Why defining and securing systemically important critical infrastructure is so vital

Defining 'systemically important critical infrastructure' is vital to keep services running in the event of a cyberattack. Pictured: cooling towers of a power station seen beyond water. Image: Unsplash/Kirill Shavlo

Alexander Klimburg
Akshay Joshi
Head, Centre for Cybersecurity, World Economic Forum
Filipe Beato
Lead, Centre for Cybersecurity, World Economic Forum
This article is part of: World Economic Forum Annual Meeting
  • Critical infrastructure protection is vital to keep essential services running and often relies on public-private cooperation models.
  • But while failure of critical infrastructure is often considered a worst-case scenario, there is often a question over who pays for its security.
  • Identifying 'systemically important critical infrastructure' could help open up new cooperation models and unlock new funding mechanisms.

Government efforts to engage in critical infrastructure protection are hardly new. In the United States, the first efforts were codified all the way back in 1998 in the Presidential Decision Directive 63, which reads:

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private.

This mission seems clear: to set up comprehensive public-private cooperation models that help assure the provision of essential services to the government, the economy and the public.

In the US, the governmental programmes in this regard have led to a huge increase in cybersecurity spending just in the entities directly affected – over $105 billion in 2021 alone, according to one estimate.

Challenges of critical infrastructure protection

However, despite well over two decades of experience, getting critical infrastructure protection right still seems to be a challenge. The recent Colonial Pipeline attack paralysed the gas supply on the east coast of the US. Similar impacts were witnessed as a result of the Amsterdam-Rotterdam-Antwerp attack in February 2022, and the Florida water plant incident in February 2021.

While full-scale outages in the electricity sector have so far been relatively contained, for instance the 2015 power grid hack in Ukraine, several cyber powers have reportedly prepositioned malware in each other's power grids.

It is far from clear if critical infrastructure protection programmes would be sufficient in dealing with the effects of such a worst-case act – one that could even rise to the level of an actual cyberwar if committed by states.

The wide-scale and prolonged failure of critical infrastructure is sometimes considered the worst-case outcome of a political conflict – exactly what we would do as a society if the power fails for days, let alone weeks, is a matter of widespread speculation.

Cyberattack on critical infrastructure 'prime fear'

But the concern is not only one of overexcited journalists or filmmakers. For the Global Cybersecurity Outlook 2022 report, the World Economic Forum surveyed 120 senior cyber leaders to understand their concerns, both for their enterprises and for themselves personally. When asked what they worried about personally, infrastructure breakdown due to a cyberattack emerged as the number one concern, substantially ahead of identity theft.

Over the last 20 years, virtually all Organisation for Economic Co-operation and Development governments have experimented with various carrots and sticks to increase private sector collaboration.

More recent discussion in Europe and the US has concentrated on the “sticks” – in particular, new legal requirements by governments that operators of critical infrastructure must report serious breaches in their networks.

These regulations – like the EU Cybersecurity Act and the very recent US Cyber Incident Reporting for Critical Infrastructure Act of 2022 – were seen as relatively low-cost options and were supposed to incentivize private companies to invest more in security.

But they didn't answer the question that is really on many critical infrastructure operators' minds – more security and operational resilience would be great, but who was going to pay for it?

Who pays for critical infrastructure protection?

A significant challenge of critical infrastructure protection programmes is simply that the societal needs are not the same as many industry needs. For instance, the emergency services in many countries depend on the same mobile phone infrastructure as everyone else.

Cellular base stations are critical, but only a few have standby generators in case of a wide-scale power blackout, and only for a day or two at most. The government can (and sometimes does) force these companies to build more redundancy into these networks, but overall telecom companies work under tight profit margins, making investors wary of any additional burdens.

And while government might also just purchase, subsidize or otherwise reward the purchase of such equipment, there may remain a legal question: if such subsidies were to apply to all critical infrastructures – and in the US these are likely to be many thousands of companies – would it not represent a major anti-competitive act, especially where being “critical” was hardly an exceptional situation anymore?

Defining systemically important critical infrastructure

The solution to this conundrum is an entirely new type of critical infrastructure, which potentially may even result in an entirely new type of corporation: the "systemically important critical infrastructure".

The concept of systemically important critical infrastructure was floated in the US Cyberspace Solarium Commission’s 2020 report as “the entities, responsible for the most important critical systems and assets in the US, that would be granted special assistance from the federal government as well as assume increased responsibility for additional security and information security requirements that are vital to their unique status and importance”.

In other words, it encompasses only the “critical of the critical” enterprises – those like power and telecoms that are needed to make the others run.

In the US there is a clear move towards adopting the concept wholesale, and the legislation pushed forward might represent the start of a very new idea of critical infrastructure. However, the exact deliberations of what may constitute systemically important critical infrastructure and how it can be enacted are still very much at an early stage.

Rethinking regulation models to ensure resilience

In addition to collaboration between governments and critical infrastructure organizations, there is a need to establish improved cost-sharing models and co-regulatory models that ensure resilience of the basic underpinnings of daily life.

A new legal category of 'systemically important' infrastructure may provide government with the ability to unlock new funding mechanisms that were previously unavailable. This is clearly needed for some infrastructure where, as mentioned previously, the sums needed to ensure business continuity and disaster recovery at the level that society may need clearly exceed the budgets the operators can spend on this.

Beyond capital expenditure-related measures, this could even include operational expenditure-related costs, such as those of maintaining cybersecurity organizations large enough to deal with the threats at hand. The concept opens the door for creative thinking.

The new concept of systemically important critical infrastructure organizations may be the best way to cut the Gordian knot that has bedevilled public-private cooperation in critical infrastructure for decades: how to properly share the cost burden of modern societies’ reliance on certain life-essential industries. Getting this right will be a huge step in the Fourth Industrial Revolution.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
