Protection goals formulated in CI(I)P and cybersecurity strategy papers (usually at the national/federal level) tend to be very general as well; rather than being specific mandates or measurable values, they are guiding principles, or mission statements. Nevertheless, on the second level, much more information can be found about the objects to be protected, the measures, and the threats. There are many similarities between CI(I)P strategy documents: one common element is the importance of the concepts of resilience and of public-private partnerships, in different combinations. For example, the overarching goal of the United States’ National Infrastructure Protection Plan (NIPP), one of the more elaborate strategies, is to ‘[b]uild a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR [Critical Infrastructures and Key Resources] and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.’[20] Similarly, in Canada, the document National Strategy and Action Plan for Critical Infrastructure: Strategy (2008) highlights the importance of enhancing resilience as a critical infrastructure protection goal that can be ‘achieved through the appropriate combination of security measures to address intentional and accidental incidents, human induced intentional threats, business continuity practices to deal with disruptions and ensure the continuation of essential services, and emergency planning to ensure adequate response procedures are in place to deal with unforeseen disruptions and natural disasters.’[21] Furthermore, this document reveals that partnerships, risk management, and information-sharing are viewed as key components of CI(I)P.
The recent Australian Critical Infrastructure Resilience Strategy (2010), finally, includes two main objectives of CIP: first, increasing the effectiveness of owners and operators of CI in managing foreseeable risks ‘through an intelligence and information led, risk informed approach’, and secondly, to ‘enhance their capacity to manage unforeseen or unexpected risk to the continuity of their operations, through an organizational resilience approach.’[22] There are many other national CI(I)P strategies that follow a similar approach, but in order to highlight the most important protection goals as formulated on the level of CI(I)P strategies, these three recent examples should be sufficient. They show that CI(I)P strategies usually pursue an all-hazards approach and include both human-induced attacks and accidental failures of CIs. In addition, the goal of resilience of CIs has recently gained a lot of attention and is today perceived as one of the most important protection goals in CI(I)P. Resilience can be described as the ability of a system to recover quickly after experiencing a sudden shock or physical stress.[23] Since critical infrastructures are highly interdependent and complex, they cannot be protected against all potential threats. Accordingly, the ability to recover quickly after an incident – a high resiliency – is perceived as essential for ensuring the continuation of critical services.

24 M. Dunn Cavelty and M. Suter
More tailored protection goals – very often tied specifically to the definition and implementation of protection measures – can be found in sector-specific CIP plans. The case of the United States provides a good example of a CIP framework that is based on sector-specific protection approaches. The 2006 National Infrastructure Protection Plan (NIPP) allocates the responsibility for sector-specific protection plans to the respective federal agencies. The sector-specific federal agencies[24] became responsible for coordinating CIP efforts with relevant public and private stakeholders and for developing sector-specific plans. All sector plans share a common framework; however, they also allow for flexibility and encourage customization. Thus far, nine plans have been made available in the following areas: agriculture and food, banking and finance, communication, defense industrial base, energy, information technology, national monuments and icons, transportation systems, and water. In all of the sectors discussed, the respective plans list specific implementation measures used to achieve the goals.[25] The following protection goals have been identified for the IT sector:[26] 1) prevention and protection through risk management by identifying and assessing core functions, prioritizing risks and mitigating vulnerabilities; 2) improving situational awareness during normal operations; and 3) enhancing the capabilities of public and private sector security partners to respond to and recover from realized threats and disruptions. Another country that has published a sector-specific plan for CIIP is Germany. The documents Nationaler Plan zum Schutz der Informationsinfrastrukturen (National Plan for Critical Information Infrastructure Protection) of 2005 and the subsequent 2007 report Umsetzungsplan KRITIS[27] (Implementation Plan KRITIS) outline the protection goals for CIIP.
Similar to the IT Sector-Specific Plan of the US, prevention, reaction and sustainability are defined as generic goals of CIIP. In addition, the implementation plan refers to the concepts of availability, integrity, and confidentiality, which are known from information assurance policies. The examples of sector-specific protection goals for CIIP in the US and in Germany reveal that even on this specific level, the definitions of goals and objectives remain very broad. It is not described in further detail what exactly needs to be done in order to achieve the goals. The difficulties of formulating clear and unambiguous protection goals show that there is still a need for conceptual groundwork in the field of CI(I)P.