Critical Information Infrastructure - Securing the Building Blocks of 21st Century Society
On July 22, 2021, a major cyber attack hit Transnet, the group operating South Africa’s largest ports. 60% of South Africa’s trade moves through Durban’s port, but one week after its systems went down, it was still operating at only 10% capacity.
The Transnet cyberattacks affected South Africa’s critical infrastructure – its ports. When critical infrastructure is incapacitated or destroyed, the damage can lead to debilitating effects on physical security, national economic security, national public health or safety, or any combination of those matters. In the Transnet case, the damage included supply chain disruptions and the loss of current and possibly future revenue (for example, if nearby ports can demonstrate themselves to be impervious to such assaults, South African ports stand to lose quite a lot of business).
The target of the Transnet attack was the software that allowed its container release and acceptance systems to function correctly. While it might not be immediately apparent, even small systems like this one are crucial to the economies of many countries, and attacks on these systems – known as critical information infrastructure – can be debilitating.
Critical information infrastructure (CII) refers to the computer systems and networks crucial to national security and economic and social stability. In this case, computer systems should be defined and considered in a broad sense to remain technologically neutral, including physical and virtual assets like smart phones, data centers, computer terminals, certain computer programs and applications, and just about everything in between that could be relevant to the integrity of these systems.
CII is thus part of the security bedrock of any nation and should be treated as a security issue first and foremost. Protecting CII is not the same as protecting countries and consumers from cyber crimes – this would be the remit of a strong cybersecurity agency. Rather, CII is threatened by cyber measures attempting to damage systems that manage national critical infrastructure – and in some cases, improperly managed CII can lead to an inability to respond to a cyber threat at all.
CII is typically owned by both private and public partners, some of whom might be foreign companies. Governments are generally responsible for regulating network frequencies and for offering contracts to those who can build network infrastructure, but the winners of those contracts are often also responsible for properly maintaining that infrastructure. Private companies such as banks, for example, provide important services that, if disrupted, would cause critical failures or damage to society; as such, they are responsible for ensuring that they manage their systems to avoid such issues.
CII is notoriously difficult to secure, as has been demonstrated by breaches and failures in many contexts. In many countries a nation’s critical infrastructure and key resources are owned and operated by the private sector. And there are frequent attacks – too often, successful ones – against these private actors. One study of companies in advanced economies found that 89% of energy and manufacturing firms experienced cyberattacks seeking to disrupt production and supply in 2021, and that 28% of breaches amongst the critical infrastructure organizations studied came from ransomware and destructive attacks.
The pace of attacks (and breaches) is not going to let up anytime soon. IBM’s 2022 “Cost of a Data Breach” report found that threat actors often target the weakest links in the global supply chains that both prop up and rely upon important organizations and industries. The list includes, among others, financial services, industrial, transportation, and health-care companies. To highlight the need to protect such assets, countries like Ghana have required the banking, mining, energy, and health sectors (among others) to register their IT systems as CII.
With the constant creation of ever-more complicated systems for conducting business or government activity, the ever-growing list of Internet of Things (IoT) devices (any physical object connected to the internet that exchanges data with other devices or systems), and the continually growing accessibility of the internet via handheld devices for people the world over, there are more ways than ever for a threat actor to penetrate CII. Developing a strategy to counter such threats, therefore, should be a major effort for all Commonwealth countries.
How does CII Impact Developing Countries Across the Commonwealth?
Critical information infrastructure has already demonstrated immense value to national growth and development. Telecoms frameworks have already proven critical to driving economic growth across the continent. An IFC report noted that “expanding 4G penetration across Africa by just 10% could boost GDP per capita by 2.5%,” while a World Bank study noted that 4G coverage can cut poverty by up to 4.3 percentage points. Many estimate that 5G alone could drive billions of dollars of growth in the next decade.
Beyond basic telephone service and access to the internet, the value provided by such infrastructure has created vast opportunities for nearly every industry. Manufacturing, retail, and agricultural yields can be improved by smart technologies, as can food production and distribution. Digital solutions provide new paths for individuals to tackle poverty and inequality and can provide significant job opportunities for underemployed young populations. They can also improve lagging education systems and promote the dissemination and adoption of climate change adaptation strategies. Creating jobs in these spaces will promote the creation of a robust cyber industry, allowing for potentially revolutionary entrepreneurial ventures as well as for governments to close the digital divide and increase domestic cyber security capabilities.
Populations across the developing Commonwealth are seizing the lead in some digital industries which require strong CII protection. E-governance, wherein governments manage critical personal information online, is a rapidly expanding field, but one that will need to demonstrate extreme competence in safeguarding personally identifiable information. Cryptocurrency is another – Hootsuite’s 2019 Global Digital Yearbook noted that 10.7% of South Africans possessed cryptocurrencies (the most of any country surveyed), while Nigeria and Ghana also stand out above the worldwide average of 5.5%. And on the African continent alone, the value of the rapidly growing e-commerce sector is expected to reach an estimated $75 billion USD by 2025.
The Need for Increased Security
For Commonwealth countries to further promote this kind of growth and development, CII has to be secured. As countries begin to roll out 5G networks, vulnerabilities in the existing 3G and 4G LTE networks upon which 5G and future networks will be built could pose a threat. As one think tank has noted, “Because of how the IT infrastructure evolved in Africa, several… cybercrime trends will become especially acute and pose a significant danger.” Besides the immediate economic harms, public failure of these government-regulated systems can create political issues and a lack of trust for individuals and firms alike.
Attacks on critical infrastructure are already becoming more common. In Africa alone, cybersecurity incidents increased from 564 in 2000 to 24 million in 2016. Banks have lost billions to theft and service disruption, and government agencies have been effectively targeted. Cyberattacks on maritime infrastructure are similarly on the rise, with experts worrying that an attack on ports and shipping industries could lead to major disruptions. Fears that RFID chips used to track endangered or high-value animals can be hacked and the animals’ locations exposed are growing.
Increasing protections for CII networks can help to make activities affecting individuals and critical infrastructure alike harder to carry out, likely providing a worthwhile return on investment for those nations who build good systems from the outset.
An Inconsistent Environment
Much of what worries experts surrounds the nature of the new digital world. IoT devices are proliferating, and the addition of cloud, edge and 5G systems is increasing the complexity of securing mixed systems. And given the prerogatives of companies to quickly bring their innovations to market, new products are not always the most secure – as one industry report found, “98% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network and allowing attackers the ability to listen to unencrypted network traffic, collect personal or confidential information, then exploit that data for profit on the dark web.” With ever-more points of entry and access to data by threat actors, the security risks to CII and the critical infrastructure they are associated with only seem to be increasing. Globally, particularly given the proliferation of Android operating systems in smartphones, handheld devices are increasingly being targeted by cyber criminals seeking to steal personal data or extort money from individuals. 89% of the smartphone market share in Africa runs on the Android platform, with cybersecurity firm Symantec claiming that one in every 7 mobile devices there has been infected with malware. These, too, can be used to access company or government systems and databases, with major possible consequences.
Another area of worry surrounds the safety of data that is transmitted through CII managed by foreign or private actors. Generally, individuals own the data they create, but service providers often have ultimate control over that data. For example – cloud services companies don’t necessarily let individuals choose which countries their data is stored in, which means that data stored in one country or another, regardless of the citizenship of the original creator of the data, could be subject to the laws of the country of storage and the particularities of the company actively storing that information. The providers of a data storage service are also responsible for securing that data – but leaks do happen. The type and amount of data collected could also vary depending on the provider and the industry in which the provider operates, making it difficult to make a blanket claim as to just what the risks of working with foreign providers of CII could be.
It goes without saying that data breaches can pose a national security threat for all countries. If companies involved with national security infrastructure are breached, there’s a risk of data or information or access to national security infrastructure being exposed. The data can be used for the purposes of committing further crimes – for example, if government employees or employees of CII firms use the same passwords at work as they do on a website whose data has been stolen, a threat actor might be able to utilize this to access government or CII management systems. The data can be used by foreign powers for espionage purposes, as well as by companies attempting to manipulate the public using their data, or it can be sold by criminal actors for massive profits and used to commit fraud that costs the state millions.
Data breaches can also come from a foreign government compelling an international CII provider hosting data in its domain to provide information that a government or private business would prefer to keep private – and beyond a diplomatic protestation, there would be rather little that the country from which the data was collected could do about it. At the moment, there is little evidence that international companies that build and manage CII have been coerced into providing information to governments. It would be bad for business and would keep such a firm from getting new contracts. But that has not stopped governments from using their relationships and their spy agencies to penetrate less secure foreign-built networks in order to acquire the necessary data. High profile cases highlight the worries countries have with devices – and their data capture – sending their citizens’ information overseas. Critically, these concerns are heightened when there is a perceived lack of transparency in governance and trust in the device manufacturer’s country, areas which the Commonwealth, both as an institution and in its component parts, is well placed to help fellow member states understand and adjudicate.
This makes the quality of the network and the parties responsible for a given part of the CII machine particularly important. All complex systems are bound to have bugs or weaknesses of some sort, but you can hedge against these risks by following the “you get what you pay for” mantra. Cheaper systems will likely be more prone to hacking, and with such complex networks at play in the case of 5G provision, for example, some companies will be more capable of managing data and network traffic security than others. As industry expert GSMA explained, “hacking 5G could become as simple as hacking the web.”
Provider quality should thus be a priority for Commonwealth nations for a few reasons. First, politically, a country responsible for regulating a network looks bad when that network goes down due to a lack of regulatory enforcement that might have prevented such an issue. Second, it is possible that a government itself could be prone to hacking and intrusion into its systems if it builds them on a poorly secured network – a situation which could easily prove disastrous. And third, a lack of adequate network security, even if outside companies find their own data storage solutions, can result in intrusions into the systems of those businesses countries might be trying to attract. This would obviously not be a strong marketing strategy for those countries looking to grow their economies and international investment.
The Way Forward
One solution can be adopting a zero-trust model for CII at all levels. The Zero Trust model is a framework requiring all users to be authenticated, authorized, and continuously validated in order to access and continue to be able to access an application and its data. IBM found that approximately 80% of organizations haven’t adopted zero trust strategies, even with nearly 30% of breaches (with an average cost of 5.4 million USD in the study) being ransomware or destructive attacks.
Moving away from technical solutions, developing countries, including many in the Commonwealth, as a whole have a gap of hundreds of thousands of cybersecurity professionals, a situation demonstrated by the dearth of businesses and governments exhibiting appropriate strategies to combat threats. The Africa Center has estimated that due to this gap, 96% of cybersecurity incidents are unreported or unresolved, leaving the true cost of cybercrime and cyberattacks largely unknown. Rather few countries have released national cybersecurity strategies or created teams responsible for responding to cyber incidents.
More nations should ratify the Budapest Convention on Cyber Crime and the Malabo Convention on Cybersecurity and Personal Data to allow adequate information and technical assistance sharing amongst countries and to set uniformly adequate systems. Policies, regulations, and formal processes associated with CII must be developed to assess which CII providers qualify to build high-quality infrastructure that can be adequately managed in the public-private hybrid manner that works best for each nation. Integrating cyber teams with the armed forces and important ministerial positions can allow for greater attention and pressure to be brought to bear in the effort to improve developing Commonwealth nations’ cyber capabilities. Crackdowns on transnational crime and smuggling will similarly provide nations with better resources and training opportunities. And instituting new regulatory frameworks across blocks of countries, such as spectrum band regulations, can allow business and development activities to thrive across whole regions.
Successful regulatory frameworks can be built and executed using the existing successful frameworks of a number of Commonwealth nations. Commonwealth nations like Singapore, Malaysia, the UK, Canada, and India all cracked the top 10 of ITU’s Global Cybersecurity Index 2020, with Ghana, Mauritius, Tanzania, Cyprus, Nigeria and Malta making the top 50. Bangladesh, Rwanda, and Tanzania were specifically mentioned as being “outliers among least developed countries … [that have] demonstrated strong cybersecurity commitments.” The geographic, cultural, and developmental diversity of these countries and the variety of well-built frameworks available to be used as templates offer a great opportunity for countries at various stages of developing their cybersecurity apparatuses to begin implementing these frameworks now.
Promoting the growth of cyber industry in every Commonwealth country will help create a competitive environment with tailored solutions to each specific context. The promotion of these industries will also increase the skill base of developers and coders who can then bring their talents to other entrepreneurial ventures and will increase the regulatory and policing capacity of governments who can train and benefit from the increased cyber capabilities of such a great number of individuals. To ensure security, new security frameworks need to be created and implemented, and more organizations will need to implement the ‘Zero Trust’ model in their ecosystems – particularly those who are responsible for CII.
Ultimately, lying at the heart of the response to the threat to CII is the need to boost resilience. Whether through helping develop cyber industry ecosystems in individual regions and countries, or through supporting regulatory development, the Commonwealth possesses the breadth of experience, capability, capacity, and cultural nuance to drive resilience. The costs of overlooking this are not simply a heightened threat of cyber-attack but, when it comes to CII, a threat to the very building blocks of the digital/infrastructure makeup and identity of an entire country.