Critical Information Infrastructure Protection: The Megacommunity Approach

The Internet, and Information and Communication Technology (ICT) in general, have become central elements of the twenty-first century infrastructure: critical services such as electricity, water, telecommunications, transportation, and financial services depend in turn on ICT-based services in order to deliver their value to society.

Alongside this, however, has come a worrying global increase in cyber attacks. Some have evolved to the level of cyber warfare, such as the August 2008 attacks against Georgian infrastructure and key government websites that coincided with fighting between Georgian and Russian troops, and the massive distributed denial of service (DDoS) attack against crucial government and private sector web-based services – essentially shutting them down – in Estonia in April and May 2007. Threats such as these have led the governments of many industrialised nations to consider cyber security an important component of national security.

The Prioritisation of Cyber Security

On 29 May 2009, US President Barack Obama stated in a speech at the White House that ‘it is now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. We are not as prepared as we should be, as a government or as a country’. He also announced the creation of a Cyber Security Office in the White House that will report to the president, National Security Council, and National Economic Council. In addition, he underlined that economic prosperity today depends on cyber security. Less than a month after President Obama’s speech, the US Department of Defense announced the creation of a Cyber Command to protect military networks against cyber threats.

Cyber security concerns are equally high across Europe. Many European Union member states have already announced national cyber security strategies, and the European Commission has recently announced its intention to issue a regulation to protect critical European information infrastructure. In this communication, released on 30 March by the Directorate-General for Information Society and Media, the Commission identified public-private partnerships, international co-operation, and information-sharing as key elements of the European cyber security strategy.

Prime Minister Gordon Brown announced the first UK Cyber Security Strategy on 25 June. Published alongside the 2009 update of the National Security Strategy, the Cyber Security Strategy will help the government re-shape the way the UK responds to the new challenges of cyber space and digital society. Announcing the strategy, the prime minister said:[1]

Just as in the nineteenth century we had to secure the seas for our national safety and prosperity, and in the twentieth century we had to secure the air, in the twenty-first century we also have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there.

Protecting cyberspace and IT services is much more complex than protecting physical domains, however. The fragmented nature of the ownership and regulatory control of the global ICT infrastructure is one of the most challenging difficulties we encounter. The Internet is, by definition, a network of networks, owned and managed almost entirely by private companies. There is no single entity in a position to have a complete overview or control of the Internet. In addition, even though one country might enact and enforce strict regulatory conditions against cyber criminals, there are other countries with less-developed programmes where these groups can organise and operate relatively openly with little fear of prosecution. By leveraging global network connectivity, they can then perpetrate the actual ‘crime’ anywhere they please from the safety of their host countries.

This fragmentation is leveraged by criminals, terrorists, hackers, activists, spies, and others: attacks and intrusions are perpetrated by hopping through different networks in different jurisdictions to avoid being tracked, compromising as many unprotected computers as possible along the way.

Nefarious actors are also leveraging the enormous potential of new collaboration, information-sharing, and co-ordination tools offered by Internet services such as blogs, social networks, forums and peer-to-peer networks. Ironically, they are able to utilise the same ‘killer apps’ that drive the development of the digital economy as weapons against it, since they do not have to comply with various regulations and laws that could limit the exchange of information at the international level.

A New Approach

For all these reasons, cyber security requires a new approach to mitigate the looming threat: governments, private organisations, experts, researchers, customers and citizens all share the same need for safer digital services and electronic communications. They need to come together in a ‘megacommunity’, where leaders from government, private and civil service communities confront together the problems that none can solve alone: they share resources, knowledge, skills, and experiences to identify common solutions.

A megacommunity is a public sphere in which organisations and people deliberately and formally join together around a compelling issue of mutual importance – in this case, cyber security.[2] Whether they are aware of it or not, all stakeholders in this global issue are already members of a cyber security megacommunity, even though there may be no formal recognition of the group or participation in it. Any action taken by one stakeholder affects the course of action of the others, even if they are mutually unaware of each other’s existence. Formally recognising the interdependence of all relevant stakeholders and co-ordinating their efforts within a topic-focused megacommunity is a key requirement for eventually finding a common solution.

A megacommunity contains organisations that sometimes compete and sometimes collaborate, but it is not strictly a business niche. Nor is it a public-private partnership, which is typically an alliance focused on a relatively narrow purpose. A megacommunity is a larger ongoing sphere of interest, where governments, corporations, NGOs and others intersect over time. The participants remain interdependent because their common interest compels them to work together, even though they might not see or describe their mutual problem or situation in the same way or perceive the same value in its resolution.

Cyber security is one of the best examples of where the megacommunity approach could help each participant to increase its protection. For example, there are various areas in the UK Cyber Security Strategy that require a megacommunity approach:

• Development of an Industrial Cyber Strategy: governments and industry from the UK and abroad need to co-ordinate research and development of new solutions, leveraging national and EU/US funds to develop national and global solutions
• Cyber Security Skills Strategy: government and private sector organisations should work closely with academia and research institutions to plug skill gaps and train a new class of managers and officials
• Providing better advice to business and citizens about the nature of the risks: information-exchange and co-operation between governments and private sector organisations is essential for having a deep understanding of the new threats
• Developing international law: all parties involved should support the development of international law to fight electronic crime and all related phenomena (for example, cyber espionage and cyber terrorism)
• Tackling the use of cyberspace by criminals and terrorists: law enforcement should establish new methodologies of international co-operation, information exchange, and mutual support in order to fight electronic crime.

Conclusions

The concept of megacommunities for cyber security is an important idea, but it requires the involvement of most (if not all) governments and organisations that are connected through cyberspace. Organisations in many countries are still not fully aware of the implications and consequences of new security threats, and as such do not realise that they are already a part of this megacommunity. Formally recognising this megacommunity will help raise awareness internationally, and help mutual stakeholders to begin benefitting from each other.

The most advanced organisations, both in public and private sector, must lead this change by introducing other governments, institutions, and bodies to the megacommunity approach.

Andrea Rigoni
Senior Advisor
Booz & Company

Matthew Holt
Senior Associate
Booz & Company 

NOTES

[1] Richard Norton Taylor, 'GCHQ steps up strategy to combat cyber-attacks, Brown announces', Guardian 25 June 2009.

[2] See Reginald Van Lee, Mark Gerencser, Fernando Napolitano and Christopher Kelly, Megacommunities: How Leaders of Government, Business and Non-Profits can Tackle Today’s Global Challenges Together (London: Palgrave Macmillan, 2008). The Megacommunities Manifesto can be found at http://www.strategy-business.com/.resiliencereport/resilience/rr00035.