Critical Infrastructure

Protection to Resilience

15 July 2015

Despite its ambitious mission, will the revived National Strategy for Critical Infrastructure be able to sidestep long-standing problems associated with private sector ownership of critical infrastructure and the limits of emergency management in a federal system that may undermine it’s effectiveness while also raising fresh questions regarding the strategic concept of resilience?

In 2009, Public Safety Canada released the long-awaited National Strategy for Critical Infrastructure. A product of extended consultation between federal, provincial and territorial governments and private sector stakeholders, the National Strategy and it’s associated Action Plans (2009 & 2014) are a renewed attempt on the part of the federal government to develop a comprehensive framework to address the challenges of critical infrastructure (CI) security. Traditionally a matter of civil defense against military threats, the Strategy seeks to establish an all-hazard framework to mitigate complex and unpredictable risks facing Canada’s physical and cyber CI today.

The National Strategy defined critical infrastructure as “processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.” While the term ‘critical infrastructure’ is relatively new, the protection of assets such as industrial facilities, transportation hubs, or power grids has been a longstanding problem for any modern nation state. In Canada, the protection of such assets has historically come under the purview of the Vital Points Program. First initiated in 1938 by the federal government, the Program sought to catalogue all key infrastructure assets essential to protecting Canada’s industrial capacity during times of war and, as the Cold War progressed, aid in the continuity of government in the event of a nuclear attack.

The Vital Points Program was initially administered by the (then) Department of Justice but was transferred in 1949 to the Department of National Defence, and then to the Emergency Measures Organization in 1960, which itself was reconfigured into Public Safety and Emergency Preparedness Canada (PSEPC) in 1981 and then renamed to Public Safety Canada in 2003.

The main features of the Vital Points Program remained fairly consistent throughout this history. The program was managed by an inter-departmental steering committee composed of various federal departments, each of which would recommend public or private facilities from within their respective portfolios for inclusion on a list of vital points known as the Vital Points Ledger.

The Ledger itself was divided into three categories according to a scoring system devised by the interdepartmental committee and administered by the RCMP. According to the 1991 Vital Points disruption of operations in a Category I facility would have a “disastrous effect upon the security and continued efficient functioning of the country.” Disruption of Category II and III facilities (which could overlap provincially-maintained Vital Points Ledgers), are described as able to “seriously affect” or “adversely affect” the security and efficient functioning of the country.

The RCMP was to maintain and ongoing regime of consultation and inspection for all listed vital points, and assume direct responsibility for the protection of Category I vital points during national emergencies under direction from Cabinet.

The Vital Points Program was a product of concerns unique to the geopolitics of the WWII and Cold War era – the sabotage of vital points by enemy operatives on Canadian soil ranked particularly high as a threat to be protected against. In this context, and as noted by Martin Rudner in a paper published in the International Journal (2009), the Vital Points Program constituted a regime of physical protection in which “guards, gates, and guns” assumed a prominent role.

A 1988 review of the Vital Points Program on behalf of Emergency Preparedness Canada (the lead department of the program at the time), concluded that this protective approach had clear shortcomings – even if the RCMP were able to discharge its duties mandated under the program. In light of the “staggering” number of vital points on the federal Vital Points Ledger that had been listed by 1988, the review concluded that the changing nature of foreseeable threats, including the emergence of “computer crime” and “mass destruction terror,” required a “radical change in thinking,” yet found “little evidence of such change permeating the Vital Points Program.”

The review recommended that Emergency Preparedness Canada forgo seeking to specify “precise arrangements for a specific crisis situation” in favor of fostering an “ongoing state of good security” across public and private sectors that blended protective measures with contingency management and crisis response that would be “generally applicable and adaptable to any crisis scenario.” In this framework, Emergency Preparedness Canada would function less as a guarantor of protection in favour of taking on the role of a coordinator of efforts and champion of best practices for the public and private actors directly responsible for managing their own ‘ongoing state of good security.’

In 1993 a PSEPC Report to Parliament stated that the Vital Points Program was under review in order to “bring it in line with the changing international situation,” however, no public record of the program exists after that time.

The Y2K problem renewed concerns for the security of vital systems – under the new moniker of critical infrastructure – leading to development of the current National Strategy, which is broadly congruent with the recommendations of the 1988 Vital Points review.

Most notably, the defensive stance underpinned by the Vital Points Program has given way to all-hazards resilience in the National Strategy in which fostering the capacity of private sector owners of CI to ‘bounce forward’ from disruptive events (regardless of their initial cause), is the strategic focus.

This shift from protection to resilience is a two-part recognition that disruptive events come in many forms, and that not all disruptive events can be prevented. The hierarchical nature of the vital points committees and the taxonomical Vital Points Ledger have been replaced in the National Strategy by industry-specific forums and a national cross-sector forum convened by Public Safety Canada that are composed of government regulators, private sector partners, and industry associations intended to be participatory in nature.

With responsibility for the resilience of privately owned critical assets in the hands of owner-operators, the RCMP now focuses on providing intelligence support and investigative capacity to private sector owners through the National Critical Infrastructure Team since 2002.

The National Strategy thus seeks to foster a distributed and open-ended condition of readiness within the private sector to not only prevent infrastructural failures from occurring but to nurture the resilience to adapt and recover from failure – this is a marked departure from the regime of physical fortification sought by the Vital Points Program.

Nonetheless, while understanding of the nature of contemporary threats to CI, and recognizing that strategic methods of response have clearly changed, the National Strategy has, so far, been unable to escape two long-standing structural issues that will continue to limit its effectiveness if they do not receive careful consideration.

Trust and Sharing
The first limitation of the National Strategy is that participation in the sector networks and national cross-sector networks by private industry is voluntary. This has wide-ranging implications on the critical issue of information sharing. With the large majority of infrastructural assets privately owned, sharing of information on threats, vulnerabilities, and preparedness measures between businesses and with government is critical. However, the need to share information is often at odds with competitive pressures between firms and a general distrust from business of sharing any form of information with government.

Though the development of non-disclosure agreements and other instruments of confidentiality can aid the flow of information between government and the private sector, the voluntary nature of the relationships involved mean that trust between private sector partners and government plays a crucial role in enabling information exchange.

The corollary of this is that information exchange will be severely inhibited should trust between partners degrade due to information breaches or ill-conceived actions on the part of government regulators that appear to foist costly obligations on the private sector, which in turn will undermine the willingness of private actors to participate.

An early glimpse at these difficulties is found in correspondence between the Commissioner of the RCMP and the Secretary of the Interdepartmental Committee on Vital Points in 1949. In updating the committee on aspects of a survey of vital points being conducted by the RCMP at the time, the Commissioner requested clarification on the federal supervision of privately owned facilities because “these are private concerns and the question of cost is involved.” The Secretary of the Interdepartmental Committee on Vital Points agreed, acknowledging, that “the matter requires careful consideration” as “it might be difficult to implement this program without unduly exciting private industry.

With the majority of CI assets owned privately – estimates range from 80-90% – trust between stakeholders will play as vital role today as it did in 1949. The ongoing work to enhance infrastructure resilience taking place within the National Strategy needs to maintain this trust if it is to be successful.

Municipal Non-engagement
The second limitation of the National Strategy is that municipalities are largely excluded from the framework. As ‘creatures of the provinces,’ cities have historically been disconnected from the federal and provincial structures responsible for emergency management. Disappointingly, this exclusion has been reproduced within the National Strategy – it does not allow municipalities to participate as equal partners in the sector-specific or national cross-sector networks.

Canadian municipalities are consequently shut out from the networks of information that are exchanged and fostered by the National Strategy, with potentially dire results. A prominent lighting rod for these concerns is the shipment of dangerous goods by rail through Canadian cities. Pointing to the risks posed for local populations and first responders should a derailment occur, municipal leaders have long protested the lack of information provided about shipments of dangerous goods through city boundaries.

During consultations in the development of the National Strategy, the Federation of Canadian Municipalities urged Public Safety Canada to enable municipalities to engage as partners of equal standing with other levels of government in the sector-specific and national cross-sector forum, yet municipalities were ultimately excluded in the final version of the Strategy. As major owners/operators of a significant proportion of critical infrastructure and providers of first responders during times of crises, Canadian municipalities need greater representation within the sector and cross-sector forums if greater infrastructure resiliency is to be achieved.

A final reservation about the National Strategy concerns the embrace of resilience as a strategic concept for CI security. The concept of resilience is notably absent from pre-2007 public safety and emergency preparedness reviews such as the three volumes of National Emergencies: Canada’s Front Lines released by the Senate Standing Committee on National Security & Defence, and Securing an Open Society released by the Privy Council Office, both in 2004.

It was not until 2007 that resilience was defined in the Emergency Management Framework as “the capacity of a system, community or society to adapt to disturbances resulting from hazards by persevering, recuperating or changing to reach and maintain an acceptable level of functioning,” yet by 2009 this hitherto peripheral concept was entrenched as the Strategic Outcome of Public Safety Canada in it’s 2008-2009 Report on Plans & Priorities.

Given its rapid embrace in the fields of public safety and emergency preparedness in general, and in critical infrastructure security in particular, it is necessary to reflect on the nature of the concept itself.

Resilience is often touted as a response to the problem of unpredictable and potentially catastrophic crises that complex systems can generate (so-called ‘black swan’ events or ‘wicked risks’). Tightly coupled and interdependent critical infrastructure systems and the problem of cascading infrastructural failures are material forms of these concerns. It is no surprise, then, that some of the first articulations of resilience in government discourse in Canada – notably the 2004 and 2005 Departmental Performance Reports of PSEPC – were in relation to the problem of CI security.

While it is sensible to advocate for greater preparedness to unexpected events on the part of critical infrastructure owner/operators as well as on the part of individuals, families, communities, and society as a whole, resilience as a concept contains an in-built fatalism that says we cannot prevent catastrophic events from occurring but can only adapt to their effects. In turn, this fatalism precludes appreciating how factors such as government deregulation or corporate risk taking may ‘set the stage’ for future worst-case scenarios, as well as the unequal socio-economic distribution of exposure to infrastructural failure.

Today’s enthusiasm for resilience in the field of critical infrastructure and business continuity tends to remove these factors from our understanding of the political economics of a catastrophe in favour of accepting them as inevitable outcomes of living in a world of complexity – which sidelines questions about the causes and consequences of catastrophe. Resilience as a principle of emergency management is useful, yet the valourization of resilience as a cure-all for complex risks needs to be guarded against.

Protecting the Future
The Vital Points Program was introduced to protect the industrial capacity of Canada to wage war and aid the survival of the nation in the worst-case scenario of a nuclear attack. Critical infrastructure security today addresses a much more amorphous set of anxieties about malicious attacks, major accidents, and natural disasters, all of which are exponentially complicated by the digital interconnectedness of today’s infrastructures.

The National Strategy is a response to these concerns, yet the long-standing problems identified above require ongoing attention and, with respect to municipal involvement, structural changes to the National Strategy if it is to be successful.

The embrace of resilience poses concerns of a different nature. Championed as a strategy for managing complex risks yet serving to naturalize the political and economic sources of complexity, we may eventually find that what we really want is protection from resilience.

Phil Boyle is an Assistant Professor in the Department of Sociology & Legal Studies at the University of Waterloo. The author acknowledges the financial support of the Social Sciences and Humanities Research Council Insight Development Grant no. 430-2014-00690 for the research contained in this article.
© FrontLine Security 2015