Net support

Critical information infrastructures

©David Rooney

The Internet has permeated people’s lives and has become a cornerstone of our physical, economic and social infrastructures. What does this mean for policy?

On 14 August 2003, a blackout across the northeast United States and Ontario, Canada left 50 million people without power, disrupting transportation, water supply and industry. The blackout was blamed on a snowballing of human and computer errors at FirstEnergy, a US power company. But the synchronicity of these events was striking. Three days earlier, the Blaster worm slid into US networks, infecting a million computers before finally being quashed at the end of August. While FirstEnergy’s main systems probably repelled the worm, its peripheral systems may have been less immune, causing the alarms to stall.

The electrical grid is a “critical infrastructure,” a term used to describe services such as utilities, telecommunications, banking, hospitals, civil defence, etc. These are supported by information systems and networks which are increasingly connected directly or indirectly (through corporate networks) to the Internet. These critical information infrastructures enable our modern life, linking towns, cities and countries in a networked society. Their disruption or destruction would have a serious impact on the health, safety, security and economic wellbeing of citizens.

A decade ago the Internet was the concern of a narrow set of people and sectors. This has changed. The Internet, though less than two decades old, has evolved into a critical infrastructure in its own right, to become a substructure on which other critical systems now depend.

If the Internet has benefitted societies enormously, it is because of the advantages it brings. Online banking and education are obvious examples. Sensors are starting to enable environmental agencies to track the concentration of pollutants in air and water, and allow medical personnel to monitor patients continuously outside of hospital, as well as assess and prioritise the treatment of victims in situations where there are massive numbers of casualties. Just as the Internet permits millions of people to access services they might otherwise be deprived or ignorant of, such as social services and allowances, so essential services such as energy, health, global and transport systems have also tapped into the Internet to improve supply, co-ordination, monitoring and operations. The web is continually weaving its way deep into our infrastructures, and many vital services, from aviation to paying taxes, will continue to be grafted in.

It is for that very reason that the Internet’s own essential role in supporting our daily economic and social activities, as well as our critical infrastructures, raises serious policy questions.

Think what the consequences would be of a total Internet blackout in an OECD country. Researchers at the Swiss Federal Institute of Technology in Zurich calculated that a week-long Internet blackout in Switzerland would cause a 1.2% drop in annual GDP. Such estimates may seem far-fetched, but then again, today’s global financial services have evolved hand in hand with the Internet’s own growth, and so it should not be surprising to find they have become two sides of the same coin. Removing the Internet from international finance would be rather like transport running out of petrol.

Meanwhile, other key services are likely to become more reliant on the Internet, making the information system supporting them more critical. Electricity supply is already “wired” in, and as market liberalisation progresses and supply and demand become more cross-border, its reliance will increase across the grid.

To ask whether our economies should be so dependent on this relatively new and rather vulnerable technology is to miss the point. The benefits of using the Internet in critical infrastructures have clearly outweighed the costs in terms of risk, otherwise the systems would not have caught on so rapidly. Nevertheless, a prudent approach would be to limit the points of contact between different critical infrastructures and the Internet, to lighten the system’s interdependency. This is easier said than done, of course. Rather, the prediction made by Google’s Vinton Cerf is that “the Internet will become so pervasive that connection to it will no longer be a conscious act”. Being more, not less, conscious is surely what we need to build back into the system as we graft larger portions of critical infrastructures onto the Internet.

At the euphoric heights of telecommunications investment in the late 1990s, capacity was tacked ad hoc onto the network, without needs analysis or planning; and in place of measurement, unverified claims were made about Internet growth and capacity. In reality, no one knows how big the Net is nor what areas are growing, because no one has collected the data. Yet policymakers need to be assured that those responsible for the information systems that underpin critical infrastructures are on top of their trade and that their critical information systems are reliable, so that if something goes wrong, they will know how and where to intervene, and what the outcome will be.

After all, critical infrastructures by definition should be reliable. When people turn on the lights, they trust the system. They rely on the fact that thousands of volts running through the power lines will be stepped down by the transformer before they flow into their homes. Trust depends on the resilience of the infrastructure, and such trust is now needed for critical information infrastructures.

We live with a “safety and security paradox”: the more secure we become, the less tolerant we are of remaining risks, however small. Some level of risk must of course be accepted. If it were possible to reduce risks to near zero, the cost would be excessive.

A major difficulty is the porous nature of the Internet. Where do critical information infrastructures and “the wild” meet? Blaster is an example of self-propagating malicious code infecting critical information infrastructures. What about targeted attacks on shipping or aviation, for instance? Local vulnerabilities that can only be exploited by logging into the local host or desktop are fewer, but the number of remote attacks is escalating. Internet security researchers at IBM reported that 89.4% of vulnerabilities in 2007 could be exploited remotely, compared to 43.6% in 2000. Cross-border attacks are thus likely to increase, making it more difficult to track down perpetrators. Ensuring critical information systems are protected from such eventualities is essential.

Clearly there are policy issues to be answered, and in its recommendations on the protection of critical information infrastructures, OECD calls on governments to work together to clarify and implement policy, to harmonise legal frameworks and to share information among themselves and the private sector. It recommends taking interdependencies of different infrastructures into consideration and conducting a risk assessment based on the vulnerabilities and threats to critical information infrastructures. It also identifies the need for a national operational infrastructure security capability and fostering a strong culture of security for today’s age of rapid technological progress and social change. This all demands leadership and cooperation, without which public confidence in critical information infrastructures may be sorely tested.

The Internet will continue to bring great benefits. It is a remarkably empowering technology, but like all new technologies, we are still learning the ropes. When it comes to the evolving nexus of information systems and critical infrastructures, we must take that learning very seriously indeed.

 

References

  • Woodcock, Bill (2007), “Instrumenting the Internet to support the development of informed policy”, speaker’s position paper for the NSF/OECD workshop on Social and Economic Factors Shaping the Future of the Internet, held in Washington D.C., 31 January 2007.
  • OECD (2007), “The Development of Policies for the Protection of Critical Information Infrastructures”, DSTI/ICCP/REG(2007)20/FINAL.
  • “How the Internet killed the phone business”. The Economist, 17 September 2005.

©OECD Observer No 268 June 2008

The OECD Observer would like to thank Andrew Wyckoff and his team in the Information and Communications Policy Division of the OECD for their expertise and assistance as we compiled this special edition.



