chief Information Officers (CIOs). That this has not happened so far is a potential reason why so many different approaches to governance, regulation, and compliance have been needed. If there was clear strategic responsibility for these issues, then maybe the range of controls would not have been needed or introduced. In almost every case that has demanded some sort of action by federal or national authorities the root cause of the problem has been some manipulation, interference, or lack of control of business information. Business information both sits on and is part of Information Infrastructure.

At an individual level there must be a much wider understanding of what resilience means. At a practical level it means the ability to grow one’s own food through to the ability to manage a personal information infrastructure. Most of all, in an OECD society it means the personal responsibility to be educated and grow up with a set of values that make the individual resilient. This is therefore also a parental and political responsibility. As many of today’s parents have lost all understanding of how to be resilient themselves this comes back to the political agenda.

The political context of this book is analogous to the “Emperor’s New Clothes.” It is absolutely clear that international, national, local, and individual resilience is dependent on particular approaches to the common list of infrastructures and, in particular, Critical Information Infrastructure. However, the focus and priority of political activity is almost always on something that is not related to Critical Infrastructure – and if it is, it is the wrong priority. Although it will be said that the war on terror epitomizes the defense of infrastructures, it does not. It compromises most of the values of society in one way, shape or form and has not allocated any real resources to the defense of Infrastructures, particularly Information Infrastructure. This book is littered with the paucity of political thought on Infrastructures. It does remain important to look after these other things, but not at the expense of exposing Infrastructures to potential damage. The preference for pandering to tabloid demands as opposed to addressing the real needs of a resilient society is to be deplored. This is not a left or right issue; it is the matter of a democratic government undertaking its primary duty, protecting citizens. There may be some party political differences in how to approach individual resilience. However, the fact of the matter is that no government has outlined the key attributes of resilient children and then, as a matter of national priority, gone out to produce such attributes in children.
The key priorities of the current political context must be to develop and maintain a resilient energy policy; to develop and maintain a sound financial infrastructure; to develop and maintain resilient food security in the short-, medium-, and long-term; to develop and maintain the nation’s health resilience; to develop and maintain effective and resilient government services; to maintain a resilient law and order structure; to develop and maintain a resilient manufacturing base; to develop and maintain national icons; to develop and maintain a resilient transport infrastructure; to develop and maintain resilient fresh water supplies; to develop and maintain effective waste water treatment (and waste disposal in general); to develop and maintain resilient people; and to develop and maintain a resilient education and intellectual property infrastructure. This is a challenge for our political masters. It is a particular challenge for the USA and the European Union. The former because of its international leadership position, the latter because it has now so much legislative responsibility that it must show the lead to European nations, and both because they are effectively the greater part of the OECD.
Appendix An Introductory Information Infrastructure Resilience, Recovery and Security Bibliography
Introduction

This book promotes Resilience in Critical Infrastructure Protection. Primarily, Critical Information Infrastructure Protection (CIIP), combining computer and communication systems infrastructure, focusing on key issues as facilitators of CIIP efforts including:

● Information sharing
● Data and network security
● IT governance
● Risk management
● Cyber terrorism

Information Infrastructure is a critical cross-cutting factor, which other Critical Infrastructures depend upon. CIIP is as vital as power. This bibliography is designed to assist those who wish to understand the range of material published on subjects related to Information Infrastructure Resilience, Recovery, and Security. It does not claim to be comprehensive. Indeed the review of literature identifies a number of gaps. As will be seen, reliance is placed on a wide range of associated areas of interest to bring together potentially relevant material. For those already involved with this subject as an academic, or a practitioner, this bibliography may be basic. There may be other sources not included here. Please be kind enough to inform of any glaring omission or commission errors – [email protected].

Most references before 1998 are excluded. This is a rapidly moving area where things quickly become out of date. However, where certain texts before 1998 are viewed as important they have been included. An effort has been made to include some tacit as well as explicit sources. Clearly, key text authors are important tacit resources. All Eric Goetz’s and Sujeet Shenoi’s colleagues and teams at I3P are, for example, good sources of tacit knowledge. Annotations are made where it is thought appropriate.
The list of Internet links is a long one, and there is an emphasis on links in general. The subject is both relatively immature and very much concerned with online activity; therefore much of the information available is naturally online. The discerning will notice that the balance of content is very much in reverse order: security, recovery, and resilience. It is clear that much less effort has gone into making Information Infrastructure, systems, utilities, etc. resilient than there has into working out how to recover from disaster or plug the holes. This is a reflection of the way Information Infrastructure has developed over the last decade. It is also a reflection of the balance of the risk equation, which is in favor of recovery rather than resilience. This is broadly as it should be in a market economy, if the risks have been well thought through. However, there is increasing evidence that this is not so: the risks have not been thought through. Privatization has led to a loss of linkage between Government and strategic resources. This trend has meant that even those businesses previously considered quasi-national, for example BT in the UK, have lost their place in the national strategic order. This in turn means that not enough thought has gone into protecting vital national assets. This may be appropriate in an increasingly federal world, but not in an increasingly asymmetric world. So some redress of the balance on national strategic assets and their protection/resilience is required. This is the main lesson from this literature review.
Bibliographies/Lists/Directories/Surveys/Search Engines

Ares. http://www.aresacademia.com/sistemas/pads/pads7.htm (Accessed: 3 January 2007). Spanish site, but the bibliography is in English.
Asymmetric Warfare. http://www.au.af.mil/au/aul/bibs/asm/asw.htm (Accessed: 3 January 2007).
Asymmetric Warfare. http://www.comw.org/rma/fulltext/asymmetric.html (Accessed: 3 January 2007).
Air War College. http://www.au.af.mil/au/awc/awcgate/awc-thry.htm#bibs (Accessed: 3 January 2007).
Amazon. http://www.amazon.com (Accessed: 3 January 2007). Amazon has lists of lists, which can add to the books listed in this document.
British Computer Society Publications. http://www.bcs.org/bcs/products/publications (Accessed: 3 January 2007).
Business Continuity, etc. http://www.survive.com/Resources (Accessed: 3 January 2007).
Cambridge Scientific Abstracts, Computers. http://uk1.csa.com/csa/factsheets/computer.shtml (Accessed: 3 January 2007).
Computer Emergency Response Team (CERT) Information Security Research Papers. http://www.cert.org/research/papers.html.
CESG (2004) Directory of INFOSEC Assured Products. UK. CESG. http://www.cesg.gov.uk (Accessed: 3 January 2007). Listings of security products that meet with UK Government approval.
CESG ‘Cloud Cover’ Public Key Infrastructure Project Bibliography. http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=1&displayPage=11 (Accessed: 3 January 2007).
Computer Security Books. http://www.epic.org/bookstore/security.html (Accessed: 3 January 2007).
Usability of Computer Security. http://www.sims.berkeley.edu/%7Erachna/security_usability.html (Accessed: 3 January 2007).
Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection. Zurich, Switzerland. The Swiss Federal Institute of Technology. Available at http://www.isn.ethz.ch/crn (Accessed: 3 January 2007). This has a wide-ranging bibliography on Critical Information Infrastructure Protection for Australia, Austria, Canada, Finland, France, Germany, Italy, The Netherlands, New Zealand, Norway, Sweden, Switzerland, United Kingdom and United States, on Critical Information Infrastructure methods and models, and a number of links.
Cryptography and Security. http://theory.lcs.mit.edu/~rivest/crypto-security.html (Accessed: 3 January 2007).
Defense Information Access Network. http://www.dianepublishingcentral.com/CustomerService.asp (Accessed: 3 January 2007).
Department of Energy Information Security. http://doe-is.llnl.gov (Accessed: 3 January 2007).
Disaster Recovery, Emergency Planning Books. http://www.binomial.com/bookstore/cg040001.htm (Accessed: 3 January 2007).
Ernst and Young (2004) IT Security Solutions Directory. London, UK. Showtime Media Services. This is an annual publication by Showtime Media Services, sponsored in 2004 by Ernst and Young, which lists and tabulates vendor solutions to security problems.
Google. http://www.google.co.uk (Accessed: 3 January 2007). And other search engines.
Google Scholar. http://www.scholar.google.com (Accessed: 3 January 2007). And other academic search engines.
The Information Security Policies/Computer Security Policies Directory. http://www.information-security-policies-and-standards.com/ (Accessed: 3 January 2007).
Information Warfare and Information Security on the Web. http://www.fas.org/irp/wwwinfo.html (Accessed: 3 January 2007).
Institute of Directors Publications. http://www.iod.com/is-bin/INTERSHOP.enfinity/eCS/Store/en/-/GBP/IODStart (Accessed: 3 January 2007). Mainly books, articles, etc. on corporate governance and the security issues associated with it.
ISO17799 Directory of Software and Security Risk Analysis. http://www.iso17799software.com/ (Accessed: 3 January 2007).
Lancaster Index, The. http://www.mpr.co.uk/scripts/sweb.dll/li_home (Accessed: 20 December 2004). A listing/bibliography of defense and international security literature.
Microsoft. http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/iisbook/c09_additional_resources.asp (Accessed: 3 January 2007). A Microsoft security resources list.
National Transportation Library. http://ntl.bts.gov/faq/sept11.html (Accessed: 3 January 2007).
Network Security Reading. http://www.spinics.net/linux/netsec.php (Accessed: 3 January 2007).
Network Security Library. http://secinf.net/ (Accessed: 3 January 2007).
Perpetuity Press. http://www.perpetuitypress.com (Accessed: 3 January 2007). Specialises in books, journals and manuals in the fields of crime, risk and security.
Qinetiq White Papers. http://www.qinetiq.com/home/markets/security/securing_your_business/information_and_network_security/white_paper_index.html (Accessed: 3 January 2007). A series of very relevant white papers. The Qinetiq site is also a good source of tacit knowledge.
Questia. An online library. http://www.questia.com (Accessed: 3 January 2007).
Price Waterhouse Coopers (2004) Information Security Breaches Survey. London, UK. Department of Trade and Industry. An annual survey of information security breaches. Available at http://www.security-survey.gov.uk (Accessed: 3 January 2007).
Rand Organization. http://www.rand.org/publications (Accessed: 3 January 2007).
Reliability Books and Related Subjects. http://www.enre.umd.edu/rbooks.htm (Accessed: 3 January 2007).
Reliability Engineering and Risk Management. Cranfield University’s papers. http://www.cranfield.ac.uk/sims/reliability/rermcresearchcapability03.pdf (Accessed: 3 January 2007).
Revolution in Military Affairs. http://www.comw.org/rma/index.html (Accessed: 3 January 2007).
RFID (Radio Frequency Identification) Security and Privacy. http://lasecwww.epfl.ch/~gavoine/rfid/ (Accessed: 3 January 2007).
Risk Software and Computer Risks. http://www.riskworld.com/BOOKS/topics/risksoft.htm (Accessed: 3 January 2007).
The Rothstein Catalogue on Disaster Recovery. http://www.rothstein.com/ (Accessed: 3 January 2007).
Security Issues (Neil Johnson’s Bibliographies). http://www.jjtc.com/Security/bib (Accessed: 3 January 2007).
Security and Cryptology. http://liinwww.ira.uka.de/bibliography/Misc/security.2.html (Accessed: 3 January 2007).
SEMPER. http://www.semper.org/sirene/collections/booklist.html (Accessed: 3 January 2007). This was a European R&D project on eCommerce with a substantial booklist. It terminated in 2002, so some of the book references are old.
Books – Arranged Alphabetically by Subject

Books on this subject tend, by nature, to be specialist and are thus published by specialist companies or by specialist divisions of major publishers. The book listings of these publishers are therefore a further rich source of additional material. The books listed here are those that form the foundation of the resilience, recovery and security press; most can be found at the bookstores at the major conferences.

Apache
Apache is open-source web server software. http://www.apache.org (Accessed: 3 January 2007).
Coar, K and Bowen, R (2003) Apache Cookbook. Farnham, UK. O’Reilly.
Mobily, T, et al. (2003) Professional Apache Security. Indianapolis, Indiana, USA. Wrox Press Ltd.
Wainwright, P (2004) Professional Apache. Berkeley, CA, USA. Apress.

Auditing and Security
Musaji, YF (2001) Auditing and Security: AS/400, NT, Unix, Networks and Disaster Recovery Plans. New York, USA. Wiley.

Backup (In Terms of Backing Up Data on Computers)
Desai, A (2000) SQL Server 2000 Backup and Recovery (Database Professional’s Library). Emeryville, CA, USA. Osborne McGraw-Hill.
Freeman, R and Hart, M (2002) Oracle9i RMAN Backup and Recovery (Oracle Press S.). USA. Osborne McGraw-Hill.
Hobbs, L, et al. (2000) OCP: Oracle8i DBA Architecture and Administration and Backup and Recovery Study Guide. CA, USA. Sybex International.
Little, DB (2003) Implementing Backup and Recovery: The Readiness Guide for the Enterprise (VERITAS S.). New York, USA. Wiley.
Stringfellow, S, Klivansky, M and Barto, M (2000) Backup and Restore Practices for Sun Enterprise Servers (Sun Blueprints S.). Indianapolis, Indiana, USA. Prentice-Hall.
Velpuri, R, et al. (2000) Oracle8i Backup and Recovery (Oracle Press S.). Emeryville, CA, USA. Osborne McGraw-Hill.

Carnivore
Carnivore was an FBI packet-sniffing system for monitoring Internet traffic under court-ordered surveillance.
Hatch, OG (2000) Carnivore Controversy: Electronic Surveillance and Privacy in the Digital Age: Hearing Before the Committee on the Judiciary, U.S. Senate. Collingdale, PA, USA. Diane Pub Co.
Canady, CT (2000) Fourth Amendment Issues Raised by the FBI’s Carnivore Program: Hearing Before the Committee on the Judiciary, U.S. House of Representatives. Collingdale, PA, USA. Diane Pub Co.

Certification for Security Professionals
Note that material relevant to the Certificate of Information Security Management is contained in the links section.
Behtash, B (2004) CCSP Self-Study: Cisco Secure PIX Firewall Advanced (CSPFA). USA. Cisco Press.
Bragg, R (2002) MCSE Training Guide (70-220): Designing Security. Indianapolis, Indiana, USA. Que.
Bragg, R (2004) MCSE Windows Server 2003 (Exam 70-298): Designing Security for a Windows Server 2003 Network: Training Kit. USA. Microsoft Press International.
Bragg, R and Tittel, E (2004) Designing Security for a Windows Server 2003 Network: Exam 70-298 (Exam Cram 2 S.). Indianapolis, Indiana, USA. Que.
Carter, E (2004) CCSP Self-Study: Cisco Secure Intrusion Detection System. USA. Cisco Press.
Cockroft, L (2003) CCSP SECUR Exam Cram 2 (642-501). Indianapolis, Indiana, USA. Que.
Dubrawski, I and Grey, P (2003) CCSP CSI Exam Certification Guide: CCSP Self-Study. USA. Cisco Press.
Edwards, W, et al. (2003) CCSP Secure PIX and Secure VPN Study Guide (642-521 and 642-511). CA, USA. Sybex International.
Edwards, W, et al. (2004) CCSP Study Guide Kit (642-501, 642-511, 642-521, 642-531, 642-541). CA, USA. Sybex International.
Golubski, C and Heldman, W (2001) MCSE: ISA Server 2000 Administration Study Guide. USA. Sybex International.
Hansche, S (2003) Official (ISC)2 Guide to the CISSP Exam. USA. Auerbach Publishers Inc.
Harris, S (2003) CISSP Certification All-in-One Guide, 2nd Edition. Emeryville, CA, USA. Osborne McGraw-Hill.
Hausman, KK (2003) Security+ (Exam Cram SY0-101) (Exam Cram 2 S.). Indianapolis, Indiana, USA. Que.
Hussain, Y (2004) CCIE Security Practice Labs (CCIE Self-Study). USA. Cisco Press.
Information Systems Audit and Control Association Staff (2001) CISA Review Manual 2002. Rolling Meadows, IL, USA. Information Systems Audit and Control Association.
Kramer, J (2003) The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam. New York, USA. Wiley.
Krutz, RL and Vines, RD (2001) The CISSP Prep Guide: Mastering the Ten Domains of Computer Security. New York, USA. Wiley.
Krutz, RL and Vines, RD (2003) Advanced CISSP Prep Guide: Exam Q and A. New York, USA. Wiley.
Krutz, RL (2004) The CISSP Prep Guide: Mastering CISSP and ISSEP. New York, USA. Wiley.
Menga, J (2003) CCSA NG Check Point Certified Security Administrator Study Guide (Certification Press). CA, USA. Sybex International.
Microsoft Press (2003) MCSA/MCSE Self-Paced Training Kit: Implementing and Maintaining Security in a Windows 2000 Network Infrastructure. USA. Microsoft Press International.
Miller, LC and Gregory, PH (2002) CISSP for Dummies. New York, USA. Wiley.
Molta, D and Akin, D (2003) CWSP Certified Wireless Security Professional: Official Study Guide (Exam PW0-200). Emeryville, CA, USA. Osborne McGraw-Hill.
Newman, DP, et al. (2004) CSIDS Exam Cram 2: Exam 642-531. Indianapolis, Indiana, USA. Que.
Newcomb, MJ (2004) CCSP SECUR Exam Certification Guide. USA. Cisco Press.
Northrup, T (2004) MCSA/MCSE Self-Paced Training Kit: Implementing and Administering Security in a Windows Server 2003 Network. USA. Microsoft Press International.
Reisman, B and Ruebush, M (2004) MCSE: Windows Server 2003 Network Security Design Study Guide (70-298). CA, USA. Sybex International.
Roland, J (2004) CCSP Self-Study: Securing Cisco IOS Networks (SECUR). USA. Cisco Press.
Schmied, W and Shimonski, RJ (2003) MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000 (Exam 70-292): Study Guide and DVD Training System. Rockland, MA, USA. Syngress Media.
Shimonski, RJ and Shinder, DJ (2003) Security+ Study Guide and DVD Training System. Rockland, MA, USA. Syngress Media.
Skoudis, E (2002) The Network Security Training Course Desktop. Indianapolis, Indiana, USA. Prentice-Hall.
Tittel, E, et al. (2004) CISSP: Certified Information Systems Security Professional Study Guide. CA, USA. Sybex International.

Cisco
Cisco, along with a number of other key vendors such as Microsoft, Intel and Oracle, has a wide range of resources dedicated to its products. This is a consequence of the high market share each holds in particular product areas, and of their obvious desire to keep it that way.
Sedayao, J (2001) Cisco IOS Access Lists. Farnham, UK. O’Reilly.

Code (As in Computer Code)
Xambó-Descamps, S (2003) Block Error-Correcting Codes: A Computational Primer (Universitext S.). Berlin, Germany. Springer.
Hatton, L (1994) Safer C: Developing Software in High-Integrity and Safety-Critical Systems (McGraw-Hill International Series in Software Engineering). Emeryville, CA, USA. McGraw-Hill Publishing Co.
Hoglund, G and McGraw, G (2004) Exploiting Software: How to Break Code. Boston, MA, USA. Addison Wesley.

Computer Security
Amoroso, E (1994) Fundamentals of Computer Security Technology. New Jersey, USA. AT&T.
Bishop, M (2002) Computer Security: Art and Science. Boston, MA, USA. Addison Wesley.
Gollmann, D (1999) Computer Security. New York, USA. Wiley.
Greene, TC (2004) Computer Security for the Home and Small Office. USA. Apress.
Leveson, N (1995) Safeware: System Safety and Computers. Boston, MA, USA. Addison Wesley.
Luber, A (2002) PC Fear Factor. Indianapolis, Indiana, USA. Que.
Penfold, RRC (1998) Computer Security: Businesses at Risk. London, UK. Robert Hale Limited.
Pieprzyk, J, et al. (2003) Fundamentals of Computer Security. Berlin, Germany. Springer.
Zelkowitz, MV (ed.) (2004) Advances in Computers, Vols. 40–62. New York, USA. Elsevier.

Corporate Security
Alagna, T, et al. (2005) Larstan’s Black Book on Corporate Security. Potomac, Maryland, USA. Larstan.
Crime/Forensics/Malice/Malware
Akdeniz, Y (2003) Sex on the Net: The Dilemma of Policing Cyberspace (Behind the Headlines S.). USA. South Street Press.
Benson, R (1996) Acquiring New ID: How to Easily Use the Latest Technology to Drop Out, Start Over and Get on with Your Life. Boulder, CO, USA. Paladin Press.
Casey, E (2004) Digital Evidence and Computer Crime. USA. Academic Press.
Casey, E (2001) Handbook of Computer Crime Investigation: Forensic Tools and Technology. USA. Academic Press.
Endorf, C, et al. (2003) Intrusion Detection and Prevention: The Authoritative Guide to Detecting Malicious Activity (Security). Emeryville, CA, USA. Osborne McGraw-Hill.
Jewkes, Y (2003) Dot.cons: Crime, Deviance and Identity on the Internet. Cullompton, Devon, UK. Willan Publishing.
Kruse, WG II and Heiser, J (2001) Computer Forensics Essentials. Boston, MA, USA. Addison Wesley.
Levy, S (2002) Hackers: Heroes of the Computer Revolution. UK. Penguin Books.
Mintz, A and Mintz, AP (2002) Web of Deception: Misinformation on the Internet. Toronto, ON, Canada. Cyberage Books.
Mitnick, KD and Simon, WL (2003) The Art of Deception: Controlling the Human Element of Security. New York, USA. Wiley.
Parker, D (1998) Fighting Computer Crime: A New Framework for Protecting Information. New York, USA. Wiley.
Negus, C (2004) Fedora Troubleshooting Bible. New York, USA. Wiley.
Peikari, C and Chuvakin, A (2004) Security Warrior. Farnham, UK. O’Reilly.
Prosise, C and Mandia, K (2003) Incident Response and Computer Forensics. Emeryville, CA, USA. Osborne McGraw-Hill.
Russell, R and Beale, J (2004) Stealing the Network: How to Own a Continent. Rockland, MA, USA. Syngress Media.
Russell, R (2003) Stealing the Network: How to Own the Box. Rockland, MA, USA. Syngress Media.
Phillips, A, et al. (2004) Computer Forensics and Investigations. Boston, MA, USA. Course Technology.
Sammes, AJ and Jenkinson, B (2000) Forensic Computing: A Practitioner’s Guide (Practitioner S.). Godalming, UK. Springer.
Schneier, B (2004) Secrets and Lies: Digital Security in a Networked World. New York, USA. Wiley.
Skoudis, E (2003) Malware: Fighting Malicious Code. Indianapolis, Indiana, USA. Prentice-Hall.
Slatalla, M (1996) Masters of Deception: The Gang That Ruled Cyberspace. London, UK. HarperCollins.
Stoll, C (2000) The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. New York, USA. Simon and Schuster Inc.
Syngress (2004) Snort 2.1 Intrusion Detection. Rockland, MA, USA. Syngress Media.
The Honeynet Project (2004) Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Boston, MA, USA. Addison Wesley.
Thomas, D and Loader, BD (2000) Cybercrime: Law Enforcement, Security and Surveillance in the Information Age. London, UK. Routledge, an imprint of Taylor and Francis Books.
Wang, W (2000) Steal This Computer Book 2: What They Won’t Tell You About the Internet. San Francisco, CA, USA. No Starch Press.
Whittaker, J and Thompson, H (2003) How to Break Software Security. Boston, MA, USA. Addison Wesley.

Critical Infrastructure
Dacey, RF (2003) Critical Infrastructure Protection: Commercial Satellite Security Should Be More Fully Addressed. Collingdale, PA, USA. Diane Pub Co.
Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection: The International CIIP Handbook 2004. Zurich, Switzerland. Centre for Security Studies. Available at http://www.isn.ethz.ch/crn/publications/publications_crn.cfm?pubid=224 (Accessed: 20 December 2004).
Ware, WH (1998) The Cyber-Posture of the National Information Infrastructure. Santa Monica, CA, USA. Rand Corporation.

Cryptography
Cryptography is the encoding of information in such a way that only a party (person or computer) holding the appropriate key can decode it.
Delfs, H and Knebl, H (2001) Introduction to Cryptography: Principles and Applications (Information Security and Cryptography). Berlin, Germany. Springer.
Ferguson, N and Schneier, B (2003) Practical Cryptography. New York, USA. Wiley.
Hershey, J (2002) Cryptography Demystified. Emeryville, CA, USA. McGraw-Hill Education.
Mao, W (2003) Modern Cryptography: Theory and Practice. Indianapolis, Indiana, USA. Prentice-Hall.
Mel, HX, et al. (2000) Cryptography Decrypted. Boston, MA, USA. Addison Wesley.
Menezes, AJ, et al. (1996) Handbook of Applied Cryptography. Boca Raton, FL, USA. CRC Press.
Rhee, MY (2003) Internet Security: Cryptographic Principles, Algorithms and Protocols. London, UK. Wiley.
Rhee, MY (1994) Cryptography and Secure Communications (The McGraw-Hill Series on Computer Communications). Emeryville, CA, USA. McGraw-Hill Education (ISE Editions).
Schneier, B (1995) Applied Cryptography: Protocols, Algorithms and Source Code in C. New York, USA. Wiley.
Trappe, W and Washington, LC (2002) Introduction to Cryptography with Coding Theory. Indianapolis, Indiana, USA. Prentice-Hall.
Van Der Lubbe, JCA and Gee, S (1998) Basic Methods of Cryptography. Cambridge, UK. Cambridge University Press.
Weiss, J (2004) Java Cryptography Extensions: Practical Guide for Programmers. San Francisco, CA, USA. Morgan Kaufmann.
Young, A and Yung, M (2004) Malicious Cryptography: Exposing Cryptovirology. New York, USA. Wiley.

Data/Databases and Related Issues
Gary, J (2000) Database: Principles, Programming, Performance. San Francisco, CA, USA. Morgan Kaufmann.
Gill, T, et al. (1998) Introduction to Metadata. Los Angeles, CA, USA. Getty Education Institute for the Arts.
King, D and Newson, D (1999) Data Network Engineering (BT Telecommunications S.). Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
Klosek, J (2000) Data Privacy in the Information Age. Westport, USA. Quorum Press.
Knox, D (2004) Effective Oracle Database 10g Security by Design (Oracle Press S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Sayood, K (2000) Introduction to Data Compression (The Morgan Kaufmann Series in Multimedia Information and Systems). San Francisco, CA, USA. Morgan Kaufmann.
Sahni, S (2004) Data Structures, Algorithms, and Applications in C++. Summit, NJ, USA. Silicon Press.
Wang, RY, et al. (2000) Data Quality (The Kluwer International Series on Advances in Database Systems). Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
White, G (2001) Data and Voice Security. Indianapolis, Indiana, USA. Sams.

Data Mining (The Process of Searching Data for Specific Information)
Berry, MJA (2004) Data Mining Techniques, Second Edition: For Marketing, Sales, and Customer Relationship Management. New York, USA. Wiley.
Mohammadian, M (2004) Intelligent Agents for Data Mining and Information Retrieval. Hershey, PA, USA. Idea Group Inc.
Witten, IH and Frank, E (1999) Data Mining: Practical Machine Learning Tools and Techniques (The Morgan Kaufmann Series in Data Management Systems). San Francisco, CA, USA. Morgan Kaufmann.

Disaster Recovery and Contingency Planning (Relevant to Technology)
Arnell, A and Davis, D (1989) Handbook of Disaster Recovery Planning. Emeryville, CA, USA. McGraw-Hill Education.
Bernan Associates (2003) Planning for Post-Disaster Recovery and Reconstruction. Lanham, MD, USA. Bernan Associates.
Broby, L (2002) Disaster Recovery and Corporate Survival Strategies: Pre-Emptive Procedures and Countermeasures (Financial Times Executive Briefings). London, UK. Financial Times/Prentice-Hall.
Brooks, C and IBM (2002) Disaster Recovery Strategies with Tivoli Storage Management (IBM Redbooks). USA. Vervante.
Buchanan, RW (2002) Network Disaster Recovery: Planning for Business Continuity and System Performance (Professional Telecommunications S.). Emeryville, CA, USA. McGraw-Hill Education.
Chase, K (2002) PC Disaster and Recovery. CA, USA. Sybex International.
Childs, DR and Dietrich, S (2002) Contingency Planning and Disaster Recovery: A Small Business Guide. New York, USA. Wiley.
Christensen, B (1999) From Management to Leadership: A History of Recovery from Disaster and Learning from the Experience. Boca Raton, FL, USA. uPublish.com.
Christopher, J (2004) Full Recovery: Protect Your Small Business from Disasters and Unforeseen Events. Berkeley, CA, USA. Peachpit Press.
Cougias, DJ, et al. (2003) The Backup Book. USA. Schaser-Varten Books.
CTRC (1997) Contingency Planning and Disaster Recovery: Protecting Your Organization’s Resources. UK. CTRC Computer Technology Research Corporation.
Erbschloe, M and Vacca, JR (2003) Guide to Disaster Recovery. Boston, MA, USA. Course Technology.
Evan, W and Manion, M (2002) Minding the Machines: Preventing Technological Disasters. Indianapolis, Indiana, USA. Prentice-Hall.
Grigonis, R (2002) Disaster Survival Guide for Business Communications Networks. Emeryville, CA, USA. Osborne McGraw-Hill.
Gustin, J (2002) Disaster Recovery Planning: A Guide for Facility Managers. Indianapolis, Indiana, USA. Prentice-Hall.
Hiatt, C (2000) A Primer for Disaster Recovery Planning in an IT Environment. Hershey, PA, USA. Idea Group Inc.
IBM (1999) SAP R/3 on DB2 for OS/390: Disaster Recovery. USA. Vervante.
IBM (2000) Disaster Recovery Using HAGEO and GeoRM. USA. Vervante.
Lewis, S (2004) Disaster Recovery Yellow Pages. Newton, MA, USA. Systems Audit Group Inc.
Lang, A and Larkin, R (2001) Disaster Preparedness and Recovery: A Guide for Nonprofit Board Members and Executives. Washington, DC, USA. Board Source.
Mahdy, GE (2001) Disaster Management in Telecommunications, Broadcasting and Computer Systems. London, UK. Wiley.
Maiwald, E and Sieglein, W (2002) Security Planning and Disaster Recovery. Emeryville, CA, USA. Osborne McGraw-Hill.
Miora, M (2000) NCSA Guide to Enterprise Disaster Recovery Planning. Emeryville, CA, USA. McGraw-Hill Education.
Mellish, B and IBM (2002) IBM Total Solutions for Disaster Recovery (IBM Redbooks). USA. Vervante.
Mellish, B and IBM (2002) IBM TotalStorage. USA. Vervante.
Neaga, G (1997) Fire in the Computer Room, What Now? Disaster Recovery Handbook (IBM Books). Indianapolis, Indiana, USA. Pearson Education.
NIIT (2002) Disaster Recovery. Portland, OR, USA. Premier Press.
Pedersen, A (1998) NAFCU’s Contingency Planning, Disaster Recovery, and Record Retention for Credit Unions. Arlington, VA, USA. AS Pratt.
Preston, WC (1999) UNIX Backup and Recovery. Farnham, UK. O’Reilly.
QED (1995) Disaster Recovery: Contingency Planning and Programme Analysis. Boston, MA, USA. QED Technical Publishing Group.
Robinson, MK (2003) Disaster Recovery for Nonprofits. Lanham, MD, USA. University Press of America.
TechRepublic (2003) Administrator’s Guide to Disaster Planning and Recovery, Vol. 2. USA. TechRepublic.
Toigo, J (2002) Disaster Recovery Planning: Preparing for the Unthinkable. Indianapolis, Indiana, USA. Prentice-Hall.
Vacca, J (2004) The Business Case for Network Disaster Recovery Planning. USA. Cisco Press.
Wallace, M and Webber, L (2004) The Disaster Recovery Handbook. London, UK. Amacom.
Warrick, C and IBM (2004) IBM TotalStorage Solutions for Disaster Recovery. Palos Verdes, CA, USA. Vervante.
Wold, RL (1989) Disaster Recovery for Banks. Emeryville, CA, USA. William C Brown.
Zaenglein, N (1998) Disk Detective: Secrets You Must Know to Recover Information from a Computer. Boulder, CO, USA. Paladin Press.

eBusiness
Ghosh, AK (2001) Security and Privacy for e-Business. New York, USA. Wiley.
Matsuura, JH (2001) Security, Rights and Liabilities in E-Commerce (Telecommunications Library). Norwood, MA, USA. Artech House Books.

Firewalls
Firewalls are devices or software that filter traffic between networks of differing trust according to a defined policy, so that hostile traffic is kept from reaching the hosts behind them.
Callisma (2002) Cisco Security Specialist’s Guide to PIX Firewall. Rockland, MA, USA. Syngress Media.
Deal, R (2002) Cisco PIX Firewalls. Emeryville, CA, USA. Osborne McGraw-Hill.
Komar, B, et al. (2003) Firewalls For Dummies. New York, USA. Wiley.
Kopparapu, C (2002) Load Balancing Servers, Firewalls and Caches. New York, USA. Wiley.
Mason, A, et al. (2003) Check Point NG FireWall-1/VPN-1 Administration (Network Professional’s Library). Emeryville, CA, USA. Osborne McGraw-Hill.
McCarty, B (2002) Red Hat Linux Firewalls. New York, USA. Wiley.
Northcutt, S (2002) Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks, Routers and Network Intrusion Detection. USA. New Riders.
Strassberg, K, et al. (2002) Firewalls: The Complete Reference (Complete Reference S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Welch-Abernathy, D (2004) Essential Check Point FireWall-1 NG: An Installation, Configuration and Troubleshooting Guide. Boston, MA, USA. Addison Wesley.
Ziegler, R and Constantine, C (2001) Linux Firewalls. USA. New Riders.
Zwicky, ED, et al. (2000) Building Internet Firewalls. Farnham, UK. O’Reilly.

Hacking
The pejorative sense of hacker is becoming more prominent, largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems in order to steal or corrupt data. Hackers themselves maintain that the proper term for such individuals is cracker (Webopedia).
Beaver, K (2004) Hacking for Dummies. New York, USA. Wiley.
Dr-K (2002) A Complete Hacker’s Handbook. UK. Carlton Books.
Dr-K (2004) Hackers’ Tales: Stories from the Electronic Front Line. London, UK. Carlton Books.
EC-Council (2004) Ethical Hacking. Chicago, IL, USA. Independent Publishers Group/OSB Publisher Pte Ltd.
Erickson, J (2003) Hacking: The Art of Exploitation. San Francisco, CA, USA. No Starch Press.
Flickenger, R (2003) Linux Server Hacks. Farnham, UK. O’Reilly.
Graham, P (2004) Hackers and Painters: Essays on the Art of Programming. Farnham, UK. O’Reilly.
Gunkel, DJ (2001) Hacking Cyberspace. Boulder, CO, USA. Westview Press.
Hatch, B, et al. (2002) Hacking Exposed Linux: Linux Security Secrets and Solutions. Emeryville, CA, USA. Osborne McGraw-Hill.
Hemenway, K and Calishain, T (2003) Spidering Hacks. Farnham, UK. O’Reilly.
Huang, A (2003) Hacking the Xbox: An Introduction to Reverse Engineering. San Francisco, CA, USA. No Starch Press.
Jones, K, et al. (2003) Anti-Hacker Tool Kit. Emeryville, CA, USA. Osborne McGraw-Hill.
Kaspersky, K (2003) Hacker Disassembling Uncovered. UK. Computer Bookshops.
Klevinsky, TJ, et al. (2004) Hack I.T.: Security Through Penetration Testing. Boston, MA, USA. Addison Wesley.
Lockhart, A (2004) Network Security Hacks. Farnham, UK. O’Reilly.
McClure, S, et al. (2003) Hacking Exposed: Network Security Secrets and Solutions, 4th Edition. Emeryville, CA, USA. Osborne McGraw-Hill.
Mutton, P (2004) IRC Hacks. Farnham, UK. O’Reilly.
Parker, T, et al. (2004) Cyber Adversary Characterization: Auditing the Hacker Mind. Rockland, MA, USA. Syngress Media.
Scambray, J and McClure, S (2003) Hacking Exposed Windows Server 2003 (Hacking Exposed). Emeryville, CA, USA. Osborne McGraw-Hill.
Scambray, J, et al. (2002) Hacking Exposed: Web Applications (Hacking Exposed). Emeryville, CA, USA. Osborne McGraw-Hill.
Schiffman, M (2001) Hacker’s Challenge: Test Your Incident Response Skills Using 20 Scenarios. Emeryville, CA, USA. Osborne McGraw-Hill.
Schiffman, M, et al. (2003) Hacker’s Challenge 2: Test Your Network Security and Forensic Skills (Hacking Exposed S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Skoudis, E (2001) Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defense. Indianapolis, Indiana, USA. Prentice-Hall.
Syngress (2004) Hardware Hacking: Have Fun While Voiding Your Warranty. Rockland, MA, USA. Syngress Media.
Tulloch, M (2004) Windows Server Hacks. Farnham, UK. O’Reilly.
Vladimirov, A (2004) Wi-Foo: The Secrets of Wireless Hacking. Boston, MA, USA. Addison Wesley.
Warren, HS (2002) Hacker’s Delight. Boston, MA, USA. Addison Wesley.

Hardening
Hardening is the process of making hardware and software more resilient and resistant to damage, intrusion and attack. The term was initially used in the sense of protecting computer systems from the electromagnetic pulse of a nuclear detonation; its use has since widened to cover more prosaic measures such as removing unneeded services and tightening configuration.
Akin, T (2002) Hardening Cisco Routers. Farnham, UK. O’Reilly.
Bragg, R (2004) Hardening Windows Systems. Emeryville, CA, USA. Osborne McGraw-Hill.
Gharajedaghi, J (1999) Systems Thinking: Managing Chaos and Complexity. Woburn, MA, USA. Butterworth-Heinemann.
Hallows, JE (2004) Information Systems Project Management: How to Deliver Function and Value in Information Technology Projects.
Hassell, J (2004) Hardening Windows. Berkeley, CA, USA. Apress.
Mobily, T (2004) Hardening Apache. Berkeley, CA, USA. Apress.
Noonan, W (2004) Hardening Network Infrastructure. Emeryville, CA, USA. Osborne McGraw-Hill.
Terpstra, JH, et al. (2004) Hardening Linux. Emeryville, CA, USA. Osborne McGraw-Hill.
Turnbull, J (2004) Hardening Linux. Berkeley, CA, USA. Apress.

Incident Response
Schultz, EE and Shumway, R (2001) Incident Response. USA. New Riders.
Mandia, K, et al. (2003) Incident Response. Emeryville, CA, USA. Osborne McGraw-Hill.

Information/Information Technology Security and Assurance
Barman, S (2001) Writing Information Security Policies. USA. New Riders.
Bhargava, VK, et al. (2003) Communications, Information and Network Security. Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
British Chambers of Commerce (2003) The British Chambers of Commerce Guide to IT Security. UK. Microsoft Corporation.
Calder, A and Watkins, S (2003) IT Governance: A Manager’s Guide to Data Security and BS 7799/ISO 17799. London, UK. Kogan Page.
CSIA (2004) Protecting Our Information Systems. London, UK. Cabinet Office, UK Government.
Desman, MB (2001) Building an Information Security Awareness Program. Boca Raton, FL, USA. Auerbach Publishers.
Doswell, B (2000) A Guide to Information Security Management. UK. Perpetuity Press.
Doswell, B (2000) A Guide to Business Continuity Management. UK. Perpetuity Press.
Herrmann, DS (2001) A Practical Guide to Security Engineering and Information Assurance. Boca Raton, FL, USA. Auerbach Publishers.
Appendix
219
Hughes, L (1995) Actually Useful Internet Security Techniques. Indianapolis. Indiana, USA. New Riders. Hunter, JMD (2001) An Information Security Handbook. Berlin, Germany. Springer. IEEE (2001) 2001 Information Survivability Exposition 11(DI: Discex’01: Proceedings, 12–14 June 2001, Anaheim, California), V.1-2. Piscataway, NJ, USA. IEEE Computer Society Press. Institute of Directors (2004) IT Security. UK. Institute of Directors/McAfee. Kovacich, GL (1998) The Information Systems Security Officer’s Guide: Establishing and Managing an Information Protection Program, 2nd Edition. Woburn, MA, USA. Butterworth-Heinemann. Krause, M and Tipton, HF (2000) Information Security Management Handbook. Boca Raton, Fl, USA. Auerbach Publishers. Peltier, TR (2001) Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management. Boca Raton, FL, USA. Auerbach Publishers. Pipkin, D (2000) Information Security. Indianapolis, Indiana, USA. Prentice-Hall. Proctor, PE and Byrnes, FC (2002) The Secured Enterprise: Protecting Your Information Assets. Upper Saddle River, NJ, USA. Prentice-Hall. Tudor, JK (2004) Information Security Architecture. Boca Raton, FL, USA. Auerbach Publishers. Tudor, JK (2000) Information Security Architecture: An Integrated Approach to Security in the Organization. Boca Raton, FL, USA. Auerbach Publishers. Java A high-level programming language developed by Sun Microsystems. Java was originally called OAK, and was designed for handheld devices and set-top boxes. OAK was unsuccessful so in 1995 Sun changed the name to Java and modified the language to take advantage of the burgeoning World Wide Web. Java is an object-oriented language similar to C++, but simplified to eliminate language features that cause common programming errors (Webopedia). Oaks, S (2001) Java Security. Farnham, UK. O’Reilly. Berg, C (2003) Designing Secure J2EE Applications and Web Services (Sun Microsystems Press Java S.). 
Indianapolis, Indiana, USA. Prentice-Hall. Taylor, A, et al. (2002) J2EE and Java: Developing Secure Web Applications with Java Technology (Hacking Exposed). Emeryville, CA, USA. Osborne McGraw-Hill.
Kerberos
An authentication system developed at the Massachusetts Institute of Technology (MIT). Kerberos is designed to enable two parties to exchange private information across an otherwise open network (Webopedia).
Garman, J (2003) Kerberos: The Definitive Guide. Farnham, UK. O’Reilly.

Linux
Pronounced lee-nucks or lih-nucks. A freely distributable open source operating system that runs on a number of hardware platforms. The Linux kernel was developed mainly by Linus Torvalds. Because it is free, and because it runs on many platforms, including PCs and Macintoshes, Linux has become an extremely popular alternative to proprietary operating systems (Webopedia).
Bauer, MD (2002) Building Secure Servers with Linux. Farnham, UK. O’Reilly.
Collings, T and Wall, K (2004) Red Hat Linux Networking and System Administration. New York, USA. Wiley.
Purdy, GN (2004) Linux iptables Pocket Reference. Farnham, UK. O’Reilly.

Microsoft and Microsoft Windows
General
Alexander, Z (2001) Microsoft ISA Server 2000. Indianapolis, Indiana, USA. Sams.
Bott, E (2002) Windows XP/2000 Security Inside Out. USA. Microsoft Press International.
Brown, K (2000) Programming Windows Security. New Jersey, USA. Pearson.
Brown, T (2001) Windows 2000 Network Disaster Recovery. Indianapolis, Indiana, USA. Sams.
Craft, M (2002) Configuring Citrix MetaFrame XP for Windows. Rockland, MA, USA. Syngress Media.
Daily, SK (2001) Admin 911: Windows 2000 Disaster Recovery. Emeryville, CA, USA. McGraw-Hill Osborne Media.
De Clercq, J (2003) Windows Server 2003 Security Infrastructures: Core Security Features of Windows .NET. Woburn, MA, USA. Butterworth-Heinemann.
Komar, B (2004) Windows Server 2003 PKI and Certificate Security. USA. Microsoft Press International.
Microsoft Press (2001) Internet Security and Acceleration Server 2000 (MCSE Training Kit). USA. Microsoft Press International.
Swiderski, F (2004) Threat Modeling. USA. Microsoft Press International.
Robinson, G (2003) Real World Microsoft Access Database Protection and Security. Berkeley, CA, USA. Apress.
Walther, H and Santry, P (2004) CYA: Securing Exchange Server 2003 and Outlook Web Access. Rockland, MA, USA. Syngress Media.

Mobile Communications/Mobility
Al-Mualla, M, et al. (2002) Video Coding for Mobile Communications: Efficiency, Complexity and Resilience (Signal Processing and Its Applications). New Jersey, USA. Academic Press.
Davies, I (2002) Security Interests in Mobile Equipment. Aldershot, UK. Dartmouth.
Grimes, RA (2001) Malicious Mobile Code: Virus Protection for Windows. Farnham, UK. O’Reilly.
McGraw, G and Felten, EW (1998) Getting Down to Business with Mobile Code: A Guide to Creating and Managing Secure Mobile Code. New York, USA. Wiley.
Mitchell, C (2003) Security for Mobility (Telecommunications S.). London, UK. IEE.
Vigna, G (1998) Mobile Agents and Security (Lecture Notes in Computer Science S.). Berlin, Germany. Springer.

.NET
.NET is a widely used networking software product.
Brown, K (2004) The .NET Developer’s Guide to Windows Security. Boston, MA, USA. Addison Wesley.
Freeman, A and Jones, A (2003) Programming .NET Security. Farnham, UK. O’Reilly.
Gaster, B, et al. (2002) ASP.NET Security. Indianapolis, Indiana, USA. Wrox Press Ltd.
Microsoft Press (2003) Building Secure ASP.NET Applications. USA. Microsoft Press International.

Network Security
Allen, JH (2001) The CERT Guide to System and Network Security Practices. Boston, MA, USA. Addison Wesley.
Brenton, C and Hunt, C (1999) Active Defense: A Comprehensive Guide to Network Security. CA, USA. Sybex International.
Buchanan, RW (2002) Network Disaster Recovery: Planning for Business Continuity and System Performance (Professional Telecommunications S.). Emeryville, CA, USA. McGraw-Hill Education.
Canavan, JE (2001) Fundamentals of Network Security (Telecommunications Library). Norwood, MA, USA. Artech House Books.
Chey, C (2002) Network Security for Dummies (For Dummies S.). New York, USA. Wiley.
Cisco Systems Inc., Cisco Networking Academy Program (2003) Cisco Networking Academy Program Fundamentals of Network Security: Companion Guide. USA. Cisco Press.
Harris, J (2002) Cisco Network Security Little Black Book. Phoenix, AZ, USA. Paraglyph Press.
Hendry, M (1995) Practical Computer Network Security. Norwood, MA, USA. Artech House.
Kaeo, M (2004) Designing Network Security. New Zealand. Penguin Books (NZ).
Liotine, M (2003) Mission Critical Network Planning (Telecommunications Library). Norwood, MA, USA. Artech House Books.
Maiwald, E (2001) Network Security: A Beginner’s Guide. Emeryville, CA, USA. McGraw-Hill.
Maxwell, D and Amon, C (2002) Nokia Network Security Solutions Handbook. Rockland, MA, USA. Syngress Media.
MCI (2002) Business Continuity Guide. UK. MCI. Available at http://www.mci.com/uk/bcinterest (Accessed: 3 December 2004).
Mikalsen, A and Borgesen, P (2002) Local Area Network Management, Design and Security: A Practical Approach. London, UK. Wiley.
McNab, C (2004) Network Security Assessment. Farnham, UK. O’Reilly.
Panko, R (2003) Corporate Computer and Network Security. Indianapolis, Indiana, USA. Prentice-Hall.
Powell, G and Bejtlich, R (2004) The Tao of Network Security Monitoring: Beyond Intrusion Detection. Boston, MA, USA. Addison Wesley.
Rozenblit, M (2000) Security for Telecommunications Network Management. New York, USA. Wiley.
Sonnenreich, W and Albanese, J (2003) Network Security Illustrated. Emeryville, CA, USA. McGraw-Hill Education.
Stallings, W (2002) Network Security Essentials (United States Edition). Indianapolis, Indiana, USA. Prentice-Hall.
Thomas, T (2004) Network Security First-Step (First Step S.). Cisco Press.
Viega, J, et al. (2002) Network Security with OpenSSL. Farnham, UK. O’Reilly.
Wilson, J, et al. (1998) Telecom and Network Security: Telecommunications Reports Toll Fraud and Telabuse Update. New York, USA. Telecommunications Reports.

Operational Risk
Frost, C, et al. (2001) Operational Risk and Resilience. USA. Butterworth-Heinemann.

Public Key Infrastructure (PKI)
A system of digital certificates, Certificate Authorities, and other registration authorities that verify and authenticate the validity of each party involved in an Internet transaction (Webopedia).
Austin, T (2001) PKI. New York, USA. Wiley.
Adams, C and Lloyd, S (2002) Understanding PKI: Concepts, Standards, and Deployment Considerations. Indianapolis, Indiana, USA. Sams.

Positive Messages
Purba, S (2003) High-Value IT Consulting: 12 Keys to a Thriving Practice. Emeryville, CA, USA. Osborne McGraw-Hill.
Reeher, G, et al. (2002) Click on Democracy: The Internet’s Power to Change Political Apathy into Civic Action. Boulder, CO, USA. Westview Press.

Reliability
Kececioglu, D (1995) Reliability Engineering Handbook. Indianapolis, Indiana, USA. Prentice-Hall.

Radio Frequency Identification (RFID)
Finkenzeller, K (2003) RFID Handbook. New York, USA. Wiley.

Securing and Security
Ahuja, V (1996) Secure Commerce on the Internet. Orlando, FL, USA. AP Professional.
Amon, C (2004) Check Point Next Generation with Application Intelligence Security Administration. Rockland, MA, USA. Syngress Media.
Amoroso, E (1999) Intrusion Detection. New Jersey, USA. AT&T.
Anderson, R (2001) Security Engineering: A Guide to Building Dependable Distributed Systems. New York, USA. Wiley. A key text.
Bace, R and Melnick, D (2003) PDA Security: Incorporating Handhelds into Your Enterprise. Emeryville, CA, USA. McGraw-Hill Education.
Ballard, J (2002) Internet Security and Acceleration Server 2000 Technical Reference. USA. Microsoft Press International.
Barrett, DJ, et al. (2003) Linux Security Cookbook. Farnham, UK. O’Reilly.
Barrett, DJ, et al. (2001) SSH, the Secure Shell: The Definitive Guide. Farnham, UK. O’Reilly.
Birkholz, EP, et al. (2004) Security Sage’s Guide to Hardening the Network Infrastructure. Rockland, MA, USA. Syngress Media.
Carter, J (2004) The Expert Guide to PeopleSoft Security. Lincoln, NE, USA. iUniverse Inc.
Carroll, B (2004) Cisco Access Control Security: AAA Administration Services. Indiana, USA. Cisco Press.
Cheah, CH, et al. (2004) CYA: Securing IIS 6.0. Rockland, MA, USA. Syngress Media.
Cox, KJ and Gerg, C (2004) Managing Security with Snort and IDS Tools. Farnham, UK. O’Reilly.
Delp, EJ and Wong, PW (2003) Security and Watermarking of Multimedia Contents V (Proceedings of SPIE). Bellingham, WA, USA. Society of Photo-Optical Instrumentation Engineers (SPIE).
Dournaee, B (2004) XML Security. Emeryville, CA, USA. McGraw-Hill.
Drew, G, et al. (1998) Using SET for Secure Electronic Transactions. Indianapolis, Indiana, USA. Prentice-Hall.
Dwivedi, H (2003) Implementing SSH: Strategies for Optimizing the Secure Shell. New York, USA. Wiley.
France, P (2003) Local Access Network Technologies (Telecommunications S.). Stevenage, UK. IEE.
Graff, MG and Van Wyk, KR (2003) Secure Coding: Principles and Practices. Farnham, UK. O’Reilly.
Gehrmann, C, et al. (2004) Bluetooth Security. Norwood, MA, USA. Artech House Books.
Gritzalis, D, et al. (2003) Security and Privacy in the Age of Uncertainty (IFIP International Federation for Information Processing S.). Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
Gupta, A and Laliberte, S (2004) Defend I.T.: Security by Example. Boston, MA, USA. Addison Wesley.
Hendry, M (2001) Smart Card Security and Applications (Telecommunications Library). Norwood, MA, USA. Artech House Books.
Hope, P (2004) FreeBSD and OpenBSD Security Solutions. Indianapolis, Indiana, USA. Sams.
Howard, M (2002) Writing Secure Code. USA. Microsoft Press International.
Howlett, T (2004) Open Source Security Tools: Securing Your Unix or Windows Systems. Boston, MA, USA. Addison Wesley.
IEEE Computer Society Staff (2003) 16th Computer Security Foundations Workshop (CSFW 16–2003). Piscataway, NJ, USA. IEEE Press.
Janczewski, L (2000) Internet and Intranet Security, Management, Risks and Solutions. Hershey, PA, USA. Idea Group Inc.
Kabatiansky, G (2004) Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept. London, UK. Wiley.
Koziol, J (2004) The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. New York, USA. Wiley.
Kuhn, RD (2003) PBX Vulnerability: Finding Holes in Your PBX Before Someone Else Does. Collingdale, PA, USA. Diane Pub Co.
Kuhn, DR (2003) Role-Based Access Control (Artech House Computer Security Series). Norwood, MA, USA. Artech House Books.
Kuhn, RD, et al. (2003) Security for Telecommuting and Broadband Communications: Recommendations of the National Institute of Standards and Technology. Collingdale, PA, USA. Diane Pub Co.
Lail, BM (2002) Broadband Network and Device Security (RSA Press S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Lippert, E (2002) Visual Basic .NET Code Security Handbook. Indianapolis, Indiana, USA. Wrox Press Ltd.
Nazario, J and Palmer, B (2004) Secure Architectures with OpenBSD. Boston, MA, USA. Addison Wesley.
Niemi, V and Nyberg, K (2003) UMTS Security. London, UK. Wiley.
Oppliger, R (2000) Secure Messaging with PGP and S/MIME (Artech House Computer Security Series). Norwood, MA, USA. Artech House Books.
Pansini, AJ (2004) Transmission Line Reliability and Security. New York, USA. Marcel Dekker.
Phaltankar, KM (2000) Implementing Secure Intranets and Extranets (Telecommunications Library). Norwood, MA, USA. Artech House Books.
Polk, WT (2000) Anti-Virus Tools and Techniques for Computer Systems (Advanced Computing and Telecommunications Series). Norwich, New York, USA. Noyes Publications.
Ranum, MJ (2003) The Myth of Homeland Security. New York, USA. Wiley.
Rescorla, E (2000) SSL and TLS: Designing and Building Secure Systems. Boston, MA, USA. Addison Wesley.
Rockley, A, et al. (2002) Managing Enterprise Content: A Unified Content Strategy. USA. New Riders.
Rosenberg, J and Remy, D (2004) Securing Web Services with WS-Security: Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML Encryption. Indianapolis, Indiana, USA. Que.
Shinder, TW and Shimonski, RJ (2003) Building DMZs for Enterprise Networks. Rockland, MA, USA. Syngress Media.
Sutton, R (2001) Secure Communications: Applications and Management (Wiley Series in Communications Networking). London, UK. Wiley.
Thomas, S (2000) SSL and TLS Essentials: Securing the Web. New York, USA. Wiley.
Tolchin, M and Tolchin, SJ (1992) Selling Our Security. New York, USA. Knopf.
Trudel, R and Convery, S (2004) Designing Secure Enterprise NE. USA. Cisco Press.
Viega, J and McGraw, G (2001) Building Secure Software: How to Avoid Security Problems the Right Way. Boston, MA, USA. Addison Wesley.

Sniffing
A sniffer analyzes networks and protocols and ‘smells’ what is coming in and out of the network, good and bad.
Orebaugh, AD, et al. (2004) Ethereal Packet Sniffing. Rockland, MA, USA. Syngress Media.
Shimonski, R (2002) Sniffer Network Optimization and Troubleshooting Handbook. Rockland, MA, USA. Syngress Media.

Spam
Electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited e-mail (Webopedia).
Feinstein, K and McAneny, M (2004) How to Do Everything to Fight Spam, Viruses, Pop-ups and Spyware (How to Do Everything S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Schwartz, A (2004) SpamAssassin. Farnham, UK. O’Reilly.
Scott, C, et al. (2004) Anti-Spam Tool Kit. Emeryville, CA, USA. Osborne McGraw-Hill.

Steganography
The process of hiding messages or files in other messages or files, for example hiding a document in a photograph.
Petitcolas, F, et al. (1999) Information Hiding Techniques for Steganography and Digital Watermarking (Computing S.). Norwood, MA, USA. Artech House Books.

Virtual Private Networks (VPNs)
Davis, C (2001) IPSec: Securing VPNs (RSA Press S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Mairs, J (2001) VPNs: A Beginner’s Guide (Network Professional’s Library). Emeryville, CA, USA. Osborne McGraw-Hill.
Tan, NK (2003) Building VPNs: With IPSec and MPLS (Pro Tel S.). Emeryville, CA, USA. McGraw-Hill Education.

Warfare and Politics
Berkowitz, B (2003) The New Face of War: How War Will Be Fought in the 21st Century. New York, USA. Simon and Schuster International.
Cheswick, WR and Branigan, S (2004) High-Tech Crimes Revealed: Cyberwar Stories from the Digital Front. Boston, MA, USA. Addison Wesley.
Fialka, JJ (1997) War by Other Means. New York, USA. Norton.
Golden, JR (1994) Economics and National Strategy in the Information Age: Global Networks, Technology Policy and Cooperative Competition. Oxford, UK. Praeger Publishers.
Gongora, T and Von Riekhoff, H (2000) Toward a Revolution in Military Affairs? Defense and Security at the Dawn of the Twenty-First Century. Oxford, UK. Greenwood Press.
Nichols, R, et al. (2002) Infowar: Protecting Telecom and Information Systems (ProTel). Emeryville, CA, USA. McGraw-Hill.
Petrakis, GJ (1998) Are You Ready for Information Warfare? Security for Personal Computers, Networks and Telecommunications Systems. Toronto, ONT, Canada. Productive Publications.
Poisel, RA (2002) Introduction to Communication Electronic Warfare Systems (Artech House Information Warfare Library). Norwood, MA, USA. Artech House Books.
Stacy, JR (2001) Inside 911. Philadelphia, PA, USA. Xlibris Corporation.
Wilkin, P (2001) The Political Economy of Global Communication: An Introduction (Human Security in the Global Economy S.). Sydney, Australia. Pluto Press Limited.
Yourdon, E (2002) Byte Wars: The Impact of September 11 on Information Technology. Indianapolis, Indiana, USA. Prentice-Hall.
Wireless
Barken, L (2003) How Secure is Your Wireless Network? Safeguarding Your Wi-Fi LAN. Indianapolis, Indiana, USA. Prentice-Hall.
Carter, B and Shumway, R (2002) Wireless Security End to End (End to End). New York, USA. Wiley.
Edney, J and Arbaugh, B (2003) Real 802.11 Security: Wi-Fi Protected Access and 802.11i. Boston, MA, USA. Addison Wesley.
Held, G (2003) Securing Wireless LANs: A Practical Guide for Network Managers, LAN Administrators and the Home Office User. London, UK. Wiley.
Hurley, C, et al. (2004) WarDriving: Drive, Detect, Defend: A Guide to Wireless Security. Rockland, MA, USA. Syngress Media.
Maxim, M and Pollino, D (2002) Wireless Security. Emeryville, CA, USA. McGraw-Hill.
Miller, S (2003) WiFi Security. Emeryville, CA, USA. McGraw-Hill Education.
Nichols, RK, et al. (2004) Wireless Security: Models, Threats, and Solutions. Emeryville, CA, USA. McGraw-Hill.
Nichols, R and Lekkas, P (2001) Wireless Security: Models, Threats and Solutions (McGraw-Hill Telecom Professional S.). Emeryville, CA, USA. McGraw-Hill.
Perrig, A and Tygar, JD (2002) Secure Broadcast Communication in Wired and Wireless Networks. Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
Potter, B and Fleck, B (2003) 802.11 Security. Farnham, UK. O’Reilly.
Schaefer, G (2004) Security in Fixed and Wireless Networks: An Introduction to Securing Data Communications. London, UK. Wiley.
Swaminatha, T and Elden, C (2002) Wireless Security and Privacy: Best Practices and Design Techniques. Boston, MA, USA. Addison Wesley.
Temple, R and Regnault, J (2002) Internet and Wireless Security (BTexact Communications Technology S.). Stevenage, UK. IEE.

WordPerfect
Acklen, L (2004) Absolute Beginner’s Guide to WordPerfect 12. Indianapolis, Indiana, USA. Que.

Articles – Arranged Alphabetically by Subject
This is by no means a definitive list of articles. However, these articles give an insight into different aspects of the subject, sometimes quite obtuse. They can be used as a starting point for exploring other authors and articles on similar subjects.
Asymmetric Warfare
Allen, RH (1997) Asymmetric Warfare: Is the Army Ready? Available at http://www.amsc.belvoir.army.mil/asymmetric_warfare.htm (Accessed: 14 November 2004).
Corbin, M (2001) Reshaping the Military for Asymmetric Warfare. Center for Defense Information, 5 October. Available at http://www.cdi.org/terrorism/asymmetric.cfm (Accessed: 14 November 2004).
Goulding, JG (2000) Back to the Future with Asymmetric Warfare. Parameters, Winter. Available at http://carlisle-www.army.mil/usawc/Parameters/00Winter/goulding.htm (Accessed: 3 January 2007).
Staten, CL (1999) Asymmetric Warfare, the Evolution and Devolution of Terrorism: The Coming Challenge for Emergency and National Security Forces. Journal of Counterterrorism and Security International, Winter. Available at http://www.emergency.com/asymetrc.htm (Accessed: 3 January 2007).
Hyslop, MP (2003) Asymmetric Warfare. Proceedings of the International Conference on Politics and Information Systems: Technologies and Applications (PISTA ’03), Orlando, Florida, USA, 31 July 2003 – 2 August 2003.

Banking
Banking Development Department, Hong Kong Monetary Authority (2002) Business Continuity Planning After 9/11. Hong Kong Monetary Authority Quarterly Bulletin, 11.

BS7799
ISO/IEC 17799: Code of Practice for Information Security Management is a generic set of best practices for the security of information systems. Considered the foremost security specification document in the world, the code of practice includes guidelines for all organizations, no matter what their size or purpose. 17799 was originally published in the United Kingdom as a Department of Trade and Industry Code of Practice, and then later as BS 7799. There are many articles available on BS 7799.
eEye Digital Security and ECSC Limited (2004) Attaining BS7799 Compliance with Retina Vulnerability Assessment Technology. ECSC Limited Whitepaper. ECSC.

Critical Infrastructure
Robinson, PC, et al. (1998) Critical Infrastructure. Issues in Science and Technology, Vol. 15, Fall.

Cryptography
The art of protecting information by transforming it (encrypting it) into an unreadable format, called cipher text. Only those who possess a secret key can decipher (or decrypt) the message into plain text (Webopedia).
Dam, KW (1997) The Role of Private Groups in Public Policy: Cryptography and the National Research Council. University of Chicago Law School Occasional Paper No. 38.
Stansfield, EV and Walker, M (1995) Coding and Cryptography for Speech and Vision. Proc. 5th IMA Conference on Cryptography and Coding, pp. 213–236.

Computer Crime and Security
Cadoree, M (1994) Computer Crime and Security. Resource Materials, Library of Congress.

Cyberwar and Netwar
Arquilla, JJ and Ronfeldt, DF (1995) Cyberwar and Netwar: New Modes, Old Concepts, of Conflict. Rand Research Review, Fall.

Clash of Civilizations
Huntington, SP (1993) The Clash of Civilizations. Foreign Affairs, Summer, v72, n3, p22(28).

Data Related
Ware, WH (1994) Policy Considerations for Data Networks. Computing Systems, 7(1), Winter, pp. 1–44.
Yeung, PC (1986) The Environment and the Implementation of Data Security in the World of Telecommunications. Technical Report, University of Kansas, Computer Science.

Defense
UK Ministry of Defence (2004) The Future Strategic Context for Defence. Available at http://www.mod.uk/issues/strategic_context/military.htm (Accessed: 3 January 2007).

Digital Development
Hammond, A (2001) Digitally Empowered Development. Foreign Affairs, pp. 96–106.

Dot Com Dreams
Bloor, R (2000) The Destruction of Dot Com Dreams. Available at http://www.it-analysis.com/article.php?articleid=1429 (Accessed: 3 January 2007).

Elections
Cramer, R, et al. (1997) A Secure and Optimally Efficient Multi-Authority Election Scheme. European Transactions on Telecommunications, 8(5), September.

Electronic Intrusion
Frizzell, J, Phillips, T and Groover, T (1994) The Electronic Intrusion Threat to National Security and Emergency Preparedness Telecommunications: An Awareness Document. Proc. 17th NIST-NCSC National Computer Security Conference, pp. 378–399.
Electronic Mail
Jones, RL (1995) Client Confidentiality: A Lawyer’s Duties with Regard to Internet E-Mail. Computer Law Section of the State Bar of Georgia, August 16, 1995.
United States. Congress. House. Committee on Commerce. Subcommittee on Telecommunications, Trade, and Consumer Protection (1997) The Security and Freedom through Encryption (SAFE) Act: Hearing before the Subcommittee on Telecommunications, Trade, and Consumer Protection of the Committee on Commerce, House of Representatives, One Hundred Fifth Congress, first session, on H.R. 695, September 4, 1997. Technical Report, Serial No. 105–39 (United States. Congress. House. Committee on Commerce), p. iii + 121. United States Government Printing Office, 1997.

Electronic Signature
European Telecommunications Standards Institute (1999) Electronic Signature Standardization for Business Transactions, August 1999. Available at http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=13387 (Accessed: 3 January 2007).

Erlang
A unit of measurement of traffic density in a telecommunications system. The erlang describes the total traffic volume of one hour, or 3600 seconds.
Castro, M (2000) Design Issues for a High Reliability Environment for Erlang, 12 November. Available at http://www.erlang-projects.org/Public/documentation/serc/?pp=1 (Accessed: 3 January 2007).

Environment
Homer-Dixon, TF (1991) On the Threshold: Environmental Changes as Causes of Acute Conflict. Trudeau Centre for Peace and Conflict Studies, University of Toronto. International Security, Vol. 16, No. 2 (Fall), pp. 76–116.

Freedom of Information
Aftergood, S. Making Sense of Government Information Restrictions: Panic After September 11 Led to Bad Policy. Issues in Science and Technology, Vol. 18, Summer.
Gompert, DC (1998) Right Makes Might: Freedom and Power in the Information Age. McNair Paper 59, Chap. 3, May. Available at http://www.rand.org/publications/MR/MR1016/MR1016.chap3.pdf (Accessed: 3 January 2007).
Lewis, C (2002) Freedom of Information under Attack. Nieman Reports, Vol. 56.
Fuel Crisis
Townsend, M and Bright, M (2004) Army Guard on Food if Fuel Crisis Flares. The Observer, 6 June 2004.

Information Security and Warfare, etc.
Lohmeyer, DF, et al. (2002) Managing Information Security. The McKinsey Quarterly, Summer.
Nearon, BH (2000) Information Technology Security Engagements: An Evolving Specialty. The CPA Journal, Vol. 70.
Small, DW (1997) Information Security Awareness for Small to Medium Sized Telecommunications Organizations. Technical Report, Saint Mary’s University of Minnesota.
United States. Congress. House. Committee on Energy and Commerce. Subcommittee on Telecommunications and Finance (1989) Computer Security: Virus Highlights Need for Improved Internet Management: Report to the Chairman, Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, House of Representatives. Technical Report, U.S. General Accounting Office, p. 48, 1989.
Fogleman, RR, et al. (2003) Cornerstones of Information Warfare. Available at http://www.af.mil/lib/corner.html (Accessed: 3 January 2007).
MI5 (2004) Protecting Your Information. Available at http://www.mi5.gov.uk/output/Page236.html (Accessed: 3 January 2007).
Whitaker, R (1998) Information Warfare. Available at http://www.informatik.umu.se/~rwhit/IW.html (Accessed: 3 January 2007).
WIPRO. Information Security Challenges in the Energy Industry. WIPRO White Paper. USA/India. Available at http://www.wipro.com/insights/infosecuritychallenges.htm (Accessed: 3 January 2007).
Zekos, G (1999) Internet or Electronic Technology: A Threat to State Sovereignty. Commentary, The Journal of Information, Law and Technology (JILT), 1999 (3). Available at http://elj.warwick.ac.uk/jilt/99-3/zekos.html (Accessed: 3 January 2007).

Java
A definition of Java is in the book section.
Garthwaite, A and Nettles, S (1998) Transactions for Java. Proceedings of the 1998 International Conference on Computer Languages. IEEE Computer Society Press, pp. 16–27.
Microsoft and Cisco
Reardon, M (2004) Microsoft and Cisco Clash on Security. CNET News.com, 17 September. Available at http://insight.zdnet.co.uk/internet/security/0,39020457,39166968,00.htm (Accessed: 3 January 2007).

National Information Infrastructure
United States. House of Representatives (1996) The Cyber-Posture of the National Information Infrastructure. Washington. Chairman: Willis H Ware. Available at http://www.rand.org/publications/MR/MR976/mr976.html (Accessed: 3 January 2007).

Network Security
Cirrincione, G, Cirrincione, M and Piglione, F (1996) A Neural Network Architecture for Static Security Mapping in Power Systems. MELECON ’96: 8th Mediterranean Electrotechnical Conference. Industrial Applications in Power Systems, Computer Science and Telecommunications. Proceedings, Vol. 3, IEEE, pp. 1611–14.
Shenoy, DR and Medhi, D (1999) A Network Management Framework for Multiple Layer Survivable Networks: Protocol Development and Implementation. Technical Report, Computer Science Telecommunications Program, University of Missouri, Kansas City.
SafeNet (2004) Delivering Government Approved Security. SafeNet White Paper. USA. SafeNet. Available at http://www.safenet-inc.com (Accessed: 3 January 2007).

Optimistic Message Logging
Wang, YM and Huang, Y (1995) Why Optimistic Message Logging Has Not Been Used in Telecommunications Systems. Institute of Electrical and Electronics Engineers, Inc., June.

Open Systems
Anderson, R (2002) Security in Open versus Closed Systems – The Dance of Boltzmann, Coase and Moore. Available at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf (Accessed: 3 January 2007). An important paper, as is his recent work on economics as the basis of security.

Obstructive Marketing
Hyslop, MP (1999) Obstructive Marketing: Challenges to Globalizing Companies. M.Sc. Thesis, Huddersfield University Business School/Chartered Institute of Marketing.

Resilience, Robustness, Reliability
Grotberg, E (1998) The International Resilience Project. 55th Annual Convention, International Council of Psychologists, Graz, Austria, July 14–18, 1997 (published 1998).
Kendra, JM, et al. (2003) Elements of Resilience After the World Trade Centre Disaster: Reconstituting New York City’s Emergency Operations Centre. Disasters, 27(1), pp. 37–53.
Little, RG (2002) Toward More Robust Infrastructure: Observations on Improving the Resilience and Reliability of Critical Systems. Proceedings of the 36th Hawaii International Conference on System Sciences, Hawaii, January 06–09, 2003.
Rochlin, GI, et al. (1987) The Self-Designing High-Reliability Organization: Aircraft Carrier Flight Operations at Sea. Naval War College Review, Autumn.
Saffre, F and Ghanea-Hercock, R (2000) Increasing Robustness of Future Telecommunications Networks. Available at http://discuss.santafe.edu/robustness/stories (Accessed: 3 January 2007); also a site with similar articles.

Radio Frequency Identification (RFID)
Claburn, T and Hulme, GV (2004) RFID Security. Information Week, 15 November. Available at http://www.informationweek.com/story/showArticle.jhtml?articleID=52601030&tid=13690 (Accessed: 3 January 2007).

Security, etc.
Arbaugh, WA, Davin, JR, Farber, DJ and Smith, JM (1998) Security for Virtual Private Intranets. Computer, 31(9), pp. 48–54.
Dasgupta, P, et al. (2000) The Security Architecture for MAgNET: A Mobile Agent E-commerce System. Third International Conference on Telecommunications and E-commerce.
Donnelly, C (2003) Security in the 21st Century – New Challenges and Responses. 1st ETR2A Conference, Newcastle-upon-Tyne, UK, 23 June 2003. Available at http://www.etr2a.org (Accessed: 3 January 2007).
Hendry, M (2001) Smart Card Security and Applications. The Artech House Telecommunications Library, p. xviii + 305. Artech House Inc.
Hill, P (2002) Bankrupt WorldCom Called a Security Risk. The Washington Times, July 3.
Lacoste, G and Steiner, M (1999) SEMPER: A Security Framework for the Global Electronic Marketplace. COMTEC – the magazine for telecommunications technology, 77(9), pp. 56–63, September 1999.
Murray, WH (1984) Security Considerations for Personal Computers. IBM Systems Journal, 23(3), pp. 297–304.
Today (2004) Will the Number of Casinos Rise After the Changes to the Gambling Bill? BBC Radio 4, 19 October 2004, 07.32 hours. Available at http://www.bbc.co.uk (Accessed: 3 January 2007).
Popp, R, Froehlich, M, Jefferies, N (1995) Security Services for Telecommunications Users. Lecture Notes in Computer Science, Vol. 998, pp. 28ff.
Wong, A (2003) Before and Beyond Systems: An Empirical Modeling Approach. Ph.D. Thesis, Department of Computer Science, University of Warwick, UK, January. Available at http://www.dcs.warwick.ac.uk/~allan (Accessed: 3 January 2007).

Strategic Information Warfare
The Futurist (1997) Strategic Information Warfare. Vol. 31, September.

Telecommunications Networks
Ahn, I (1994) Database Issues in Telecommunications Network Management. SIGMOD Record (ACM Special Interest Group on Management of Data), 23(2), pp. 37–43, June 1994.
Chuah, MC, et al. (1996) Performance of Two TCP Implementations in Mobile Computing Environments. Conference Record/IEEE Global Telecommunications Conference, Vol. 1, pp. 339–344, 1996.
Fowler, J, Seate, RC (1997) Threats and Vulnerabilities for C4I in Commercial Telecommunications: A Paradigm for Mitigation. Proc. 20th NIST-NCSC National Information Systems Security Conference, pp. 612–618.
Varadharajan, V (1994) Security Requirements for Customer Network Management in Telecommunications. Proc. 17th NIST-NCSC National Computer Security Conference, pp. 327–338.
Sinclair, MC (1992) Single-moment analysis of unreliable trunk networks employing $K$-shortest-path routing. Proc. IEE Colloq. Resilience in Optical Networks, pp. 3/1–6, Oct 1992.

Trusted Computing
Anderson, R (2004) Trusted Computing. Available at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html (Accessed: 3 January 2007).

URL (Uniform or Universal Resource Locator – Web Address) Security
Wernick, P (1995) British Telecom URL Security: Project Outline. BT, November.

Utilities
Hyslop (2004) How Can the Financial Sector Be Reassured That in the Event of an Incident, Their Utilities Supplies Will Be Uninterrupted? Is This a Viable and Feasible Request? Comments to the Resilience (2004) Conference, Millennium Hotel, London, 22/23/24 September 2004.
Video Coding
Faerber, N, et al. (1999) Analysis of Error Propagation in Hybrid Video Coding with Application to Error Resilience. Proceedings of the 1999 International Conference on Image Processing (ICIP-99), pp. 550–554, IEEE, Oct 24–28, 1999.

Wire Pirates
Wallich, P (1994) Wire Pirates. Scientific American, 270(3), pp. 90ff (Intl. ed. pp. 72ff), March 1994.

Year 2000 Issues (Y2K)
The Eos Life – Work Resource Centre Y2K Update. Available at http://www.eoslifework.co.uk/Y2Kupdate.htm (Accessed: 3 January 2007).

Regular Publications – Arranged Alphabetically By Title
Business Facilities and associated titles http://www.busfac.com (Accessed: 3 January 2007).
Online Advice for Economic Development http://www.facilitycity.com (Accessed: 3 January 2007).
Call Center Magazine http://www.callcentermagazine.com (Accessed: 3 January 2007).
CIO (Chief Information Officer) Magazine http://www.cio.com (Accessed: 3 January 2007).
Communication News Magazine http://www.comnews.com (Accessed: 3 January 2007).
Computer World http://www.computerworld.com (Accessed: 3 January 2007).
Consulting Specifying Engineering Magazine http://www.csemag.com (Accessed: 3 January 2007).
CPA (Certified Public Accountant) Journal, The http://www.capamag.com (Accessed: 3 January 2007).
Crime Prevention http://www.perpetuitypress.com/acatalog/Crime_Prevention_and_Community_Safety.html (Accessed: 3 January 2007).
Continuity and Risk Magazine http://www.cirmagazine.com (Accessed: 3 January 2007).
CSO (Chief Security Officer) Magazine http://www.csoonline.com (Accessed: 3 January 2007).
Economist, The http://www.economist.com (Accessed: 3 January 2007).
EDPACS (Electronic Data Processing Audit, Control and Security Newsletter) http://www.info-edge.com/product_detail.asp?sku1=418& (Accessed: 3 January 2007).
Financial Times, The, Online IT pages http://news.ft.com/reports/ftit (Accessed: 3 January 2007).
Financial Times, FT Corporate Security http://www.ft.com/corporatesecurity2004 and related items at http://www.ft.com/specialreports (Accessed: 3 January 2007).
Futurist, The http://www.wfs.org/futurist.htm (Accessed: 3 January 2007).
Government Technology http://www.govtech.net (Accessed: 3 January 2007).
Harvard Business Online http://harvardbusinessonline.com (Accessed: 3 January 2007).
HotWire http://www.weibull.com/hotwire (Accessed: 3 January 2007).
Government Security News http://www.gsnmagazine.com (Accessed: 3 January 2007).
Information and Communications Technology Law http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
Information, Communication and Society http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
Information Security http://infosecuritymag.techtarget.com (Accessed: 3 January 2007).
Information Technology http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
Information Storage and Security Journal http://www.issjournal.com (Accessed: 3 January 2007).
Information Systems Management http://www.auerbach-publications.com/home.asp (Accessed: 3 January 2007).
Information Systems Security http://www.auerbach-publications.com/home.asp (Accessed: 3 January 2007).
International Review of Law, Computers and Technology http://journalsonline.tandf.co.uk (Accessed: 20 December 2004).
Internet Works http://www.iwks.com (Accessed: 3 January 2007).
Intersec http://www.intersec.co.uk/ns/ddjune.html (Accessed: 3 January 2007).
Journal of Technology Law and Policy, University of Florida http://journal.law.ufl.edu/~techlaw/ (Accessed: 3 January 2007).
Linux Magazine http://www.linux-mag.com (Accessed: 3 January 2007).
McKinsey Quarterly http://www.mckinseyquarterly.com (Accessed: 3 January 2007).
.NET http://www.netmag.co.uk (Accessed: 3 January 2007).
New Scientist http://www.newscientist.com (Accessed: 3 January 2007).
Operational Risk http://www.operationalriskonline.com (Accessed: 3 January 2007).
PC (Personal Computer) Magazine http://www.pcmag.com (Accessed: 3 January 2007).
PC (Personal Computer) World http://www.pcworld.com (Accessed: 3 January 2007).
Public CIO (Chief Information Officer) http://www.public-cio.com (Accessed: 3 January 2007).
Review of Business http://www.questia.com (Accessed: 3 January 2007).
Risk Management http://www.perpetuitypress.com/acatalog/Risk_Management_An_International_Journal.html (Accessed: 3 January 2007).
SC Magazine http://www.infosecnews.com/home/index.cfm (Accessed: 3 January 2007).
Security Magazine http://www.securitymagazine.com (Accessed: 3 January 2007).
Security Journal http://www.perpetuitypress.com/acatalog/Security_Journal_Volume_17_number_3_Abstracts.html (Accessed: 3 January 2007).
Security Studies http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
Sys Admin http://www.samag.com (Accessed: 3 January 2007).
Telecommunications Magazine http://www.telecommagazine.com (Accessed: 3 January 2007).
The Information Society http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
The Information Week http://www.informationweek.securitypipeline.com (Accessed: 3 January 2007).
Wireless Business and Technology http://www.sys-con.com (Accessed: 3 January 2007).

Links – Arranged Alphabetically by Subject and Site Name

Academia
http://www.cerias.purdue.edu/ (Accessed: 3 January 2007). CERIAS/Purdue University Information Security Site.
http://www.cerias.purdue.edu/about/history/coast/ (Accessed: 3 January 2007). Centre of Education and Research on Information Assurance and Security at the University of Purdue.
http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/ (Accessed: 3 January 2007). Definitive guide to Firewalls.
http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-krsulspaf-taxonomy.pdf (Accessed: 3 January 2007). A Taxonomy of Security Faults.
http://www.cs.columbia.edu.ids (Accessed: 3 January 2007). University of Columbia in New York.
http://www.ee.columbia.edu/~liebenau/E6901.html (Accessed: 3 January 2007). Topics in EE: Resilient Communication Networks.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/guidelines.txt (Accessed: 3 January 2007). Clinical System Security.
http://www.cl.cam.ac.uk/users/rja14 (Accessed: 3 January 2007). The Web site of Ross Anderson – A leading Computer Security Academic.
http://www.cl.cam.ac.uk/users/rja14/ Med (Accessed: 3 January 2007). Security of Medical Information Systems and other Notes from Ross Anderson at University of Cambridge Computer Laboratory (EU/UK).
http://www.coventry.ac.uk/cms/jsp/polopoly.jsp?d=957&a=7974 (Accessed: 3 January 2007). Coventry University’s Disaster Management Site.
http://dit.unitn.it/research/seminario?id=02-016 (Accessed: 3 January 2007). A 2002 Seminar on ‘Theoretical questions in practical network reliability analysis’ given by Dr. Laszlo Jereb of Budapest University at the University of Trento.
http://www.rmcs.cranfield.ac.uk/ddmsa/index_html/view (Accessed: 3 January 2007). Cranfield University’s Relevant Site.
http://iip.ist.psu.edu/faculties/vs.htm (Accessed: 3 January 2007). Website of Dr Bin Zhang – Chinese Visiting Scholar to Penn State University Institute for Information Policy – a leading Chinese Scholar. Also an access point for other Penn State Information Policy information.
http://www.isg.rhul.ac.uk/ (Accessed: 3 January 2007). Information Security Group at Royal Holloway College, University of London.
http://www.ja.net/CERT/JANET-CERT/incidents/coping-withintrusions.html (Accessed: 3 January 2007). JANET’s (UK Joint Academic Network) Computer Emergency Response Team.
http://www.ja.net/documents/gn-ddos.pdf (Accessed: 3 January 2007). JANET’s (UK Joint Academic Network) guide to denial of service attacks.
http://online.northumbria.ac.uk/geography_research/ddc (Accessed: 3 January 2007). Disaster and Development Centre at Northumbria University.
http://law.richmond.edu/jolt/index.asp (Accessed: 3 January 2007). Richmond Online Law Review – Contains Some Articles on Security (USA).
http://www.som.cranfield.ac.uk/som/scr (Accessed: 3 January 2007). Concerns have surfaced in recent years that an eagerness to reduce waste, and thereby the risks associated with suboptimal supply chain performance, has meant that other less obvious risks to supply chains have been overlooked. This Web site deals with the issue.
http://theory.lcs.mit.edu/~cis/ (Accessed: 3 January 2007). Massachusetts Institute of Technology, Cryptography and Information Security Group.
http://www.yale.edu/its/security/disaster.htm Disaster Recovery Tips for New PC Owners.

Associations/Institutes/Societies/Organizations, etc.
http://www.antiphishing.org (Accessed: 3 January 2007). Anti-Phishing Working Group.
http://www.bsi-global.com (Accessed: 3 January 2007). British Standards Institute.
http://www.business-continuity-online.com/ (Accessed: 3 January 2007). Online business continuity exhibition.
http://www.disasterrecoveryworld.com (Accessed: 3 January 2007). The Business Continuity Planning and Disaster Recovery Planning Directory.
http://www.ddsi.org (Accessed: 3 January 2007). Dependability Development Support Initiative.
http://www.ewis.jrc.it (Accessed: 3 January 2007). European Warning and Information System Forum.
http://www.fas.org/irp/nsa/rainbow.htm (Accessed: 3 January 2007). Federation of American Scientists access point to the ‘Rainbow’ Series, which is defined as follows: the Rainbow Series is a six-foot-tall stack of books on evaluating ‘Trusted Computer Systems’ according to the National Security Agency. The term ‘Rainbow Series’ comes from the fact that each book is a different colour. The main book (upon which all the others expand) is the Orange Book.
http://www.gbde.org (Accessed: 3 January 2007). Global Business Dialogue on Electronic Commerce.
http://www.hipaa.org (Accessed: 3 January 2007). The Health Insurance Portability and Accountability Act of 1996.
www.iaac.org.uk/initiatives/BT_IAAC.pdf (Accessed: 3 January 2007). Information Assurance Guidelines for Boards and Senior Managers.
http://www.idra.com (Accessed: 3 January 2007). International Disaster Recovery Association (IDRA) is a group originally comprised of those having a special interest in the voice, data, image, and sensory telecommunications aspects of Disaster Recovery Planning (DRP), Contingency Planning and Business Continuation.
http://www.insme.info/documenti/040707%20Draft%20Program%20GF%202004.pdf (Accessed: 3 January 2007). Global IT Forum 2004 – The Broad Convergence.
http://www.isaca.org (Accessed: 3 January 2007). The home site of the Information Systems Audit and Control Association (ISACA).
http://www.isaca.org/Template.cfm?Section=CISM_Certification (Accessed: 3 January 2007). Certified Information Security Manager, ISACA’s next generation qualification for Information Security, now gaining widespread acceptance; information site.
http://www.isc2.org (Accessed: 3 January 2007). Training and education. Promoting 2005 as the year of the Information Security Professional.
http://www.iwf.org.uk (Accessed: 3 January 2007). Internet Watch Foundation.
http://nerc.com/~oc/twg.html (Accessed: 3 January 2007). North American Electric Reliability Council Telecommunications Working Group.
http://www.rusi.org (Accessed: 3 January 2007). The Royal United Services Institute’s purpose is to study, promote debate, report and provide options on all issues relating to national and international defense and security.
http://www.sans.org/rr/ (Accessed: 3 January 2007). SANS (SysAdmin, Audit, Network, Security) Information Security Reading Room.
http://www.seattlewireless.net/index.cgi/LinksysWrt54g (Accessed: 3 January 2007). Wireless Community Support Site including Security.
http://www.securityforum.org/html/frameset.htm (Accessed: 3 January 2007). Information Security Forum.
http://www.securitypark.co.uk (Accessed: 3 January 2007). Security Park – Online news for security professionals.
http://www.survive.com (Accessed: 3 January 2007). A Business Continuity Association.
http://www.thebci.org/ (Accessed: 3 January 2007). The Business Continuity Institute.
http://www.theirm.org/ (Accessed: 3 January 2007). The Institute of Risk Management.
http://www.thebci.org/PAS56.html (Accessed: 3 January 2007). The NEW Guide to Business Continuity Management from the British Standards Institute.
http://www.the-eps.org/ (Accessed: 3 January 2007). The Emergency Planning Society.
http://www.terena.nl/ (Accessed: 3 January 2007). Trans European Research and Education Networking Association. TERENA carries out technical activities and provides a platform for discussion to encourage the development of a high-quality computer networking infrastructure for the European research community.
http://www.w3.org/ (Accessed: 3 January 2007). The World Wide Web Consortium.

Asymmetric and Information Warfare
http://www.amsc.belvoir.army.mil/asymmetric_warfare.htm (Accessed: 3 January 2007). US Army Management Staff College – Asymmetric Warfare.
http://www.au.af.mil/au/aul/bibs/asw/asw.htm (Accessed: 3 January 2007). Asymmetric Warfare.
http://www.comw.org/rma/fulltext/asymmetric.html (Accessed: 3 January 2007). Revolution in Military Affairs – Asymmetric Warfare.
http://www.ctrasymwarfare.org (Accessed: 3 January 2007). A Centre for Asymmetric Warfare.
http://carlisle-www.army.mil/ (Accessed: 3 January 2007). Asymmetric Warfare.
http://emergency.com (Accessed: 3 January 2007). Asymmetric warfare. Emergency Response and Research Institute. Crisis, Conflict, and Emergency Service News, Analysis and Reference.
http://europa.eu.int/scadplus/leg/en/lvb/l33193.htm (Accessed: 3 January 2007). Attacks Against Information Systems: To strengthen criminal judicial cooperation on attacks against information systems by developing effective tools and procedures.
http://www.fas.org/irp/wwwinfo.html (Accessed: 3 January 2007). Information Warfare, Information Security Resource.
http://www.iwar.org.uk/comsec (Accessed: 3 January 2007). Information Warfare Site.
http://nationalstrategy.com (Accessed: 3 January 2007). Asymmetric Warfare.
http://www.psycom.net/iwar.1.html (Accessed: 3 January 2007). Institute for the Advanced Study of Information Warfare.
http://www.theestimate.com/public/110300.html (Accessed: 3 January 2007). Asymmetric Warfare.

Australia
http://www.ag.gov.au (Accessed: 3 January 2007). Australian Attorney General’s site.
http://www.isn.ethz.ch/dossiers/ciip/index.cfm (Accessed: 3 January 2007). Defining Critical Information Infrastructure Protection.
http://www.auscert.org.au (Accessed: 3 January 2007). Australian Computer Emergency Response Team.
http://www.asio.gov.au (Accessed: 3 January 2007). Australian Security Intelligence Organization.
http://www.ahtcc.gov.au (Accessed: 3 January 2007). Australian High Tech Crime Centre.
http://www.dsto.defense.gov.au (Accessed: 3 January 2007). Australian Defense Science and Technology Organization.
http://noie.gov.au (Accessed: 3 January 2007). Australian National Office for the Information Economy.
http://www.defense.gov.au/predict (Accessed: 3 January 2007). Australian Infrastructure Core Requirements Tool.
http://www7.health.gov.au/hsdd/gp/phim.htm (Accessed: 3 January 2007). Australian Personal Health Information Management in General Practice.
http://www.pm.gov.au (Accessed: 3 January 2007). Australia’s Prime Minister Site.
http://www.stratwise.com (Accessed: 3 January 2007). Australian Strategic Intelligence Site.
http://www.cript.gov.au (Accessed: 3 January 2007). Trusted Information Sharing Network for Critical Infrastructure Protection.

Austria
Austria is an important reference country for this subject because it leads Europe, and the world, in terms of placing legislation online.
http://www.cio.gv.at (Accessed: 3 January 2007). Austrian Chief Information Office.
http://www.bmi.gv.at (Accessed: 3 January 2007). Austrian Internal Ministry.
http://www.circa.at/index.html (Accessed: 3 January 2007). Austrian Computer Incident Response Co-ordination.
http://www.bka.gv.at (Accessed: 3 January 2007). Austrian Chancellery.
http://www.a-sit.at (Accessed: 3 January 2007). Austrian Centre for Information Technology.

Canada
Canada has been at the forefront of the information technology revolution.
http://www.cancert.ca (Accessed: 3 January 2007). Canada’s National Computer Emergency Response Team.
http://www.nrc.ca (Accessed: 3 January 2007). Canadian National Research Council.
http://www.crc.ca (Accessed: 3 January 2007). Canada’s Communication Research Centre.
http://www.dnd.ca (Accessed: 3 January 2007). Canada Defense Net.
http://www.faso-afrs.ca (Accessed: 3 January 2007). Canadian Federal Association of Security Officials.
http://www.gol-ged.gc.ca (Accessed: 3 January 2007). Canadian Government Online.
http://www.iit.nrc.ca (Accessed: 3 January 2007). Canadian Institute for Information Technology.
http://www.nce.gc.ca (Accessed: 3 January 2007). Canadian Networks of Centres of Excellence.
http://www.ocipep-bgiepc.gc.ca (Accessed: 3 January 2007). Canada’s Office of Critical Infrastructure Protection and Emergency Preparedness.
http://www.tbs-sct.gc.ca (Accessed: 3 January 2007). Canada’s Treasury Board Secretariat.

European Union
The European Union places the subject of information security amongst its highest priorities.
http://www.cert.dfn.de/eng/csir/europe/certs.html (Accessed: 3 January 2007). List of some European Computer Emergency Response Teams (CERTs).
http://www.etsi.com (Accessed: 3 January 2007). European Telecommunications Standards Institute (EU).
http://www.etr2a.org (Accessed: 3 January 2007). The Web site of the European Telecommunications Resilience and Recovery Network (EU).
http://www.europa.eu.int/abc/index2_en.htm (Accessed: 3 January 2007). The Europa Web site re European Commission.
http://europa.eu.int/egovernment-research (Accessed: 3 January 2007). eGovernment Website.
http://www.europol.eu.int (Accessed: 3 January 2007). The Europol Site – With Information on Crime (EU).
http://www.eurosmart.com (Accessed: 3 January 2007). The Voice of the European Smart Card Industry (EU).
http://www.ejustice.eu.com/index.html (Accessed: 3 January 2007). An EC Framework 6 project looking at different, justice-related, approaches to information and computer security.
http://europa.eu.int/scadplus/leg/en/lvb/l33164.htm (Accessed: 3 January 2007). Organised crime: Council of Europe Convention on Cyber Crime: To combat misuse of new technologies (EU).
http://europa.eu.int/scadplus/leg/en/lvb/l24153.htm (Accessed: 3 January 2007). Establishment of a European Network and Information Security Agency (ENISA). Communication networks and information systems have become ubiquitous utilities and their security is of increasing concern to society. In order to guarantee users the best possible security, the European Union has decided to establish a European Network and Information Security Agency (ENISA) to advise Member States and coordinate measures they are taking to secure their networks and information systems. Its objective will also be to enhance cooperation between different actors operating in this field, and particularly between the Commission and the Member States, in order to prevent, address and respond to network and information security problems (EU).
http://www.eurim.org/ (Accessed: 3 January 2007). The European Information Society Group (EU).

Finland
Finland has completely reinvented itself as a consequence of pursuing the information and telecommunications revolution.
http://www.nesa.fi (Accessed: 3 January 2007). Finland’s National Emergency Supply Agency.
http://www.ficora.fi (Accessed: 3 January 2007). Finnish Communications Regulatory Authority.
http://www.ficora.fi/englanti/tietoturva/certfi.htm (Accessed: 3 January 2007). Finland’s Computer Emergency Response Team.
http://www.tieke.fi (Accessed: 3 January 2007). Finland’s Information Society Development Centre.
http://www.tietoyhteiskuntaohjelma.fi (Accessed: 3 January 2007). Finland’s information society site.
http://www.valtioneuvosto.fi/vn/liston/base.lsp?k=en (Accessed: 3 January 2007). Finland’s Government Site.
http://www.e.finland.fi/ (Accessed: 3 January 2007). eFinland.
http://www.defmin.fi (Accessed: 3 January 2007). Finland’s Ministry of Defense.

France
France is developing very sophisticated information security tools.
http://www.clusif.asso.fr/en/clusif/present/ (Accessed: 3 January 2007). French Association for Information Security Systems.
http://www.certa.ssi.gouv.fr/ (Accessed: 3 January 2007). French Computer Emergency Response Team.
http://www.cert-ist.com (Accessed: 3 January 2007). French Computer Emergency Response Team: Industry, Services and Trade.
http://www.internet.gouv.fr/ (Accessed: 3 January 2007). France’s information society site.
http://www.renater.fr/ (Accessed: 3 January 2007). French National Network of Telecommunications for Technology, Education and Research.
http://www.ssi.gouv.fr/fr/index.html (Accessed: 3 January 2007). French Site on Security of Information Systems.
http://csti.pm.gouv.fr (Accessed: 3 January 2007). French Strategic Advisory Board on Information Technologies.

Germany
Germany is a leader in the academic field of information security.
http://www.aksis.de (Accessed: 3 January 2007). German Infrastructure Protection Group.
http://www.bka.de (Accessed: 3 January 2007). German Federal Law Enforcement Agency.
http://www.bsi.de (Accessed: 3 January 2007). German Information Security Site.
http://www.bitkom.org (Accessed: 3 January 2007). BITKOM.
http://www.bsi.bund.de/certbund/index.htm (Accessed: 3 January 2007). German Computer Emergency Response Team.
http://www.econbiz.de/fach/FS_VWL0190300.shtml?step=20&l0=0 (Accessed: 3 January 2007). Germany’s Risk Management Site.
http://www.bundestag.de (Accessed: 3 January 2007). Deutscher Bundestag.
http://www.cert.dfn.de (Accessed: 3 January 2007). DFN-CERT.
http://www.eurubits.de (Accessed: 3 January 2007). European Institute for Information Security.
http://www.denis.bund.de (Accessed: 3 January 2007). German Emergency Preparedness Information System.
http://www.bmi.bund.de (Accessed: 3 January 2007). German Ministry of the Interior.
http://www.iid.de/iukdg/ (Accessed: 3 January 2007). German Information and Communication Site.
http://www.initiatived21.de (Accessed: 3 January 2007). Initiative D21.
http://www.iid.de (Accessed: 3 January 2007). German Information Initiative.
http://www.juris.de (Accessed: 3 January 2007). Juris GmbH.
http://rayserv.upb.de/FIFF/Veroeffentlichungen/Extern/Fortress_Europe_36.html (Accessed: 3 January 2007). Fortress Europe No. 36: Germany curtails unobserved telecommunications.
http://www.regtp.de/en/index.html (Accessed: 3 January 2007). German Regulatory Agency for Telecommunications and Posts.
http://www.secunet.de (Accessed: 3 January 2007). Secunet Security Networks.
http://www.sicherheit-im-internet.de (Accessed: 3 January 2007). Internet Security.
http://www.s-cert.de (Accessed: 3 January 2007). Financial services CERT.
http://www.telekom.de (Accessed: 3 January 2007). Deutsche Telekom AG.
http://www.thw.de/english/ (Accessed: 3 January 2007). An informative site in English.

International Organizations
http://www.cosin.org/ (Accessed: 3 January 2007). Coevolution and Self-Organization in Dynamical Networks.
http://www.ctose.org (Accessed: 3 January 2007). Cyber Tools On-Line Search for Evidence.
http://www.e-europestandards.org (Accessed: 3 January 2007). eEurope Standards.
http://cybercrime-forum.jrc.it/default/ (Accessed: 3 January 2007). EU Forum on Cybercrime.
http://coras.sourceforge.net/ (Accessed: 3 January 2007). EU-funded CORAS project.
http://www.iabg.de/acip.index.html (Accessed: 3 January 2007). Analysis and Assessment for Critical Infrastructure Protection.
http://www.itu.int (Accessed: 3 January 2007). International Telecommunications Union.
http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_1,00.html (Accessed: 3 January 2007). OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (adopted as a recommendation by the OECD Council at its 1037th Session, 25 July 2002).
http://info.worldbandk.org.ict/ICT_ssp.html (Accessed: 3 January 2007). Information and Communication Technologies – A World Bank Group Strategy.
http://www.worldbank.org/mdf/mdf1/modern.htm (Accessed: 3 January 2007). Modernising telecommunications through public–private partnerships.
http://rru.worldbank.org/toolkits/telecomsregulation/details.aspx (Accessed: 3 January 2007). Privatisation toolkit: telecommunications regulation.
Italy
Italy leads a number of the European Union’s network and security policies.
http://www.dico.unimi.it (Accessed: 3 January 2007). Italian Department of Informatics and Communications.
http://www.iritaly.org (Accessed: 3 January 2007). Italian Incident Response.
http://www.clusit.it/indexe.htm (Accessed: 3 January 2007). Italian Association for Security in Informatics.
http://www.innovazione.gov.it/ (Accessed: 3 January 2007). Italy’s information society site.
http://www.innovazione.gov.it/eng/ (Accessed: 3 January 2007). Italian Ministry for Innovation and Technologies.
http://www.communicazioni.it/en (Accessed: 3 January 2007). Italian Ministry of Communication.
http://www.cnipa.gov.it (Accessed: 3 January 2007). National Centre for Informatics in the Public Administration.
http://www.poliziadistato.it/pds/english/ (Accessed: 3 January 2007). Italian State Security System.

Lawyers
It’s a little invidious to single out particular law practices. Most large international firms have strong telecommunication practices. Here are a few others that have provided some very innovative approaches to difficult problems.
http://www.dickinson-dees.co.uk (Accessed: 3 January 2007). Law Firm with top security specialist.
http://www.eversheds.com (Accessed: 3 January 2007). Leading International Electronic Law Firm.
http://www.faegreandbenson.com (Accessed: 3 January 2007). Leading USA Electronic Law Firm.
http://www.robertmuckle.co.uk (Accessed: 3 January 2007). Leading UK Electronic/Technology Law Firm.
http://www.wardhadaway.com (Accessed: 3 January 2007). Leading UK Electronic Law Firm.

Police
http://www.europol.net (Accessed: 3 January 2007). Access to all European National Police Sites – And Information on Crime.
http://www.interpol.int (Accessed: 3 January 2007). International Crime Intelligence Site.
http://www.nhtcu.org/ (Accessed: 3 January 2007). National Hi-Tech Crime Unit.
http://www.police.uk (Accessed: 3 January 2007). UK Police Site.
http://www.pito.org.uk/ (Accessed: 3 January 2007). UK Police Information Technology Organization.

The Netherlands
During its presidency of the European Union in 2004, the Netherlands launched a number of significant information security initiatives.
http://www.fas.org/irp/world/netherlands/bvd.htm (Accessed: 3 January 2007). Netherlands National Intelligence and Security Agency.
http://www.www.nlip.nl (Accessed: 3 January 2007). Dutch Internet Providers Consortium.
http://www.minvenw.nl/dgtp/home/ (Accessed: 3 January 2007). Dutch Directorate General of Post and Telecommunications.
http://www.Govcert.nl (Accessed: 3 January 2007). Dutch Government Computer Emergency Response Team.
http://www.infodrome.nl (Accessed: 3 January 2007). INFODROME.
http://www.kwint.org (Accessed: 3 January 2007). KWINT.
http://www.minvenw.nl (Accessed: 3 January 2007). Dutch Ministry of Water and Sewage.
http://www.minbzk.nl (Accessed: 3 January 2007). Dutch Ministry of the Interior.
http://www.Nlip.nl (Accessed: 3 January 2007). Dutch Internet providers.
http://cert-nl.surnet.nl/home-eng.html (Accessed: 3 January 2007). SURFnet Computer Security Incident Response Team.
http://www.aivd.nl (Accessed: 3 January 2007). Dutch General Intelligence and Security Service.
http://www.ecp.nl/ENGLISH/index.html (Accessed: 3 January 2007). Dutch Electronic Business Site.
http://www.tno.nl (Accessed: 3 January 2007). TNO.
http://www.waarschuwingsdienst.nl (Accessed: 3 January 2007). Waarschuwingsdienst – A Computer Emergency Response Team.
New Zealand
New Zealand, with Australia, has led much information security development.
http://www.security.govt.nz (Accessed: 3 January 2007). New Zealand Security Policy and Guidance.
http://www.standards.co.nz (Accessed: 3 January 2007). Standards New Zealand.
http://www.ccip.govt.nz (Accessed: 3 January 2007). New Zealand Centre for Critical Infrastructure Protection.
http://www.defense.govt.nz (Accessed: 3 January 2007). New Zealand Ministry of Defense.
http://www.executive.govt.nz (Accessed: 3 January 2007). New Zealand Cabinet.
http://www.gcsb.govt.nz (Accessed: 3 January 2007). New Zealand Government Communications Security Bureau.
http://www.dpmc.govt.nz (Accessed: 3 January 2007). Department of the Prime Minister and Cabinet.
http://www.ssc.govt (Accessed: 3 January 2007). State Services Commission.
http://www.nzcs.org.nz (Accessed: 3 January 2007). New Zealand Computer Society.
http://www.auscert.org.au (Accessed: 3 January 2007). Australian Computer Emergency Response Team (JV with New Zealand).
http://www.cologic.co.nz (Accessed: 3 January 2007). New Zealand E-Secure-IT ALERT and Early Warning Service.

Norway
Norway leads on a number of critical infrastructure processes.
http://www.norsis.no/indexe.php (Accessed: 3 January 2007). Norwegian Centre for Information Security.
http://www.dsb.no (Accessed: 3 January 2007). Norwegian Directorate for Civil Protection and Emergency Planning.
http://odin.dep.no/nhd/engeslsk/ (Accessed: 3 January 2007). Norwegian Ministry of Trade and Industry.
http://www.ntia.doc.gov (Accessed: 3 January 2007). Norwegian Telecommunications and Information Administration.
http://www.nsm.stat.no/index.html (Accessed: 3 January 2007). Norwegian National Security.
http://www.okokrim.no (Accessed: 3 January 2007). The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime.
http://cert.uninett.no (Accessed: 3 January 2007). UNINETT CERT, the computer emergency response team of the Norwegian Network for Research and Education.

Russia
http://president.kremlin.ru/eng/articles/institut04.shtml (Accessed: 3 January 2007). Responsibility for Information Security in Russia.

Sweden
Sweden has one of the most active information security sectors.
http://forsvar.regeringen.se (Accessed: 3 January 2007). Swedish Ministry of Defense.
http://kth.se/eng (Accessed: 3 January 2007). Swedish Royal Institute of Technology.
http://www.ocb.se (Accessed: 3 January 2007). Part of the warning system of the Swedish Emergency Management Agency.
http://www.gea.nu (Accessed: 3 January 2007). Swedish Alliance for Electronic Commerce.
http://www.fmv.se (Accessed: 3 January 2007). Swedish Defense Materiel Administration.
http://www.foi.se/english/ (Accessed: 3 January 2007). Swedish Defense Research Agency.
http://www.krisberedskapsmyndigheten.se/english/index.jsp (Accessed: 3 January 2007). Swedish Emergency Management Agency.
http://www.sitic.se (Accessed: 3 January 2007). Swedish IT Incident Centre.
http://www.fhs.se (Accessed: 3 January 2007). Swedish National Defense College.
http://www.fra.se/english.shtml (Accessed: 3 January 2007). Swedish National Defense Radio Establishment.
http://www.psycdef.se/english/ (Accessed: 3 January 2007). The National Board of Psychological Defense.

Switzerland
Switzerland is the academic home of the Critical Information Infrastructure Handbook.
http://www.bbt.admin.ch (Accessed: 3 January 2007). Swiss Federal Office for Professional Education and Technology.
http://www.empa.ch/plugin/template/empa/*/4523/—/1=2 (Accessed: 3 January 2007). Reliability of Telecommunications Networks (Switzerland).
http://www.switch.ch/cert/ (Accessed: 3 January 2007). Swiss Computer Emergency Response Team SWITCH-CERT.
http://www.fsk.ehtz.ch (Accessed: 3 January 2007). Swiss Center for Security Studies.
http://www.snhta.ch/www-support/institutions/cti-fopet.htm (Accessed: 3 January 2007). Swiss Commission for Technology and Innovation.
http://www.isn.ethz.ch/crn/ (Accessed: 3 January 2007). Swiss Comprehensive Risk Analysis and Management Network.
http://www.vbs.admin.ch/internet/GST/AIOS/e/index.htm (Accessed: 3 January 2007). Swiss Division for Information Security and Facility Protection.
http://www.bakom.ch/en/index.html (Accessed: 3 January 2007). Swiss Federal Office for Communication.
http://www.bwl.admin.ch/ (Accessed: 3 January 2007). Swiss Federal Office for National Economic Supply.
http://internet.bap.admin.ch (Accessed: 3 January 2007). Swiss Federal Office for Police.
http://www.informatik.admin.ch/ (Accessed: 3 January 2007). Swiss Federal Office of Information Technology, Systems and Telecommunications.
http://www.isb.admin.ch/ (Accessed: 3 January 2007). Swiss Federal Strategy Unit for Information Technology.
http://www.infosurance.org (Accessed: 3 January 2007). Swiss Infosurance Foundation.
http://www.zurich.ibm.com (Accessed: 3 January 2007). IBM Zurich Research Laboratory.
http://www.ifi.unizh.ch/ikm/research.html (Accessed: 3 January 2007). Swiss Information and Communication Management Research Group.
http://www.isps.ch (Accessed: 3 January 2007). Swiss Information Society Co-ordination Group.
http://www.isn.ethz.ch (Accessed: 3 January 2007). Swiss International Relations and Security Network.
http://www.naz.ch (Accessed: 3 January 2007). Swiss National Emergency Operations Centre.
http://www.lasecwww.epfl.ch (Accessed: 3 January 2007). Swiss Security and Cryptography Laboratory.
http://www.softnet.ch (Accessed: 3 January 2007). Softnet – related Swiss federal project.
http://www.sfa.admin.ch (Accessed: 3 January 2007). Strategic Leadership Training.
http://www.cybercrime.admin.ch (Accessed: 3 January 2007). Swiss Co-ordination Unit for Cybercrime.
http://www.privacy-security.ch (Accessed: 3 January 2007). Symposium on Privacy and Security.

United Kingdom
The United Kingdom has one of the most developed environments for information and critical infrastructure protection.
http://www.cabinet-office.gov.uk/CSIA (Accessed: 3 January 2007). The Web site of the Central Sponsor for Information Assurance.
http://www.cesg.gov.uk (Accessed: 3 January 2007). UK National Technical Authority for Information Assurance.
http://www.dti.gov.uk/bestpractice/technology/index.htm (Accessed: 3 January 2007). The Department of Trade and Industry (EU/UK) IT and security best practice site; includes information previously contained on the UK Online for Business site.
http://www.dti.gov.uk/industries/information_security (Accessed: 3 January 2007). Information Security overview.
http://www.epcollege.gov.uk (Accessed: 3 January 2007). Emergency Planning College (EU).
http://www.financialsectorcontinuity.gov.uk (Accessed: 3 January 2007). Established by the UK's tripartite financial authorities (HM Treasury, the Bank of England and the Financial Services Authority) to provide a central point of information about work on continuity planning that is relevant to the UK's financial sector (EU/UK).
http://www.go-ne.gov.uk/resilience/resilience_business_continuity.htm (Accessed: 3 January 2007). Each regional government office in the UK has a resilience page like this one.
http://homeoffice.gov.uk (Accessed: 3 January 2007). Information on a range of relevant subjects in the publications section.
http://www.londonprepared.gov.uk/ (Accessed: 3 January 2007). Information and advice on London's resilience and preparations for, and responses to, major incidents and emergencies.
http://www.niscc.gov.uk/ (Accessed: 3 January 2007). National Infrastructure Security Co-ordination Centre – includes a business good practice guide for telecommunications resilience.
http://www.security-survey.gov.uk (Accessed: 3 January 2007). DTI Information Security Breaches Survey.
http://www.uniras.gov.uk (Accessed: 3 January 2007). Unified Incident Reporting and Alert Scheme.
http://www.ukonlineforbusiness.gov.uk has been superseded by http://www.dti.gov.uk/bestpractice (Accessed: 3 January 2007).
http://www.ukresilience.info/ (Accessed: 3 January 2007). UK Resilience, Civil Contingencies Secretariat. Information on the Civil Contingencies Bill is at http://www.ukresilience.info/ccbill/index.htm
http://www.warp.gov.uk (Accessed: 3 January 2007). UK Government Warning, Advice and Reporting Point site for co-ordinating reaction to information security breaches, etc.

United States
It is a cliché, but since 11 September 2001 the USA has paid much more attention to some of the very original research in its government departments and industrial sectors regarding information and critical infrastructure protection.
http://www.alw.nih.gov/Security/Docs/passwd.html (Accessed: 3 January 2007). Selecting good passwords.
http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html (Accessed: 3 January 2007). Improving the Security of Your Site by Breaking into It.
http://www.cdt.org (Accessed: 3 January 2007). USA Center for Democracy and Technology.
http://www.cert.org (Accessed: 3 January 2007). USA Computer Emergency Response Team.
http://www.cia.gov/cia/publications/factbook (Accessed: 3 January 2007). For number of Internet users by country.
http://www.ciao.org (Accessed: 3 January 2007). USA Critical Infrastructure Assurance Office.
http://www.cybercrime.gov (Accessed: 3 January 2007). Government cybercrime site.
http://shield.dmpsi.dc.gov (Accessed: 3 January 2007).
http://www.ftc.gov/privacy/glbact/ (Accessed: 3 January 2007). Financial Modernization Act of 1999 (Gramm-Leach-Bliley Act).
http://www.ftc.gov/privacy/index.html (Accessed: 3 January 2007). USA Federal Trade Commission.
http://csrc.ncsl.nist.gov/secpubs/ (Accessed: 3 January 2007). Listing of publications on computer security from National Institute of Standards and Technology sources.
http://csrc.ncsl.nist.gov/secpubs/rainbow/ (Accessed: 3 January 2007). National Institute of Standards and Technology (NIST) listing of the 'Rainbow Series'. The Rainbow Series is a stack of books, reputedly six feet tall, on evaluating 'Trusted Computer Systems' according to the National Security Agency. The name comes from the fact that each book has a differently colored cover. The main book, upon which all the others expand, is the Orange Book.
http://www.whitehouse.gov/deptofhomeland (Accessed: 3 January 2007). USA Department of Homeland Security.
http://www.eia.doe.gov/emeu/security/ (Accessed: 3 January 2007). Energy Information Administration – all types of security attacks on worldwide energy resources.
http://www.energyisac.com (Accessed: 3 January 2007). USA Energy Information Sharing and Analysis Centre.
http://www.ey.com/security (Accessed: 3 January 2007). Ernst and Young security site.
http://www.fbi.gov (Accessed: 3 January 2007). USA Federal Bureau of Investigation.
http://www.fedcirc.gov (Accessed: 3 January 2007). USA Federal Computer Incident Response Centre.
http://www.fas.org (Accessed: 3 January 2007). USA Federation of American Scientists.
http://www.fsisac.co (Accessed: 3 January 2007). USA Financial Services Information Sharing and Analysis Centre.
http://www.ftc.gov/infosecurity/ (Accessed: 3 January 2007). The Federal Trade Commission created this Web site for consumers and businesses as a source of information about computer security and safeguarding personal information.
http://www.hhs.gov/ocr/hipaa/ (Accessed: 3 January 2007). Medical Privacy – National Standards to Protect the Privacy of Personal Health Information.
http://www.it-isac.org (Accessed: 3 January 2007). USA Information Technology Information Sharing and Analysis Centre.
http://www.ncs.gov/ncc/ (Accessed: 3 January 2007). USA National Co-ordinating Centre for Telecommunications.
http://www.nipc.org (Accessed: 3 January 2007). USA National Infrastructure Protection Centre.
http://www.nerc.com (Accessed: 3 January 2007). North American Electric Reliability Council.
http://www.oag.state.ny.us/ (Accessed: 3 January 2007). New York State Attorney General (Eliot Spitzer) site on governance.
http://www.ostp.gov/ (Accessed: 3 January 2007). USA Office of Science and Technology Policy.
http://www.cert.org/octave/ (Accessed: 3 January 2007). USA Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE).
http://www.pcis.org (Accessed: 3 January 2007). USA Partnership for Critical Infrastructure Security.
http://www.staysafeonline.info (Accessed: 3 January 2007). USA Stay Safe Online.
http://www.sec.gov/news/testimony/021203tsrc.htm (Accessed: 3 January 2007). Protecting Capital Markets Against Terrorism.
http://www.surfacetransportationisac.org (Accessed: 3 January 2007). USA Surface Transportation Information Sharing and Analysis Centre.
http://www.dhs.gov (Accessed: 3 January 2007). USA Department of Homeland Security.
http://www.us-cert.gov/federal/ (Accessed: 3 January 2007). United States Computer Emergency Readiness Team.
http://www.whitehouse.gov (Accessed: 3 January 2007). USA White House.

Vendor Sites
There are of course many more vendors than are listed here. There has been no selection process; these links are those known to be of interest to this subject area.
http://www.almaden.ibm.com (Accessed: 3 January 2007). IBM Almaden Research Center.
http://www.availability.sungard.com/ (Accessed: 3 January 2007). SunGard Availability Services – data recovery and disaster recovery.
http://www.business-systems.bt.com/ (Accessed: 3 January 2007). BT Solutions.
http://www.bt.com/business/broadband (Accessed: 3 January 2007). BT Data Recovery/Disaster Recovery.
http://www.bt.com/commsure (Accessed: 3 January 2007). BT CommSure – Total Business Continuity.
http://www.buysunonline.com/ (Accessed: 3 January 2007). Sun Microsystems Data Recovery.
http://www.crg.com (Accessed: 3 January 2007). Control Risks Group – international business risk consultants.
http://www.datamobilitygroup.com (Accessed: 3 January 2007). Data and storage second opinions.
http://www.disklabs.com/ (Accessed: 3 January 2007). DiskLabs data recovery.
http://www.drsolomon.com/ (Accessed: 3 January 2007). Dr Solomon's, a McAfee company – anti-virus centre.
http://www.datafellows.com/ (Accessed: 3 January 2007). F-PROT Virus Protector.
http://www.easynet.com/ (Accessed: 3 January 2007). Easynet data recovery.
http://www.etsec.com (Accessed: 3 January 2007). ETSEC – 'Staying ahead of the Security Curve'.
http://www.foundstone.com (Accessed: 3 January 2007). Foundstone security products.
http://www.hp.com (Accessed: 3 January 2007). Hewlett Packard's site – HP Trust and Security.
http://www.intel.com (Accessed: 3 January 2007). Intel; includes security advice.
http://www.intersolve-tech.com (Accessed: 3 January 2007). Advanced security with FINREAD CSP.
http://www.jjtc.com (Accessed: 3 January 2007). Johnson and Johnson (Consultants) computer security.
http://www.kavado.com (Accessed: 3 January 2007). ScanDo from Kavado.
http://www.mcafee.com/uk/ (Accessed: 3 January 2007). McAfee computer security products.
http://www.mci.com/uk/bcinterest (Accessed: 3 January 2007). Business continuity the MCI way.
http://research.microsoft.com/security/ (Accessed: 3 January 2007). Microsoft Research.
http://www.microsoft.com/security/default.mspx (Accessed: 3 January 2007). Microsoft Security Site.
http://www.microsoft.com/technet/security/sourcead.asp (Accessed: 3 January 2007). Microsoft TechNet, Source Address Spoofing.
http://www.microsoft.com/technet/security/topics/hardsys/default.mspx (Accessed: 3 January 2007). Microsoft TechNet, Hardening Systems.
http://www.pinkertons.com (Accessed: 3 January 2007). Pinkertons.
http://www.qinetiq.com/home/markets/security.html (Accessed: 3 January 2007). QinetiQ's Introduction to Security.
http://www.qinetiq.com/home/markets/security/securing_your_business/information_and_network_security.html (Accessed: 3 January 2007). QinetiQ Information Security.
http://www.rsasecurity.com/ (Accessed: 3 January 2007). RSA Security, USA Security Consultants.
http://www.sanctum.com (Accessed: 3 January 2007). AppScan from Sanctum/Watchfire – Vendor.
http://www.safenet-inc.com/ (Accessed: 3 January 2007). SafeNet – 'The Foundation of Information Security'.
http://www.sapphire.net/ (Accessed: 3 January 2007). Information technology security company.
http://securityresponse.symantec.com (Accessed: 3 January 2007). Symantec Security Response site.
http://www.spiresecurity.com (Accessed: 3 January 2007). Spire Security.
http://www.srm-solutions.com (Accessed: 3 January 2007). Security Risk Management Limited.
http://www.spidynamics.com (Accessed: 3 January 2007). WebInspect from SPI Dynamics.
http://www.stiller.com/ (Accessed: 3 January 2007). Stiller Research, Computer Security.
http://www.symantec.com/avcenter/ (Accessed: 3 January 2007). Symantec Anti Virus Centre.
http://community.whitehatsec.com (Accessed: 3 January 2007). Sentinel from WhiteHat Security.
http://www.xerxes.com/security.html (Accessed: 3 January 2007). Xerxes Security Site.
http://www.zonelabs.com (Accessed: 3 January 2007). ZoneAlarm, Computer Security Protection.

General Information – Alphabetically by Site
http://www.as400security.net/ AS/400 (an IBM mid-range product) Security Portal.
http://www.bofh.sh/CodeRed/index.html (Accessed: 3 January 2007). Re: the CodeRed worm.
http://www.cert.org (Accessed: 3 January 2007). CERT (Computer Emergency Response Teams) Coordination Centre.
http://www.continuitycentral.com (Accessed: 3 January 2007). Portal Publishing Limited's excellent site on business continuity and security matters of all kinds.
http://www.cigital.com/javasecurity/links.html (Accessed: 3 January 2007). Java Security Hotlist.
http://cgi.nessus.org/plugins/dump.php3?family=Backdoors (Accessed: 3 January 2007). A current list of 'backdoors' recognized by Nessus. The Nessus Project aims to provide the Internet community with a free, powerful, up-to-date and easy-to-use remote security scanner.
http://www.computer-security.qck.com/ (Accessed: 3 January 2007). Computer security reference site.
http://www.crisis.solutions.com (Accessed: 3 January 2007).
http://www.crm-strategy.net/ (Accessed: 3 January 2007). Customer Relationship Management Resources.
http://www.denialinfo.com/ (Accessed: 3 January 2007). Links and links and links on denial of service attacks.
http://encyclopedia.thefreedictionary.com/Telecommunications%20service (Accessed: 3 January 2007). Free Dictionary with wide-ranging definitions.
http://www.enteract.com/~lspitz/linux.html (Accessed: 3 January 2007). Armoring Linux.
http://www.eon-commerce.com/riskanalysis/index.htm (Accessed: 3 January 2007). Alternative risk analysis site.
http://www.epic.org/privacy/carnivore (Accessed: 3 January 2007). EPIC 2002, The Carnivore FOIA Litigation.
http://www.e-securityworld.com/ (Accessed: 3 January 2007). Unix, Linux, iSeries, NT and OS/390 security specialists.
http://www.freecpd.co.uk/learning_materials/information_technology/identifying_and_assessing_risk_in_it_systems__1 (Accessed: 3 January 2007). Identifying and Assessing Risk in IT Systems.
http://www.globalcontinuity.com (Accessed: 3 January 2007). A Web portal focused exclusively on business continuity issues.
http://www.globalsecurity.org/org/staff/pike.htm (Accessed: 3 January 2007). John Pike, one of the world's leading experts on defense, space and intelligence policy.
http://www.gocsi.com (Accessed: 3 January 2007). Computer Security Institute.
http://grc.com/dos/grcdos.htm (Accessed: 3 January 2007). The story of a denial of service attack.
http://www.ukhomecomputing.co.uk (Accessed: 3 January 2007). Home Computing Initiatives.
http://icm-computer.co.uk/risks (Accessed: 3 January 2007).
http://www.idc.com (Accessed: 3 January 2007). IT and telecommunications global market intelligence and advice.
http://www.identityrestore.com (Accessed: 3 January 2007). Getting your stolen electronic identity back.
http://www.infosec.co.uk (Accessed: 3 January 2007). Infosecurity Europe (annual security event).
http://www.it-analysis.com/column.php?section=24 (Accessed: 3 January 2007). Robin Bloor's home page – for a different view on security.
http://www.internetsecuritynews.com/ (Accessed: 3 January 2007). Computer security related news, analysis and assessments.
http://www.internetworldstats.com/stats.htm (Accessed: 3 January 2007). Internet World Statistics.
http://www.jjtc.com/Steganography/ (Accessed: 3 January 2007). Johnson and Johnson's (Consultants) introduction to steganography.
http://web.mit.edu/kerberos/www/#what_is (Accessed: 3 January 2007). Kerberos is a network authentication protocol; this site explains it.
http://library.ahima.org/xpedio/groups/public/documents/ahima/pub_bok1_021875.html (Accessed: 3 January 2007). Medical Practice Brief: Information Security – An Overview.
http://www.lockdown.co.uk/ (Accessed: 3 January 2007). Lockdown – The Home Computer Security Centre.
http://www.nessus.org/index2.html (Accessed: 3 January 2007). The Nessus Project aims to provide the Internet community with a free, powerful, up-to-date and easy-to-use remote security scanner.
http://www.netsurf.com/nsf/ (Accessed: 3 January 2007). Netsurfer Focus, a chronicle on Internet players.
http://networkintrusion.co.uk (Accessed: 3 January 2007). Talisker Security Wizardry Portal – excellent summary of the global state of network intrusion attacks.
http://www.newsfactor.com (Accessed: 3 January 2007). Technical news site.
http://www.nscwip.info/ (Accessed: 3 January 2007). National Steering Committee for Warning and Informing the Public (EU).
http://www.nym-infragard.us/ (Accessed: 3 January 2007). InfraGard is an FBI program dedicated to promoting ongoing dialogue and timely communication between the private sector and the FBI concerning critical infrastructure protection issues.
http://www.openenterprise.ca (Accessed: 3 January 2007). Open Enterprise Solutions, including security.
http://owasp.org (Accessed: 3 January 2007). Open Web Application Security Project.
http://research.lumeta.com/ches/map/index.html (Accessed: 3 January 2007). Internet Mapping Project.
http://retailindustry.about.com/cs/security/ (Accessed: 3 January 2007). The rather limited approach of the retail industry.
http://www.riskserver.co.uk/bs7799/ (Accessed: 3 January 2007). The BS 7799 Launch Pad.
http://www.securityfocus.com (Accessed: 3 January 2007). Security site dealing comprehensively with computer security threats.
http://www.securitypolicy.co.uk/bs-7799/index.htm (Accessed: 3 January 2007). Another alternative for compliance with BS 7799.
http://www.schneier.com (Accessed: 3 January 2007). Leading cryptography author, Bruce Schneier (USA).
http://www.sgrm.com/Resources.htm (Accessed: 3 January 2007). A collection of computer crime and security references that is particularly strong regarding white-collar computer-related crime (Canada).
http://www.snort.org (Accessed: 3 January 2007). Snort – the lightweight network intrusion detection system.
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content7 (Accessed: 3 January 2007). SunSolve: The Solaris Fingerprint Database.
http://techrepublic.com.com/ (Accessed: 3 January 2007). Part of CNET and a good site for current threats.
http://www.theregister.co.uk/2004/04/30/spam_biz/ (Accessed: 3 January 2007). The Register is an alternative security site carrying much useful information.
http://www.searchsecurity.techtarget.com (Accessed: 3 January 2007). Information technology and related definitions/explanations.
http://www.securityauditor.net/ (Accessed: 3 January 2007). Resources for security policies, security audit and security risk analysis.
http://www.security.kirion.net/securitypolicy/ (Accessed: 3 January 2007). Compliance with internal security policies.
http://www.sysd.com (Accessed: 3 January 2007). System threat detection.
http://tms.symantec.com/documents/040617-AnalysisFinancialInstitutionCompromise.pdf (Accessed: 3 January 2007). Analysis of a compromised laptop.
http://ue.eu.int/uedocs/cmsUpload/79635.pdf (Accessed: 3 January 2007). The view of the EU on combating terrorism.
http://www.vmyths.com/ (Accessed: 3 January 2007). Computer Virus Myths (USA).
http://www.vnunet.com/security (Accessed: 3 January 2007). VNUnet – computer/security publisher's security support site.
http://www.webopedia.com (Accessed: 3 January 2007). Information technology and related definitions.
http://www.weibull.com/hotwire/issue3/hottopics3.htm (Accessed: 3 January 2007). Determining Reliability for Complex Systems.
http://www.whitehats.com (Accessed: 3 January 2007). Whitehats Network Security Resource: an online community resource providing support for those interested in network security, including network and security administrators.
http://www.wired.com (Accessed: 3 January 2007). A Lycos technology news site.
http://world.std.com/~franl/crypto/cryptography.html (Accessed: 3 January 2007). Introduction to Cryptography.
http://www.ynet.co.il (Accessed: 3 January 2007). Israeli news site (a knowledge of Hebrew helps).
http://www.y2k.com (Accessed: 3 January 2007). Some issues, including alternative views, on the Y2K problem.
http://www.year2000.com (Accessed: 3 January 2007). Information about the Y2K issues; includes some links to white papers on security and recovery.
http://www.zdnet.com (Accessed: 3 January 2007). A premier technology and security news site.
Index
11 September 2001, 20, 99, 100, 159, 160, 161, 169, 174, 256
7/07, 199
9/11, 19, 154, 160, 199, 229

A
Administration, 31, 35, 78
Advice Brokering Service, 74
Afghanistan, 4, 54, 77, 80, 164, 180
Africa, 48, 95, 157
Agents, 37, 38, 154, 155
AIDS, 49, 59
Air Force(s), 3, 17, 179, 182, 198
Aircraft carriers, 2, 162, 197
Airport, 5
Al Qaeda, 165
Alarms, 3
Algeria, 53
Ambulance, 16
Amsterdam, 151
Anderson, R., 64, 160, 161, 164, 169, 223, 233, 235, 239, 240
Antarctic, 54
Anti-spam service, 72
Anti-terror legislation, 5
APEC, 42
Arab-Israeli, 56
Armed conflict, 2
Armed forces, 6, 43
Armed might, 1
Armies, 3, 42, 182
Arms, 14, 192
Army, ix, 10, 11, 17, 170, 179, 182, 198, 229, 232, 243
Asia-Pacific Economic Co-Operation, 42
Assets, 3, 6, 20–24, 26, 27, 31, 36, 64, 67, 69, 88, 108, 109, 127, 128, 174, 202
Asymmetric warfare, 2–6, 51, 79, 100, 102, 155, 158, 164–167, 170, 174, 175, 177, 179, 191, 196–199, 202, 229, 243, 244
Atlantic ocean, 46
Attack, 3, 31, 37–39, 41, 50, 54, 60, 69, 70, 72, 73, 75, 79, 80, 87, 92, 98, 100, 170–172, 174, 188, 191, 217
Attitude, 5, 50, 81, 180
Australia, 1, 8, 19, 33, 34, 40, 48, 179, 190, 203, 227, 244, 252
Authentication, 39, 42, 118, 137, 138, 220, 263
Automation, 40, 156
Automotive, 53
Avalon project, 55
Avian flu, 49

B
B2B, 158
Balance, 4, 44, 57, 83, 105, 156, 164, 195, 202
Bank(s), 16, 20, 41, 49, 63, 86, 88–90, 95, 102, 189, 195
Bank of England, 16, 88, 255
Banking, 19, 27, 28, 35, 41, 62, 79, 94, 95, 97
Barcelona, 54
Barley, 48
Basel II, 126–144
Basle, 88–90, 174
Battle, 2, 3
Battleground, 3
Behavior, 9, 12, 32, 81, 92, 188
Belgium, 1, 152, 154
Berlin wall, 1, 54, 168
Bloomberg, 158
Bloor, 158, 230, 262
Border controls, 5
Botnets, 42
BP, 16
Bridges, 19
Britain, 3, 15, 54, 145, 170, 172
British, 3, 49, 97, 145, 147, 159, 163, 171, 180, 203, 218, 235, 241, 243
British Standard, 77, 97, 99
Broadband, 42, 156, 157, 259
Brussels, 189
BS 25999, 94, 97, 163
BT, 16, 63, 202, 212, 235, 241, 258, 259
Buddhist, 54
Bulgaria, 52
Bureaucrats, 6
Burtles, J., 86
Bush, G.W., 77
Business, 4, 9, 15, 18, 20–22, 33–35, 39, 47, 53, 55, 60, 62, 63, 65, 74, 81, 82, 84, 88–92, 94, 95, 97–103, 105, 106, 116, 117, 120, 123, 140, 142, 147, 149, 150, 152, 153, 156, 163, 164, 166, 172, 174, 177, 186, 195, 196, 205, 241, 255, 256, 258–262
Business continuity, 9, 94, 97–100, 105, 123, 130, 132, 134, 142, 160, 163, 196, 203, 213, 218, 222, 229, 241–243, 259, 261
Business effectiveness, 3
Business week, 158
Buyer, 83

C
Cadmium, 59
Call centers, 150, 154
Campaign, 3, 4, 72, 164
Canterbury cathedral, 54
Capitalism, 4, 13, 15, 16, 77, 81, 99, 102, 145, 146, 165, 166, 168, 169, 174
Catastrophe, 9, 18
CERTS, 71, 73, 175, 195
Checkpoint, 63
Chicago, 99, 216, 230
China, 46–48, 52–54, 58, 59, 63, 81, 82, 88, 102, 146–148, 150, 167, 168, 185
Chips, 40, 64
Christian, 15, 84, 145, 146
CIA, 44
CIP, 5, 11, 12, 33, 34
Cisco, 39, 64, 161, 169, 207–209, 215, 218, 222–224, 226, 233
Citizens, 14, 18, 32, 52, 56, 64, 75, 170, 173, 181, 189
Civil Contingencies Act, 52, 77, 86, 87, 170, 181
Civil service, 17
Clausewitz, Karl von, 18, 79, 80
Climate change, 7, 46
Coal, 45, 170
COBIT, 103, 104, 126
Cold war, 1, 81, 87, 146, 197
Colorado, 151
Communications, 4, 12, 16, 23, 25, 27, 30–34, 63, 73, 97, 103, 104, 113–116, 132–135, 152, 165, 171, 173, 179, 186, 201, 212, 214, 218, 221, 225, 226, 228, 237, 247, 250, 252, 263
Community, 6, 23, 25, 28, 31, 56, 74, 75, 172, 175, 211, 236, 242
Companies, 2, 16, 41, 52, 53, 58, 63, 65, 66, 70, 81–83, 89–91, 94, 95, 97, 100, 102, 106, 146, 147, 151, 153–157, 163, 169, 171–174, 180, 197, 206
Complexity, 40, 177, 197
Compliance, 87, 89, 90, 97, 100, 102, 105, 123–125, 127, 128, 143, 144, 156, 196, 199, 229, 264
Computer, 12, 18, 26, 32, 35, 39–41, 71, 72, 79, 83, 92, 95, 96, 110, 115, 117–122, 136–138, 151, 158, 189, 201, 203, 206, 211, 216, 217, 243, 246, 257, 261, 262, 264
Computer Emergency Response Team(s), 71, 72, 203, 240, 244, 245, 247, 248, 251, 254, 256, 261
Conduit, 4, 165, 188
Conflict, 2, 56, 79, 91, 179, 191
Connectivity, 11, 12, 62, 63, 76
Constitution, 14, 15, 20
Consultants, 40, 64, 259
Contingency planning, 46
Contractors, 37, 40, 95
Control risks, 94
Cooperation, 21, 24, 27, 29, 33, 34, 67, 148, 175, 178, 243, 246
Copenhagen, 84
Cork, 154
Corn, 48
Corporate governance, 88–90
CorpTracker, 53
Cost, 27, 39, 52, 53, 74, 83, 89, 91, 146, 151, 153–157, 193
Crete, 185
Crime prevention, 33
Criminal law, 40
Critical Information Infrastructure, 1, 7, 8, 10–13, 15, 18, 20, 31, 32, 42, 43, 61–64, 66, 69–71, 76, 77, 93, 106, 145, 177, 179–182, 184, 185, 187, 189–198, 200–203, 211, 244, 253
Critical Information Infrastructure Protection, 198
Critical Infrastructure(s), 1–10, 12, 13, 16–23, 25, 30–34, 36, 37, 41–45, 50–52, 59–62, 64, 70, 76, 77, 79, 80, 83–88, 93, 94, 159, 176, 178–180, 182, 184–198, 200, 201, 211, 229, 244, 245, 252, 256, 258
Critical mass, 146
Critical National Infrastructure, 13, 31, 69, 73, 86
Customer(s), 4, 35, 41, 62, 64, 66, 91, 154–156, 165, 166, 169, 175
Cybercrime, 40, 249, 255, 256
Cyber-threats, 11, 12
Czech Republic, 1, 52, 152

D
Dams, 20
Dartmouth, 69, 221
Data, 8, 16, 30, 43, 63, 68, 72, 85, 91, 94–100, 111, 112, 115–117, 121, 124–144, 146, 147, 153, 155, 156, 172, 188, 216, 230, 241
Debt, 47, 80
Declaration of Independence, 13, 15
Decoys, 3
Defense, 1–4, 6, 7, 10, 14, 15, 20, 21, 31–34, 42–44, 51, 52, 83, 161, 163, 169, 177, 178, 180–182, 187, 190, 191, 197–200, 204, 242, 244, 252, 262
Defense of the Realm, 2
Dell, 64
Deloitte, 64
Democracy, 1, 13, 77–79, 83, 173, 180, 190, 195, 197
Denial of service, 38, 41, 42, 240
Department, 21, 22, 28, 31–34, 42, 43, 49, 51, 59, 84, 250
Department of Homeland Security, 31, 66, 257, 258
Detroit, 83
Deutsche Bank, 48
Digital technology, 1, 39
Digital world, 1
Disaster, 34, 91, 92, 94, 97, 99, 100, 151, 152, 156, 161, 163, 180, 202, 213, 241
Disaster recovery, 9, 94, 152, 196, 203, 205, 206, 213–215, 220, 222, 241, 258, 259
Diseases, 2, 49, 50, 59
Disposable income, 151
Distribution, 4, 35, 47, 56, 57, 67, 72, 81, 165, 166
Disturbance, 8, 9
DNA, 99, 105, 199
Doswell, B., 97
Dublin, 151
Dunn, M., 10–12, 20, 43, 76, 182, 189

E
Ecology, 9
ecommerce, 147, 205
Economic, 2, 4–6, 10, 11, 15, 16, 20, 26, 31, 34, 42, 52, 55, 57, 58, 60, 77, 80, 81, 84, 88, 91, 93, 145, 146, 149, 151, 153, 159, 161, 164, 167–170, 172, 173, 179, 181, 190, 191, 194, 196, 197
Economist, The, 158, 177
EDS, 163
Education, 3, 10, 59–61, 73, 84, 85, 110, 117, 153, 165, 166, 176, 212–214, 222, 223, 227, 228, 239, 242, 243, 247, 253
Education/intellectual Property, 10
Effort, 4, 11, 31, 32, 70, 164, 166, 189, 201, 202
eGovernment, 50, 246
Egypt, 53, 57, 58
Electricity, 3, 33, 35, 38, 46, 85, 170, 184
Electricity pylons, 3
Electronic, 1, 2, 31, 40, 42, 62, 67, 69, 73, 75, 80, 95, 99, 100, 102, 110, 117, 126–144, 149, 164, 174, 175, 178–180, 189, 196, 215, 262
Electronic environment, 2, 178
Email, 95
Emergency services, 16, 31
Enemies, 2, 54, 171
Energy, 9, 16, 18, 19, 21, 23, 25, 27, 28, 31, 45–47, 56, 61, 62, 85, 102, 203, 232, 257
English, 150–153, 157, 173, 181, 202, 249
ENISA, 69, 185, 192, 193, 246
Enron, 89, 99, 100, 149
Entrepreneurs, 6
Environment, 2, 40, 42, 43, 58, 59, 74, 81, 87, 92, 102, 132, 145, 146, 151, 153, 169, 171, 175, 177, 196, 230
Environment Agency, 58
Environmental, 31, 77, 93, 111, 112, 131, 146, 153, 161, 170, 173, 197
Equipment, 39, 62, 63, 83, 92, 95, 96, 117, 118, 131, 137, 163
Ernst & Young, 52, 83, 204
ETH, 192, 193, 198
Euphrates, 57
Europa, 158, 171, 246
Europe, 8, 19, 33, 40, 46, 48, 50, 52–55, 58, 69, 71, 82, 89, 90, 94, 95, 99, 100, 102, 146–149, 151, 155, 168, 171, 178, 179, 189, 191, 196, 244, 246, 248, 262
European Commission, 32, 33, 56, 88, 90, 148, 179, 185, 189, 246
European Investment Monitor, 52
European Network and Information Security Agency, 185, 246
European Telecommunications Resilience and Recovery Association, 145
European Union (EU), 32, 33, 40, 46, 48, 51, 52, 55, 56, 88, 90, 100, 103, 105, 126, 146, 148, 171, 184, 185, 189, 240, 245, 246, 249–251, 255, 263, 264
Europol, 185, 246
Evaluation, 32, 124, 258
Evolution, 12, 169
Executive Club of Chicago, 99
Executive order, 20, 24, 27, 28, 30, 31, 65, 66
Exercise, 14, 49, 50, 87, 171, 173, 177, 191

F
Faegre and Benson, 174
Far east, 52, 53, 99, 145, 146
FCC, 66
FDA 21 CFR, 97, 107
Fences, 3
FERC/NERC, 104, 105, 107
FFIEC & GLBA, 126
Fialka, 169, 227
Fiber, 11, 63
Fiber optic, 11, 151
Filtered Warning Service, 74
Finance, 10, 16, 31, 52, 61, 62, 83, 85, 232
Financial Services Authority, 88, 255
Fire, 16, 63, 214, 215
Fire stations, 20
Fish and Chips, 3, 54
Fish stocks, 59
Flanders, 154
Flood, 2, 98
Food, ix, 2, 5, 6, 10, 16, 31, 45, 47–49, 57–59, 61, 62, 83, 85, 98, 102, 152, 165, 170, 177, 187, 199, 200, 232
Food supply, 10, 61, 85
Foreign exchange, 57
Formula, 1, 3
Framework, 32, 33, 80, 87, 88, 102, 107, 126, 189, 233
France, 1, 51, 184, 199, 203, 224, 247
Frankfurt, 99
Free trade, 55
Freedom of speech, 14
Friedman, T.L., 15, 82
Fuel, 5, 46, 48, 56, 85, 87, 170, 232
Funding, 17, 32, 58
Index G G8, 152, 184–186 Gas, 19, 33, 45, 46, 56, 58, 83, 170 GDP, 80, 82, 151 Germans, 2 Glasnost, 54 Global Crossing, 63 Global warming, 45, 50, 84 Globalization, 1, 2, 12, 53, 81, 82, 99, 145, 159, 166, 168, 197 Goetz, Eric, 201 Gompert, 173, 231 Goods, 4, 16, 52, 55, 63, 83, 146, 150, 151, 154, 166 Governance, 3, 6, 82, 88–90, 147, 149, 190, 199, 201, 204, 218, 258 Government, 2, 3, 6, 10, 13, 14, 16, 17, 19, 21–29, 31–36, 40–42, 50, 51, 53, 60, 61, 65–70, 73, 75, 77, 79, 85–87, 146, 152, 154, 170–172, 181, 194, 202, 203, 218, 231, 233, 237, 245, 247, 251, 252, 255, 256 Government Department, 3, 17 Graduates, 54, 59, 60 Grain, 13, 48 Gravelines, 184 Greece, 1, 185 Greeley, 154 Grotberg, 162, 163, 176, 233 Group of Eight, 184, 185 H Hackers, 37 Hacking, 32, 38, 40 Hague Convention, 54 Hammond, A., 172, 230 Happiness, 14, 78 Hardware, 62, 64, 76, 91, 92, 152, 169, 217, 220 Hayek, 15 Hazards, 34, 111, 112, 131 Health, 2, 10, 17, 19, 21, 23, 25, 31, 34, 47, 49, 50, 59, 61, 84, 85, 89, 102, 118, 241, 244, 257 Heathrow, 55 Heraklion, 185 Hewlett Packard, 63, 259 HIPAA, 102, 104, 107 Home Office, 170, 228
Home workers, 156 Homeland, 10, 20, 66, 67 Homer-Dixon, 173, 231 Hong Kong, 99, 160, 229 Horses, 2, 6, 38 Hospitals, 19, 35 Hosting, 62 House of Representatives, 161, 174, 207, 231–233 Humanitarian, 7, 46 Hungary, 1, 52 Huntington, 169, 230 Hussein, S., 54 Hyslop, M., 2, 4, 56, 81, 99, 164, 165, 167, 168, 171, 172, 174, 177, 229, 233, 235 I I3P, xi, 69, 192, 193, 198 ICC Cyber Crime, 192, 193 Icons, 10, 54, 61, 85 Identity theft, 42 Ideological, 15 IDM, 42 Illness, 2 IMF, 86 Impact assessment, 91 India, 47, 48, 52–54, 58, 59, 82, 88, 102, 145–149, 154, 156, 157, 196, 232 Industry associations, 33, 34 Inequality, 84 Information, 1, 5, 10–12, 16, 18–24, 26–30, 33, 34, 39, 41, 42, 44, 48, 49, 55, 62–75, 77, 79, 80, 85, 86, 88–90, 94, 95, 97–100, 105–110, 112, 117, 120, 121, 124, 126–128, 130, 132, 136, 139–141, 143, 147, 148, 155, 157, 163, 171–175, 181, 185, 196, 197, 202, 204–206, 211, 220, 229, 240, 242, 243, 245–247, 250–253, 255–257, 260, 262, 264 Information Infrastructure, 1, 11–13, 15, 18, 24, 27, 29, 43, 44, 50, 61–64, 69, 76, 88, 91, 94, 106, 150, 153, 158–161, 163–165, 169–175, 178, 179, 182, 184, 196, 197, 201–203, 211, 233 Infrastructure, 4, 6, 11, 12, 18–24, 26–29, 32–41, 45, 50–52, 56, 66–68, 70, 76, 79, 91, 120, 132, 140, 151, 152, 154,
156, 157, 160, 161, 164, 165, 169, 171, 179, 180, 182, 194, 201, 243, 249, 252, 255, 256, 263 In-house, 154 Institut Pericles, 145 Institutions, 2, 20, 80, 86, 88, 171, 180, 191, 254 Insurance, 23, 46, 47, 63 Intel, 64, 209, 259 Intellectual property, 2, 59, 60 Intelligence, 5, 30, 60, 65–69, 171, 172, 180, 182, 185, 188, 262 Interconnectors, 56 International, 4–6, 12, 16, 18, 24, 27, 34, 40, 41, 43, 45–48, 50, 51, 53–59, 62, 66, 70, 76, 81, 84, 88–90, 95, 146, 151, 153, 166, 173, 174, 176, 179, 184–197, 204, 242, 250, 259 International Financial Reporting Standard, 90, 91 International Law Commission, 192 International relations, 4, 58, 166, 191 Internet, 4, 6, 11, 12, 15, 33, 38, 39, 41, 42, 62, 63, 72, 75, 83, 99, 147, 148, 165, 169, 171–173, 175, 202, 206, 210–212, 216, 219, 220, 223, 225, 228, 231, 232, 238, 242, 251, 256, 261–263 Iran, 78 Iraq, 4, 51, 52, 54, 57, 77, 80, 164, 180 Ireland, 1, 152–154, 178 Islam, 84, 166 ISO 17799, 97, 98, 102–105, 107, 126, 187, 218 Israel, 57 Issue groups, 38 IT, 12, 35, 37–41, 71, 72, 91, 94, 126, 128, 132, 143, 144, 156, 172, 186, 201, 204, 214, 218, 219, 223, 237, 242, 252, 253, 255, 262 ITIL, 103, 104, 126, 129, 131, 134, 136, 137, 140–142 ITU, 62 J JANET-CERT, 71, 240 Japan, 1, 53, 78 Jordan, 57 Judiciary, 51, 206, 207 Just in Time, 5, 6
K Kennedy, J., 19 Kendra, J.M., 161–163, 234 Kent, 184 Ki work, 155–157 Knowledge, 38, 40, 49, 64, 75, 106, 146, 148, 175, 179, 185, 186, 188, 205, 265 Knowledge Economy, 52 Korea, 1, 53 Kroll, 94 L Langchao, 63 Law and order, 10, 51, 61, 85 Law enforcement, 19, 24, 33, 41, 66–70, 86, 188 Lebanon, 57 Leeds, 151 Lefever, Ernest W., 77 Legal, 4, 23, 41, 77, 81, 93, 102, 146, 161, 165, 166, 170, 189, 194, 196, 197 Lenin, 54 Liberalization, 33 Liberty, 14, 77, 78, 190 Libya, 57 Life, 5, 8, 14, 16, 31, 50, 52, 56, 57, 87, 156, 159, 176 Lincoln, A., 78 Linux, 73, 216, 218, 220, 224, 238, 262 Lisbon, 146, 148, 149, 184 Literacy, 176 London, 33, 47, 60, 75, 85, 94, 95, 97, 99, 149, 174, 204, 205, 209, 211–216, 218, 221, 222, 225, 226, 228, 235, 240, 255 London Stock Exchange, 149 Lucent, 19 M Madrid, 33 Magna Carta, 3, 51, 54 Malthusian, 59 Malware, 38, 42, 65 MAN-CERT, 71, 72 Manchester, 63, 73 Manchester University, 71 Manufacturer, 4, 63, 81, 153, 165, 166
Manufacturing, 10, 21, 28, 52–54, 61, 62, 83, 85, 146, 148, 197 Market forces, 12 Market research, 91, 151, 153 Marketing, 4, 53, 81, 82, 100, 102, 151–153, 158, 166, 178 Marsh, 63 Marx, K., 15 Marxism, 16 Masera, M., 185 Mass migrations, 55 Materials science, 9 Mecca, 54 Media, 12, 80, 94, 109, 112, 115 Medical, 53 Mexico, 1, 157 MI5, 31, 171, 178, 232 Microsoft, 39, 40, 64, 65, 82, 161, 169, 204, 207–209, 218, 220, 221, 223, 225, 233, 260 Middle East, 56–58, 147 Militia, 14 Ministry of Defense, 2, 171, 182, 230, 247, 252, 253 Mobile, 43, 120, 139, 150, 153, 169, 235 Model, 15, 36, 83, 91–93, 146, 148, 149, 178, 180–183 Monarchy, 3 Money, 15, 16, 47, 58, 86, 88, 93, 146, 150, 151, 157, 166, 169, 178, 193 Monitoring, 32, 88, 139, 190 Moore’s Law, 83 Morocco, 53 MRSA, 49 N Nation states, 1, 13, 55 National Guard, 10 National Information Security Co-ordination Centre, 12, 190 National interest, 6 NATO, 6, 50, 184, 187, 188, 190–193, 197, 198 Navies, 3, 182 Navy, 17, 179, 182, 198 Nelson’s Column, 3, 54 Netherlands, 1, 15, 55, 152, 154, 203, 251
Network (s), 11, 12, 21, 23, 26, 30, 33–35, 38, 39, 43, 63, 64, 73, 95, 96, 115, 119, 121, 124, 125, 134–137, 156, 157, 160, 161, 163, 169, 173–175, 181, 186, 189, 205, 220, 226, 233, 235, 240, 246, 249, 250, 260, 263, 265 New World, 1, 83 New York, 69, 82, 95, 97, 99, 159, 161, 169, 173, 181, 195, 206, 208–213, 215, 216, 220–228, 234, 239, 258 New Zealand, 1, 8, 19, 35, 36, 38, 39–42, 179, 190, 203, 222, 252 Newcastle-upon-Tyne, 54, 234 Nice, 145, 146 Niebuhr, R., 79 Nigeria, 49 Nile, 56, 57 NISCC, 69, 70, 73–75, 181, 186 Noord-Brabant, 154 North, 46, 53, 102, 152, 190, 191, 242, 258 North Sea, 46 Northumberland, 51 Northumbria, 145, 146, 240 Nottinghamshire, 51 Nuclear energy, 45 Numeracy, 176 O Obesity, 49 Obstructive marketing, 2–6, 81, 82, 84, 93, 102, 164–167, 170, 174, 175, 177, 178, 195–199, 233 OECD, 1, 8, 9, 13, 15, 16, 18, 42–44, 46–50, 52, 54, 61, 70, 71, 77, 84, 97, 99, 145, 149, 159, 164, 169, 172, 173, 176, 178, 180, 181, 184–187, 190, 193, 196–200, 249 OFCOM, 70 Oil, 16, 19, 45, 46, 50, 56, 57, 102, 147 Operating systems, 39, 71, 220 Organization, 9, 18, 51, 74, 82, 91–93, 95, 99, 106–108, 126, 128, 137, 162, 172, 177, 181, 182, 184, 187, 193 Organized crime, 38, 166, 168, 179, 180 Outsource service providers, 156, 157 Outsourced, 35, 108, 128, 150, 154, 196 Outsourcing, 6, 150, 154, 155, 196
Ownership, 16, 17, 35 Oxford Intelligence, 52, 53 P Parliament, 3, 87 Partnership, 3, 5, 6, 21, 29, 34, 179, 180, 197 Pas de Calais, 184 Passport, 55, 102 Password(s), 38, 71, 96, 117–119, 137, 138, 256 Patriot Act, 77, 86 PC, 64, 73, 83, 96, 209, 213, 229, 230, 238, 241 Pearson, B., 177 Pearson, T., 214 Pelgrin, W., 69 People, 10, 13, 14, 60, 61, 73, 85 Perturbation, 9 Peter Le Magnen, 52 Petrochemical(s), 59, 62 Petroleum industry, 62 Petroleum institute, 62 Philippines, 154, 157 Phishing, 42, 63 Pipelines, 20, 56 Pipes, 3 Planes, 5, 180 Poland, 1, 52, 152 Poles, 2, 6 Police, 16, 17, 35, 41, 179, 182, 250, 251, 254 Police forces, 3 Policy, 19–21, 32, 33, 41, 42, 79, 87, 92, 106, 107, 110, 119, 126, 130, 133, 139, 186, 190, 262 Polio, 49 Politech institute, 189, 192, 193 Political, 1, 2, 12, 13, 16, 18, 31, 47, 55, 57, 58, 60, 77–79, 84, 87, 93, 146, 147, 151, 161, 167–173, 179, 181, 182, 184, 185, 189, 190, 191, 193, 194, 196 Political will, 1, 47, 185 Politics, 4, 18, 79, 166 Ports, 20 Post Office, 16 Power distribution, 5
Power plants, 19 President, 19–22, 24–26, 28–30, 56, 77, 78 PriceWaterhouseCoopers, 64 Private, 5, 12, 14–18, 21–23, 26, 28, 29, 35, 41, 42, 44, 56, 58, 62, 66–71, 80, 82, 87, 88, 94, 95, 150, 175, 179–182, 184, 185, 187, 192, 220, 249, 263 Private property, 14 Private sector, 3, 5, 22, 26, 73 Privatization, 5, 56 Privatized, 3, 170 Processes, 3, 5, 9, 53, 62, 81, 88, 93, 97, 106, 123, 124, 126, 142, 143, 156, 184, 252 Professional bodies, 33, 34 Protected, 2, 3, 5, 31, 34, 35, 68, 111, 112, 131, 170, 181 Protection, v, 2, 3, 5–7, 10–12, 14, 15, 18, 20–26, 28, 30, 32–34, 37, 42, 43, 63–65, 69, 70, 76, 86, 87, 103, 104, 106–129, 133, 135, 155, 175, 179, 183, 185, 187–192, 194–196, 201–203, 211, 219, 231, 244, 245, 248, 249, 252, 254, 255, 256, 258, 261, 263 Psychology, 9 Public, 5, 14, 16–19, 21, 29, 31, 33, 34, 41, 42, 44, 56, 58, 62, 65, 67, 69, 71, 80, 82, 87, 115, 121, 134, 175, 179–181, 184, 185, 189, 190, 192, 238, 244, 249, 263 Public safety, 17, 31 Public sector, 41, 180 Public service, 17, 31 Public transit operators, 20 Public-private partnership, 3, 5, 181, 195 Q Qinetiq, 163, 205, 260 Quangos, 17 R Rail, 55, 56 Rand, A., 15 Reagan, R., 78 Reardon, M., 161, 169, 233 Recovery, 5, 23, 24, 33, 91, 94, 95, 97–100, 105, 106, 114, 123,
150–152, 156, 158, 160, 163, 164, 170, 174, 175, 180, 181, 196, 202, 206, 214, 241, 259, 265 Redundancy, 5, 162–164 Regulation, 34, 88, 94, 97, 100, 146, 196, 199, 249 Regulator(s), 33, 34, 70, 88 Religion, 14, 54, 195 Research and development, 24, 53, 54, 64, 173 Resilience, 1, 5, 7–9, 13, 14, 16, 18, 20, 31, 32, 33, 34, 42, 43, 44, 46, 47, 49, 50, 51, 54, 55, 58, 59, 60, 63, 66, 69, 76, 77, 86, 91, 94, 99, 100, 102, 105, 106, 145, 150, 156, 158, 160, 161, 162, 163, 164, 170, 174, 175, 176, 177, 179, 181, 183, 184, 189, 190, 192–202, 206, 221, 223, 233, 234, 235, 236, 246, 255, 256 Resiliency, 9 Resilient, 2, 5, 7, 18, 55, 60, 80, 92, 100, 106, 160, 162–164, 170, 175, 176, 188, 197, 202, 217 Resources, 2, 4, 28, 34, 38, 46, 57, 58, 66, 67, 70, 72, 79, 80, 87, 96, 113, 119, 124–126, 129, 132, 133, 147, 148, 164, 168, 170, 173, 174, 184, 185, 189, 190, 192–194, 201, 202, 204, 209, 239, 257, 261 Revolution, 18, 21, 58, 83, 168, 169, 171, 173, 245, 246 RFID, 43, 205, 223, 234 Riccardo, D., 15 Rice, C., 78 Riga, 188, 191 Risk, 5, 29, 32–34, 36–38, 40, 41, 43, 46, 65, 66, 69, 74, 75, 77, 88, 90–94, 102, 106, 121, 131, 141, 147, 151, 153, 172, 196, 202, 205, 259, 262 Risk management, 6, 92, 194, 195 Rivers, 57–59 Road, 55, 56, 64, 65 Rochlin, 162, 163, 177, 234 Romania, 52 RSA, 63, 225, 227, 260 Russia, 46, 47, 52, 58, 82, 147, 148, 253
S Sadat, A., 56 Safety, 2, 34, 85, 89, 178 Sarbanes-Oxley, 82, 88, 89, 107 Satellites, 11, 67 Saudi, 57 Schipol, 55 Scotland, 152 Sect, 57 Sector, 11, 12, 17, 21–23, 26, 28, 29, 32, 35, 41, 53, 66–70, 74, 88, 94, 150, 155, 174, 175, 180–182, 187, 192, 255, 263 Secunia, 71 Security, 3, 5, 10, 12, 14, 19–28, 30–34, 36, 38–43, 62–65, 67, 68, 71–74, 76, 79, 88, 90, 94–98, 102–105, 107–144, 146, 147, 158, 160, 161, 163, 164, 169, 171–175, 178–181, 185–187, 189–191, 195–197, 200–265 Self-sufficiency, 46 Seller, 83 Service provider, 4, 81, 165, 166 Services, 2, 4, 9, 11, 12, 19, 21, 23, 28, 30, 31, 34, 36, 50–53, 55, 62, 69, 71, 74, 75, 83, 87, 88, 95, 97, 106, 117, 126–144, 150–155, 166, 171, 172, 188, 189, 249 Sewage, 2, 58, 251 Shakespeare, 79 Shareholder, 41, 168 Shaw, G.B., 6 Shell, 46, 224 Shenoi, Sujeet, 201 Shock, 8 Siberia, 46 Silicon Valley, 154 Smith, A., 15 Sniffers, 5 Social, 6, 10, 16, 20, 31, 51, 58, 60, 77, 84, 93, 146–149, 161, 170, 172, 173, 194, 195, 197 Society, 2, 3, 5, 8, 13, 15, 18, 23, 45, 50, 51, 54, 56, 59, 60, 69, 84, 161, 171, 177, 181, 186, 189, 194, 197, 246, 247, 250 Software, 11, 42, 62, 64–66, 74, 76, 91, 96, 98, 114–116, 133, 135, 140, 152, 160, 164, 169, 206, 217, 221
South America, 48, 58, 147, 157 Soviet Union, 54 Spain, 1, 54 Spanish, 157, 202 Staff, 26, 30, 37, 38, 40, 155, 156, 172, 188, 262 Stakeholders, 31, 33, 87, 189 Stalin, 59, 150 Standard of living, 2, 146, 148 Steel, 79, 170 Steganographic, 4 Stockpiles, 3, 5, 48 Strategic National Asset, 3 Stress, 9, 18, 156, 162 Sudan, 58 Sun Microsystems, 63, 219, 259 Sunderland, 154 SunGard, 63 Supermarkets, 48, 170 Supply chain(s), 34, 62, 83, 147, 178, 240 Survival, 1, 3, 56, 98, 100, 158 Sweden, 1, 11, 43, 181, 182, 190, 203, 253 Swiss, 12, 43, 203, 253–255 Switzerland, 1, 10, 43, 181, 182, 190, 203, 211, 253, 254 Syria, 57 T Tags, 43 Taliban, 54 Tanks, 2, 148 Target, 4, 77, 165, 264 Tea, 3 Technological, 5, 11–13, 40, 42, 46, 51, 52, 57, 67, 77, 153, 161, 170, 173, 194, 197 Technology, 1, 8, 12, 16, 18, 21, 23–25, 30, 39, 40, 43, 51, 53, 64, 65, 67, 68, 74, 83, 85, 90, 98–100, 103, 140, 146, 147, 150–152, 154–156, 165–167, 169–173, 181, 186, 187, 194, 203, 209, 210, 213, 214, 218–220, 225, 227–229, 231, 232, 234, 237–239, 241, 244, 245, 247, 250, 251, 253–258, 260, 262, 264, 265 Telecom, 35, 223, 227, 228, 235 Telecommunications, 1, 5, 8, 11, 16, 18, 21, 23, 29, 35, 38, 62, 67, 69, 70, 76, 90, 91, 150, 153, 158, 160, 163, 181,
230–232, 234, 241, 246, 248, 249, 252, 256, 262 Telephone, 19, 83, 95, 96, 154, 169, 178 Telephony, 39 Telstra Saturn, 35 Ten Commandments, 15 Territorial Army, 10 Terrorism, 5, 20, 32–34, 42, 66, 68, 77, 79, 98, 165, 178–180, 185, 187, 198, 201, 229, 258, 264 Terrorist groups, 2 Theft, 37, 38, 40, 42, 110, 112, 115, 129, 132, 135, 171 Tigris, 57 Timing, 4, 164 Tolchin, M., 173 Tolchin, S.J., 173 Tompkins, J., 86 Townsend, 170, 232 Trains, 5 Transport, 10, 17, 31, 56, 61, 62, 85 Transportation, 2, 19, 21, 23, 28, 55, 56 Trendle, 173 Trial, 14, 15 Troy, 154 Trudeau centre, 173, 231 Trusted Sharing Service, 74 Tunisia, 53 Turkey, 1, 57 Tyco, 89 U UN’s International Law Commission, 198 Uncertainty, 82, 83, 91, 173 United Kingdom (UK), 1, 2, 5, 6, 8, 11, 12, 16–19, 31, 32, 46–51, 53–56, 58–60, 62, 63, 69–73, 77, 82, 86–90, 94, 97, 100, 103, 126, 152, 154, 155, 160, 170–173, 175, 178–181, 184, 190, 202–206, 209–230, 234, 235, 240, 250, 251, 255, 256 United Nations(UN), 78, 84, 146, 184, 186, 187, 190, 191 United States of America (USA), 2–5, 8, 10, 13–15, 19, 20, 47, 51, 52, 63, 65, 70, 76, 77, 79, 80–83, 86, 88, 89, 97, 99, 100, 102, 106, 146–149, 151, 152, 154, 155, 158, 164, 167,
171, 173–175, 178–181, 184, 189, 196, 206–229, 232, 233, 240, 250, 256–258, 260, 264 Universities, 3, 145, 146, 153 University of Toronto, 173, 231 Unix, 39, 73, 206, 225, 262 Utah, 151 Utilities, 5, 96, 174, 202, 246 V Vatican, 54 Verizon, 63 Viruses, 38, 50, 169 W Walls, 3 War, 2, 4, 14, 18, 45, 46, 49, 51, 54–56, 78–80, 146, 148, 162, 164, 168–170, 182, 195, 202, 227, 234 War Office, 2 Warning Action and Reporting Points, 73 WARPs, 71, 73–76, 195 Washington Times, 77, 234 Water, ix, 2, 19, 21, 23, 45, 47, 56–59, 79, 85, 98, 200 Water, 10, 17, 32, 56–59, 61, 85, 165, 251 Way of life, 2, 3, 5, 13, 15, 51 Weapons, 19, 81, 179, 180, 187 Weapons of Mass Destruction, 178, 179 Wembley, 3, 54 Wenger and Metzger, 76 Wheat, 47, 48 Wigert, I., 10–12, 20, 43, 76, 182, 189
Windows, 39, 40, 204, 207, 208, 217, 218, 220, 221, 225 Wireless, 12, 43, 151, 152, 189 Wong, A., 160, 235 Wong, P.W., 224 Wood, 177 Wilson, W., 78 The World, 2, 4, 6–9, 46–48, 55, 64, 65, 70, 77, 80, 82, 84, 90, 100, 146, 147, 151, 164, 166, 168–171, 179, 196, 229, 230, 244, 262 Work, 3, 8, 23, 24, 26–29, 42, 43, 51, 56, 69, 70, 73, 74, 76, 80, 83, 86, 87, 98, 110, 126, 130, 145, 150, 155, 156, 159, 173, 180, 181, 185, 187, 188, 190, 192, 195, 196, 233, 255 Workstations, 73 World heritage sites, 54 World Trade Centre, 3, 54, 159, 161, 169, 234 World Trade Organization, 147 World Wide Web, 12, 99, 160, 169, 175, 219, 243 WorldCom, 89, 149 Worms, 38 Y Y2K, 1, 98, 158, 236, 265 Yale, 55 Z Zambia, 59 Zekos, 171, 172, 232 Zurich, 10–12, 203, 211, 254