Tags: Business - Management, Douglas Bland, Macdonald-Laurier Institute, Politics - Canada, Technology, Technology - Security

Federal government needs a security strategy

April 3, 2012

EDITOR’S NOTE: In December, 2011, The Macdonald-Laurier Institute published study by Andrew Graham, from Queen’s University, called Canada’s Critical Infrastructure: When is Safe Enough Safe Enough?, which outlined the security risks to Canada’s critical infrastructure. The following essay, the second of five, was written by Douglas Bland, a Professor and Chair in Defence Management Studies in the Queen’s University School of Policy Studies.

KINGSTON, ON, Apr. 3, 2012, Troy Media/ – Canada does not have a national critical infrastructure (CI) strategy.

This central national security issue is dependent on a weak, incoherent federal ‘framework document’ developed by Public Safety Canada meant to guide a plethora of conflicting authorities if they decided to produce CI security policies in their jurisdictions, government departments, or private enterprises.

There is no reliable mechanism to hold anyone to account for any decisions regarding Canada’s CI security simply because no one is accountable for Canada’s national CI security.

The present federal CI non-policy, non-system cannot be tweaked; it must be entirely invented. This construction should be built on a foundation composed of three conceptual and structural elements:

(1) direct federal government leadership in matters of national CI strategy, security, policy, and management, (2) a CI assessment process refocused from ‘risk-based analysis to’ ‘vulnerability-based analysis’, and (3) a federal government constructed regime of principles, norms, and processes to direct the development and management of a national CI security strategy.

Active national leadership for CI security

Public Safety Canada manages a complicated network of ‘partnerships’, including the 14 federal government departments with CI responsibilities, and suggests to these partners that the government’s CI ‘guidelines’ would be useful if they were interested in developing CI security programs in their own jurisdictions or industries. Incredibly, the government of Canada does not even have a standard list of terms and definitions to guide CI policy development within its own departments and agencies.

The federal government’s general explanation for this abdication of responsibility is that, when CI is defined broadly, it encompasses so many facilities, situations, and programs inside and outside of government that it would be impossible for officials to design a comprehensive, federally directed program. The argument is supported by the assertion that the federal government does not have the authority to dictate CI security terms to provincial and territorial governments or to private business owners.

However, the federal government could intervene in CI on several matters that touch directly on standing federal government areas of responsibility that are creating policy impediments, as it does in a host of inter-governmental policy areas.

The federal government could lead by example if it were to direct its departments and agencies to develop credible CI security plans in accordance with CI protection standards developed by the federal government. It could also control the scope of the CI management problem by establishing, after careful CI assessments based on credible criteria, degrees of infrastructure of ‘criticality’ to national security. Such a scale would relieve the CI policy process of much of its burden and focus the government’s attention on truly critical infrastructures.

A national regime for CI security

Coherent public policy rests on regimes of principles, norms, rules, and decision-making procedures that join practical policy aims to policy outcomes. Canada’s present CI security policies have no clear aims, nor any coherent regime to direct strategic aims if they did exist. The first policy step towards the development of an effective national CI strategy is to assemble an inter-governmental agreement on the national regime for the construction, management, and direction of a national CI security strategy.

A public policy regime for national CI security must address at least the following fundamental questions:

‘¢ What facts and circumstances define a specific infrastructure as ‘critical’ – and to what degree – and thus in need of security?

‘¢ What criteria define CI as ‘secure’?

‘¢ To what degree do ‘national security considerations’ override provincial and territorial and private enterprises’ rights to build and manage infrastructure that serves the public?

‘¢ Who among the three levels of government decides who pays and who gets what in matters of national CI security?

‘¢ What regulatory instruments need to be developed to manage and support a national CI security strategy?

From ‘Risk-Based Analysis’ to ‘Vulnerability-Based Analysis’

Canada’s assessments of CI security as described in a convoluted and internally confused Public Safety Canada statement is centred on ‘risk-based analysis’ aimed at ‘. . . clarifying the dimensions of risk (to every CI in Canada) including its causes, likelihood of occurrence and possible severity of consequences.’

Yet risk is inherent in every element of CI, from development to installation to daily operation. Threats are as innumerable as imagination allows. Policies, therefore, based on attempting to guess what present and future risks might be and how they will unfold and with what consequences, are sure to be overcome by necessarily narrow analysis (can anyone really account for every risk facing even minor CI systems and circumstances?) and 9/11-type surprises.

It is possible to know with a high degree of certainty where the weaknesses and vulnerabilities lie in each CI system, and then to develop and implement plans to reduce system vulnerabilities or to regenerate systems in cases of failure. It is also possible to assess the ‘cost-efficiency’ of CIs and CI systems and then to determine their criticality to Canada’s well-being. It is possible to improve the security of critical structures and systems if governments and private enterprises begin the process from a sound, coherent conceptual framework.

The central CI policy question is not, ‘What risks lie in wait?’ but ‘To what degree and cost is Canada’s security and social, industrial, and economic welfare vulnerable to a disruption to a particular CI or critical system no matter the cause or source of that a disruption?’

The critical component of a CI is not its physical structure, but the products and services the structure delivers to the public that are critical to public safety and well-being. The primary aim of a CI security strategy, therefore, must be to ensure the continued delivery of essential products and services to governments and Canadians in the event that a particular CI system is disabled.

In the case of a particular CI, the answer derived from vulnerability-based analysis determines whether or not it is secure. Officials can then prepare appropriate, practical responses to safeguard the products the CI delivers to Canadians.

A CI security regime aimed at mitigating service vulnerabilities requires the development of an inventory of CI systems, an assessment of the social, industrial, and economic value delivered by each CI and each system, and an assessment of the social, industrial and economic costs of any event – accidental, natural, or hostile – that might degrade each CI or system.

Cooperation among all levels of government important

The federal government should develop, direct, and manage a comprehensive, government-wide policy to protect federal, provincial, local, and private infrastructures it deems critical to the security, safety, and social and economic welfare of Canada and Canadians.

In order to do this, we need an inter-governmental convention to establish a national CI regime to create the policy. All levels of government and private industry should cooperatively develop a vulnerability-based analysis program as the central pillar in assessments of Canada’s national CI security needs, and then CI vulnerability reduction programs. These programs might include establishing high-grade physical secure measures for some systems; creating system redundancies; creating alternate sources or means to provide for essential products; and stockpiling essential commodities, among other things.

Douglas Bland earned his Ph.D from Queen’s University and is a Professor and Chair in Defence Management Studies in the Queen’s University School of Policy Studies. This essay was originally written for the Macdonald-Laurier Institute.

This backgrounder is FREE to use on your websites or in your publications. However, Troy Media, with a link to its web site, MUST be credited.  

© Troy Media