Critical Infrastructure up on Blocks
A new strategy is on the way
The current Canadian strategy for critical infrastructure (CI) protection dates back to 2009. Pause to let that sink in.
Here is the old version:
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx
Starting in 2021, the old strategy was put up on the blocks, wheels removed, bonnet opened, to see what was broken, leaking, needed fixing. You can be sure that a great deal of extra energy was jolted into the process by the experience of the border blockades during the “Freedom Convoy” in January and February 2022.
The usual “stakeholder” consultations were held and drew 120 survey responses, a majority from the private sector. A “What we Heard” report was subsequently released by Public Safety Canada in the Fall of 2022. It didn't garner much attention (so this is a small effort in response).
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/rnwng-cnd-pprch-crtcl-nfrstrctr-rslnc-2022/index-en.aspx
While we await the development of a new CI strategy (likely forthcoming in 2023), the “What we Heard” report contains important indications of where change is needed. If you are with me still on the ‘old car/junker/beater’ metaphor, this will be the (dreaded) mechanic’s bill.
Two initial conclusions were drawn. One was that the original, high-level definition of CI remains functional:
“processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government.”
A second was that the 2009 effort to identify 10 broad critical infrastructure sectors still had some merit. The sectors remained distinguishable and important:
energy and utilities information and communications technology
finance health
food water
transportation safety
government manufacturing
So far, so good.
But inputs to the consultation noted that more attention needed to be paid to the inter-dependencies of many of the sectors, and—a related thought—that more effort needed to be put into maintaining discussions across the sectors, to avoid a siloed approach.
There was also a feeling that the 10 sectors needed to welcome some newcomers, especially space. Yup, space. Why? Space platforms, it was recognized, are not just a burgeoning industry, but fulfill functions not fully captured under the umbrella of “information and communications technology,” including navigational systems (GPS) and military, environmental, and climate change monitoring, especially in the Arctic.
Other suggestions for expanding the list of CI sectors clearly drew from the experience of the border blockades in early 2022—including ideas in favour of adding a distinct “defence and security” sector and a “democratic institutions” sector, to break these both out from the existing “government” CI sector designation.
Greater concern was expressed about the state of the original engine of the 2009 CI strategy. That engine was meant to drive three broad objectives:
Building partnerships
Understanding risks
Sharing information
Many of the stakeholder respondents felt the system was sputtering, starved of horsepower (OK, I won’t go on much longer about the damned ‘old junker’ metaphor).
The biggest ideas on new forms of partnership emphasized the importance of bringing municipalities and indigenous representatives to the table. It was understood that they were crucially impacted by CI problems, were important first responders, and needed support in order to ensure their resilience. There was also agreement that the original CI sector partnership efforts linking government and the private sector owners and operators were far too siloed.
The original strategy’s efforts to understand risks were deemed insufficient. Two main reasons were advanced. One was that the strategy lacked any real effort to identify and prioritize the most vital CI sectors, based on a notion of CI risk. A second concerned inadequate development of CI threat assessments, including risk foresight (future looking) analysis. Those involved in the consultations highlighted the need for more assessment of cyber threats, more attention to “emerging risks,” including pandemics, climate change impacts and protests, and greater concerns about cascading threats across CI sectors.
Gaps in information sharing and public education about CI threats were also highlighted. The consultation process side-stepped the issue of the very slow-moving development of a “national risk profile” that Public Safety has been working on, but respondents developed their own ideas about a “public repository of information,” which might serve the same purpose as a means for sharing information about threats, and best practices in meeting CI risks. There was a very evident plea here for much stronger ways to ensure connectivity between the public and private sectors: “CI stakeholders wish to be involved in decision-making through dedicated timely and actionable information sharing mechanisms.” Governments may set policies and regulations for critical infrastructure protection, but most CI infrastructure in Canada is in private sector hands.
Making sure that governments and the private sector could truly cooperate on ensuring CI protection was at the heart of a suggestion that there needed to be some kind of national CI centre (a “one stop shop for CI support and coordination”).
The “What we Heard” report offered one more surprise fix before banging shut the bonnet on the 2009 model. Although the majority of respondents were from the private sector, an “overwhelming majority” wanted to see the most vital CI formally designated and subject to regulation. New requirements to be laid at the feet of CI owners and operators could be extensive, to include CI protection and service standards, reporting on incidents, establishing cyber security practices, taking part in exercises, having response and recovery plans, business continuity strategies, and providing ownership information. Of course, private sector respondents also identified the need to provide financial support to the industry in any transition to a regulatory framework. A “few” even noted the “occasional need for penalties in response to regulatory non-compliance.” If that sounds a little casual, it does not take away from the surprising desire on the part of the industry to be regulated by government.
When a government embarks on even the most carefully controlled process of stakeholder engagement, it can get more than it bargained for. Without the experience of supply chain disruptions with the COVID-19 pandemic and the border blockade tactics used by the so-called “Freedom Convoy” protests, the outcome of these deliberations might have been to put a patched-up ‘beater’ back on the road.
If the government takes seriously what it heard, that won’t do. This should make the 2023 iteration of a Critical Infrastructure strategy a truly important initiative, with new thinking on critical infrastructure sectors (bring on space!), new engaged partners (municipalities and indigenous groups), new ways of sharing information and best practices (a national CI centre of excellence), better public education and even a regulatory regime. Why not, for something on which our lives depend?
“Hood”
“bonnet”?