The beyond the border action plan: a tool for enhanced Canada-U.S. cooperation on critical infrastructure and cyber security - or more window dressing?

• Author: de Laat, William
• Position: 35th Annual Henry T. King Conference: The US-Canadian Border Action Plan

While there is ample recognition in both countries of the deep integration of the Canadian and American economies, our mutual reliance on an intricate web of interconnected physical and cyber infrastructure is often overlooked. With few exceptions, governments and the private sector have a limited understanding of the complex interdependencies between these shared systems and networks, and the enormous economic fallout that can result from major infrastructure failures.

Canada and the United States have made only modest progress to date in addressing issues related to their shared critical infrastructures and cyber systems. Neither country has devoted sufficient resources nor shown a sustained commitment to making shared infrastructures more resilient and less vulnerable to failure or attack.

Both governments have been slow to put in place effective policies and procedures to anticipate, manage, and recover from major cross-border infrastructure disruptions. Joint initiatives in the Beyond the Border Action Plan ("BTBAP") (1) and the Canada-United States Action Plan for Critical Infrastructure ("CUSCI"), (2) have not been given priority by senior officials in either country and have failed to set out a coherent set of deliverables, deadlines, and accountabilities. This, in turn, has left private sector stakeholders to fend largely for themselves, with little direction from government.

Canada and the United States should address these issues as a top priority immediately after the 2012 United States presidential elections. By moving aggressively to identify gaps and vulnerabilities, and to agree on remedial measures to protect their joint systems and networks, they will not only be protecting their respective economic and security interests, but they could also become important models for international cooperation in this area. In the global rush to determine cyber security standards, Canada, in particular, should ramp up its game, or it might well face the bleak prospect of being left out in the cold while the United States and other global players move ahead without them. (3)

CONTEXT

At the outset, I wish to stress that the views and opinions expressed here are strictly my own. I recognize that a short article like this can provide only a quick and incomplete picture of Canada-United States relations in critical infrastructure protection and cyber security. My purpose in writing this article is to suggest where there might be opportunities for making more rapid progress and to identify some possible gaps and weaknesses in our current approach.

CRITICAL INFRASTRUCTURE AND CYBER SECURITY AS PRIORITY ISSUES FOR PUBLIC POLICY

Sometimes the terms critical infrastructure and cyber security are confused and misunderstood even by the public policy makers responsible for them. It is a truism to point out that networks, systems, and information flows have become the lifeblood of the global economy. But few seem to be aware that almost all business, economic, and even personal information now exists in digital form. The implications of this fact are staggering.

And so, the links between infrastructure protection, cyber security, and trade are unmistakable. As President Obama recently stated, "America's economic prosperity in the 21st century will depend on cyber security." (4) Another expert report put it this way:

The U.S. has developed more than most other nations as a modern society heavily dependent on electronics, telecommunications, energy, information networks, and a rich set of financial and transportation systems that leverage modern technology. This asymmetry is a source of substantial economic, industrial, and societal advantages, but it creates vulnerabilities and critical interdependencies that are potentially disastrous to the United States. (5)

Stand-alone critical infrastructure, unconnected to the Internet or other large computer networks, is almost non-existent today.

In a Canada-United States context, these networks and systems--be they computer networks, electric power grids, pipelines, transportation and logistics networks, or supply chains--together form the essential underpinnings of an immense and highly prosperous North American economy. Andrew Graham, a Canadian policy commentator, underlines this convergence of cyber systems and critical infrastructure: "the interdependence of critical CI systems is developing an overlay of what might be called the meta-CI system, cybernetics and computer control systems that control ... systems such as energy, transportation, finance, and others." (6)

It seems that not a day goes by without increasingly alarming reports of intrusions and disruptions of banking systems or government networks. This is remarkable, given that back issues of the Canada-United States Law Journal, for example, reveal almost no references to critical infrastructure or cyber security until a couple of years ago. (7) Major disruptions or failures of critical infrastructure have never really loomed large in the public psyche, and as a result, these issues were never at the forefront of public policy. Today, however, growing public and business concern about the potential economic impacts of infrastructure disruptions is becoming a compelling driver for speeding up joint work between our two countries in this area. (8)

Another indication of growing policy interest in cyber security is found in a survey of a large cross-section of global public policy leaders conducted by the Security and Defence Agenda of Brussels, Belgium. (9) Here are some of the survey's key findings:

* Forty-five percent of respondents said cyber security is now as important as border security. (10)

* Forty-three percent of respondents identified damage or disruption to critical infrastructure and its potential economic impact as the greatest single threat posed by cyber attacks. (11)

* Fifty-seven percent of respondents believed an arms race is taking place in cyberspace. (12)

* Thirty-six percent of respondents said cyber security is more important than missile defence. (13)

* The cyber-readiness of the United States, Canada, Australia, United Kingdom, China, and Germany, all lagged behind smaller nations like Israel, Sweden, and Finland, among the twenty-three countries rated by report. (14)

As a result, critical infrastructure protection, and to an even greater extent, cyber security, have become increasingly important public policy priorities. (15) This not only creates enormous opportunities for ramping up our work on these issues, but it also poses major challenges and raises expectations of those responsible for managing them.

If these were easy issues, they would have been solved a decade ago. But there really are no easy solutions or "low-hanging fruit" here. Critical infrastructure and cyber security issues are difficult to grapple with. They are complex and constantly changing. Added to this complexity is the fact that none of these networks or infrastructures falls exclusively within the public safety, law enforcement, intelligence, or trade domains. This lack of clear accountabilities and a poor understanding by many policy makers of the complex issues at play have made policy development slow and cumbersome. To make things even messier, these infrastructure set are more often controlled by the private sector or provincial and state players than by federal government so.

A BRIEF REVIEW OF CANADA-UNITED STATES COLLABORATION ON CYBER SECURITY AND CRITICAL INFRASTRUCTURE

The United States and Canada have had a long history of collaboration on critical infrastructure, emergency management, and defence issues. (16) It is instructive to reflect on how our joint work on critical infrastructure and cyber security has evolved, particularly since September 11, 2001. Before the 1990s, the term infrastructure was usually synonymous with public works (bridges, canals, etc.) or information systems. After September 11, however, the policy debate shifted from infrastructure adequacy to physical and cyber infrastructure protection, and then more recently, to infrastructure resilience.

For all its hoopla, and, as many have said, waste of time and energy, Y2K was an important first step by Canada and the United States in working together to secure vital computer and telecommunications networks. That work brought about close collaboration across all sectors of the economy, innovative new forms of public-private sector cooperation, and for the first time in a cross-border setting, a serious assessment of the potential interdependencies and cascading effects that failures in one sector could have on others. The work plans associated with Y2K were rigorous, with contingency plans developed for almost everything that might go wrong. (17) The entire effort had a strong economic focus and enjoyed sustained high-level political support. (18)

It also marked the tentative beginning of a new global awareness of these issues. An International Y2K Cooperation Centre (18) was established at the behest of national Y2K coordinators from over 120 countries when they met at the First Global Meeting of National Y2K Coordinators at the United Nations in December 1988. (19) The World Bank provided funding. (20) The Centre's mission was to "promote increased strategic cooperation and action among governments, peoples, and the private sector to minimize adverse Y2K effects on the global society and economy." (21)

Though the problem at hand at that time was more static and less complex than the ones we face in dealing with critical infrastructure and cyber security today, Y2K did drive our...