EDITOR ’ S QUESTION
In 2022 , we rely on critical infrastructure more than ever . As national and global services are adopted , we increasingly rely on those services to operate our daily lives .
So , protecting critical national infrastructure , and I would argue critical global infrastructure , is a concern if we want to continue living in a joined-up , digitally enabled world . So how at risk is this infrastructure ? Risk is typically defined as the negative impact x likelihood of impact . The fact it ’ s described as ‘ critical ’ gives us the clue as to the possible impact of an outage . The likelihood is more complex . Yes , we ’ ve seen infrastructure attacks , both by foreign nation states and by organized crime . But there seem to be relatively few cases when compared to the thousands of successful attacks on commercial organizations .
Is it because critical national infrastructure is much better protected than commercial organizations ? I ’ d argue there ’ s a wide range , from the most protected to the least , and certainly when defending decades of legacy technology , some operations are handicapped in attempting to win a ‘ best-protected ’ prize .
Ransomware is great for extorting cash , however , when it ’ s critical infrastructure , the host national government may get involved and that ’ s an unfair fight . When an attacker is after cash , picking on CNI makes their RoI less appealing .
So , the organizations most likely to attack CNI are those belonging to , or at the command of , foreign nation states . So why don ’ t we see more ? My personal view is that every nation with a military and intelligence service is obliged to create attack plans for any potential adversary . The work will be done to constantly probe and create blueprints for attacks . But , fortunately , in most cases , nations aren ’ t publicly at war despite rowdy headlines and sabre rattling . So those plans are kept at the ready , until the environment is such that it ’ s politically acceptable and strategically valuable to use them . Proportionality counts – if , in peacetime , I switch off your electricity grid , is that an act of war ? When does a cyberattack warrant a military response ? What can I get away with ? How much provocation is acceptable ?
The organizations most likely to attack CNI are those belonging to , or at the command of , foreign nation states .
I suspect CNI attacks are still at a relatively low level due to the less favorable RoI for criminal attackers , and a not-quite-hostile-enough political climate for state actors . But I expect that might change in a hurry , and at scale , if and when there is more heated conflict between state actors . p
NIK WHITFIELD , CHAIRMAN , PANASEER
www . intelligentcio . com INTELLIGENTCIO APAC 35