For over a quarter century the United States and the European Union have been diligently planning and implementing policies and procedures to protect the critical infrastructure sectors that are vital to the prosperity and security the majority of their citizens enjoy. Given the evolving nature of threats against critical infrastructure, recent US and EU efforts have focused on enhancing collective critical infrastructure security and resilience (CISR) posture. The core objective of these CISR initiatives is to strengthen their ability to deter, prevent, reduce the consequences of, respond to, and recover from a broad array of vulnerabilities, hazards, and threats to critical infrastructure. Any such disruptions to or destruction of these critical infrastructure systems and assets can have damaging impacts on individual nations, the transatlantic economy and security environment, and the ability of the North Atlantic Treaty Organization (NATO) to fulfill its core tasks.
This podcast is based on Chapter 10 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1). The goal of this chapter ultimately is to help Allies and partners better understand these two frameworks and apply their key principles and tenets to enhance the CISR posture in their respective countries.
Episode Transcript: “Comparing Policy Frameworks: CISR in the United States and the European Union”
Stephanie Crider (Host)
You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government.
Conversations on Strategy welcomes Dr. Alessandro Lazari, coauthor of “Comparing Policy Frameworks: CISR in the United States and the European Union.”
Lazari’s been working as a specialist in critical infrastructure protection, resilience, and cybersecurity since 2004. He is currently a senior key account manager at 24 AG (F24 AG), focused on incident and crisis management in Europe.
Alessandro, welcome to Conversations on Strategy. I’m glad you’re here.
Alessandro Lazari
Thank you very much indeed for inviting me over. It’s a pleasure to be here.
Host
You recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. The chapter you worked on compares policy frameworks of critical infrastructure security and resiliency in the US and the EU. The US (critical infrastructure security and resilience or) CISR framework: What do we need to know?
Lazari
I mean, thanks for asking about this. This has been part of my PhD studies—to go on deep between the lines about everything that the US has built in the past decades—and I have to say that this is really considerable. If you think that the (Presidential Decision Directive 63 or) PDD-63, just to give an example . . . presidential directive signed by (Bill) Clinton in May ’98 still stands as one of the brightest examples of CISR policies for a while—if you look at it nowadays, after so many years, you see how very well defined the problem is, how very well defined the mechanism is to tackle it and to, you know, deal with it and to improve the overall posture of the US against the threat of, you know, any potential attack on national critical infrastructure.
I mean, there are many examples in . . . in the US policies of things that really worked. I can tell that they constitute a milestone to which many, many countries are looking because of the comprehensiveness. Because I can tell also that due to its particular system, (the) US has experienced a wide range of events that span across all the potential threats to critical infrastructure in the 50 states and as a federal system, so they’ve really wanted to organize something that is really very, very big.
Last but not least, the US has also considerable experience in maintaining the infrastructure. One of the greatest examples is the renovation that the US government did in the old railroad . . . you know, riverways in the ’40s and ’50s and ’60s is one . . . also a considerable milestone of the experience in the US. So, it’s very much worth looking at it because there is many countries that are now in the condition of tackling those challenges nowadays. So really, throughout the entire lifespan, you know, a lot of things that are really, you know, in use nowadays that really can provide example to the way the countries should deal with CISR nowadays.
Host
Let’s go into a little bit more detail. What currently guides the US CISR policy?
Lazari
One of the latest milestones in . . . in the US CISR policy is (Presidential Policy Directive 21 or) PPD-21, signed by Barack Obama in 2013. I mean, that can be considered one of the examples of the maturity of the policy in the US. You know, in announcing all the functional relationships among the very stakeholders involved in the life cycle of critical infrastructure security and resilience, there’s so many from both public and private side. From the public side, you have (the Department of Homeland Security or) DHS and all the departments that are involved, all the agencies, and from the other side, all the operators and the critical nodes within the country and so on and so forth. So, there is a considerable amount of stakeholders that need to talk to each other to be really aligned to do better. And here, we come to the second pillar that is information sharing.
Once you have identified all the functional relationship nodes, you absolutely need to cut short the distance between them. So they need to become closer and closer because they need to talk to each other, and in a country like (the) US, it’s very difficult because it’s a very big country with a big number of stakeholders involved. So for sure, this is also a challenge. And last but not least, after you have enabled, you know, the recognition of the functional relationship and the improvement of the information sharing, you then need to enable one very important pillar that is always mentioned in PPD-21: that is analysis of incident threats and emerging risk. Because you do not only deal with today, you also deal with the future. So you need to understand with . . . how, you know, uh, risks are evolving, so the emerging one . . . and you need to analyze all the incidents and threats constantly because the threats evolve as much as the society because, you know, we have new enemies, new ways to attack the systems, and history evolves; we all know that. So once you put together really this critical mass of activities and knowledge, you can say you are really structuring well all your policy on . . . on CISR.
Host
Tell me about the EU framework: European Programme for Critical Infrastructure Protection.
Lazari
The EU, it’s based on the membership of the member states that are part of the EU. There were 28, and, after the Brexit, now it’s 27. You know, every time, the negotiation of each step of the policy is something that really seeks the involvement of them all on a proposal from the European Commission, which is normally proposing new pieces of policy and regulation in this field. But this entails every time that member states are involved because they have a stake; they take a joint decision. But the European Programme for Critical Infrastructure Protection is really the very first milestone. As much as it is for PDD-63 in the case of the US, it is really the very first piece of joint policy on critical infrastructure protection on the European side.
And this really comes immediately after the September 11 attacks to, you know, London and Madrid in 2004, 2005. It really starts from an all-hazard approach with a clear intent of fighting against terrorism. So, financing of terrorism, all aspects of dealing with terrorism and the impact of terrorism, terrorism of critical infrastructure. Then, immediately, the EU recognized within the program that the all-hazard approach really needs to be developed because it’s not only terrorism that can threaten the continuity, you know, and the existence itself of critical infrastructure, but there is many other threats that can really disrupt or create issues. So, the European program has really put together the member states for the first time ever in discussing the critical infrastructure protection.
This is still, nowadays, mainly the international level. The first thing you need: competency. It still relies on the member states that are part of the EU, but the program has, really, the 27 in the condition to discuss together all the challenges, all the state of play of each one of them. So to set new goals that are not overambitious for some of them, because you have to imagine when, in 2008, the European program was launched, there were five or six member states that really had a national framework for critical infrastructure protection, and many others that didn’t have one, or, you know, they really needed to amend it heavily because it was obsolete or not taken care of on all aspects.
It can be said that the European program has really created that first spark that has enabled the EU to be in the state of play it is nowadays because, for the first time, it has really asked the member states to discuss national security outside of their own border, but in a joint, coordinated manner.
Host
So, there were some significant changes to the program in 2016 and 2020. I would love to hear about them.
Lazari
After a very long journey between 2008 and 2016, the EU in, um, 2016 has decided to move a little bit to focus not only on the critical, physical aspect of critical infrastructure but also on the cyber dimension. Of course, the member states were already dealing with that, but the real pro of the EU is that there is a harmonization effort going on.
In 2016, we had the promulgation of the so-called Network and Information Security Directive. This really adds an important layer now on top of the CISR policy, which is very focused on cybersecurity or what we call “operator of essential services.” This new term, which is different from critical infrastructure, has been introduced to identify all of those services that are delivered through the means of network and information systems. So, really, to narrow down the focus on the cyber dimension, of course, completely integrated together with the physical aspect, because these are absolutely complementary. We cannot deal with one or just the other. You need to deal with all of them.
And it is very important to notice that even though this first NIS—Network and Information Security—Directive was promulgated back in 2020, on the 16th of December, 2020, the European Commission proposed already an amendment of this directive to launch the second directive, the so-called (Network and Information Security 2 or) NIS 2.
You can see that, here, the policy life cycle has been shortened because, normally, there is a very long policy cycle between one policy and another. You have an average of eight to nine years, even 10 sometimes. Here, you see that between 2016 and 2020, you have the promulgation of the first directive, already, in 2020, the proposal. And it’s very likely that in early 2023, this will alter its course, partially substituting the first one, but adding a lot more efforts and a lot more sectors. They go from 19 to 35, so there is a huge recognition and an improvement in the terms of sector.
There is also the intent to differentiate between coverage of an essential service and important service. So to create also sort of criticality assessment between the two lists of designated operators. So, I think this is very important. There is also the announcement of the cooperation among the countries, the announcement of the functioning of the EU Computer Security Incident Response Teams—so, better sharing of information regarding the incident and some support.
Last but not least, also, I can tell that, uh, 16th of December 2020 can be remembered as one of the really landmark of the EU CISR because on the very same day, apart from the proposal on the NIS 2 directive, same European Commission, sending a very strong message, published the proposal also for the . . . for the so-called Critical Entities Resilience Directive.
Also, here, you see a new terminology, critical entity and resilience, that goes . . . it’s very far from critical infrastructure protection. So not only we move, like, the focus is really on resilience, so in being able to withstand, to bounce back after something has gone wrong, but, also, the commission introduced the term “entity.” This is also a clear message that the type of infrastructure that we can designate is not only old style, like we only operate private operator, but entity has been used also to identify offices, departments of the public administration and the government that are really pivotal for the functioning member states and the new institution and so on, so forth.
So you see that we move from operator to entities and from protection to resilience. So I think this really be remembered what . . . of the days in which really the EU has recalled the importance of the complementarity of the physical and cyber protection and resilience and the importance, also, of the states and the public administration and the governments in securing national security, EU security, and the international security because, of course, this go beyond that.
Host
Going forward, what does critical infrastructure security and resilience look like for the US and the EU?
Lazari
Even though we have this really great example of the European program for critical infrastructure protection, the PDD-63, all the executive orders, you know, every one of them in the US are very comprehensive in, you know, tackling the problem in the way it should be tackled and with all the effects that they have on the European Union, on the allied countries in NATO and so on, so forth.
I think that there are some things that . . . on which we . . . we really need to improve. One of these is hybrid threats because we often talk about physical and cybersecurity, but we do not consider the hybrid threats that are all these actions below the threshold of warfare that are still damaging to the entity or to the state or to the operator that is targeted. There is no clarity on who’s behind these actions. It . . . these actions are also coordinated. So, there could be a state or nonstate actor that has decided to put under pressure certain systems, certain layers of our modern society, and it can be done with a combination of conventional and unconventional types of plot. And this is, for sure, one of the hot topics.
The European Union has already recognized the importance of hybrid threats in 2016, and, in 2020, there are two specific documents that are being released on the point. They’re working out in creating a framework for governments and public administration to try and recognize some key indicators that there are hybrid threats, that you are subject to hybrid threats, because you have to . . . to imagine this extremely complex type of environment. It’s a number of events that are not correlated because they’re happening here and there. Therefore, you don’t have control on all of them, and, therefore, you cannot really see through the fog what’s going on. You just see the vertical events, but you don’t see the horizontal plot. Social tension, fake news propaganda—they are all part of this big element.
Another thing that I think is part of the hybrid threat but is not properly dealt with everywhere is that nonfinancial side. We know that all these operators of critical infrastructure, whatever you want to call them, or critical entities or operators of essential services—they are companies. They may be on . . . on a regulated market, on the stock exchange, on support. Therefore, someone may acquire them, part of them, part of the ownership.
To me, the way we scrutinize a certain operation on national critical infrastructure is not yet clear because certain strategic infrastructure should remain of national property. I don’t mean it should be public. I mean that it should have national shareholders with minimum shareholders from abroad because they are strategic infrastructure on which, first of all, speculation shouldn’t take place, but, also, you have to imagine that once you see someone in the, you know, in the board of directors, everything is discussed there, immediately goes as to where as soon as the meeting is over. This shouldn’t really happen. And this is not only happening at the scrutiny, it’s already taking place for big infrastructure. For example, Italy has procedures for that. It’s very advanced, but the . . . the way the . . . the law is tuned on very big operations leaves every small operation outside.
Here, we fall into another problem: third parties. It’s not only about critical infrastructure. Critical infrastructure relies on a constellation of third parties. Sometimes, they are also very small companies. They are very important in the supply chain. We don’t know who owns them. There is a little bit of scrutiny the company does on those other companies, third parties, but it’s not enough. So, the vetting procedure, the scrutiny procedure, they should really improve because we need to be sure that we are relying on the right people—that when something is going wrong, will help us out of the mud instead of leaving us in there. To identify friend or foe, as the . . . the military would say. So, this is, to me, among the hybrid threats, the financial aspect—also, the financial or third party. So, trustworthiness of the third party. Third-party risk assessment, to me, is fundamental.
Host
Do you have any final thoughts before we go?
Lazari
One last thing that is taking place anyway because of our footprint on planet Earth is climate change. To me, we need to work on the sustainability of critical infrastructure, and we need to do climate change risk assessments. This is something that already the Critical Entities Resilience Directive will ask to critical entities that will be designated under this directive in the future to do.
So, to assess what is the impact of climate change on critical infrastructure, you have to imagine that the weather, among other things, is considerably changing. Fifteen years ago, no one could hear about, you know, medicane—that is, the . . . this Mediterranean hurricane, for example, in the Mediterranean. I come from the south of Italy, I’ve never heard about. We never heard “hurricane,” but, all of a sudden, in the last five years, we have initial glimpse of what it could look like, hurricanes. Of course, the proper hurricane, the one that you are experiencing in the US, you know, are much, much different, and their force of devastation is much higher. But, still, I can tell that these medicanes are already threatening our critical infrastructure because they have not been designed to withstand this type of event.
Even though some of those that are designed for withstanding certain types of very severe weather events, they can be still disrupted, but ours are not designed at all. So, you can imagine the impact of if these hurricanes keep coming, and they keep increasing in . . . in their strength, the way they . . . we see them behave in other countries that are severely hit by hurricanes, this could really pose a threat to our critical infrastructure.
So, for sure, the climate change has to be assessed. We will find ourselves with operators that have been used, like, operating extreme cold and in heat wave and the other way around. Operators used to work in extreme hot having cold wave, and, therefore, the reliabilities of these infrastructures may change, may be really threatened because they are not designed to operate in different condition or in very severe warm or cold. So yeah, that’s another thing that I would definitely take into account that will challenge critical infrastructure in the future.
Host
Thank you for your time. Thanks for your contribution. This was a real treat to talk with you.
Lazari
Thank you very much indeed, once again, for inviting, and, uh, all the best.
Host
Learn more about the CISR frameworks of the United States and the European Union at press.armywarcollege.edu/monographs/955.
If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform.
Author information: Alessandro Lazari has been working as a specialist in critical infrastructure protection, resilience, and cyber security since 2004. He is currently a senior key account manager at 24 AG, focused on incident and crisis management in Europe. From 2010–19, he provided policy support to two key initiatives at the European Commission: the European Programme for Critical Infrastructure Protection and Strengthening Europe’s Cyber Resilience. Lazari is a fellow in legal informatics at the University of Lecce’s School of Law (Italy) and a lecturer at COE-DAT’s Protecting Critical Infrastructure Against Terrorist Attacks course. He is the author of European Critical Infrastructure Protection, published in 2014 by Springer Inc. He holds a master’s degree in law and a PhD in computer engineering, multimedia, and telecommunications.