Critical Infrastructure Protection Diplomacy in the Age of Cyber Threats

 Dr. ASLI VAROL

As problems and conflicts diversify in the global arena, it becomes difficult to determine where the power of information and communication technologies will reach. The use of these technologies for destructive purposes seriously harms countries, institutions, societies and individuals. Cyber attacks on domestic and cross-border critical infrastructures cause tension in international relations and therefore lead to the development of a new field of diplomacy in foreign policy. 

Critical Infrastructure Protection in the European Union 

Cyber-attacks are among the fastest growing types of crime worldwide. However, cyber-attacks are also growing in scale, cost, and complexity. So businesses need to invest more money to make cyberspace safer for themselves and their customers. Companies, citizens and all countries are also affected by cyber attacks. The first known cyber-attack against a country was carried out in Estonia in April 2007. This attack affected the online services of banks, media outlets and government agencies for weeks. Since then, many other countries have been subject to cyber-attacks, including critical infrastructures such as electrical power systems, hospitals or water utilities. Critical industries such as transportation, energy, healthcare and finance have become increasingly dependent on digital technologies to run their core businesses. Growing digital connectivity certainly brings tremendous opportunities. But this digital connectivity also exposes economies and societies to cyber threats. Cybersecurity incidents are increasing in number, complexity and scale, as well as their economic and social impact (Negreiro, 2022). 

The Commission of the European Communities states that critical infrastructures consist of physical and information technology facilities, networks, services and assets that, if disrupted or destroyed, could have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments around the world. Critical infrastructures exist in many sectors of the economy. Energy installations and networks, communications and information technology, banking and finance, food, water, transportation and distribution, production, storage and transport of dangerous goods, energy, utilities, health, food supply, communications, key government services are referred as critical infrastructures (Commission of the European Communities, 2004: 3-4). 

The European Union’s “Critical Entities Resilience Directive” covers critical infrastructures in a broad context, covering ten sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration and space (European Commission, 2020: 11). 

The EU-wide “Directive on Security of Network and Information Systems across the EU” (NIS Directive), which must be transposed by Member States by 9 May 2018, constitutes the first part of EU-wide legislation on cybersecurity. The EU has introduced legislative measures to increase the overall level of cybersecurity in the EU, with a focus on protecting critical infrastructure. The NIS Cooperation Group and the network of Computer Security Incident Response Teams (CSIRTs) were established within the Association to ensure both the exchange of information on cybersecurity and cooperation in specific cybersecurity incidents. On 16 December 2020, the European Commission presented a proposal for a directive on measures for a high level of common cybersecurity across the Union (NIS 2), which would repeal and replace the existing NIS Directive (NIS1). Expanding the scope of NIS2 to force more organizations and sectors to take effective action will help increase the level of cybersecurity in Europe in the long run (Negreiro, 2022).

In May 2022, the Council and the European Parliament agreed on measures for a common high level of cybersecurity around the world. Thus, the Union aimed to further develop the resilience and response capacities of both the public and private sectors and the EU as a whole. The new directive, called ‘NIS 2’, was prepared to replace the existing directive (NIS Directive) on security of network and information systems. Stronger risk and incident management and collaboration lay the foundation for cybersecurity risk management measures and reporting obligations in all sectors covered by NIS 2, such as energy, transport, health and digital infrastructure (Council of the European Union, 2022). 

Critical Infrastructure Protection Diplomacy as a Subfield of Cyber Diplomacy                                   

Today, critical infrastructures cannot be separated from cyberspace. The management, operation and control systems of critical infrastructures have technological infrastructure in the cyberspace. Therefore, critical infrastructure protection diplomacy is close to cyber diplomacy. However, cyber diplomacy represents a wider area than critical infrastructure protection in cyberspace. Therefore, critical infrastructure protection diplomacy can be considered as a sub-field of cyber diplomacy.

Critical infrastructure protection diplomacy is defined as the use of diplomatic tools and organizational methods to address issues related to the safe design, construction, operation and decommissioning of cross-border critical infrastructures. In this context, critical infrastructure protection diplomacy includes various actors such as the state, private sector, academia, civil society and international organizations. Vevera states that they envision the field of critical infrastructure protection diplomacy as a pragmatic, risk-focused form of diplomacy. In this area, it should be aimed to provide more security and durability (Vevera, 2022: 45). 

One pillar of critical infrastructure protection diplomacy should be on crisis management. In order to protect critical infrastructures from the dangers of physical terrorism or cyber terrorism, it is necessary to take serious security measures in the national and international arena. However, an effective crisis management plan should be prepared in order to overcome the crises caused by physical, cyber or both types of attacks with the least damage. In order to prevent the crisis and to minimize the damage caused by the crisis, it is necessary to keep the emergency response and rescue efforts ready, to keep the communication network open, and to make preparations for rapid recovery after the crisis. The crisis management plan required for critical infrastructures should cover both the national and international area. In this context, it is necessary to increase international cooperation and technology sharing between countries to ensure security.      

Vevera states that the challenges of the modern world can be analyzed from a critical infrastructure protection perspective, revealing how the functioning of interdependent and interconnected critical infrastructures affects the security of our societies. In this context, Vevera proposes critical infrastructure protection diplomacy following the development of cyber diplomacy as a separate field of study and practice in international relations. Critical infrastructure protection diplomacy, similar to cyber diplomacy, requires a significant diversity of stakeholders and a multidisciplinary approach (Vevera, 2022: 48). 

United Nations Warns Global Community and Governments to Protect Critical Infrastructures 

The United Nations Group of Governmental Experts (GGE) 2021 Report once again confirms that the serious information and communication technology threats identified in previous reports continue. The report also highlights that there are serious concerns about harmful information and communication technology activities against critical infrastructure, including critical information infrastructure, infrastructure that provides essential services to the public, the technical infrastructure necessary for the general availability or integrity of the Internet, and health sector entities (Gavrilović, 2021). 

Cybercrime is a threat to the national security of countries. Cybercriminals target and attack all sectors of critical infrastructure, including healthcare and public health, information technology, financial services and energy sectors. Ransomware attacks, in particular, are becoming more and more successful. Ransomware attacks cripple governments and businesses, and the profits from these attacks are increasing (Hogan-Burney, 2021: 8). Identifying and punishing perpetrators is imperative to deter malicious cyber activity against critical infrastructures. However, the multitude and multiplicity of cyber threats complicates attribution. State and non-state attackers sometimes work together temporarily or imitate each other. Protection of personal information and cyber security of critical infrastructures are closely related. As a result of the increasing digitization of their processes, critical infrastructure operators are increasingly managing or storing the personal data of their users (Garriaud-Maylam, 2022: 10-11). 

NATO Calls for Cooperation on Critical Infrastructure Protection Diplomacy 

The security environment is complex, dynamic and challenging, as evidenced by the hybrid warfare methods employed during the Ukraine conflict that began in 2014, and the global pandemic and its effects. Thus, challenges arise in critical infrastructure protection. In this sense, NATO strives to manage international cooperation to address critical infrastructure problems. The critical infrastructures of NATO Member States and their partners are facing an increased and unprecedented level of malicious cyber activity with destabilizing and devastating consequences. Public and private institutions that are indispensable for the functioning, well-being and cohesion of allied societies, such as energy providers, telecommunications operators, banks, hospitals, transport companies and democratic institutions are targeted (Garriaud-Maylam, 2022). In this context, critical infrastructure protection diplomacy is recognized as an emerging field that mixes diplomacy with technical expertise on systemic issues to influence systemic governance (Vevera, 2022).

Recently, there has been an international consensus for the applicability of international law in cyberspace and the establishment of non-binding standards for protecting critical infrastructures against cyber attacks. However, there are still many areas of disagreement between some states and therefore the implementation of the legal framework remains inadequate. The absence of unanimity, cooperation, and willingness therefore encourages a variety of state and non-state actors to take advantage of the increased availability and complexity of hacking tools and techniques. For this reason, NATO states that destructive malicious cyber operations against allied critical infrastructures continue. These operations are aimed at making a profit, obtaining political or trade secrets. However, some cyber attacks also aim to weaken and intimidate NATO member states and their partners, thereby challenging the democratic values on which their societies are built (Garriaud-Maylam, 2022: 2). 

Microsoft Digital Defense Report underlines that Russia is the most active country in cyberspace. Russia poses a persistent threat to critical infrastructures of NATO's Allied and partner countries. According to the report, from July 2020 to June 2021, 58% of malicious cyber activity attributed to a state globally originated from Russia. After Russia, the largest observed volume of attacks came from North Korea, Iran and China. Apart from these countries, South Korea, Turkey and Vietnam are also active in cyberspace but have much less volume (Burt, 2021). 

Conclusion 

Digitalization and increasing activities in the cyber field have revealed the problem of cyber security in critical infrastructure systems. The management and operation of critical infrastructures are provided by technological infrastructure today. This situation causes technological fragility in critical infrastructures. Whether state-sponsored or not, cyber-attacks cause these systems to be permanently damaged or temporarily cease to serve. For example, a major cyber attack on a country's energy systems will seriously affect other sectors in the country and the entire society. In this context, in addition to taking national and transnational measures, it is necessary to activate critical infrastructure protection diplomacy in order to ensure international cooperation and to make international laws that will bring deterrent sanctions. It is important to attend the calls of international or regional organizations such as the United Nations, NATO or the European Union, and their efforts to protect critical infrastructures. In this context, critical infrastructure protection diplomacy can be activated by establishing multi-stakeholder dialogues and utilizing various scientific fields.

 

 References

 

Burt, Tom (2021): Russian cyberattacks pose greater risk to governments and other insights from our annual report, Microsoft, 7 October 2021, https://blogs.microsoft.com/on-the-issues/2021/10/07/digital-defense-report-2021/, Accessed: 18. 10. 2022. 

Commission of the European Communities (2004): “Critical Infrastructure Protection in the fight against terrorism”, Communication from the Commission to the Council and the European Parliament, Brussels, 20.10.2004 COM (2004) 702 final, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52004DC0702&from=GA, Accessed: 22. 06. 2022. 

Council of the European Union (2022): “Strengthening EU-wide cybersecurity and resilience – provisional agreement by the Council and the European Parliament”, Press Release 435/22 13/05/2022, https://www.consilium.europa.eu/en/press/press-releases/2022/05/13/renforcer-la-cybersecurite-et-la-resilience-a-l-echelle-de-l-ue-accord-provisoire-du-conseil-et-du-parlement-europeen/pdf, Accessed: 24. 10. 2022.

European Commission (2020): Proposal for a Directive of the European Parliament and of the Council on the resilience of critical entities, Brussels, 16.12.2020 COM(2020) 829 final 2020/0365 (COD), https://eur-lex.europa.eu/resource.html?uri=cellar:74d1acf7-3f94-11eb-b27b-01aa75ed71a1.0001.02/DOC_1&format=PDF, Accessed: 23. 10. 2022. 

Garriaud-Maylam, Joëlle (2022): “Strengthening The Protection of Critical Infrastructure Against Cyber Threats”, NATO Parliamentary Assembly, Committe on Democracy and Security (CDS), Draft Report, https://www.nato-pa.int/download-file?filename=/sites/default/files/2022-09/010%20CDS%2022%20E%20rev.%201%20-%20CYBER%20THREATS%20-%20GARRIAUD-MAYLAM%20REPORT%20.pdf, Accessed: 17. 10. 2022. 

Gavrilović, Andrijana (2021): “What’s new with cybersecuritynegotiations? The UN GGE 2021 Report”, 06 June 2021, DiploFoundation, https://www.diplomacy.edu/blog/whats-new-with-cybersecurity-negotiations-the-un-gge-2021-report/, Accessed: 08. 10. 2022. 

Hogan-Burney, Amy (2021): “Introduction: The growing threat of cybercrime”, Microsoft Digital Defense Report October 2021, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi, Accessed: 18. 10. 2022. 

Negreiro, Mar (2022): The NIS2 Directive: A high common level of cybersecurity in the EU, Briefing: EU Legislation in Progress, European Union, European Parliamentary Research Service, June 2022, https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/689333/EPRS_BRI(2021)689333_EN.pdf, Accessed: 23. 10. 2022. 

Vevera, Adrian Victor (2022): “Critical Infrastructure Diplomacy – Tracing the Contours of a New Practice”, International Journal of Cyber Diplomacy, Vol. 3, 41-49, https://doi.org/10.54852/ijcd.v3y202205.