Eugene NICKOLOV
Introduction
The information revolution and the spread of the Internet are stimulating globalization
and allowing corporations to conduct business around the world. Communication
technologies improve the productivity, efficiency and competitiveness of organiza-
tions around the globe. Today, organizations are outsourcing much of their business,
consolidating operations by tunneling data to one central processing location, and
using the Internet to cut down operation costs and overhead. With the increasing
number of transactions, enormous amounts of data with varying degrees of protection
are flowing over the Internet.
On the other hand, modern society has become much more dependent on the availability, reliability, safety and security of many technological infrastructures. Both because of the significant social and economic benefits they provide and because of the serious consequences of their malfunctioning, information systems have become a necessity for human well-being.
INFORMATION & SECURITY. An International Journal, Vol.17, 2005, 105-119.
106 Critical Information Infrastructure Protection: Analysis, Evaluation and Expectations
Infrastructures considered critical are those physical and information-based facilities, networks and assets which, if damaged, would have a serious impact on the well-being of citizens, the proper functioning of governments and industries, or other adverse effects. The following infrastructures need
to be functioning at least at a minimal level for the public and private sectors to be
able to survive:
• Electricity, fuel and water supply;
• Transportation and communication systems;
• Food supply and waste management;
• Finance and insurance;
• Information and telecommunication networks;
• Military and defense systems, civil protection;
• Emergency, health and rescue services;
• Public agencies and administration, justice system;
• Media, major research establishments, etc.
The energy supply and the communication systems can be regarded as crucial since
the rest of the infrastructures depend on them in order to function properly.
Although many of these systems were physically separated in the past, since the technology boom and the change of market dynamics in the 1970s critical infrastructures have progressively converged and become dependent on information structures such as the public telephone network, the Internet, and terrestrial and satellite wireless networks for a variety of information management, communications, and control functions. Technological progress has led to more automation in the operation and control of critical infrastructures and to the creation of a special information infrastructure. Recently, this infrastructure has emerged as one of the most important
critical infrastructures because it is the base for managing and integrating all other
critical infrastructures as well as new forms of communication, information exchange
and commerce. This symbiosis is a national security priority, since the information
infrastructure is crucial for economic progress, military and civilian government op-
erations. In particular, the government and military information infrastructures de-
pend on commercial telecommunications providers for everything from logistics and
transport to personnel and travel functions. The extent to which these systems are in-
tertwined increases the effects of any malfunctioning since they are spread across dif-
ferent infrastructures, affecting a wide range of users.
Furthermore, the greater role of information and the availability of electronic means
to collect, analyze and modify it, have transformed information and information sys-
tems both into an invaluable asset and a lucrative target.
Following this train of thought, one should place the destructive potential of cyber war between nuclear and conventional war, although currently tools for cyber attacks are developed in 120 countries, and nuclear arms in 20 countries.
computers deployed across the Internet serve as remote controls for attacks. In some
countries even the government is involved by approving official documents for the
preparation and execution of cyber attacks.
Most CII breaches are easy to perform, since the vulnerabilities or configuration errors, as well as detailed how-to guides, are available to everyone on the Internet. Moreover, the background knowledge required to perform an intrusion is steadily decreasing, thus increasing the overall success rate of intrusions. All one needs in order to initiate an attack on an information structure is a personal computer connected to the Internet and an e-mail program, while organizations trying to prevent intrusions are usually constrained by shortages of both staff and equipment. End-users are often left to train themselves; new employees may not possess the same level of knowledge as incumbents about system capabilities, potential vulnerabilities or risk reduction measures.
Due to the increasing pressure to reduce production time, a new surge in the number
of computer and network vulnerabilities is to be expected. Therefore, one should plan
for infrastructures that have built-in instability, critical points of failure, and extensive
interdependencies. Furthermore, more and more CIIs are becoming privately-held or
owned by foreign nations.
CII attacks include:
• Unauthorized access to sensitive or confidential information;
• Destruction, modification or substitution of software needed by critical infra-
structures;
• Limited access for the agents able to prevent or mitigate the results of the at-
tacks.
The possible consequences from critical infrastructure attacks include:
• Blocked transportation, electricity and water supply, communications, data
transmission, nuclear power plants, air-traffic control;
• Bankruptcy of commercial structures and financial systems, failure of interna-
tional business transactions, destabilization of markets and financial institu-
tions, money and information theft;
• Loss of intellectual property or reputation (in 2002 the on-line payment company PayPal was facing bankruptcy due to a worm attack);
• Human victims or material losses, provoked by the destructive use of critical in-
frastructure elements (cyber sabotage in the food industry, air or railway traf-
fic);
• Unauthorized access and/or modification of personal information;
Looking in more detail at the last item, it is clear that the private sector and law enforcement must gather and share information about threats, vulnerabilities, remedies and successful operating models of cyber security. To improve CIIP, industries have to share some information about incidents and damages with the government and the public, even when information sharing is damaging for the company itself. Only complete disclosure of information, both in the private sector and in government, could level the playing field between the attackers and the defenders of the CII.
On the other hand, sharing CII information has some negative side effects for both public and private interests. Information sharing could be regarded as price fixing, unreasonable restraint of trade, or systematic discrimination against certain customers. It could also raise privacy concerns, expose proprietary corporate secrets, and reveal weaknesses and vulnerabilities that erode public confidence and invite hackers. Retailers and credit card issuers often worry that disclosing any problems with the security of online transactions (e.g., hackers gaining access to credit card numbers or purchase history) may undermine public confidence in Internet commerce, to the detriment of their businesses. Disclosure of an attack on an ISP could also lead to a loss of customers and revenue.[4] Releasing a top ten vulnerabilities list to the public helps system administrators and computer users, but also provides hackers with the information they need to successfully attack at-risk networks.
Therefore, in order to achieve successful protection of the national CII, those sharing information need trust with respect to how the information will be used, how it will be protected from disclosure, and whether legal tools can be used by the government and private parties against those who share information.
There are also several other factors that complicate efforts to improve CII security. First, there is an inequality between the low cost of performing an attack and the high cost of protection mechanisms. Therefore, although there are well-known technical vulnerabilities inside many infrastructures, because of the prohibitive costs not enough has been done to address them.
Sometimes, losses from security breaches can be dealt with only if large numbers of
parties coordinate to make the necessary investments. The incentive that one consci-
entious network owner has to invest in security measures is reduced if the owner be-
lieves that other connected networks are insecure, which would undermine the impact
of the conscientious owner’s measures. Moreover, assigning liability for security
breaches is difficult – a user cannot easily identify the source of the problem (e.g.,
whether it was due to the user’s software, the ISP, the backbone to which the ISP is
connected, or software used by others).[6]
Another complicating factor is that computer network externalities are international in scope, and implementation of a strong security policy conflicts with efforts to promote an open communication environment. Furthermore, current network infrastructures connect countries with different levels of technological development; the “weak points” are vulnerable in two different ways: by themselves and as an initial point for attacks (being turned into zombies).
International Level
CII attacks are becoming a growing transnational phenomenon, making prosecution
extremely difficult. Therefore cyber security must be approached from an interna-
tional perspective, taking into account:
1. National and international initiatives;
2. Legal developments;
3. Best practices and resources;
4. Guidance on developing and implementing effective security programs;
5. Technological considerations.
Achieving cyber security requires a global effort; it cannot be achieved by a few na-
tions. It requires the input from all information and communication technologies us-
ers, including citizens, governments, businesses, and organizations. On the multina-
tional front, the Group of Eight (G8), the Asia-Pacific Economic Conference
(APEC), the European Union (EU), the Council of Europe (CoE), the Organization
for Economic Cooperation & Development (OECD), the Organization of American
States (OAS), and the United Nations (UN) are each working towards solving this
problem. As early as December 1998 the General Assembly of the United Nations
approved Resolution 53/70 on cyber crimes, cyber terrorism and cyber war. It appeals
to the member states to inform the UN Secretary General of their opinions on the
following issues:
• The problems related to information security;
• Basic notions related to information security;
• Development of international principles of the global information space and tele-
communications, which help combat cyber terrorism and cyber crimes.
The EU has adopted the Proposal for a Council Framework Decision on Attacks against Information Systems, which recommends a harmonized approach to attacks against information systems through uniform prohibitions against illegal access to information systems, as well as instigating, aiding or abetting such acts. The Council of Europe developed the Convention on Cybercrime (with the United States participating as an observer), which has since been signed by 42 countries.[7]
In October 2004 the General Assembly adopted a resolution about the creation of a
global culture of cyber security and the protection of CII which recommends:
• The creation of emergency warning networks and crisis communication networks
regarding cyber-vulnerabilities, threats and incidents;
• Public and private partnerships to share and analyze critical infrastructure
information;
• The adoption of adequate substantive and procedural laws to enable states to
investigate and prosecute attacks on CII and coordinate such investigations with
other states when necessary.
In addition, many bilateral and multilateral documents have been signed for legal
help, extradition, and law unification, guaranteeing transnational and international
prosecution of cyber criminals. For example, the U.S. has held bilateral meetings on
critical infrastructure protection (CIP) with Germany, Japan, Australia, Canada,
China, and India. The European Commission recently held a conference at which EU-Russia cooperation regarding cyber security was highlighted. The case of U.S. v. Gorshkov,[8] in which an FBI agent conducted a cross-border search of a Russian computer to obtain evidence to indict a Russian citizen on extortion charges, is an example of how international cooperation helps cross-border searches in the current environment and how it might become the norm in the absence of formal international coordination.
restore the network to operational capacity faster. Informal communication and coor-
dination do take place, but with the evolution of the Internet itself there is a need to
increase the scope and scale of such activities.
Notes:
1. John Moteff, Claudia Copeland, and John Fischer, “Critical Infrastructures: What Makes an Infrastructure Critical?” Report for Congress RL31556 (Congressional Research Service, Library of Congress, 21 Jan 2003).
2. Andreas Wenger, Jan Metzger, and Myriam Dunn, eds., International CIIP Handbook (Zurich: Center for Security Studies at the Swiss Federal Institute of Technology, 2004), <www.isn.ethz.ch/crn/_docs/CIIP_Handbook_2004_web.pdf>.
3. U.S. The National Strategy to Secure Cyberspace (US Government, February 2003), <http://www.whitehouse.gov/pcipb> (18 July 2005).
4. Paolo Donzelli, “A Goal-Driven and Agent-Based Requirements Engineering Framework,” Requirements Engineering 9, no. 1, Springer-Verlag London (February 2004): 16-39.
5. Patrick L. Anderson and Ilhan K. Geckil, “Northeast Blackout Likely to Reduce US Earnings by $6.4 Billions,” AEG Working Paper 2003-2 (Anderson Economic Group, 19 August 2003).
6. Paolo Donzelli and Roberto Setola, “Putting the Customer at the Center of the IT System – A Case Study” (paper presented at the Euro-Web 2001 Conference – The Web in the Public Administration, Pisa, Italy, 18-20 December 2001).
7. <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=&DF=&CL=ENG> (18 July 2005).
8. U.S. v. Gorshkov, 2001 WL 1024026 (Western District of Washington).
EUGENE NICKOLOV, Prof. DSc. PhD Eng. Mag., has been Director of the National
Laboratory of Computer Virology in the Bulgarian Academy of Sciences since 1991. He is
Professor of Informatics, Doctor of Mathematics, Doctor of Computer Sciences, Engineer of
Radioelectronics and Master of Sciences in Microelectronics. His main scientific interests are
in informatics: algorithms, effectiveness, protections of operating systems; abstract models of
computer systems, theory of programs; simulation and modelling of computer and
communication technologies; theory of information and cryptographics; data security,
computer security, communication security; analysis, synthesis, protection of stegano objects.
Address for correspondence: Acad. G. Bontchev Str., Building 8, Office 104, 1113 Sofia,
Bulgaria; Phone: +359-2-9733398; E-mail: eugene@nlcv.bas.bg.