
3.1.2 Level 2 (Protection Policies): CI(I)P Strategies


Protection goals formulated in CI(I)P and cybersecurity strategy papers (usually at the
national/federal level) tend to be very general as well; rather than being specific
mandates or measurable values, they are guiding principles, or mission statements.
Nevertheless, on the second level, much more information can be found about the
objects to be protected, the measures, and the threats.
There are many similarities between CI(I)P strategy documents: One common
element is the importance of the concepts of resilience and of public-private
partnerships, in different combinations. For example, the overarching goal of the
United States’ National Infrastructure Protection Plan (NIPP), one of the more
elaborate strategies, is to ‘[b]uild a safer, more secure, and more resilient America by
preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by
terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR [Critical
Infrastructures and Key Resources] and to strengthen national preparedness, timely
response, and rapid recovery of CIKR in the event of an attack, natural disaster, or
other emergency.’[20]
Similarly, in Canada, the document National Strategy and Action Plan for Critical
Infrastructure: Strategy (2008) highlights the importance of enhancing resilience as a
critical infrastructure protection goal that can be “achieved through the appropriate
combination of security measures to address intentional and accidental incidents,
human induced intentional threats, business continuity practices to deal with
disruptions and ensure the continuation of essential services, and emergency planning
to ensure adequate response procedures are in place to deal with unforeseen
disruptions and natural disasters.”[21] Furthermore, this document reveals that
partnerships, risk management, and information-sharing are viewed as key
components of CI(I)P.
The recent Australian Critical Infrastructure Resilience Strategy (2010), finally,
includes two main objectives of CIP. First, increasing the effectiveness of owners and
operators of CI in managing foreseeable risks “through an intelligence and
information led, risk informed approach”, and secondly, “enhance their capacity to
manage unforeseen or unexpected risk to the continuity of their operations, through an
organizational resilience approach.”[22]
There are many other national CI(I)P strategies that follow a similar approach, but
in order to highlight the most important protection goals as formulated on the level of
CI(I)P strategies, these three recent examples should be sufficient. They show that
CI(I)P strategies usually pursue an all-hazard approach and include both
human-induced attacks and accidental failures of CIs. In addition, the goal of resilience of CIs
has recently gained a lot of attention and is today perceived as one of the most
important protection goals in CI(I)P. Resilience can be described as the ability of a
system to recover quickly after experiencing a sudden shock or physical stress.[23]
Since critical infrastructures are highly interdependent and complex, they cannot be
protected against all potential threats. Accordingly, the ability to recover quickly after
an incident – a high resiliency – is perceived as essential for ensuring the continuation
of critical services.
24 M. Dunn Cavelty and M. Suter

3.1.3 Level 3 (Protection Goals): Sector-Specific Protection Goals


More tailored protection goals – very often tied specifically to the definition and implementation of protection measures
– can be found in sector-specific CIP plans. The case of the United States provides a good example of a CIP
framework which is based on sector-specific protection approaches. The 2006 National Infrastructure Protection
Plan (NIPP) allocates the responsibility for sector-specific protection plans to the respective federal agencies. The
sector-specific federal agencies[24] became responsible for coordinating CIP efforts with relevant public and private
stakeholders and developing sector-specific plans. All sector plans share a common framework; however, they also
allow for flexibility and encourage customization.
Thus far, nine plans have been made available in the following areas: agriculture and food, banking and finance,
communication, defense industrial base, energy, information technology, national monuments and icons,
transportation systems, and water. In all of the sectors discussed, the respective plans list specific implementation
measures used to achieve the goals.[25] The following protection goals have been identified for the IT sector:[26] 1)
prevention and protection through risk management by identifying and assessing core functions, prioritizing risks
and mitigating vulnerabilities; 2) improving situational awareness during normal operations; and 3) enhancing the
capabilities of public and private sector security partners to respond to and recover from realized threats and
disruptions.
Another country that has published a sector-specific plan for CIIP is Germany. The documents National Plan
zum Schutz der Informationsinfrastruktur (National Plan for Critical Information Infrastructure Protection) of 2005
and the subsequent 2007 report Umsetzungsplan KRITIS [27] (implementation plan KRITIS) outline the protection
goals for CIIP. Similar to the IT-Sector-Specific-Plan of the US, prevention, reaction and sustainability are defined
as generic goals of CIIP. In addition, the implementation strategy refers to the concepts of availability, integrity, and
confidentiality, which are known from information assurance policies.
The examples of sector-specific protection goals for CIIP in the US and in Germany reveal that even on this specific
level, the definitions of goals and objectives remain very broad. It is not described in further detail what exactly needs to
be done in order to achieve the goals. The difficulties of formulating clear and unambiguous protection goals show that
there is still a need for conceptual groundwork in the field of CI(I)P.
