As the European Commission’s Vice-President Margaritis Shinas put it in July 2020 when unveiling the European Commission’s new strategy for internal and external security over the next five years, “From protecting our critical infrastructure to fighting cybercrime and countering hybrid threats, we can leave no stone unturned when it comes to our security” (Sánchez Nicolás, 2016). Said new strategy places a particular emphasis on critical infrastructure protection, which plays a crucial role in the realm of the security of the European Union (EU). But what exactly do we mean by ‘critical infrastructure’? Why do we need to develop an effective critical infrastructure protection strategy? And how can defence planners help achieve what European policymakers have not managed so far?
As defined by the Council of the EU’s Directive 2008/114/EC, the term critical infrastructure refers to an “asset, system, or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic, or social well-being of people”. The term, therefore, refers to those vital parts of society whose disruption could lead to devastating consequences. The power grid, the transport network, and information and communication systems are among these, as they are essential to maintain vital societal functions. Thus, governments have a particular responsibility in protecting and ensuring their continued functioning. This can take the shape of avoiding technical failures, but also combating threats, including natural disasters, terrorist activities, and, more recently, cyber threats (Official Journal of the European Union, 2008).
The power grid attacks on Ukraine back in December 2015 are a good example of what happens when a government leaves a few stones unturned, resulting in its critical infrastructure lacking protection. The cyberattack, attributed to the Russian hacking group Sandworm, took down the information systems of three Ukrainian energy producers. This eventually resulted in about 60 substations going offline, leaving 225,000 Ukrainian citizens without electricity or heating for the next six hours. While the consequences could have been far worse, the fact that this attack was conducted remotely shows how threatening cyberattacks are and how careful governments and corporations must be in protecting their critical infrastructure. The fact that workers for the Supervisory Control and Data Acquisition (SCADA) network were not required a two-factor authentication to access the system that controlled the power stations’ breakers allowed hackers to hijack their credentials. This first crucial step made it easier for hackers to complete their mission and cut the power for hundreds of thousands of Ukrainians (Zetter, 2016).
The EU and its Member States (MS) are aware of the menaces that this type of infrastructure faces and have taken significant action to protect them. In 2004, the European Programme for Critical Infrastructure Protection (EPCIP) was launched – a package of measures aimed at improving the protection of critical infrastructure across all EU states and relevant sectors. It aims to respond to terrorism, criminal activities, natural disasters, and any other possible scenarios for failure. A major pillar within this programme is the EU Directive 2008/114/EC, which establishes a procedure for identifying and designating European Critical Infrastructures (ECI), mainly in the energy (excluding nuclear energy) and transport sectors. This identification labour constitutes a key first step in providing comprehensive protection of energy and transportation infrastructure. Additionally, the EU has set up networks to exchange critical infrastructure protection ideas, studies, and good practices, among which are the Critical Infrastructure Warning Information Network (CIWIN) and the European Reference Network for Critical Infrastructure Protection (ERN-CIP).
All this coordination results in a system that aims to provide a comprehensive approach to protecting this crucial infrastructure. However, you may be left confused right now thinking “Only the energy and transportation sectors? What about other crucial sectors like information and communication? Or health? Why does the directive not protect this type of infrastructure?”. This topic has been the subject of controversy for years now. The initial proposal for this Directive (Proposal COM (2006) 787) was meant to cover nine critical infrastructure sectors in addition to energy and transport: the nuclear industry, information and communication technologies (ICT), water, food, health, finances, chemical industries, space, and research facilities. But following controversial discussions in the Council, the list was narrowed down considerably to the two ‘priority sectors’ energy and transport (European Parliament, 2021).
So instead, critical infrastructures pertaining to any other sectors are covered by different Critical Infrastructure Protection (CIP) sector-specific initiatives, such as the NIS and NIS II Directives on Security of Network and Information Systems and Decision 541/2014/EU regarding space surveillance. To make matters more coherent and homogeneous, the European Commission released Proposal COM (2020) 829 final, which aims for a Directive on the resilience of critical entities. Said proposal “is closely aligned and establishes close synergies with the proposed NIS 2 Directive, which aims at enhancing all hazards ICT resilience on the part of ‘essential entities’ and ‘important entities’, meeting specific thresholds in a large number of sectors” (European Commission, 2020). While governments are indeed taking action to strengthen the resilience of the EU’s critical infrastructure, these efforts are not sufficient. A clear divide between physical infrastructure (energy and transport) and digital infrastructure (ICT) is not the best approach if the goal is to make CIP legislation comprehensive. Indeed, in an age of full-on digitalization with technologies like the cloud, 5G, and quantum computing, the EU’s CIP framework is not up to date. There is an ever-increasing interconnectivity of infrastructures across sectors, resulting in ever reducing gaps between, for example, the energy sector and the communication sectors. Therefore, the EU needs a new and more resilient CIP strategy.
In this sense, the military can help. As EU Institute for Security Studies’ Daniel Fiott put it in his Brief “Digitalising Defence”, there is a need for both “European policymakers and defence planners to develop an effective CIP strategy that deals with the false dichotomy between ‘virtual’ and ‘physical’ infrastructure” (Fiott, 2020). Similarly, according to a Clingendael Report of May 2021, a new framework that gives the military an enhanced role in strengthening EU resilience is needed (Zandee et al, 2021).
In case of disaster relief, the military is already involved in strengthening CIP resilience. This has been evident over the last two years, as most EU states have used their armed forces in tackling the Covid-19 crisis. Hence, military involvement in combatting hybrid threats and developing EU critical infrastructure protection would be a true asset. Indeed, defence planners already have experience in CIP, for example, when dealing with the protection of undersea fibre optic cables. Said cables are nowadays considered to be the world’s main channels for communication and interconnectedness. As such, the commercial and financial sectors, along with public administrations and armed forces, all heavily rely on them. Submarine fibre optic cables are therefore considered CI, as their disruption of submarines could have serious repercussions. As a report from EURACTIV explains, last October, NATO started noticing an increased Russian undersea activity. Defence Ministers discussed possible ways of protecting these undersea cables amid fears that they may be tapped into or damaged by the Russian navy. To combat this situation, NATO put new tools in place to protect undersea infrastructure and established a new NATO Atlantic Command in Norfolk to monitor threats against undersea infrastructure and find solutions on how to combat them (Brzozowski, 2020).
By bringing their experience in CIP to the table and coordinating action with EU policymakers, MS’ defence planners could have a truly positive impact on shaping an effective critical infrastructure protection strategy. As the European Commission prepares to unveil new projects, such as the EU 5G toolbox, and is still finding its direction regarding its Strategic Compass, the time is ripe for such a partnership to surface.
Written by Euan Scott
Bibliography
Brzozowski, Alexandra (2020), “NATO seeks ways of protecting undersea cables from Russian attacks”, EURACTIV [online]. Available at: https://www.euractiv.com/section/defence-and-security/news/nato-seeks-ways-of-protecting-undersea-cables-from-russian-attacks/ [Accessed 10 August 2021].
European Commission (2020), “Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the resilience of critical entities”, [online]. Available at: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12462-Protecting-critical-infrastructure-in-the-EU-new-rules_en#:~:text=PDF%20-%2056%20pages)-,Download%C2%A0,-Available%20languages%20(23 [Accessed 9 August 2021].
European Parliament (2021), “ECI Revision of Directive 2008/114/EC”, Available at: https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/662604/EPRS_BRI(2021)662604_EN.pdf [Accessed 3 August 2021].
Fiott, Daniel (2020), “Digitalising Defence”, EUISS [online]. Available at: https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief%204%20Defence.pdf [Accessed 1 August 2021].
Official Journal of the European Union (2008), “COUNCIL DIRECTIVE 2008/114/EC”, EUR-Lex: EU Law [online]. Available at: https://eurlex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32008L0114&from=EN [Accessed 1 August 2021].
Sánchez Nicolás, Elena (2020), “EU five-year security plan to focus on critical infrastructure”, EU Observer [online]. Available at: https://euobserver.com/justice/149030 [Accessed 8 August 2021].
Zandee, Dick, Adája Stoetman, Bob Deen (2021), “The EU’s Strategic Compass for security and defence”, Clingandael [online]. Available at: https://www.clingendael.org/sites/default/files/2021-05/Report_The_EUs_Compass_for_security_and_defence_May_2021.pdf [Accessed 8 August 2021].
Zetter, Kim (2016), “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired [online]. Available at: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/ [Accessed 3 August 2021].