On 14 August 2003, a blackout across the northeast United States and Ontario, Canada left 50 million people without power, disrupting transportation, water supply and industry. The blackout was blamed on a snowballing of human and computer errors at FirstEnergy, a US power company. But the synchronicity of these events was striking. Three days earlier, the Blaster worm slid into US networks, infecting a million computers before finally being quashed at the end of August. While FirstEnergy’s main systems probably repelled the worm, its peripheral systems may have been less immune, causing the alarms to stall.
The electrical grid is a “critical infrastructure,” a term used to describe services such as utilities, telecommunications, banking, hospitals, civil defence, etc. These are supported by information systems and networks which are increasingly connected directly or indirectly (through corporate networks) to the Internet. These critical information infrastructures enable our modern life, linking towns, cities and countries in a networked society. Their disruption or destruction would have a serious impact on the health, safety, security and economic wellbeing of citizens.
A decade ago the Internet was the concern of a narrow set of people and sectors. This has changed. The Internet, though less than two decades old, has evolved into a critical infrastructure in its own right, to become a substructure on which other critical systems now depend.
If the Internet has benefitted societies enormously, it is because of the advantages it brings. Online banking and education are obvious examples. Sensors are starting to enable environmental agencies to track the concentration of pollutants in air and water, and allow medical personnel to monitor patients continuously outside of hospital, as well as to assess and prioritise the treatment of victims in situations where there are massive numbers of casualties. Just as the Internet permits millions of people to access services they might otherwise be deprived of or unaware of, such as social services and allowances, so essential services such as energy, health, global and transport systems have also tapped into the Internet to improve supply, co-ordination, monitoring and operations. The web is continually weaving its way deep into our infrastructures, and many vital services, from aviation to paying taxes, will continue to be grafted in.
It is for that very reason that the Internet’s own essential role in supporting our daily economic and social activities, as well as our critical infrastructures, raises serious policy questions.
Think what the consequences would be of a total Internet blackout in an OECD country. Researchers at the Swiss Federal Institute of Technology in Zurich calculated that a week-long Internet blackout in Switzerland would cause a 1.2% drop in annual GDP. Such estimates may seem far-fetched, but then again, today’s global financial services have evolved hand in hand with the Internet’s own growth, and so it should not be surprising to find they have become two sides of the same coin. Removing the Internet from international finance would be rather like transport running out of petrol.
Meanwhile, other key services are likely to become more reliant on the Internet, making the information systems supporting them more critical. Electricity supply is already “wired” in, and as market liberalisation progresses and supply and demand become more cross-border, its reliance on the Internet will increase across the grid.
To ask whether our economies should be so dependent on this relatively new and rather vulnerable technology is to miss the point. The benefits of using the Internet in critical infrastructures have clearly outweighed the costs in terms of risk, otherwise the systems would not have caught on so rapidly. Nevertheless, a prudent approach would be to limit the points of contact between different critical infrastructures and the Internet, so as to lighten the system’s interdependency. This is easier said than done, of course. Rather, the prediction made by Google’s Vinton Cerf is that “the Internet will become so pervasive that connection to it will no longer be a conscious act”. Being more, not less, conscious is surely what we need to build back into the system as we graft larger portions of critical infrastructures onto the Internet.
At the euphoric heights of telecommunications investment in the late 1990s, capacity was tacked ad hoc onto the network, without needs analysis or planning; and in place of measurement, unverified claims were made about Internet growth and capacity. In reality, no one knows how big the Net is nor what areas are growing, because no one has collected the data. Yet policymakers need to be assured that those responsible for the information systems that underpin critical infrastructures are on top of their trade and that their critical information systems are reliable, so that if something goes wrong, they will know how and where to intervene, and what the outcome will be.
After all, critical infrastructures by definition should be reliable. When people turn on the lights, they trust the system. They rely on the fact that the thousands of volts running through the power lines will be stepped down by a transformer before they flow into their homes. Trust depends on the resilience of the infrastructure, and such trust is now needed for critical information infrastructures.
We live with a “safety and security paradox”: the more secure we become, the less tolerant we are of remaining risks, however small. Some level of risk must of course be accepted. If it were possible to reduce risks to near zero, the cost would be excessive.
A major difficulty is the porous nature of the Internet. Where do critical information infrastructures and “the wild” meet? Blaster is an example of self-propagating malicious code infecting critical information infrastructures. What about targeted attacks on shipping or aviation, for instance? Vulnerabilities that can only be exploited locally, by logging into the host or desktop itself, are becoming fewer, but the number that can be exploited remotely is escalating. Internet security researchers at IBM reported that 89.4% of vulnerabilities in 2007 could be exploited remotely, compared to 43.6% in 2000. Cross-border attacks are thus likely to increase, making it more difficult to track down perpetrators. Ensuring critical information systems are protected from such eventualities is essential.
Clearly there are policy issues to be answered, and in its recommendations on the protection of critical information infrastructures, the OECD calls on governments to work together to clarify and implement policy, to harmonise legal frameworks and to share information among themselves and with the private sector. It recommends taking the interdependencies of different infrastructures into consideration and conducting a risk assessment based on the vulnerabilities and threats to critical information infrastructures. It also identifies the need for a national operational infrastructure security capability and for fostering a strong culture of security for today’s age of rapid technological progress and social change. This all demands leadership and cooperation, without which public confidence in critical information infrastructures may be sorely tested.

The Internet will continue to bring great benefits. It is a remarkably empowering technology, but like all new technologies, we are still learning the ropes. When it comes to the evolving nexus of information systems and critical infrastructures, we must take that learning very seriously indeed.
- Woodcock, Bill (2007), “Instrumenting the Internet to support the development of informed policy”, speaker’s position paper for the NSF/OECD workshop on Social and Economic Factors Shaping the Future of the Internet, Washington D.C., 31 January 2007.
- IBM Internet Security Systems (2007), “X-Force 2007 Trend Statistics”, www.iss.net/xforce_report_images/2008/index.html
- mi2g (2005), report on the effect of an Internet blackout, www.mi2g.com/cgi/mi2g/press/220705.php
- OECD (2007), “The Development of Policies for the Protection of Critical Information Infrastructures”, DSTI/ICCP/REG(2007)20/FINAL.
- ComputerWeekly.com, “Downturn busting to herald end of traditional telephony”, www.computerweekly.com
- The Economist (2005), “How the Internet killed the phone business”, 17 September 2005.
- For more information, contact Anne.Carblanc@oecd.org
©OECD Observer No 268 June 2008
The OECD Observer would like to thank Andrew Wyckoff and his team in the Information and Communications Policy Division of the OECD for their expertise and assistance as we compiled this special edition.