<h1>Federal budget 2023: Long-term investments are needed to fix Canada’s infrastructure gap</h1>
<p>Critical infrastructure – The Conversation, 2023-03-29</p>
<figure><img src="https://images.theconversation.com/files/518282/original/file-20230329-26-aztqml.JPG?ixlib=rb-1.1.0&rect=77%2C128%2C8508%2C5599&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The budget is focused on building communities through infrastructure, housing, transit and connectivity.</span> <span class="attribution"><span class="source">THE CANADIAN PRESS/Adrian Wyld</span></span></figcaption></figure><p>The federal government’s <a href="https://www.budget.canada.ca/2023/report-rapport/toc-tdm-en.html">2023 budget</a> unveiled investments in infrastructure, with a narrative highlighting resilient and sustainable communities, and pointing to Ottawa’s progress and investments to date. </p>
<p>The budget is focused on building communities through infrastructure, housing, transit and connectivity. Much of this emphasizes investments made since 2015, including <a href="https://www.infrastructure.gc.ca/pub/dp-pm/2022-23/2022-supp-tp-pt-eng.html">$33.5 billion to the Investing in Canada Infrastructure Program</a>, and $35 billion to the <a href="https://cib-bic.ca/en/about-us/our-purpose/">Canada Infrastructure Bank</a>.</p>
<h2>Funding critical infrastructure</h2>
<p>The budget’s investments include funding advanced research in infrastructure innovation, and continuing to invest in Canada’s Infrastructure Bank and Infrastructure Program. </p>
<p>The bank will play a leading role in electrification as part of the government’s push for clean power. This will likely position the bank as the government’s primary financing tool for major electrification projects. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A woman in a green suit speaking in Parliament" src="https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/518277/original/file-20230329-2823-j8ruvo.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Deputy Prime Minister and Minister of Finance Chrystia Freeland delivers the federal budget in the House of Commons on Parliament Hill in Ottawa on March 28, 2023.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Sean Kilpatrick</span></span>
</figcaption>
</figure>
<p>Budget 2023 also commits to engaging with provinces and territories to revise procurement policies to ensure they benefit Canadian workers and build resilient supply chains. There are also investments in <a href="https://www.budget.canada.ca/2023/report-rapport/chap3-en.html#a13">port, air and other critical transportation infrastructure</a>.</p>
<p>We know that <a href="http://canadainfrastructure.ca/en/index.html">Canada’s infrastructure is at risk</a>. Federal infrastructure investments can help to take financial pressure off municipalities that are faced with massive funding shortfalls in addressing their infrastructure concerns. With the population expected to grow, infrastructure will continue to be stressed and will <a href="https://nationalpost.com/news/canada/canada-immigration-plans">struggle to keep up</a> without proper funding. </p>
<p>Budget 2023 provides no new major funds for what is considered essential community infrastructure: roads, water, wastewater and other infrastructure assets. Unlike electrification and connectivity, many aspects of Canada’s infrastructure gap remain relegated to low-priority status. </p>
<p>More investment is needed to address critical infrastructure gaps, but these are investments that Canadians may not be ready to make. Previous budgets have focused on short-term infrastructure investments as an economic stimulus, which doesn’t support the <a href="https://macleans.ca/opinion/canada-needs-more-infrastructure-spending-but-not-as-short-term-stimulus/">long-term view infrastructure requires</a>.</p>
<h2>Canada’s infrastructure gap</h2>
<p>A 2013 report on <a href="https://policyalternatives.ca/publications/reports/canadas-infrastructure-gap">Canada’s infrastructure gap</a> highlighted the chronic issues in infrastructure investments, including the notion that <a href="https://theconversation.com/progress-stops-when-we-create-and-dismantle-infrastructure-programs-every-federal-election-166301">infrastructure remains a political hot potato</a>. </p>
<p>Between the late 1950s and mid-2000s, <a href="https://policyalternatives.ca/sites/default/files/uploads/publications/National%20Office/2013/01/Canada%27s%20Infrastructure%20Gap_0.pdf">public investment in infrastructure decreased</a> from around three per cent of GDP to 1.5 per cent, though it began to rise again in 2010. </p>
<p>During this same period, there was a significant shift in who carries the burden of investing in infrastructure: from the federal government, with its large revenue base, to municipalities, which have the smallest revenue base.</p>
<p>Canada’s infrastructure deficit is estimated at a minimum of <a href="https://www.theglobeandmail.com/report-on-business/time-and-money-lost-to-canadas-infrastructure-gap-a-tremendous-loss/article37302054/">$150 billion</a>.</p>
<p><a href="https://www.cbc.ca/news/canada/toronto/fao-report-stormwater-wastewater-infrastructure-extreme-rainfall-1.6684988">Local governments bear much of the additional infrastructure costs</a> related to extreme events, climate change mitigation and adaptation. </p>
<p>In 2013, floods <a href="https://www.theweathernetwork.com/en/news/weather/forecasts/the-top-five-costliest-canadian-natural-disasters-of-the-2010s">caused around $3 billion in damage in southern Alberta and Toronto</a>. The cost of rebuilding in British Columbia after 2021 flooding has reached <a href="https://www.theglobeandmail.com/canada/british-columbia/article-cost-of-rebuilding-bc-after-november-storms-nears-9-billion/">nearly $9 billion</a>. The annual cost of natural disasters in Canada could be <a href="https://globalnews.ca/news/9091585/canada-climate-disasters-damage-report/">up to $139 billion by 2050</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A sign that reads: bridge is out on a snowy road." src="https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=415&fit=crop&dpr=1 600w, https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=415&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=415&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=521&fit=crop&dpr=1 754w, https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=521&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/518288/original/file-20230329-22-satzwn.JPG?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=521&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A ‘Bridge is out’ sign is seen following flood damage in Merritt, B.C. in December 2021. Extreme weather events like floods and wildfires are placing greater pressure on public infrastructure.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Jonathan Hayward</span></span>
</figcaption>
</figure>
<p>Internationally, governments are struggling with the same issues. From U.S. President Joe Biden’s <a href="https://www.reuters.com/world/us/biden-administration-touts-1-trillion-infrastructure-bill-2022-08-19/">$1 trillion infrastructure bill</a> to <a href="https://www.bloomberg.com/news/features/2022-08-25/how-china-will-spend-1-trillion-on-infrastructure-to-boost-economy">China’s infrastructure investments</a>, infrastructure demand remains a constant across international communities from large to small. </p>
<p>But the question remains, where and how should we invest? And more importantly, what do you do when too few people seem to pay attention? North Americans have an imbalanced relationship with infrastructure, and our understanding of priority and need. We <a href="https://www.politico.com/news/2022/11/06/biden-infrastructure-democrats-voters-00064694">care less about infrastructure investments</a> when we can’t see the direct benefits.</p>
<p>What we see in the 2023 budget is a careful dance. The government needs to show it’s making investments in infrastructure without further stretching public finances or making the tough choices that our dilapidated infrastructure requires. </p>
<p>No political party is protected from the curse of the infrastructure deficit — and there are no winners in the game of infrastructure funding. What it does require is that we all collectively take responsibility. This means dealing with public spending deficits, even if that means paying more taxes, and strengthening our relationship with infrastructure and our collective understanding of the role that it plays in our daily lives. </p>
<p>Governments will need to take on additional costs, and individuals will need to learn to accept that improving our communities costs money. We all need to learn that the connection between infrastructure and our well-being is closer than we think.</p>
<p class="fine-print"><em><span>Kerry Black receives funding from the Natural Sciences and Engineering Research Council, the Social Sciences and Humanities Research Council and the Canadian Institutes of Health Research. </span></em></p>
<p>The 2023 federal budget provides funding for critical infrastructure and clean energy. But long-term planning is needed to fix chronic problems.</p>
<p>Kerry Black, Assistant Professor and Canada Research Chair, Integrated Knowledge, Engineering and Sustainable Communities, University of Calgary. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>What is the National Cybersecurity Strategy? A cybersecurity expert explains what it is and what the Biden administration has changed</h1>
<p>The Conversation, 2023-03-20</p>
<figure><img src="https://images.theconversation.com/files/515922/original/file-20230316-16-dtrtr2.jpg?ixlib=rb-1.1.0&rect=0%2C8%2C5615%2C3732&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The federal government has a lot of cybersecurity resources, but the private sector plays a key role in national cyber defense.</span> <span class="attribution"><span class="source">U.S. government</span></span></figcaption></figure><p>The Biden administration released its first <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/">National Cybersecurity Strategy</a> on March 2, 2023. The last version <a href="https://2017-2021.state.gov/release-of-the-2018-national-cyber-strategy/index.html">was issued in 2018</a> during the Trump administration.</p>
<p>As the <a href="https://www.whitehouse.gov/wp-content/uploads/2022/11/8-November-Combined-PDF-for-Upload.pdf">National Security Strategy</a> does for national defense, the National Cybersecurity Strategy outlines a president’s priorities regarding cybersecurity issues. The document is not a directive. Rather, it describes in general terms what the administration is most concerned about, who its major adversaries are and how it might achieve its goals through legislation or executive action. These types of strategy statements are often aspirational.</p>
<p>As expected, the 2023 Biden National Cybersecurity Strategy reiterates previous recommendations about how to improve American cybersecurity. It calls for improved sharing of information between the government and private sector about cybersecurity threats, vulnerabilities and risks. It prescribes coordinating cybersecurity incident response across the federal government and enhancing regulations. It describes the need to expand the federal cybersecurity workforce. It emphasizes the importance of protecting the country’s critical infrastructure and federal computer systems. And it identifies China, Russia, Iran and North Korea as America’s main adversaries in cyberspace.</p>
<p>However, as a former cybersecurity industry practitioner and current <a href="http://www.csee.umbc.edu/%7Erforno/">cybersecurity researcher</a>, I think that the 2023 document incorporates some fresh ideas and perspectives that represent a more holistic approach to cybersecurity. At the same time, though, some of what is proposed may not be as helpful as envisioned.</p>
<p>Some of the key provisions in the current National Cybersecurity Strategy relate to the private sector, both in terms of product liability and cybersecurity insurance. It also aims to reduce the cybersecurity burden on individuals and smaller organizations. However, I believe it doesn’t go far enough in fostering information-sharing or addressing the specific tactics and techniques used by attackers.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/ehlIZzI5N9c?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Acting National Cybersecurity Director Kemba Walden discusses the Biden administration’s National Cybersecurity Strategy.</span></figcaption>
</figure>
<h2>The end of vendor indemnification?</h2>
<p>For decades, the technology industry has operated under what is known as <a href="https://www.technipages.com/definition/shrink-wrap-license">“shrink-wrap” licensing</a>. This refers to the multiple pages of legal text that customers, both large and small, routinely are forced to accept before installing or using computer products, software and services. </p>
<p>While much has been written about these agreements, such licenses generally have one thing in common: They ultimately <a href="https://www.csoonline.com/article/2129174/legal-quicksand--shrink-wrap-and-click-wrap-agreements.html">protect vendors</a> such as Microsoft or Adobe from legal consequences for any damages or costs arising from a customer’s use of their products, even if the vendor is at fault for producing a flawed or insecure product that affects the end user.</p>
<p>In a groundbreaking move, the new cybersecurity strategy says that while no product is totally secure, the administration will work with Congress and the private sector to prevent companies from being shielded from liability claims over the security of their products. These products underpin most of modern society. </p>
<p>Removing that legal shield is likely to encourage companies to make security a priority in their product development cycles and have a greater stake in the reliability of their products beyond the point of sale.</p>
<p>In another noteworthy shift, the strategy observes that end users bear too great a burden for mitigating cybersecurity risks. It states that a collaborative approach to cybersecurity and resiliency “cannot rely on the constant vigilance of our smallest organizations and individual citizens.” It stresses the importance of manufacturers of critical computer systems, as well as companies that operate them, in taking a greater role in improving the security of their products. It also suggests expanded regulation toward that goal may be forthcoming.</p>
<p>Interestingly, the strategy places great emphasis on the <a href="https://www.axios.com/2023/03/03/biden-cyber-strategy-ransomware">threat from ransomware</a> as the most pressing cybercrime facing the U.S. at all levels of government and business. It now calls ransomware a national security threat and not simply a criminal matter. </p>
<h2>Backstopping cyber insurance</h2>
<p>The new strategy also directs the federal government to consider taking on some responsibility for so-called <a href="https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/cyber-insurance">cybersecurity insurance</a>.</p>
<p>Here, the administration wants to ensure that insurance companies are adequately funded to respond to claims following a significant or catastrophic cybersecurity incident. Since 2020, the market for cybersecurity-related insurance has <a href="https://content.naic.org/sites/default/files/cmte-c-cyber-supplement-report-2022-for-data-year-2021.pdf">grown nearly 75%</a>, and organizations of all sizes consider such policies necessary. </p>
<p>This is understandable given how many companies and government agencies are reliant on the internet and corporate networks to conduct daily operations. By protecting, or “backstopping,” cybersecurity insurers, the administration hopes to prevent a major systemic financial crisis for insurers and victims during a cybersecurity incident.</p>
<p>However, cybersecurity insurance should not be treated as a free pass for complacency. Thankfully, insurers now often require policyholders to <a href="https://news.sophos.com/en-us/2022/03/25/experts-offer-advice-on-cyber-insurance-trends-qualifying-for-coverage/">prove they are following best cybersecurity practices</a> before approving a policy. This helps protect them from issuing policies that are likely to face claims arising from gross negligence by policyholders. </p>
<h2>Looking forward</h2>
<p>In addition to dealing with present concerns, the strategy also makes a strong case for ensuring the U.S. is prepared for the future. It speaks about fostering technology research that can improve or introduce cybersecurity in such fields as artificial intelligence, critical infrastructure and industrial control systems. </p>
<p>The strategy specifically warns that the U.S. must be prepared for a “post-quantum future” where emerging technologies could render existing cybersecurity controls vulnerable. This includes current encryption systems that <a href="https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms">could be broken</a> by future quantum computers. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/lvTqbM5Dq4Q?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Practical quantum computers, when they arrive, will force a change in how the internet is secured.</span></figcaption>
</figure>
<h2>Where the strategy falls short</h2>
<p>While the National Cybersecurity Strategy calls for continuing to expand information-sharing related to cybersecurity, it pledges to review federal classification policy to see where additional classified access to information is necessary.</p>
<p>The federal government already <a href="https://theconversation.com/overclassification-overkill-the-us-government-is-drowning-in-a-sea-of-secrets-198917">suffers from overclassification</a>, so if anything, I believe less classification of cybersecurity information is needed to facilitate better information-sharing on this issue. It’s important to reduce administrative and operational obstacles to effective and timely interaction, especially where collaborative relationships are needed between industry, academia and federal and state governments. Excessive classification is one such challenge.</p>
<p>Further, the strategy does not address the use of cyber tactics, techniques and procedures in <a href="https://www.cisa.gov/topics/election-security/foreign-influence-operations-and-disinformation">influence or disinformation campaigns</a> and other actions that might target the U.S. This omission is perhaps intentional because, although cybersecurity and influence operations are often <a href="https://www.cisa.gov/sites/default/files/publications/tactics-of-disinformation_508.pdf">intertwined</a>, reference to countering influence operations <a href="https://americasfuture.org/instead-of-colluding-with-big-tech-to-censor-americans-cisa-should-focus-on-protecting-them/">could lead to partisan conflicts</a> over <a href="https://oversight.house.gov/release/comer-announces-markup-of-bills-to-protect-speech-from-government-censorship%EF%BF%BC/">freedom of speech and political activity</a>. Ideally, the National Cybersecurity Strategy should be apolitical.</p>
<p>That being said, the 2023 National Cybersecurity Strategy is a balanced document. While in many ways it reiterates recommendations made since the first National Cybersecurity Strategy in 2002, it also provides some innovative ideas that could strengthen U.S. cybersecurity in meaningful ways and help modernize America’s technology industry, both now and into the future.</p>
<p class="fine-print"><em><span>Richard Forno has received research funding related to cybersecurity from the National Science Foundation (NSF) and the Department of Defense (DOD) during his academic career, and sits on the advisory board of BlindHash, a cybersecurity startup focusing on remedying the password problem. He is CoPI of UMBC's Scholarship-for-Service program, which is referenced in the 2023 National Cybersecurity Strategy.</span></em></p>
<p>The new National Cybersecurity Strategy reiterates the government’s focus on resilient infrastructure and taking the offensive against hackers. But it also brings a fresh approach to the private sector.</p>
<p>Richard Forno, Principal Lecturer in Computer Science and Electrical Engineering, University of Maryland, Baltimore County. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Political instability and damage to infrastructure: how climate change could undermine Australia’s national security</h1>
<p>The Conversation, 2023-03-01</p>
<p>For many Australians, the impacts of climate change on wellbeing are distressingly clear.</p>
<p>Floods have recently caused massive damage in many parts of the country, while the 2019/2020 Black Summer bushfires are still seared in our memories.</p>
<p>Climate change will increase the frequency and intensity of such floods and fires, along with droughts, heatwaves and coastal erosion.</p>
<p>Climate change isn’t only a threat to our unique environment, but also a threat to Australia’s national security.</p>
<p>The federal government is already concerned about this issue. When coming into office last year, Prime Minister Anthony Albanese said “The security implications of climate change are clear and cannot be ignored”. He subsequently <a href="https://www.theguardian.com/environment/2022/jun/22/anthony-albanese-to-order-intelligence-chief-to-examine-security-threats-posed-by-climate-crisis">ordered</a> the Office of National Intelligence to analyse the security implications of climate change. However, the results of this assessment remain classified.</p>
<p>My <a href="https://www.tandfonline.com/doi/full/10.1080/10357718.2023.2170978">latest study</a> provides the most comprehensive scientific (and publicly available) assessment of whether climate change affects national security in Australia. The answer to this question is a clear “yes”, even though some qualifications apply.</p>
<p>The biggest risks are damage to critical infrastructure, strained defence force capacity, and the possibility of increased political instability in our region.</p>
<hr>
<iframe title="Climate change-related threats to Australia’s national security" aria-label="Table" id="datawrapper-chart-prjKd" src="https://datawrapper.dwcdn.net/prjKd/3/" scrolling="yes" frameborder="0" style="width: 0; min-width: 100% !important; border: none;" height="1099" data-external="1" width="100%"></iframe>
<hr>
<h2>Risks to infrastructure</h2>
<p>Climate change poses considerable risks to critical infrastructure. </p>
<p>Australia has long road, rail and grid networks, large parts of which are threatened by sea-level rise or located in disaster risk areas.</p>
<p>If you live in Western Australia, you may remember empty supermarket shelves in early 2022 when floods <a href="https://www.watoday.com.au/national/western-australia/supermarkets-bring-in-purchase-limits-as-floods-expose-vulnerability-of-wa-s-freight-network-20220202-p59ta4.html">washed away a major supply rail line</a>.</p>
<p>Likewise, climate change means more heatwaves. During hot days, demand for energy peaks to keep buildings cool. Simultaneously, high fire risks complicate repair works and bushfires may destroy energy infrastructure. As a result, the likelihood of power outages grows.</p>
<h2>Stretching the capacity of the defence force</h2>
<p>But climate change doesn’t only threaten civil infrastructure. It also affects the capabilities of the Australian Defence Force (ADF). When it comes to roads or power, the military often depends on the same infrastructure as civilians do, so is affected by similar risks.</p>
<p>The Tanami Road connecting Alice Springs to the Kimberley, for instance, is considered of high strategic importance in case of a larger international conflict. Yet it’s vulnerable to disruptions by floods and extreme heat.</p>
<p>Many military bases are also <a href="https://www.sbs.com.au/news/article/exclusive-climate-change-warning-for-australias-military/iij8zlise">located close to the ocean</a> and hence threatened by rising sea levels.</p>
<p>The ADF also plays a key role as a provider of disaster relief, both domestically (such as after the Kimberley floods this year) and internationally (such as after Cyclone Winston in Fiji in 2016).</p>
<p>The ADF is quite well resourced, but its capacities could be stretched thin if several relevant incidents occur at the same time.</p>
<p>Imagine, for example, several major disasters requiring military responses at a time when ADF infrastructure is affected by climate change, and geopolitical tensions with China are growing.</p>
<h2>Political instability</h2>
<p>Climate change will also increase the risk of political instability in the Asia-Pacific region.</p>
<p><a href="https://doi.org/10.1016/j.gloenvcha.2020.102063">Research</a> has established that disasters like droughts, floods or storms make violent internal political conflict more likely, particularly in countries with pre-existing risk factors. This is because armed groups have an easier time recruiting impoverished and aggrieved disaster survivors.</p>
<p>Also, states are often weakened after disasters because their military is busy with the disaster response.</p>
<p>In the past, we have observed this link in several countries in Australia’s immediate neighbourhood. In Fiji, for instance, more and more residents are fleeing from coastal floods and storms to larger islands and urban areas. This frequently causes <a href="https://www.tandfonline.com/doi/full/10.1080/10402659.2022.2023424">tensions</a> between the newcomers and established residents.</p>
<p>Likewise, Maoist insurgents in India often <a href="https://mitpress.mit.edu/9780262545556/catastrophes-confrontations-and-constraints/">recruit</a> desperate farmers. Droughts and tropical storms deepen poverty in these rural areas.</p>
<p>In the worst case, Australia’s foreign policy will need to deal with twin challenges: climate-related disasters causing political instability in the region and simultaneously undermining the capabilities of core regional partner countries like Indonesia, which are highly vulnerable to extreme climate events.</p>
<h2>Some risks exaggerated</h2>
<p>However, my study also finds some climate-related risks are exaggerated.</p>
<p>On the one hand, climate change isn’t a deterministic force of nature, but a result of human action (and inaction). Ambitious CO2-reduction policies and smart adaptation measures could go a long way in reducing the worst impacts of climate change. Decentralised solar energy projects, for instance, help to avoid greenhouse gas emissions and can act as a buffer against disruptions of the power grid.</p>
<p>On the other hand, depictions of climate change as a trigger of international wars and mass migration are misleading.</p>
<p>We have only seen a relatively small number of large-scale violent disputes between states since World War Two, and in none of them was the environment a major cause of contestation. As long as it’s many times cheaper to build a desalination plant than to invade a country, water wars remain unlikely.</p>
<p>What’s more, international migration is enormously costly for the majority of people living in poorer countries. If their livelihoods are further devastated by storms and droughts, they’re even less likely to be able to pay to move long distances.</p>
<p>Despite these qualifications, the message of recent research is unequivocal: climate change is not “just” an environmental concern. It’s an important national security issue for Australia. Efforts to mitigate and adapt to climate change should, consequently, remain high on the political agenda.</p>
<p class="fine-print"><em><span>Tobias Ide receives funding from the Australian Research Council for the project 'Disasters and Armed Conflict Dynamics'. </span></em></p>
<p>Our foreign policy may need to deal with twin challenges brought about by climate change.</p>
<p>Tobias Ide, Senior Lecturer in Politics and International Relations, Murdoch University. Licensed as Creative Commons – attribution, no derivatives.</p>
<h1>Massive outages caused by Cyclone Gabrielle strengthen the case for burying power lines</h1>
<p>The Conversation, 2023-02-14</p>
<figure><img src="https://images.theconversation.com/files/510210/original/file-20230214-26-6xzi32.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C4261%2C2824&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Getty Images</span></span></figcaption></figure><p>Another extreme weather event has highlighted the weak points in New Zealand’s critical infrastructure. As Cyclone Gabrielle ripped across the North Island, nearly <a href="https://www.todayfm.co.nz/home/national/2023/02/energy-minister-reports-225000-people-without-power-across-north-island.html">225,000 people lost power</a>.</p>
<p>The cause is relatively obvious: many houses and buildings are connected to the power grid by overground power lines. Overhead wires, a common sight around many suburbs, are highly vulnerable to extreme weather events. When the winds pick up, limbs and trees fall, and power lines are dragged down.</p>
<p>But one solution is equally obvious: bury the power lines. With the threat of <a href="https://www.nature.com/articles/ngeo779%22%22">more frequent storms of increasing intensity</a>, the risk to households, businesses and personal safety demands this option be seriously considered.</p>
<p>Power outages mean more than just the inconvenience of a dark house or a dead mobile phone battery. Many things we rely on, like fibre internet, home WiFi or even our ability to make emergency calls, depend on an electrical connection.</p>
<p>Loss of power puts refrigerators and freezers full of valuable food at risk. And many people rely on electricity for lifesaving medical devices in their homes. Battery backup only offers a short-term solution. When the power goes out, lives and livelihoods are put in danger.</p>
<h2>Costs and benefits</h2>
<p>Perhaps the main argument against burying power lines is the cost. And it’s true, putting thousands of kilometres of cable underground isn’t cheap. The fact is, reliable infrastructure is expensive.</p>
<p>However, while overhead power lines are cheaper to install in the short term, they carry a <a href="https://www.sciencedirect.com/science/article/abs/pii/S0957178711000622">higher maintenance cost</a> and are less reliable – especially in storms. If the cost to households and businesses from a loss of power is also considered, the economics of burying power lines become much more palatable.</p>
<p>Another argument against burying power lines is that in areas prone to earthquakes, underground lines are more vulnerable or more difficult to repair. This was certainly the case in the Canterbury earthquakes a decade ago.</p>
<p>However, studies have shown that better routing and reinforcement of underground lines can <a href="https://www.geengineeringsystems.com/ewExternalFiles/Buried%20Cables.pdf">mitigate that risk</a>. Major earthquakes are also far less common than weather events that damage overhead wires.</p>
<p>Earthquake-prone Japan recently announced a plan to <a href="https://japantoday.com/category/national/japanese-government-plans-to-remove-around-4-000-km-of-overhead-power-lines">bury 4,000km of powerlines</a> by 2025. In shaky California, one utility company <a href="https://www.nytimes.com/2021/07/21/business/energy-environment/pge-underground-powerlines-wildfires.html">plans to spend US$10 billion</a> burying power lines to prevent fires.</p>
<p>Denmark, Switzerland, Germany and the Netherlands have all buried most of their power lines. Unsurprisingly, they also have the lowest “system average interruption duration index” (SAIDI) values – a measure of the average duration of power outages per customer.</p>
<p>All four countries have a SAIDI value of less than 25, meaning the average customer experienced a power outage of fewer than 25 minutes. By comparison, Auckland’s electric distribution business Vector has a SAIDI of 161.9; Christchurch’s Orion scored 57.4; while the country overall averaged over <a href="https://public.tableau.com/app/profile/commerce.commission/viz/Performanceaccessibilitytool-NewZealandelectricitydistributors-Dataandmetrics/Homepage">204 minutes per customer</a> for an outage.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/510211/original/file-20230214-2190-ymrr9k.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Overhead power lines are also a risk to the workers who fix them after storm damage.</span>
<span class="attribution"><span class="source">Getty Images</span></span>
</figcaption>
</figure>
<h2>Spend now, save later</h2>
<p>There are other good safety reasons for burying power lines, too. Even without trees nearby, power lines can arc in high winds, causing showers of sparks to rain down and potentially ignite fires. This happened in 2020 with the <a href="https://www.newsroom.co.nz/lake-ohau-fire-narrative-goes-up-in-smoke">Lake Ōhau Alpine Village fire</a> that burned 5,000 hectares and 65 structures and caused NZ$35 million in insurance losses.</p>
<p>Broken power lines carry massive voltages, which can maim or kill people. Falling power poles crush people and cars. Single-vehicle crashes into power poles also frequently result in critical and fatal injuries, and <a href="https://www.stuff.co.nz/national/300779663/almost-300-homes-still-without-power-after-coromandel-crash-that-left-person-trapped">large power outages</a>.</p>
<p>Utility poles can obstruct or narrow footpaths, making paths less accessible, particularly for people in wheelchairs. Overhead wires are often cited as an eyesore, and <a href="https://www.stuff.co.nz/environment/300234668/auckland-trees-an-eyesore-after-being-cut-in-deep-v-shapes-to-avoid-power-lines">trimming trees around power lines</a> is both ugly and damaging to the trees.</p>
<p>Right now, however, the most pressing reason for burying power lines is visible all around. At this point, it’s not clear how extensively Cyclone Gabrielle damaged the power lines, but it will likely take days or weeks, not hours, to restore power to everyone.</p>
<p>In the coming weeks, workers will fan out across the North Island into precarious locations, lifted high above the ground in cherry pickers to mend lines and restore power. The work puts their own health and safety at risk, and we could eliminate this danger too with underground power lines.</p>
<p>Clearly it isn’t a good option for everywhere. High-powered transmission lines that bridge large spans in undeveloped areas are likely not viable economic candidates for under-grounding. But the long-term benefits of burying lines in cities and towns far outweigh the upfront costs. It should be given serious consideration before the next “<a href="https://www.theguardian.com/world/2023/feb/13/cyclone-gabrielle-new-zealand-declares-national-state-of-emergency">storm of the century</a>” hits.</p>
<p class="fine-print"><em><span>Timothy Welch does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Underground power lines are safer, more resilient and less of an eyesore. The higher upfront cost will pay off in long-term benefits.
Timothy Welch, Senior Lecturer in Urban Planning, University of Auckland, Waipapa Taumata Rau
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/187889
2022-08-03T16:03:47Z 2022-08-03T16:03:47Z
South Africa needs stronger security in place to stop the sabotage of its power supply
<figure><img src="https://images.theconversation.com/files/477200/original/file-20220802-14-80pssz.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><span class="source">EFE-EPA/Kim Ludbrook</span></span></figcaption></figure>
<p>South African president Cyril Ramaphosa recently <a href="https://www.thepresidency.gov.za/speeches/address-president-cyril-ramaphosa-actions-address-electricity-crisis%2C-union-buildings%2C-tshwane">outlined</a> plans to solve the country’s devastating electricity supply crisis. But he didn’t mention the country’s ability to protect its energy infrastructure as a prerequisite to any solution.</p>
<p>South Africa has had power cuts <a href="https://www.aljazeera.com/news/2022/7/1/power-cuts-in-south-africa-what-you-need-to-now">since 2007</a> when Eskom, the power utility, began failing to meet demand. This got worse every year. The power utility is struggling to keep its <a href="https://www.power-technology.com/news/eskom-coal-power/">aged coal-fired power stations</a> running after many years of poor maintenance. It is also <a href="https://www.esi-africa.com/industry-sectors/asset-maintenance/generating-capacity-woes-continues-to-bedevil-eskom/">struggling</a> to get its two new power stations to operate at full capacity.</p>
<p>Explaining some of the recent power cuts, Ramaphosa said that some of the energy infrastructure had been <a href="https://www.enca.com/news/sas-power-stations-ramaphosa-says-theres-deliberate-sabotage">sabotaged</a>. </p>
<p>We flagged this in an earlier <a href="https://theconversation.com/hybrid-warfare-is-on-the-rise-globally-might-south-africas-eskom-be-its-latest-victim-173166">article</a>. We argued that Eskom was the target of hybrid warfare operations aimed at destabilising South Africa’s national power generation capability. </p>
<p>The question is whether the country has the necessary security capabilities to protect its energy infrastructure from such threats and risks. An assessment of the security capabilities also has to include a fit-for-purpose test of the legislation for the <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">protection of critical infrastructure</a>.</p>
<p>Enhanced intelligence capacities are required to detect, deter and neutralise threats such as sabotage, or subversion caused by rioting. More – and appropriately equipped – security forces are also needed to physically secure critical infrastructure. These could be privately or publicly funded.</p>
<p>Our view is that the country does not have what is required where and when it is needed. A comprehensive approach is needed – including managing security threats – to address its energy crisis. This requires collaboration between the state and private sector to implement the president’s long-term energy security vision. </p>
<h2>Hybrid attacks now common</h2>
<p>South Africa is not the only country whose energy infrastructure is facing security threats. There are <a href="https://www2.deloitte.com/za/en/insights/industry/public-sector/cyberattack-critical-infrastructure-cybersecurity.html">numerous examples</a> of attacks on critical infrastructure. These are typically <a href="https://ec.europa.eu/research-and-innovation/en/horizon-magazine/critical-infrastructures-under-daily-attack-erncip-head-georg-peter">cyber-related</a>. But physical attacks such as <a href="https://www.da.org.za/2021/11/eskom-infrastructure-sabotage-is-consistent-with-the-july-insurrectionists-modus-operandi">sabotage</a> also occur.</p>
<p>The <a href="https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry">Institute for Security Studies</a> argues that attacks on the critical infrastructure of developing countries, such as South Africa, could be “<a href="https://issafrica.org/iss-today/critical-infrastructure-attacks-why-south-africa-should-worry">potentially devastating</a>”. South Africa’s national security vulnerabilities, combined with the security risks to a monolithic state-owned entity with no backup, could exacerbate the country’s power supply insecurities. </p>
<p>Cyber attacks on Eskom’s critical infrastructure could lead to severe damage. The result could be corresponding losses of generation capacity and damage to the economy. </p>
<p>National security vulnerabilities can be reduced by state security capabilities that are equal to the task. A <a href="https://www.thepresidency.gov.za/content/report-expert-panel-july-2021-civil-unrest">Report of the Expert Panel</a> into <a href="https://www.bbc.com/news/world-africa-57818215">civil unrest</a> in the country in July 2021 revealed serious capacity problems within the state security sector. The sector is mandated to forewarn government, and to protect critical infrastructure and the public against <a href="https://journals.sas.ac.uk/amicus/article/view/1671">hybrid threats</a>. These include terrorism, subversion, sabotage, espionage and organised crime. </p>
<p>This weakness was also highlighted in the 2018 <a href="https://www.gov.za/sites/default/files/gcis_document/201903/high-level-review-panel-state-security-agency.pdf">High-Level Review Panel on the State Security Agency</a>. It concluded that the country’s <a href="https://nationalgovernment.co.za/units/view/42/state-security-agency-ssa">State Security Agency</a> had been</p>
<blockquote>
<p>compromised by factionalism, mismanagement and inefficiency.</p>
</blockquote>
<p>The agency is South Africa’s primary authority tasked with protecting the country against such hybrid threats. Yet it is in a state of disrepair. This calls for the country to focus efforts on (at least) the capability to secure Eskom against obvious national security threats. </p>
<h2>The importance of critical infrastructure</h2>
<p>The protection of South Africa’s energy infrastructure falls within the remit of the new <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">Critical Infrastructure Protection Act 8 of 2019</a>. Such infrastructure is crucial for the effective functioning of the economy, <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">national security</a> and public safety. </p>
<p>Critical infrastructure consists of national assets that are viewed as having strategic importance. South Africa has plenty of critical infrastructure spread across its length and breadth – measuring <a href="https://www.worlddata.info/africa/south-africa/index.php#:%7E:text=South%20Africa%20is%20a%20country,25th%20biggest%20in%20the%20world">about 1.219 million km²</a>. These include the Eskom energy grid – <a href="https://www.eskom.co.za/wp-content/uploads/2021/08/TDP-Report-2019-2029_Final.pdf">including power stations, sub-stations and transmission networks</a> – dams, the banking system and oil storage. The sheer scale requires extensive security capabilities necessary for physical protection and monitoring threats. </p>
<p>Beyond physically securing this infrastructure, the state also needs to have the ability to detect, deter and neutralise threat actors. These are classical counterintelligence prerogatives. Failure on this front makes the country vulnerable to destabilisation. </p>
<p>The <a href="https://www.thepresidency.gov.za/download/file/fid/2442">stretched nature</a> of the country’s security agencies was laid bare during the <a href="https://www.bbc.com/news/world-africa-57818215">violent riots</a> in July 2021. It is thus reasonable to question the capacity of the police, and other security agencies, to secure Eskom’s critical infrastructure and that of private power producers.</p>
<h2>Planning for security</h2>
<p>In our view, all planning to develop and diversify the national power grid and energy supply should include enough resources to protect them. This requires cooperative planning between Eskom and the South African security sector (both state and private).</p>
<p>The exact role of the South African National Defence Force in providing security for critical infrastructure remains unclear. The <a href="https://www.gov.za/sites/default/files/gcis_document/201503/act-102-1980.pdf">National Key Points Act 1980</a>, the <a href="https://www.gov.za/sites/default/files/gcis_document/201409/a42-020.pdf">Defence Act 2002</a> and the <a href="https://www.gov.za/sites/default/files/gcis_document/201911/4286628-11act8of2019criticalinfraprotectact.pdf">Critical Infrastructure Protection Act 8 of 2019</a> are not explicit on the issue. </p>
<p>The protection of critical infrastructure has been assigned to the South African Police Service, with the defence force <a href="https://static.pmg.org.za/170512review.pdf">supporting it</a>. Given that the defence budget has been shrinking annually, the military will probably not be able to sustain this.</p>
<p>With the private sector playing an increased role in the energy sector, South Africa needs to develop dedicated private security capacities to protect its critical infrastructure. At the very least, it should adopt a mixed public-private security model akin to the police service’s <a href="https://cvwa.org.za/community-police-forum/">community policing</a> concept. </p>
<p>The president’s energy vision envisages a much larger private industrial capacity. If left unsecured, such capacity would be just as vulnerable to sabotage as the current Eskom infrastructure is. It is time the country took stock of its security requirements in the same way it has started being serious about its energy vulnerabilities. </p>
<p>There’s also the question of whether the penalties prescribed by law are fit to deter sabotage. </p>
<h2>What needs to happen</h2>
<p>The hybrid nature of <a href="https://www.da.org.za/2021/11/eskom-infrastructure-sabotage-is-consistent-with-the-july-insurrectionists-modus-operandi">threats to the country’s infrastructure</a> can only be solved by an integrated solution. That requires, firstly, clarity about mandates as well as state security capabilities. </p>
<p>Secondly, security sector capacity needs to be developed alongside critical infrastructure. Thirdly, legislation needs to increase existing sanctions in terms of fines and imprisonment.</p>
<p>Lastly, public-private security partnerships must be established to bolster the security of the country’s electricity infrastructure.</p>
<p class="fine-print"><em><span>Sascha-Dominik (Dov) Bachmann has received funding from the Australian Department of Defence for research regarding grey zone and information operations targeting Australia. Sascha Dov is a Research Fellow with The Security Institute for Governance and Leadership in Africa, Faculty of Military Science, Stellenbosch University. Sascha would like to thank Dr. Sasha-Lee Afrika for her insightful comments and assistance, particularly regarding the law.</span></em></p>
<p class="fine-print"><em><span>Dries Putter does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
The hybrid nature of threats to South Africa’s energy infrastructure can only be solved by an integrated solution, including severe sanctions that should include fines and imprisonment.
Sascha-Dominik (Dov) Bachmann, Professor in Law and Co-Convener National Security Hub (University of Canberra) and Research Fellow (adjunct) - The Security Institute for Governance and Leadership in Africa, Faculty of Military Science, Stellenbosch University - NATO Fellow Asia-Pacific, University of Canberra
Dries Putter, Lecturer at the Faculty of Military Science / Affiliate Member, National Security Hub, University of Canberra and Researcher for Security Institute for Governance and Leadership in Africa (SIGLA), Stellenbosch University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/175471
2022-01-26T19:55:02Z 2022-01-26T19:55:02Z
Russia could unleash disruptive cyberattacks against the US – but efforts to sow confusion and division are more likely
<figure><img src="https://images.theconversation.com/files/442625/original/file-20220125-27-qyhl0p.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C6000%2C3997&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">The Department of Justice indicted six officers of Russia's GRU military intelligence service in October 2020 on charges of hacking and deploying malware.</span> <span class="attribution"><a class="source" href="https://www.gettyimages.com/detail/news-photo/poster-showing-six-wanted-russian-military-intelligence-news-photo/1229171656">Andrew Harnik - Pool/Getty Images</a></span></figcaption></figure>
<p>As tensions mount between Russia and the West over Ukraine, the threat of Russian cyberattacks against the U.S. increases. The Department of Homeland Security issued an <a href="https://www.cnn.com/2022/01/24/politics/russia-cyberattack-warning-homeland-security/index.html">intelligence bulletin</a> on Jan. 23, 2022, warning that Russia has the capability to carry out a range of attacks, from <a href="https://www.cisa.gov/uscert/ncas/tips/ST04-015">denial-of-service</a> attacks on websites to disrupting critical infrastructure like power grids.</p>
<p>“We assess that Russia would consider initiating a cyberattack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” the DHS <a href="https://abcnews.go.com/Politics/dhs-warns-russian-cyberattack-us-responds-ukraine-invasion/story?id=82441727">stated in the bulletin</a>, which it sent to law enforcement agencies, state and local governments, and critical infrastructure operators.</p>
<p>Cybersecurity experts are concerned that in the wake of recent cyberattacks by hackers affiliated with Russia, the Russian government has the capability to carry out disruptive and destructive attacks against targets in the U.S. The <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">SolarWinds attack</a>, uncovered in December 2020, gave the perpetrators access to the computer systems of many U.S. government agencies and private businesses. The DHS and FBI accused Russian hackers in March 2018 of <a href="https://www.cisa.gov/uscert/ncas/alerts/TA18-074A">infiltrating U.S. energy and infrastructure networks</a>.</p>
<p>Russian cyberattacks could include continued attempts to diminish Americans’ confidence in <a href="https://www.nytimes.com/news-event/russian-election-hacking">elections</a>, undermine <a href="https://www.thecipherbrief.com/column_article/dont-underestimate-economic-side-russias-cyber-warfare">economic stability</a>, damage the <a href="https://www.vox.com/world/2018/3/28/17170612/russia-hacking-us-power-grid-nuclear-plants">energy grid</a>, and even disrupt <a href="https://www.cbsnews.com/news/cyberattacks-ransomware-hacking-hospitals-target-foreign-groups/">health care systems</a>. </p>
<p>While some components of these systems almost certainly remain vulnerable to Russian-aligned hackers, the Russian government is likely to think twice before unleashing highly disruptive attacks against the U.S., because the U.S. government could interpret such attacks, particularly those targeting critical infrastructure, as <a href="https://www.wsj.com/articles/SB10001424052702304563104576355623135782718">acts of war</a>. The DHS bulletin stated that Russia has a high threshold for initiating disruptive attacks. As a researcher who <a href="https://scholar.google.com/citations?user=nNlgxmMAAAAJ&hl=en">studies cyberwarfare</a>, I believe a more likely threat from Russian hackers is launching disinformation campaigns.</p>
<h2>Distract, distort and divide</h2>
<p>Americans can probably expect to see Russian-sponsored cyber activities working in tandem with propaganda campaigns. These activities are likely to be aimed at preventing a unified response to Russian aggression in Ukraine. </p>
<p>Russian military doctrine includes the well-evolved concept of <a href="https://www.ndc.nato.int/news/news.php?icode=995">information confrontation</a>, which uses cyber means to create doubt about what is true. Russia’s information warfare strategy seeks to manipulate information and relationships. </p>
<p>The <a href="https://apps.dtic.mil/sti/pdfs/AD1108494.pdf">specific maneuvers</a> aim to bolster narratives, people and groups that support Russian interests and undermine those that are counter to Russian interests. The maneuvers, which include dismissing and distorting information and undermining opinion leaders, are carried out in the press and on social media. </p>
<p>Russian intelligence operatives are skilled at using technology, including <a href="https://theconversation.com/how-fake-accounts-constantly-manipulate-what-you-see-on-social-media-and-what-you-can-do-about-it-139610">amplifying misinformation through fake accounts</a> on popular social media platforms. In effect, Russia uses social and other online media like a military-grade fog machine that confuses the U.S. population and encourages mistrust in the strength and validity of the U.S. government.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a seven-story office building with gray walls and blue windows" src="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442652/original/file-20220125-23-ziie5q.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">This office building, dubbed the ‘troll factory,’ housed the Internet Research Agency, a Kremlin-backed disinformation organization.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Election2018RussianMeddling/91870df003cc492494b575682ef911c0/photo">AP Photo/Dmitri Lovetsky</a></span>
</figcaption>
</figure>
<p>Repressive governments like those in <a href="https://www.hrw.org/news/2020/06/18/russia-growing-internet-isolation-control-censorship">Russia</a> and <a href="https://gking.harvard.edu/50C">China</a> have perfected the manipulation of online information as a way to control their own populations. Democracies are especially vulnerable to these techniques, given the open exchange of ideas and lack of centralized control over sources of information. </p>
<p>In addition, U.S. society is <a href="https://www.pewresearch.org/politics/2014/06/12/political-polarization-in-the-american-public/">polarized</a>, and that polarization is <a href="https://www.brown.edu/news/2020-01-21/polarization">occurring at an increasing rate</a>. A study by researchers at the University of Oxford examined Russia’s computational propaganda against the U.S. <a href="https://int.nyt.com/data/documenthelper/534-oxford-russia-internet-research-agency/c6588b4a7b940c551c38/optimized/full.pdf">between 2013 and 2018</a> and found that it was designed to boost U.S. political polarization.</p>
<h2>Plausible deniability</h2>
<p>Though the Russian government commonly operates through its intelligence services, including the technical experts in the <a href="https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and">GRU</a> military intelligence service and the spymasters in the <a href="https://crsreports.congress.gov/product/pdf/IF/IF11718">FSB</a> domestic intelligence service, it also uses <a href="https://www.defenseone.com/technology/2021/05/russias-latest-hack-shows-how-useful-criminal-groups-are-kremlin/174401/">criminal groups</a> to achieve its aims. </p>
<p>History shows that Russia is most likely to recruit proxies to carry out cyberattacks that <a href="https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20111231_art013.pdf">disrupt decision-making</a> so that the attacks don’t point directly back to the Kremlin. There is no foggier battlefield than cyberspace. That is one of the main benefits of cyberspace as an element of national power – a cyberattack almost always allows for plausible deniability. </p>
<p>On Jan. 14, 2022, Russia <a href="https://theconversation.com/how-the-biden-administration-is-making-gains-in-an-uphill-battle-against-russian-hackers-174199">arrested members of the Russian-based cyber gang REvil</a> who were responsible for the 2021 ransomware attacks against <a href="https://www.bbc.com/news/world-us-canada-57338896">meat supplier JBS Foods</a>, headquartered in Greeley, Colorado, and <a href="https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984">the Colonial Pipeline</a>, headquartered in Alpharetta, Georgia. The unusual move caused cybersecurity analysts to wonder about Russia’s motive, including speculation about <a href="https://www.darkreading.com/threat-intelligence/russia-takes-down-revil-ransomware-operation-arrests-key-members">making it easier for the government to deny a connection</a> to the cyberattacks.</p>
<h2>US cyber defenses</h2>
<p>National cyber defense is <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">inherently challenging</a>, but the U.S. is far from defenseless. Several <a href="https://www.washingtonpost.com/politics/2021/06/28/cybersecurity-202-united-states-is-still-number-one-cyber-capabilities/">analysts</a> <a href="https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power">have noted</a> that the U.S. is the most capable cyber power in the world. The U.S. also has <a href="https://www.forbes.com/sites/jodywestby/2020/12/20/russia-has-carried-out-20-years-of-cyber-attacks-that-call-for-international-response/?sh=526ef3a96605">20 years</a> of experience dealing with Russian cyber aggression.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="people in military uniforms sit at desks with multiple computer monitors" src="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=399&fit=crop&dpr=1 600w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=399&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=399&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=501&fit=crop&dpr=1 754w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=501&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/442626/original/file-20220125-27-177bhii.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=501&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">U.S. Army intelligence personnel in the Cyber Operations Center at Fort Gordon in Georgia watch for network attacks.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/ftmeade/45028818622/">U.S. Army photo by Michael L. Lewis</a></span>
</figcaption>
</figure>
<p>The Biden administration’s <a href="https://theconversation.com/how-the-biden-administration-is-making-gains-in-an-uphill-battle-against-russian-hackers-174199">tough stance on Russian hacking</a> has made some progress. And though disinformation is among the murkiest of cyber strategies, cybersecurity experts are <a href="https://theconversation.com/the-battle-against-disinformation-is-global-129212">making headway</a> on that front, too.</p>
<h2>Cause for concern but no reason to fear</h2>
<p>Cyber activity that creates room for Russia to present the seizure of Ukraine as a fait accompli is much more likely than a crippling cyberattack. Though Russia might temporarily deter a U.S. response to Russian moves in Ukraine by disrupting U.S. critical infrastructure, Americans are likely to present a unified and powerful response to such an overt attack. I believe Russia is more likely to prefer a path of insidious political polarization to weaken U.S. geopolitical influence.</p>
<p>Even if Russia were to launch extensive cyberattacks against the U.S., the average American is unlikely to be harmed. The disruption of natural gas and food supplies would clearly have a significant economic impact, but it is <a href="https://www.washingtonpost.com/politics/2021/10/01/ransomware-attack-might-have-caused-another-death/">extremely rare</a> for a cyberattack to lead to loss of life. </p>
<p>If you are worried about the situation in Ukraine and wondering what you can do to defend against Russian cyberattacks, I recommend tuning out divisive rhetoric and cultivating common ground with Americans whom you might not agree with. Though there are many issues U.S. society is working through, Americans can still try to find some general agreement in the principles of the American experiment.</p>
<p class="fine-print"><em><span>I am a reservist in the United States Army.</span></em></p>Russia probably has the means to attack US electrical grids and otherwise create havoc but probably won’t go that far. Instead, watch for disinformation aimed at undermining the US and NATO.Justin Pelletier, Professor of Practice of Computing Security, Rochester Institute of TechnologyLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1741992022-01-21T13:40:59Z2022-01-21T13:40:59ZHow the Biden administration is making gains in an uphill battle against Russian hackers<figure><img src="https://images.theconversation.com/files/441408/original/file-20220118-23-ta8go3.jpg?ixlib=rb-1.1.0&rect=48%2C0%2C5395%2C3577&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Shortly after taking office, President Biden declared that the U.S. would no longer roll over in the face of Russian cyberattacks.</span> <span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/Biden/29e09be03a1948fca6c2bc88ff5d40d5/photo">AP Photo/Evan Vucci</a></span></figcaption></figure><p>On Jan. 14, 2022, the FSB, Russia’s domestic intelligence service, announced that it had <a href="https://www.reuters.com/technology/russia-arrests-dismantles-revil-hacking-group-us-request-report-2022-01-14/">broken up the notorious Russia-based REvil</a> ransomware criminal organization. The FSB said the actions were taken in response to <a href="http://www.fsb.ru/fsb/press/message/single.htm%21id%3D10439388%40fsbMessage.html">a request from U.S. authorities</a>. The move marks a <a href="https://www.wired.com/story/russia-revil-ransomware-arrests-ukraine/">dramatic shift in Russia’s response</a> to criminal cyberattacks launched against U.S. targets from within Russia, and comes at a time of heightened tensions between the two countries.</p>
<p>U.S. policy and actions in response to cyberattacks connected to Russia have changed distinctly since the Biden administration took office. President Joe Biden has openly confronted Russian President Vladimir Putin on his <a href="https://www.cnn.com/2021/07/09/politics/biden-putin-call-syria-ransomware/index.html">responsibility regarding international cyberattacks</a>, and the Biden administration has taken <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/">unprecedented steps to impose costs</a> on Russian cyber criminals and frustrate their efforts.</p>
<p>Upon taking office, Biden immediately faced difficult challenges from Russian intelligence operatives and criminals in headline-grabbing cyberattacks on private companies and critical infrastructure. As a <a href="https://scholar.google.com/citations?user=kmwlBpoAAAAJ&hl=en">scholar of Russian cyber operations</a>, I see that the administration has made significant progress in responding to Russian cyber aggression, but I also have clear expectations about what national cyber defense can and can’t do.</p>
<h2>Software supply chain compromise</h2>
<p>The <a href="https://theconversation.com/the-sunburst-hack-was-massive-and-devastating-5-observations-from-a-cybersecurity-expert-152444">SolarWinds hack</a> carried out in 2020 was a successful attack on the global <a href="https://www.hackread.com/understanding-software-supply-chain-how-to-secure-it/">software supply chain</a>. The hackers used the access they gained to thousands of computers to spy on nine U.S. federal agencies and about 100 private-sector companies. U.S. security agencies said that a sophisticated hacking group, “<a href="https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html">likely Russian in origin</a>,” was responsible for the intelligence-gathering effort.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/jxTxGlE9X5s?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">The SolarWinds hack explained.</span></figcaption>
</figure>
<p>On Feb. 4, 2021, Biden addressed Putin in a statement delivered at the State Department. Biden said that the days of the U.S. rolling over in the face of Russian cyberattacks and interference in U.S. elections “<a href="https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/02/04/remarks-by-president-biden-on-americas-place-in-the-world/">are over</a>.” </p>
<p>Biden vowed to “<a href="https://thehill.com/policy/cybersecurity/537436-biden-says-administration-launching-urgent-initiative-to-improve-nations">not hesitate to raise the cost on Russia</a>.” The U.S. government had not previously issued indictments or imposed sanctions for <a href="https://www.wsj.com/articles/massive-hack-blamed-on-russia-tests-limits-of-u-s-response-11608309198">cyber espionage</a>, in part out of concerns that they could result in reciprocal actions by Moscow against NSA and CIA hackers. Nevertheless, the U.S. Treasury Department <a href="https://home.treasury.gov/news/press-releases/jy0127">issued sanctions</a> against the Russian Foreign Intelligence Service, the SVR, on April 15, 2021. </p>
<p>Biden also signed an <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">executive order</a> to modernize federal government cybersecurity. He directed agencies to deploy systems that detect cyber incursions, like the one that spotted <a href="https://www.paloaltonetworks.com/blog/2020/12/solarwinds-statement-solarstorm/">SolarWinds activity at Palo Alto Networks</a>. In parallel, his security agencies <a href="https://www.cisa.gov/uscert/ncas/analysis-reports/ar21-189a">published tools and techniques</a> used by the SVR and ransomware gangs to help organizations defend against them. </p>
<p>Economic sanctions and technical barriers, however, did not slow SVR efforts to gather intelligence on U.S. foreign policy. In May 2021, Microsoft revealed that hackers associated with Russia <a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium">exploited the mass-mailing service Constant Contact</a>. By masquerading as the U.S. Agency for International Development, they sent <a href="https://www.cnn.com/2021/05/28/tech/microsoft-solarwinds-russia-hack-intl-hnk/index.html">authentic-looking emails</a> with links to more than 150 organizations, which, when clicked, inserted a malicious file that allowed computer access. </p>
<h2>Ransomware attacks</h2>
<p>Also in May, the shutdown of the Colonial Pipeline by a ransomware attack by the Russian cyber gang <a href="https://www.washingtonexaminer.com/news/darkside-the-hacking-group-behind-the-colonial-pipeline-hack">DarkSide</a> halted the flow of <a href="https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonial-pipeline.html">nearly half the gas and jet fuel</a> to the Eastern Seaboard. <a href="https://www.dw.com/en/us-states-declare-emergency-over-gas-shortage-fears-following-cyberattack/a-57501414">Panicked drivers</a> rushed to fill up tanks while <a href="https://www.wsj.com/articles/u-s-gas-prices-hit-3-a-gallon-as-shortage-sets-in-amid-colonial-pipeline-shutdown-11620832180">prices soared</a>. A month later, consumers scrambled to find <a href="https://www.wsj.com/articles/meatpacker-jbs-hit-by-cyberattack-affecting-north-american-australian-operations-11622548864">meat alternatives</a> after <a href="https://www.foxbusiness.com/markets/fbi-russia-linked-revil-responsible-jbs-cyberattack">REvil infected beef and pork processor JBS USA</a> with ransomware. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/Xes6ZgV1Iww?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Ransomware attacks explained.</span></figcaption>
</figure>
<p>Biden said Russia has “<a href="https://www.nbcnews.com/politics/white-house/biden-says-no-evidence-russian-government-was-involved-pipeline-hack-n1266866">some responsibility</a> to deal with this.” At a summit in Geneva in June, he handed Putin a list of <a href="https://www.nytimes.com/2021/07/07/us/politics/biden-ransomware-russia.html">off-limits critical infrastructure</a> that would merit a U.S. response if attacked. It is likely that Russian intelligence services and law enforcement have a <a href="https://www.recordedfuture.com/russian-state-connections-criminal-actors/">tacit understanding</a> with cybercriminals and can shut down their resources. </p>
<p>Though not counting on Putin to exert influence, the White House formed a <a href="https://www.politico.com/news/2021/07/14/white-house-ransomware-task-force-499723">ransomware task force</a> to go on the offense against the gangs. The first step was using a counterterrorism program to <a href="https://www.darkreading.com/attacks-breaches/state-dept-to-pay-up-to-$10m-for-information-on-foreign-cyberattacks/d/d-id/1341540">offer rewards</a> of up to US$10 million for information on hackers behind state-sanctioned breaches of critical infrastructure. </p>
<p>In close collaboration with international partners, the Justice Department announced <a href="https://www.wsj.com/articles/hackers-linked-to-ransomware-attacks-on-jbs-kaseya-arrested-in-romania-11636390527">the arrest</a> of a Ukrainian national in Poland, charged with the REvil ransomware attack against <a href="https://www.toolbox.com/it-security/threat-reports/news/is-revils-latest-exploit-against-kaseya-one-of-the-biggest-ransomware-attacks-ever/">Kaseya</a>, an information technology software supplier. The Justice Department also <a href="https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya">seized $6.1 million</a> in cryptocurrency from another REvil operator. Romanian authorities arrested two others involved in REvil attacks. </p>
<p>U.S. law enforcement seized $2.3 million <a href="https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside">paid in ransom</a> to DarkSide by Colonial Pipeline by using a private key to unlock bitcoin. And the Treasury Department <a href="https://home.treasury.gov/news/press-releases/jy0364">disrupted the virtual currency exchanges SUEX</a> <a href="https://home.treasury.gov/news/press-releases/jy0471">and Chatex</a> for laundering the proceeds of ransomware. Treasury Department sanctions blocked all of their property in the U.S. and prohibited U.S. citizens from conducting transactions with them.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="a man with salt-and-pepper hair wearing a dark blue military uniform" src="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/441778/original/file-20220120-9603-3wm8hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Gen. Paul Nakasone, Director of the National Security Agency, testifying before the House Intelligence Committee on April 15, 2021.</span>
<span class="attribution"><a class="source" href="https://newsroom.ap.org/detail/CongressWorldwideThreats/5c00ae96a70e486095feb844a4b10ec1/photo">Al Drago/Pool via AP</a></span>
</figcaption>
</figure>
<p>Additionally, the top U.S. cyberwarrior, Gen. Paul Nakasone, acknowledged for the first time in public that the U.S. military had taken <a href="https://www.cnet.com/tech/services-and-software/us-military-has-reportedly-acted-against-ransomware-groups/">offensive action</a> against ransomware groups. In October, U.S. Cyber Command <a href="https://www.washingtonpost.com/national-security/cyber-command-revil-ransomware/2021/11/03/528e03e6-3517-11ec-9bc4-86107e7b0ab1_story.html">blocked the REvil website</a> by redirecting traffic, which prevented the group from extorting victims. After REvil realized its server was compromised, it <a href="https://www.toolbox.com/it-security/cyber-risk-management/news/revil-ransomware-taken-down-again/">ceased operations</a>. </p>
<h2>Limits of US responses</h2>
<p>Russia <a href="https://www.wsj.com/articles/how-russias-info-warrior-hackers-let-kremlin-play-geopolitics-on-the-cheap-11609592401">conducts or condones cyberattacks</a> by state and criminal groups that take advantage of gaps in international law and avoid crossing national security lines. In October, the SVR stepped up attempts to <a href="https://www.wsj.com/articles/microsoft-solarwinds-hackers-continue-to-hit-technology-companies-11635145200">break into technology companies</a> to steal sensitive information. U.S. officials considered the operation to be <a href="https://www.nytimes.com/2021/10/25/us/politics/russia-cybersurveillance-biden.html">routine spying</a>. The reality that international law does not prohibit espionage per se prevents U.S. responses that could serve as strong deterrents. </p>
<p>Similarly, after cyber gang BlackMatter <a href="https://abcnews.go.com/Technology/wireStory/iowa-farm-cooperative-hit-ransomware-systems-offline-80136119">carried out a ransomware attack</a> on an Iowa farm cooperative in September, the gang <a href="https://arstechnica.com/information-technology/2021/09/5-9-million-ransomware-attack-on-farming-co-op-may-cause-food-shortage/">claimed that the cooperative did not count</a> as critical infrastructure. The gang’s claim refers to cyberattack targets that would prompt a national response from the U.S. government.</p>
<p>Despite this ambiguity, the administration has unleashed the military to frustrate the efforts of ransomware groups, while law enforcement agencies have gone after their leaders and their money, and organizations in the U.S. have shored up their information systems defenses.</p>
<p>Though government-controlled hackers might persist, and criminal groups might disappear, rebuild and rebrand, in my view the high costs imposed by the Biden administration could hinder their success. Nevertheless, it’s important to bear in mind that <a href="https://theconversation.com/the-colonial-pipeline-ransomware-attack-and-the-solarwinds-hack-were-all-but-inevitable-why-national-cyber-defense-is-a-wicked-problem-160661">national cyber defense is an extremely challenging problem</a> and it’s unlikely that the U.S. will be able to eliminate the threat.</p>
<p class="fine-print"><em><span>Scott Jasper does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>The US has made a dent in Russian cyber criminal gangs. But tensions with Russia and the shadowy nature of hacking keep the threat level high.Scott Jasper, Senior Lecturer in National Security Affairs, Naval Postgraduate SchoolLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1701912021-10-24T12:25:34Z2021-10-24T12:25:34ZCyberattacks to critical infrastructure threaten our safety and well-being<figure><img src="https://images.theconversation.com/files/427826/original/file-20211021-15-y4vdon.jpg?ixlib=rb-1.1.0&rect=30%2C10%2C6679%2C3983&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Our critical infrastructures are growing increasingly complex as the number of devices and connections in these systems continues to grow.</span> <span class="attribution"><span class="source">(Shutterstock)</span></span></figcaption></figure>
<p>What would happen if you could no longer use the technological systems that you rely on every day? I’m not talking about your smart phone or laptop computer, but all those systems many of us often take for granted and don’t think about. </p>
<p>What if you could not turn on the lights or power your refrigerator? What if you could not get through to emergency services when you dial 911? What if you could not access your bank account, get safe drinking water or even flush your toilet? </p>
<p>According to Canada’s <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">National Strategy for Critical Infrastructure</a>, critical infrastructure refers to the processes, systems, facilities, technologies, networks, assets and services essential to the health, safety, security or economic well-being of the public and the effective functioning of government.</p>
<p>Disruptions to these kinds of systems, especially those caused by cyberattacks, can have devastating consequences. That’s why these systems are called critical infrastructure.</p>
<h2>A string of attacks</h2>
<p>Over the past six months, the fragility of critical infrastructure has been given plenty of attention. This has been driven by a string of notable cyberattacks on several critical infrastructure sectors.</p>
<p>It was revealed that in late March 2021, CNA Financial Corp., one of the largest insurance companies in the United States, was the <a href="https://www.insurancebusinessmag.com/ca/news/cyber/cna-concludes-investigation-into-cyberattack-260688.aspx">victim of a ransomware attack</a>. As a result, the company faced disruptions of its systems and networks.</p>
<p>In May 2021, <a href="https://www.bbc.com/news/business-57050690">a ransomware attack on Colonial Pipeline halted plant operations for six days</a>. The attack led to a fuel crisis and increased prices in the eastern U.S.</p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/3YrerKldYPM?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">MSNBC looks at the cybersecurity concerns raised by the attack on Colonial Pipeline.</span></figcaption>
</figure>
<p>Weeks later, in June 2021, a <a href="https://www.vox.com/recode/2021/6/1/22463179/jbs-foods-ransomware-attack-meat-hackers">ransomware attack hit JBS USA Holdings, Inc.</a>, one of the world’s largest meat producers. This attack brought about supply chain turmoil in Canada, the U.S. and Australia.</p>
<p>Also in June 2021, the <a href="https://www.cnn.com/2021/06/02/business/steamship-authority-ransomware-attack/index.html">Martha’s Vineyard and Nantucket Steamship Authority was the victim of a ransomware attack</a> that disrupted ferry services and caused service delays.</p>
<h2>Fragile infrastructures</h2>
<p>On Oct. 14, 2021, hot on the heels of cyberattacks targeting the financial, gas, food and transportation sectors, the U.S. Cybersecurity and Infrastructure Security Agency <a href="https://us-cert.cisa.gov/ncas/alerts/aa21-287a">released Alert AA21-287</a>.</p>
<p>The alert turns attention to the fragility of yet another critical infrastructure sector. It warns of “ongoing malicious cyberactivity” targeting water and wastewater facilities. These activities include exploits of internet-connected services and outdated operating systems and software, as well as <a href="https://cyber.gc.ca/en/glossary">spear phishing and ransomware attacks</a> – something we have seen a lot in recent cyberattacks.</p>
<p>According to the alert, these cyberthreats could impact the ability of water and wastewater facilities to “provide clean, potable water to, and effectively manage the wastewater of, their communities.”</p>
<h2>Vulnerability factors</h2>
<p>The need for combating cyberthreats to critical infrastructure is well recognized. However, the infrastructure today is far from secure. This is due to many interrelated factors that create a perfect storm of exposures.</p>
<p>First, many of our most critical systems are extremely complex. This complexity is rapidly increasing as the number of devices and connections in these systems continues to grow.</p>
<p>Second, many of these systems involve a mix of insecure, outdated legacy systems and new technologies. These new technologies promise features like advanced analytics and automation. However, they are sometimes connected and used in insecure ways that the original designers of the legacy systems could not have imagined.</p>
<p>Taken together, these factors mean that these systems are too complex to be completely understood by a person, a team of people or even a computer model. This makes it very difficult to identify weak spots that if exploited — accidentally or intentionally — could lead to system failures.</p>
<h2>Analyzing real-world complexities</h2>
<p>In the <a href="https://carleton.ca/cybersea/">Cyber Security Evaluation and Assurance (CyberSEA) Research Lab</a> at Carleton University, we are developing solutions to address the fragility of critical infrastructure. The goal is to improve security and resilience of these important systems.</p>
<p>The complexities of critical infrastructure can lead to unexpected or unplanned interactions among system components, known as <a href="https://doi.org/10.1109/TR.2017.2665164">implicit interactions</a>.</p>
<p>Exploitation of implicit interactions has the potential to impact the safety, security and reliability of a system and its operations. For example, implicit interactions can enable system components to interact in unintended — and often undesirable — ways. This leads to unpredictable system behaviours that can allow attackers to damage or disrupt the system and its operations.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="A diagram of a complex system with many nodes" src="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=338&fit=crop&dpr=1 600w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=338&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=338&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=424&fit=crop&dpr=1 754w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=424&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/427833/original/file-20211021-27-13go718.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=424&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Infrastructure systems become increasingly complex as new connections and devices are added to critical infrastructure with updates in technologies.</span>
<span class="attribution"><span class="source">(Shutterstock)</span></span>
</figcaption>
</figure>
<p>We recently conducted a cybersecurity analysis at CyberSEA on a real-world municipal wastewater treatment system, where we identified and measured characteristics of implicit interactions in the system. This was part of our <a href="https://ciri.illinois.edu/events/implicit-interactions-case-study">ongoing research</a>, conducted in partnership with the <a href="https://ciri.illinois.edu/">Critical Infrastructure Resilience Institute</a> at the University of Illinois at Urbana-Champaign.</p>
<p>Our analysis found a significant proportion of implicit interactions present in the system, and <a href="https://doi.org/10.1007/978-3-030-64330-0_3">approximately 28 per cent of these identified vulnerabilities showed signs of being ripe for attackers to exploit and cause damage or disruption in the system</a>.</p>
<h2>A glimmer of hope</h2>
<p>Our study showed that implicit interactions exist in real-world critical infrastructure systems. Feedback from the operators of the wastewater system in our case study stated that <a href="https://ciri.illinois.edu/newsNew-CIRI-tool-helps-critical-infrastructure-operators-identify-risks-from-implicit-interactions">our approaches and tools are useful for identifying potential security issues and informing mitigation efforts when designing critical systems</a>.</p>
<p>This may be a glimmer of hope in the fight against cyberthreats to critical infrastructure. Continued development of rigorous and practical approaches to address increasingly critical issues in designing, implementing, evaluating and assuring the safe, secure and reliable operation of these systems is needed. </p>
<p>A more robust infrastructure will lead to fewer threats to our security and access to services, ensuring our well-being and the effective functioning of our governments and society.</p>
<p class="fine-print"><em><span>Jason Jaskolka receives funding from the U.S. Department of Homeland Security Grant 2015-ST-061-CIRC01 and the Natural Sciences and Engineering Research Council of Canada (NSERC) grant RGPIN-2019-06306.</span></em></p>An increasing number of cyberattacks threaten critical infrastructures. These attacks exploit weaknesses in outdated and insecure systems.Jason Jaskolka, Assistant Professor, Systems and Computer Engineering, Carleton UniversityLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/1609912021-05-27T20:03:36Z2021-05-27T20:03:36ZCyber attacks can shut down critical infrastructure. It’s time to make cyber security compulsory<figure><img src="https://images.theconversation.com/files/403048/original/file-20210527-13-beo3at.jpg?ixlib=rb-1.1.0&rect=17%2C0%2C2977%2C2016&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">Maksim Shmeljov / Shutterstock</span></span></figcaption></figure><p>On May 7, a pipeline system carrying almost half the fuel used on the east coast of the United States was <a href="https://www.politico.com/news/2021/05/08/colonial-pipeline-cyber-attack-485984">crippled by a major cyber attack</a>. The five-day shutdown of the Colonial Pipeline resulted in widespread fuel shortages and panic-buying as Virginia, North Carolina and Florida declared a state of emergency. </p>
<p>The attack highlights how vulnerable critical infrastructure such as fuel pipelines are in an era of growing cyber security threats. In Australia, we believe the time has come to make it compulsory for critical infrastructure companies to implement serious cyber security measures.</p>
<h2>Collateral damage</h2>
<p>The risk of cyber attacks on critical infrastructure is not new. In the wake of the events of September 11, 2001, <a href="https://doi.org/10.1016/j.intman.2005.09.008">research</a> demonstrated the need to address global security risks as we analysed issues of vulnerability and critical infrastructure protection. We also proposed systems to ensure security in critical supply chain infrastructure such as seaports and practices including container shipping management.</p>
<p>The rise of “ransomware” attacks, in which attackers seize important data from an organisation’s systems and demand a ransom for its return, has heightened the risk. These attacks may have unintended consequences.</p>
<p>Evidence suggests the Colonial shutdown was the <a href="https://www.bnnbloomberg.ca/colonial-pipeline-paid-hackers-nearly-us-5m-in-ransom-1.1603285">result</a> of such an attack, targeting its data. It appears the company <a href="https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/">shut down</a> the pipeline network and some other operations to prevent the malicious software from spreading. This resulted in a cascade of unintended society-wide effects and collateral damage. </p>
<p>Indeed, the attackers may have been surprised by the extent of the damage they caused, and now appear to <a href="https://www.securityweek.com/darkside-ransomware-shutdown-exit-scam-or-running-hills">have shut down their own operations</a>.</p>
<p>We have seen how critical supply chain infrastructure can be severely disrupted as collateral damage. We must consider how severe the fallout might be from a direct attack. </p>
<p>The events in the US also raise another important question: how vulnerable is our critical supply chain infrastructure in Australia?</p>
<h2>Critical infrastructure is an attractive target</h2>
<p>Australian society is dependent on many international and domestic supply chains. These are underpinned by critical supply chain infrastructure that is often managed by advanced and interlinked information and communication systems. This makes them attractive targets for cyber attackers. </p>
<p>Cyber risk frameworks are often derived from traditional risk management approaches, addressing issues of a potential cyber attack <a href="https://www.sciencedirect.com/science/article/pii/S0166497214000194">as</a> <a href="https://www.cyber.gov.au/acsc/view-all-content/guidance/applying-risk-based-approach-cyber-security">routine</a> <a href="https://www.sciencedirect.com/science/article/pii/S2405896315005947">conventional</a> <a href="https://www.sciencedirect.com/science/article/pii/S0166497214000194#bib35">risk</a>. These risk management approaches weigh up the costs of preventing a cyber attack against the costs and probability of a breach. </p>
<p>In some industries, this assessment will factor in the cost of a lost customer base who may never return. However, providers of critical services such as transportation, medical care, electricity, water, and food see little risk of losing customers. </p>
<p>After the Colonial incident, customers trooped back to petrol stations as soon as they could and went on buying fuel. Thus, critical industries may perceive less cost from a breach than companies in other industries because their customers will return.</p>
<h2>Time for compliance</h2>
<p>Australia’s national efforts in cyber security are coordinated by the <a href="https://www.cyber.gov.au">Australian Cyber Security Centre</a> (ACSC) under the auspices of the Australian Signals Directorate. The ACSC works with public and private sector organisations to share information about threats and guidance on best practices for security. </p>
<p>ACSC documents such as the <a href="https://www.cyber.gov.au/acsc/view-all-content/essential-eight">Essential Eight</a> provide guidance for organisations on baseline security measures. These are supplemented by more comprehensive resources including the <a href="https://www.cyber.gov.au/acsc/view-all-content/ism">Australian Government Information Security Manual</a>. </p>
<p>However, our research has shown the best practices are not universally followed, even by the Australian government’s <a href="https://nikthompson.com/PDF/Thompson-Bunn-2020.pdf">own websites</a>. </p>
<p>Lack of knowledge is not the problem. Security best practices are generally well understood and documented by the ACSC. The ACSC also provides specific guidance for critical sectors and industries, such as a <a href="https://aemo.com.au/en/initiatives/major-programs/cyber-security/aescsf-framework-and-resource">security framework developed for the energy sector</a>. </p>
<p>The challenge here is that these are guidelines only. Companies can choose whether to follow them or not.</p>
<p>What Australia needs is a cyber security compliance program. This would mean making it compulsory for companies that manage critical infrastructure such as ports or pipelines to follow some kind of rules.</p>
<p>A first step might be to demand these companies comply with the existing guidelines, and require certification of a baseline of cyber security. </p>
<h2>Lessons from the United States</h2>
<p>The US government responded to the Colonial cyber attack with an <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/">executive order</a> to improve cyber security and federal government networks. The order proposes a raft of measures to modernise standards and improve information sharing and reporting requirements. These are valuable measures, many of which are already within the scope of the existing duties of Australia’s ACSC. </p>
<p>Another measure in the US order is the establishment of an independent Cyber Safety Review Board. Australia could likewise establish a partnership between government and industry to oversee cyber security. A similar body already regulates aviation: the <a href="https://www.casa.gov.au/about-us">Civil Aviation Safety Authority</a>. </p>
<p>Such an organisation would provide robust analysis and reporting of cyber incidents. It would also share information with information technology managers, software and hardware developers, public administrators, crisis managers, and others. </p>
<p>Cyber security threats create high levels of uncertainty for the public and private sector. Attacks that disrupt critical supply chain infrastructure have widespread impacts on society and trade. </p>
<p>A cyber security compliance program may be financially costly, but would be a worthwhile investment given the societal impact of a successful cyber attack.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Cybersecurity for pipelines and ports is too important to leave unregulated.</p>
<p>Richard Oloruntoba, Associate Professor of Supply Chain Management & Supply Chain Management Lead, Curtin University</p>
<p>Nik Thompson, Associate Professor of Information Systems, Curtin University</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>2020-06-04T16:21:19Z</p>
<h1>Cybercriminals are now targeting critical electricity infrastructure</h1>
<figure><img src="https://images.theconversation.com/files/339803/original/file-20200604-67347-3n60j1.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><span class="source">cwales / shutterstock</span></span></figcaption></figure><p>Amid the constant stream of news on the coronavirus pandemic, one event passed relatively unnoticed. On the afternoon of May 14, a company named Elexon was <a href="https://www.elexon.co.uk/article/update-on-14-may-cyber-attack/">hacked</a>. You probably haven’t heard of it, but Elexon plays a key role in the UK’s electricity market, and though the attack did not affect the electricity supply itself, as an academic who researches <a href="https://www.researchgate.net/profile/Henri_Van_Soest">cybersecurity in the electricity system</a>, I am worried. This near miss reveals just how vulnerable our critical infrastructure is to such attacks – especially during a pandemic.</p>
<p>Elexon plays an important role in the operation of the country’s electricity system. In such a system, the levels of supply and demand need to be balanced at all times. Otherwise, the system becomes unstable, which can lead to blackouts. To avoid this, Elexon compares the amount of electricity that generators promise they will produce, with the amount of electricity that suppliers say will be consumed. Where needed, the company determines the difference in price and transfers funds between the parties on either side of the transaction.</p>
<p>The lockdown has made Elexon’s role significantly more difficult. Usually, electricity demand is pretty fixed, as people broadly go to work, return home, cook dinner and watch TV at roughly the same hour every day. However, the lockdown has <a href="https://theconversation.com/we-analysed-electricity-demand-and-found-coronavirus-has-turned-weekdays-into-weekends-134606">ripped up the rule book</a> on all this. Despite many people staying at home, electricity demand has also dropped by about 20% compared to this time last year due to the closure of factories and businesses. In sum, it is a lot harder to correctly predict demand. </p>
<p>The drop in demand also means that less electricity is needed. Because wind and solar power are now the cheapest forms of electricity available, coal and gas plants <a href="https://news.sky.com/story/coronavirus-renewable-energy-overtakes-fossil-fuels-in-powering-britain-11991953">are generating</a> less, and there has lately been a big increase in renewable energy sources in the overall mix. However, wind and solar power experience large swings in supply, depending on whether the sun shines and the wind blows. This again makes supply and demand more complicated to manage. </p>
<h2>Held to ransom</h2>
<p>The Elexon attack used ransomware, in which a computer virus encrypts the contents of a computer, which can only be decrypted after a ransom has been paid, typically in bitcoin or another cryptocurrency. The most famous ransomware attack is no doubt the 2017 WannaCry attack, which particularly affected the UK’s <a href="https://www.digitalhealth.net/2018/10/dhsc-puts-cost-wannacry-nhs-92m/">National Health Service</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/339826/original/file-20200604-31187-1ptxr2i.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Nightmare.</span>
<span class="attribution"><span class="source">Andrey_Popov / shutterstock</span></span>
</figcaption>
</figure>
<p>Several reports indicate that the Elexon attack relied on <a href="https://www.cbronline.com/news/elexon-hack-ransomware-revil">REvil/Sodinokibi ransomware</a>, the same as was used in a cyberattack on financial company <a href="https://www.bbc.co.uk/news/business-51017852">Travelex</a> on New Year’s Eve 2019. The Travelex hack was traced back to a Russian hacking collective, and although it is notoriously difficult to attribute cyberattacks with certainty, it is likely that Elexon fell victim to the same hackers. On June 1, the hackers <a href="https://www.cbronline.com/news/elexon-hack-ransomware-revil">posted some</a> of the stolen Elexon data online, in an attempt to pressure the company to pay the ransom. </p>
<h2>A cybercrime pandemic</h2>
<p>The attack on Elexon does not stand alone. As countries around the world have locked down, cybercriminals have launched attacks on a wide range of targets, mostly using ransomware. The lockdown-induced rise in home-working has been a <a href="https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown">big enabling factor</a>, as lots of professional communication now takes place over the general internet, which is a lot more insecure than using a local company network with a firewall around it.</p>
<p>Critical infrastructures have been hit particularly hard. In recent months, cyberattacks have been launched on <a href="https://www.forbes.com/sites/daveywinder/2020/04/08/cyber-attacks-against-hospitals-fighting-covid-19-confirmed-interpol-issues-purple-alert/#58a8545d58bc">hospitals</a>, <a href="https://www.bbc.com/news/world-us-canada-52656656">coronavirus research facilities</a>, <a href="https://www.nytimes.com/2020/05/19/world/middleeast/israel-iran-cyberattacks.html">ports</a>, <a href="https://www.dw.com/en/israel-thwarted-attack-on-water-systems-cyber-chief/a-53596796">water supply infrastructure</a>, and the Brussels-based ENTSO-E, the <a href="https://www.entsoe.eu/news/2020/03/09/entso-e-has-recently-found-evidence-of-a-successful-cyber-intrusion-into-its-office-network/">European Network of Transmission System Operators for Electricity</a>.</p>
<p>This sort of infrastructure is in the crosshairs for two main reasons. First, cybercriminals bet that operators will be less hesitant to pay ransom than other targets, because the continued operation of electricity, water, hospitals and so on is so important. </p>
<p>But it’s also because their computer systems are often outdated. While it may seem paradoxical, the reason for this is the fact that critical infrastructures should always be available. When a system works fine, there is little incentive to change it, especially when changes to computer systems can easily lead to incompatibilities, errors or crashes. For instance, three years after the WannaCry attack, the NHS is once again exposed to an attack because many of its computers are still running on Windows 7, <a href="https://www.zdnet.com/article/one-in-three-nhs-computers-is-still-running-outdated-windows-7-software/">which is no longer supported</a>. </p>
<p>Ransomware attacks are typically not very complicated. They make use of known software vulnerabilities that have already been patched, and the criminals specifically target those computers that have not been updated. These inherent vulnerabilities, combined with the lockdown-induced difficulties in balancing the electricity grid, mean that a more sophisticated cyberattack on Elexon could have had big consequences for the UK electricity system. </p>
<p>As it happens, the attack only affected Elexon’s internal IT systems, and the rest of the electricity system, <a href="https://twitter.com/ng_eso/status/1260996779677569024">as well as the electricity supply itself</a>, was not affected. But this should force us to think about how vulnerable our critical infrastructure is to cyberattacks. </p>
<p>What would have happened if the attack had indeed affected the electricity supply? It would have seriously hindered the UK’s response to the pandemic, and it is possible that we would have struggled to get the power back up, as all resources are currently going into fighting the virus. In addition, it is unlikely that a lockdown without electricity and internet could be maintained for long. The fact that cybercriminals know this only makes our critical infrastructures more appealing targets.</p>
<p class="fine-print"><em><span>Henri van Soest does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>A recent ransomware attack on the UK electricity system shows this pandemic is also about computer viruses.</p>
<p>Henri van Soest, PhD Candidate in Land Economy, University of Cambridge</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>2020-03-08T12:52:36Z</p>
<h1>Coronavirus, rail blockades: Crisis management plans protect companies</h1>
<figure><img src="https://images.theconversation.com/files/318466/original/file-20200303-66069-111qu4b.jpg?ixlib=rb-1.1.0&rect=0%2C0%2C5000%2C3248&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">A woman works at a textile factory in Hangzhou in February 2020. The disruption of Chinese manufacturing in the midst of the coronavirus is causing global supply chain issues.</span> <span class="attribution"><span class="source">(Chinatopix via AP)</span></span></figcaption></figure>
<p><a href="https://www.who.int/emergencies/diseases/novel-coronavirus-2019/events-as-they-happen">The outbreak of the COVID-19 virus in China</a> and <a href="https://www.bbc.com/news/world-us-canada-51550821">the railway disruptions across Canada</a> represent two different yet similar classic case studies. </p>
<p>They remind us that nations and global economies are becoming increasingly interconnected. Incidents thousands of kilometres away are being felt locally.</p>
<p>This is a result of the increasing importance of critical infrastructure. To mitigate negative consequences like lost revenue, lost customers and reputational damage, organizations must have well-structured and defined contingency plans in place to meet operational objectives.</p>
<p>What’s known as critical infrastructure (CI) has many different definitions within academic literature and among different governments worldwide. But essentially, CI can be defined as infrastructure so vital that its incapacity or destruction would have <a href="http://doi.org/10.1002/0471789542">a debilitating impact on the economy and/or the defence of the country, and therefore becomes a national security issue</a>. </p>
<p>The Canadian government has <a href="https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/index-en.aspx">defined 10 sectors deemed critical</a> to its national security. They include transportation, health, manufacturing and government, just to name a few. </p>
<h2>Infrastructure linked</h2>
<p>Prior to <a href="https://theconversation.com/world-politics-explainer-the-twin-tower-bombings-9-11-101443">the events of 9/11</a>, many of those CI sectors <a href="https://www.crcpress.com/Critical-Infrastructure-Homeland-Security-and-Emergency-Preparedness/Radvanovsky-McDougall/p/book/9781138057791">were physically and logically separated with little interdependence</a>. However, advances in information technology and the requirement to improve efficiencies have resulted in infrastructures becoming more automated and interlinked. </p>
<p>But this has resulted in increased <a href="https://www.cisa.gov/sites/default/files/publications/Guide-Critical-Infrastructure-Security-Resilience-110819-508v2.pdf">interdependencies between infrastructure elements and sectors, and created new systemic vulnerabilities</a> that can have catastrophic cascading effects. </p>
<p>For example, the unavailability of parts of the railway system (transportation CI) due to the blockades translates into serious disruption of the supply chain system that other CIs rely upon. <a href="https://www.retailcouncil.org/advocacy/operations/joint-statement-of-concern-by-retailers-and-manufacturers-on-the-impact-of-rail-blockades/">Perishable food on trains can’t reach retailers and consumers</a> (food CI) and <a href="https://montrealgazette.com/news/local-news/railway-blockades-desperate-quebec-businesses-lay-off-workers-turn-to-trucking">steel needed to create goods cannot be delivered to businesses</a> (manufacturing CI). </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/318468/original/file-20200303-66089-11h49i7.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Cargo containers sit on idle train cars at port in Vancouver in February 2020. Rail blockades across the country have led to an increase in the number of cargo ships waiting to load or unload.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Darryl Dyck</span></span>
</figcaption>
</figure>
<p>The <a href="https://www.ble-t.org/pr/news/headline.asp?id=9574">domino-like effect</a> can occur when salt travelling on trains cannot reach chemical companies (manufacturing CI) that are then unable to make hydrochloric acid intended for sale to the food industry (food CI). </p>
<h2>Overwhelming public health agencies</h2>
<p>As for the COVID-19 virus, it is overtaxing and <a href="https://time.com/5788495/china-hospital-shortage/">overwhelming hospitals in China</a> and the <a href="https://www.theguardian.com/world/2020/feb/28/australian-doctors-warn-of-overwhelmed-public-health-system-in-event-of-coronavirus-pandemic">public health systems in other countries</a> (health CI). </p>
<p>Many Chinese manufacturers (manufacturing CI) <a href="https://fortune.com/2020/02/19/coronavirus-china-workers-businesses-pay-wages/">have slowed or even stopped production</a> as they encourage workers to stay home. Since Chinese goods <a href="https://fortune.com/2020/02/21/fortune-1000-coronavirus-china-supply-chain-impact/">form a large portion of the global supply chain for companies in the West</a>, it means the delayed delivery of essential products to the Western market. </p>
<p>To compound the problem further, there are few aviation delivery options because most major airlines (transportation CI) <a href="https://www.businessinsider.com/airlines-canceling-changing-flights-to-china-amid-coronavirus-fears-2020-1">have cancelled flights to mainland China</a>.</p>
<p>For some medium-sized businesses in Canada, the simultaneous occurrences of both the COVID-19 virus and the railway disruptions serve as <a href="https://www.thestar.com/business/2020/02/24/almost-a-quarter-of-small-businesses-have-been-hurt-by-the-rail-blockades-including-one-that-ironically-sells-model-trains.html">a “double whammy” that negatively affects operations</a>. </p>
<p>So what’s the solution? How can organizations remain resilient and continue to meet their business objectives in such an unpredictable and highly interdependent environment?</p>
<h2>Protecting critical infrastructure</h2>
<p>One solution is to protect the different sectors of infrastructure <a href="https://www.oecd.org/publications/towards-an-all-hazards-approach-to-emergency-preparedness-and-response-9789264289031-en.htm">from experiencing major disruption from all types of hazards</a>. <a href="https://doi.org/10.2202/1547-7355.1860">Critical infrastructure protection (CIP)</a> programs involve various levels of government working together with large private sector partners to share vital intelligence, information and resources to protect the economy and the national interest.</p>
<p>Post-9/11, governments have had to heavily partner with the private sector on CIP initiatives. This is because <a href="https://www.forbes.com/sites/cognitiveworld/2019/05/06/public-private-partnerships-and-the-cybersecurity-challenge-of-protecting-critical-infrastructure/#7c340a685a57">around 85 per cent of critical infrastructure assets are owned and operated by private organizations</a>.</p>
<p>A recent example of CIP was demonstrated when the <a href="https://www.cbc.ca/news/politics/cp-cn-arrangement-blockade-1.5474684">Canadian government secretly worked with both CN & CP Rail</a> to quietly move vital goods by collaborating to share railway lines.</p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/318480/original/file-20200304-66106-b6xc6e.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Ontario Provincial Police officers speak with protesters on the closed train tracks at a rail blockade in Tyendinaga Mohawk Territory, near Belleville, Ont., in February 2020.</span>
<span class="attribution"><span class="source">THE CANADIAN PRESS/Lars Hagberg</span></span>
</figcaption>
</figure>
<p>The second solution is critical for small- and medium-sized businesses that don’t have immediate access to government resources and cannot rely on quick intervention like CP and CN Rail. </p>
<p>They must proactively control their own destiny by having up-to-date business continuity and crisis management plans in order to minimize the impacts of CI disruptions to their operations. </p>
<h2>Same goods, different country</h2>
<p>Business continuity plans are essentially operational contingency strategies that <a href="https://www.gov.mb.ca/emo/pdfs/bcont_e.pdf">ensure the continuous delivery of critical services and products</a> for the organization. </p>
<p>For example, a Canadian business normally relying on imported goods from China may have pre-established agreements to obtain the same goods from another country during the COVID-19 outbreak, or even have mutual-aid agreements with competitors for assistance. </p>
<p><a href="https://doi.org/10.1016/j.ssci.2014.04.017">Conducting business impact analyses</a> internally will identify essential services or functions within the organization that require plans for continued delivery during operational disruptions.</p>
<p>Crisis management plans are meant to guide management’s response to dealing with the crisis itself until things get back to normal. Much of the crisis management process <a href="https://hbswk.hbs.edu/item/your-crisis-response-plan-the-ten-effective-elements">involves defining the decision-making structure</a> of an organization, and the <a href="https://theconversation.com/crisis-communication-saving-time-and-lives-in-disasters-through-smarter-social-media-50403">communications between decision-makers and relevant stakeholders</a>. </p>
<p>Crisis management and business continuity plans are powerful tools for organizations <a href="https://doi.org/10.1016/j.techfore.2015.11.005">to remain resilient during operations when unforeseen circumstances disrupt the availability of critical infrastructure</a>.</p>
<p class="fine-print"><em><span>Sean Spence does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
<p>Crisis management and business continuity plans are powerful tools for companies to remain resilient and operational when unforeseen circumstances disrupt the availability of critical infrastructure.</p>
<p>Sean Spence, Doctorate Student - Security Risk Management, University of Portsmouth</p>
<p>Licensed as Creative Commons – attribution, no derivatives.</p>
<p>2020-01-13T11:48:09Z</p>
<h1>Cyberspace is the next front in Iran-US conflict – and private companies may bear the brunt</h1>
<figure><img src="https://images.theconversation.com/files/309559/original/file-20200112-103959-1w0dwab.jpg?ixlib=rb-1.1.0&rect=415%2C67%2C2080%2C1519&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">In the wake of U.S. killings, Iran's supreme leader vowed 'harsh revenge' – which could come in the form of cyber attacks.</span> <span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Iran-Soleimani/e2f14b805bf6438c969cc4aa8f374368/2/0">Office of the Iranian Supreme Leader via AP</a></span></figcaption></figure>
<p>Iran and other nations have waged a stealth cyberwar against the United States for at least the past decade, largely targeting not the government itself but, rather, critical infrastructure companies. This threat to the private sector will get much worse before it gets better and businesses need to be prepared to deal with it.</p>
<p>As in the days of <a href="https://www.crn.com/news/security/expert-rogue-states-haven-t-been-this-aggressive-since-pirates-roamed-the-seas">pirates and privateers</a>, much of our nation’s critical infrastructure is controlled by private companies, and enemy nations and their proxies are targeting them aggressively.</p>
<p>The U.S.-Iran cyberconflict has simmered for years, but the current crisis boiled over with <a href="https://www.state.gov/on-attacks-by-irans-proxies-in-iraq/">Iranian attacks on U.S. interests in Iraq</a> that led to the Jan. 3 U.S. drone strike that <a href="https://www.latimes.com/world-nation/story/2020-01-06/muhandis-was-tehrans-man-in-iraq-his-killing-by-the-u-s-may-have-more-blowback-than-suleimanis">killed a senior Iranian general and terrorist leader</a>. Iran’s supreme leader threatened “<a href="https://www.cnbc.com/2020/01/07/how-iran-could-retaliate-against-the-us-after-solemani-killing.html">harsh revenge</a>,” but said Iran would <a href="https://www.globalsecurity.org/wmd/library/news/iran/2020/iran-200105-presstv08.htm">limit those efforts to military targets</a>.</p>
<p>But even before Iranian missiles struck U.S. military bases in Iraq on Jan. 7, <a href="https://www.dailymail.co.uk/news/article-7852819/Iranian-hackers-breach-government-website-retaliation-airstrike.html">pro-Iranian hackers reportedly attacked</a> at least one U.S. government-related website, along with a number of private company sites. Of greater concern, a new report details significant recent efforts by <a href="https://www.wired.com/story/iran-apt33-us-electric-grid/">Iran to compromise the U.S. electric</a>, oil and gas utilities.</p>
<p>Iran, which has reportedly attacked <a href="https://www.reuters.com/article/us-saudi-aramco-attacks-un-exclusive/exclusive-u-n-investigators-find-yemens-houthis-did-not-carry-out-saudi-oil-attack-idUSKBN1Z72VX">Saudi Arabian energy production</a>, is also capable, according to U.S. officials, of conducting “<a href="https://www.nbcnews.com/news/us-news/iran-has-laid-groundwork-extensive-cyberattacks-u-s-say-officials-n893081">attacks against thousands of electric grids</a>, water plants, and health and technology companies” in the U.S. and Western Europe. Disrupting those systems could cause significant damage to homes and businesses and, in the worst case, injuries and death.</p>
<p>Much of our targeted critical infrastructure is under the control of private companies. Without government protection – and in the absence of any agreed-upon rules of cyber warfare – businesses are at high risk, and strict American criminal laws prohibit many forms of cyber self-defense by private companies. But there are straightforward measures companies can take both to protect themselves and to enhance our collective national cybersecurity. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=430&fit=crop&dpr=1 600w, https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=430&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=430&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=540&fit=crop&dpr=1 754w, https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=540&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/309561/original/file-20200112-103987-fi5bdr.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=540&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Hackers with ties to the Iranian government attacked the Bowman Avenue Dam near New York City in 2016.</span>
<span class="attribution"><a class="source" href="http://www.apimages.com/metadata/Index/Dam-Cyberattack/e4b86953ce4e4047ae689f288e1d0ced/1/0">AP Photo/Seth Wenig</a></span>
</figcaption>
</figure>
<h2>What will Iran do?</h2>
<p>Though it’s impossible to predict with certainty the behavior of the Iranian regime and its many proxies, their cyberattacks likely will continue to go well beyond governmental systems, which are <a href="https://www.cybercom.mil/default.aspx">reasonably well defended</a>. Iran and its supporters likely will focus on easier targets operated by private companies.</p>
<p>A recent U.S. Department of Homeland Security alert highlights <a href="https://www.us-cert.gov/ncas/alerts/aa20-006a">Iran’s capability and willingness</a> to engage in <a href="https://www.nbcnews.com/news/us-news/iran-has-laid-groundwork-extensive-cyberattacks-u-s-say-officials-n893081">multiple types of destructive cyberattacks</a> over the last decade. According to indictments filed by the U.S. Department of Justice, as cited in the DHS alert:</p>
<ul>
<li><p>Beginning as far back as 2011, Iran has conducted numerous Distributed Denial of Service (DDoS) attacks, sending <a href="https://www.justice.gov/opa/file/834996/download">massive amounts of internet traffic to knock websites offline</a>. Iran’s DDoS attacks have targeted, among others, financial institutions, for whom the resulting downtime reportedly cost millions of dollars.</p></li>
<li><p>In 2013, one or more Iranians working for the country’s Revolutionary Guard <a href="https://www.reuters.com/article/us-usa-iran-cyber-idUSKCN0WQ1JF">illegally accessed the control system of a New York dam</a>, although no direct damage apparently was done. </p></li>
<li><p>In 2014, Iran <a href="https://money.cnn.com/2015/02/27/technology/security/iran-hack-casino/index.html">conducted an attack on the Sands Las Vegas Corporation</a>, stealing customer credit card, Social Security and driver’s license numbers and wiping all data from Sands’ computer systems.</p></li>
<li><p>Between 2013 and 2017, hackers working on behalf of Iran’s Revolutionary Guard conducted a “massive” cyber theft operation targeting academic and intellectual property data, along with email information, from hundreds of universities, more than 45 companies, at least two federal agencies, at least two state governments and the United Nations.</p></li>
</ul>
<p>It is possible that new efforts along these lines could be planned and timed to <a href="https://www.engadget.com/2019/10/04/iran-cyberattacks-targeted-us-presidential-campaign/">affect upcoming American elections</a>. In addition, other countries could launch attacks and <a href="https://securityaffairs.co/wordpress/92770/apt/turla-false-flag-iran.html">try to blame them on Iran, or vice versa</a>.</p>
<h2>No clear cyber rules of engagement</h2>
<p>For conventional and even nuclear warfare, nations have, over the centuries, agreed to rules of armed conflict. They’ve developed ways to signal their intentions to escalate or deescalate a conflict. The U.S. and Iran have, for now, deescalated their public military conflict, thanks to Iran warning of its missile attack and not killing or injuring anyone and the U.S. not taking any further military action.</p>
<p>But cyberspace remains the wild west, with few, if any, <a href="https://theconversation.com/in-a-world-of-cyber-threats-the-push-for-cyber-peace-is-growing-119419">agreed-on rules of engagement</a> or <a href="https://www.americansecurityproject.org/attacking-the-grid-the-danger-of-us-russia-cyber-escalation/">well-understood signaling mechanisms</a>. This makes any ongoing cyberconflict between Iran and its enemies all the more dangerous, with critical infrastructure companies at risk of being caught in the crossfire.</p>
<p>Without government assistance, those companies are largely on their own in defending against Iranian or other foreign government attacks. Strict criminal laws <a href="https://www.lawfareblog.com/legislative-hackback-notes-active-cyber-defense-certainty-act-discussion-draft">severely restrict companies’ defensive options</a>, prohibiting, for example, technologies to trace and destroy stolen data. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=337&fit=crop&dpr=1 600w, https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=337&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=337&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=423&fit=crop&dpr=1 754w, https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=423&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/309495/original/file-20200110-97158-qftkhw.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=423&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Front lines in an Iran-U.S. cyberwar are spread out all over the country.</span>
<span class="attribution"><a class="source" href="https://unsplash.com/photos/M5tzZtFCOfs">Taylor Vick/Unsplash</a>, <a class="license" href="http://creativecommons.org/licenses/by/4.0/">CC BY</a></span>
</figcaption>
</figure>
<h2>Collective cyberdefense</h2>
<p>All of that said, there are steps companies can take to <a href="https://theconversation.com/5-ways-to-protect-yourself-from-cybercrime-120062">protect themselves</a>, not only from Iranian or other governmental attacks but against hacking by data thieves, ransomware gangs, corporate rivals, disgruntled employees or anyone else. </p>
<p>Vigilance and communication are key. Companies, particularly in critical infrastructure sectors such as energy, financial, telecommunications and health care, should stay in closer-than-usual touch with appropriate governmental bodies, including the Department of Homeland Security, the FBI and the appropriate cyber <a href="https://www.nationalisacs.org/member-isacs">Information Sharing & Analysis Centers</a>. ISACs can help companies quickly get threat intelligence from the government and report attacks that may have implications beyond a single company.</p>
<p>Businesses also should carefully check their systems for malware previously inserted maliciously to enable future attacks. They should, of course, scan their systems on an ongoing basis for viruses and other malicious code that could let hackers have unauthorized access to systems or data. <a href="https://www.us-cert.gov/ncas/alerts/aa20-006a">Companies should also</a> <a href="https://theconversation.com/how-secure-is-your-data-when-its-stored-in-the-cloud-90000">securely back up their data</a>, closely monitor data traffic on their networks, require workers to use <a href="https://theconversation.com/the-age-of-hacking-brings-a-return-to-the-physical-key-73094">multi-factor authentication</a> when logging into IT resources, and provide cybersecurity training and awareness to employees. </p>
<p>Protecting our national and economic security from attack is in the hands of private citizens and companies in a way that hasn’t been true perhaps since <a href="https://www.britannica.com/event/Dunkirk-evacuation">British boat owners rescued their nation’s army from annihilation</a> at Dunkirk in 1940. By taking reasonable cybersecurity measures, companies, and all of us individually, can not only help protect ourselves and our nation but, perhaps, even help to prevent a war. </p>
<p class="fine-print"><em><span>Bryan Cunningham does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Less overt than conventional military actions, cyber attacks can have dangerous consequences – especially when they target critical infrastructure systems controlled by the private sector.
Bryan Cunningham, Executive Director of the Cyber Security Policy & Research Institute, University of California, Irvine
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/97690 2018-06-05T08:31:25Z 2018-06-05T08:31:25Z
Explainer: why Chinese telecoms participating in Australia’s 5G network could be a problem
<p>Chinese telecom giants ZTE and Huawei are facing renewed scrutiny about the potential for their equipment and software to be used <a href="http://www.abc.net.au/radionational/programs/breakfast/we-cant-afford-to-play-politics-huawei/9830860">in Australia’s 5G mobile</a> network, following revelations from a <a href="https://www.smh.com.au/business/companies/china-s-zte-was-built-to-spy-and-bribe-court-documents-allege-20180531-p4ziqd.html">current court case in the United States</a>. </p>
<p>In the end, Australia’s willingness to include Huawei and ZTE in its 5G mobile infrastructure should be based on a rational analysis of risks. There is no shame in excluding them based on evidence rather than Sinophobia.</p>
<p>So let’s look at the evidence.</p>
<h2>What has spurred the debate?</h2>
<p>The case in the US involves allegations of bribery and industrial espionage against ZTE, echoing the company’s previous bad behaviour in <a href="https://www.justice.gov/opa/pr/zte-corporation-agrees-plead-guilty-and-pay-over-4304-million-violating-us-sanctions-sending">violating US sanctions</a>, and <a href="https://www.washingtonpost.com/news/business/wp/2018/04/16/u-s-companies-banned-from-selling-to-chinas-zte-telecom-maker/?utm_term=.fc5fa128dcbe">concealing further breaches</a> in violation of a plea deal. </p>
<p>ZTE’s actions essentially paralysed its business worldwide after the <a href="https://www.commerce.gov/news/press-releases/2018/04/secretary-ross-announces-activation-zte-denial-order-response-repeated">US banned the company</a> from using US-made parts in its equipment. American components comprise <a href="https://www.reuters.com/article/usa-china-zte/update-7-u-s-bans-american-companies-from-selling-to-chinese-phone-maker-zte-idUSL1N1RT0IX">25-30% of ZTE’s equipment</a>.</p>
<p>The debate over whether to ban the companies from involvement with Australia’s 5G network was reignited by Labor MP Michael Danby. During a speech to parliament last week, <a href="https://www.theaustralian.com.au/national-affairs/michael-danby-urges-government-not-to-allow-huawei-and-zte-to-buy-5g-network/news-story/10a0c2938db4ffec21387191514afb34">he said</a>:</p>
<blockquote>
<p>Let me issue a clarion call to this parliament, to the media and to the Australian public: Australia’s 5G network must not be sold to these telcos.</p>
</blockquote>
<h2>What do ZTE and Huawei do?</h2>
<p><a href="http://wwwen.zte.com.cn/pub/en/about/corporate_information/">ZTE</a> operates in 140 countries and supplies network products and end-to-end telecom services. It booked RMB124 billion (about US$16 billion) in <a href="https://quotes.wsj.com/CN/XSHE/000063/financials">revenue during 2017</a>.</p>
<p><a href="http://www.huawei.com/en/?ic_medium=direct&ic_source=surlent">Huawei</a>, based in Shenzhen, provides networking products and telecom solutions. It operates in 170 countries and employs 180,000 people. </p>
<p>The company provides 4.5G networks, wireless broadband, cloud services, data centres, smart city solutions, and banking solutions, and has a global smartphone market share of about 11%. It had <a href="http://www.huawei.com/en/press-events/news/2018/3/Huawei-2017-Annual-Report">revenues of US$92 billion</a> in 2017.</p>
<h2>Why is there concern about them supplying our 5G network?</h2>
<p>The 5G network is <a href="https://www.homeaffairs.gov.au/about/national-security/critical-infrastructure-resilience">critical infrastructure</a>. It is expected to support services that are essential to the smooth running of society and the economy, including an increasing number of internet-connected devices such as self-driving cars.</p>
<p>In a June 2017 white paper about 5G security, Swedish telecommunications company Ericsson <a href="https://www.ericsson.com/assets/local/publications/white-papers/wp-5g-security.pdf">noted</a> that, in comparison to current mobile networks: </p>
<blockquote>
<p>The values hosted in, and generated by, the 5G system are estimated to be even higher, and the assets (hardware, software, information and revenue streams) will be even more attractive for different types of attacks. Furthermore, considering the possible consequences of an attack, the damage may not be limited to a business or reputation; it could even have a severe impact on public safety.</p>
</blockquote>
<p>With these high stakes, it is essential that our 5G network is secure from interference. </p>
<p>There are concerns about Chinese telecoms companies supplying the 5G network in Australia due to accusations they have been involved in bribery, concealment and destruction of evidence, alongside suspected participation in espionage. </p>
<p>In 2013, former CIA Director General Michael Hayden <a href="https://www.reuters.com/article/us-huawei-security/former-cia-boss-says-aware-of-evidence-huawei-spying-for-china-idUSBRE96I06I20130719">reported</a> that Huawei:</p>
<blockquote>
<p>… shared with the Chinese state intimate and extensive knowledge of foreign telecommunications systems it is involved with.</p>
</blockquote>
<p>In 2015, the FBI <a href="https://publicintelligence.net/fbi-huawei/">stated</a> that: </p>
<blockquote>
<p>the Chinese Government’s potential access to US business communications is dramatically increasing. Chinese Government-supported telecommunications equipment on US networks may be exploited through Chinese cyber activity, with China’s intelligence services operating as an advanced persistent threat to US networks. </p>
</blockquote>
<p>Further, it noted that:</p>
<blockquote>
<p>China makes no secret that its cyber warfare strategy is predicated on controlling global communications network infrastructure.</p>
</blockquote>
<p>It is the combination of alleged corruption and state control that makes these companies potentially dangerous.</p>
<p>China’s deep pockets make Huawei highly competitive. As the FBI <a href="http://www.newsweek.com/china-can-spy-us-citizens-through-their-huawei-smartphones-spy-chiefs-warn-806430">warned</a>:</p>
<blockquote>
<p>With over $100 billion in Chinese government subsidization and direct financing, Huawei is able to … [make] offers [that are] difficult to refuse in exchange for access to US networks. </p>
</blockquote>
<p>The same applies to Australia, and other countries.</p>
<h2>Is there any evidence to support these concerns?</h2>
<p>ZTE and Huawei have been subject to allegations of bribery and corruption in a number of countries – and in some cases, banned from doing business. </p>
<p><a href="https://www.justice.gov/opa/pr/zte-corporation-agrees-plead-guilty-and-pay-over-4304-million-violating-us-sanctions-sending">ZTE pleaded guilty</a> in March 2017 to breaching US sanctions – by illegally shipping equipment to Iran and North Korea – obstruction of justice, and making a false statement. It paid the US government more than US$892 million in penalties (with a further US$300 million suspended). ZTE was mandated to have a “corporate monitor” to ensure future good behaviour. </p>
<p>In 2016, the government of Norway <a href="https://www.thelocal.no/20160107/norway-fund-blacklists-chinas-zte-over-corruption">embargoed its state pension fund</a> from investing in ZTE because of corruption.</p>
<p>ZTE was investigated for <a href="https://www.ft.com/content/94ced06e-a362-11e2-ac00-00144feabdc0">corruption in Mongolia</a> in 2013.</p>
<p>Both ZTE and Huawei were <a href="http://www.information-age.com/huawei-and-zte-execs-convicted-of-bribery-in-algeria-2107858/">banned from public sector contracts</a> in Algeria due to bribery in 2012.</p>
<p>ZTE was alleged to have <a href="https://asia.nikkei.com/Politics/ZTE-whistleblower-convicted-of-corruption-in-Philippines">bribed Philippine officials</a> in connection with a US$329 million broadband deal in 2007.</p>
<p>To be sure, ZTE and Huawei are not alone in paying bribes and <a href="https://ssrn.com/abstract=2443282">engaging in unethical business practices overseas</a>. But such behaviour is not conducive to the “<a href="https://www.ericsson.com/assets/local/publications/white-papers/wp-5g-security.pdf">trust models</a>” necessary for security in such critical infrastructure.</p>
<h2>What is the case currently before the courts in the US?</h2>
<p>It is important to stress that the allegations in this case are just claims at this point – no court has held them to be true. </p>
<p>ZTE was sued by Universal Telephone Exchange (UTE), an American company, in a Dallas court in 2010. UTE alleged that ZTE had misappropriated its trade secrets and interfered with its bid to secure telecom services contracts in Liberia in 2003-2004. UTE claimed it would have obtained the deal with LTC, but for ZTE’s illegal actions. It sought actual damages of US$10 million and US$20 million in exemplary damages.</p>
<p>The parties had to arbitrate the dispute in 2012 because of an arbitration clause in a non-disclosure agreement. ZTE prevailed in the arbitration. The arbitrator ruled that UTE’s claims were barred by statutes of limitations, and even if they were not so barred, that ZTE did not harm UTE.</p>
<p>UTE sued to vacate the ruling. In its motion to vacate, UTE claims that ZTE:</p>
<blockquote>
<p>… is a notoriously corrupt organization with a pattern of engaging in bribery, corruption, industrial espionage, and egregious criminal behavior on a worldwide basis. </p>
</blockquote>
<p>These allegations rely heavily on ZTE’s guilty plea with the US in March 2017. </p>
<p>The Dallas court vacated the arbitrator’s decision and remanded the case back for arbitration before a three-member tribunal. ZTE’s appeal is pending. </p>
<h2>Where do things stand now?</h2>
<p>The US government issued a <a href="https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/huawei-zte%20investigative%20report%20(final).pdf">report</a> as far back as 2012 recommending that:</p>
<blockquote>
<p>US government systems … should not include Huawei or ZTE equipment, including in component parts. </p>
</blockquote>
<p>Contractors were also asked to exclude this equipment. </p>
<p>The US is <a href="https://www.reuters.com/article/us-usa-trade-china-zte/u-s-reached-deal-to-keep-chinese-telecom-zte-in-business-congressional-aide-idUSKCN1IQ2JY">likely to lift the sanctions on ZTE</a> in exchange for a fine, employment of American compliance officers, and management changes as part of Trump’s <a href="https://twitter.com/realDonaldTrump/status/996119678551552000?ref_src=twsrc%5Etfw">broader trade strategy with China</a>. However, the embargo on US government entities purchasing ZTE or Huawei products or services is likely to stay.</p>
<p>The question is whether Australia should follow America’s lead in its dealings with ZTE and Huawei. If past is prologue, it is difficult to justify a departure from the US approach.</p>
<p class="fine-print"><em><span>Sandeep Gopalan does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Australia’s willingness to include Huawei and ZTE in its 5G mobile infrastructure should be based on a rational analysis of risks. We take a look at current and past court cases brought against them.
Sandeep Gopalan, Pro Vice-Chancellor (Academic Innovation) & Professor of Law, Deakin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/90869 2018-01-30T12:20:05Z 2018-01-30T12:20:05Z
Critical infrastructure firms face crackdown over poor cybersecurity
<figure><img src="https://images.theconversation.com/files/203846/original/file-20180129-89564-v12mtt.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption"></span> <span class="attribution"><a class="source" href="https://www.shutterstock.com/image-photo/didcot-power-station-647783968?src=Zse7CFfEYf2wRUecrfRh3A-1-10">Shutterstock</a></span></figcaption></figure>
<p>An EU-wide cybersecurity law is due to come into force in May to ensure that organisations providing critical national infrastructure services have robust systems in place to withstand cyber attacks.</p>
<p>The legislation will insist on a set of cybersecurity standards that adequately address events such as last year’s <a href="https://theconversation.com/wannacry-report-shows-nhs-chiefs-knew-of-security-danger-but-management-took-no-action-86501">WannaCry ransomware attack</a>, which <a href="https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/">crippled some ill-prepared NHS services across England</a>.</p>
<p>But, after a <a href="https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive">consultation process</a> in the UK ended last autumn, the government had been silent until now on its implementation plans for the forthcoming law. </p>
<p>The <a href="https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive">NIS Directive</a> (Security of Network and Information Systems) was adopted by the European parliament in July 2016. Member states, <a href="https://theconversation.com/uk/topics/brexit-9976">which for now include the UK</a>, were given “21 months to transpose the directive into their national laws and six months more to identify operators of essential services.”</p>
<p>The Department for Digital, Culture, Media and Sport (DCMS) finally slipped out its <a href="https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack">plans</a> on a Sunday, but – given its spin on fines – it doesn’t seem as though the government was attempting to bury the story.</p>
<h2>Interesting spin</h2>
<p>The DCMS warned – in rather alarmist language – that “organisations risk fines of up to £17m if they do not have effective cybersecurity measures” in place. There are echoes of the EU’s <a href="http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf">General Data Protection Regulation</a> (GDPR), by matching its €20m (£17m) maximum penalty level – though the option to charge 4% of turnover for NIS as well was dropped after consultation. </p>
<p>However, exorbitant penalties have been used as a scare tactic by <a href="http://www.computerweekly.com/news/450426779/NetApp-privacy-chief-warns-enterprises-off-investing-in-GDPR-snake-oil-tech">GDPR snake oil salesmen</a>, despite clear statements from the Information Commissioner’s Office (ICO) <a href="https://iconewsblog.org.uk/2017/08/09/gdpr-sorting-the-fact-from-the-fiction/">indicating a cautious regime</a>. Did the DCMS mean to invite <a href="https://techcrunch.com/2018/01/29/uk-security-fine-nis-directive/">overblown headlines</a> about the NIS directive, too?</p>
<p>Another peculiarity is that the government announcement doesn’t once mention the EU. Instead, the NIS directive is presented as an important part of the <a href="https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021">UK Cyber Security Strategy</a>, even though it is an EU initiative. A pattern is emerging here: the <a href="https://www.wired.co.uk/article/european-union-mobile-roaming-charges">removal of mobile roaming fees</a>, a <a href="https://www.gov.uk/government/news/card-surcharge-ban-means-no-more-nasty-surprises-for-shoppers">ban on hidden credit card charges</a> and <a href="https://theconversation.com/ten-stealth-microplastics-to-avoid-if-you-want-to-save-the-oceans-90063">environmental initiatives</a> have all been claimed as UK policies by Theresa May’s government without any adequate attribution to the EU. Digital minister Margot James said:</p>
<blockquote>We are setting out new and robust cybersecurity measures to help ensure the UK is the safest place in the world to live and be online. We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services.</blockquote>
<h2>Who needs to be aware of the NIS directive?</h2>
<p>The <a href="https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf">government consultation response</a> clarifies which operators of essential services and digital service providers the directive will apply to, once transposed into UK law. It uses a narrow definition of “essential”, excluding sectors such as government and food. Small firms are mostly excused from compliance; nuclear power generation has been left out, presumably to cover it exclusively under national security; and electricity generators are excluded from compliance if they don’t have smart metering in place. Digital service providers expected to comply with the NIS directive include cloud services (such as those providing data storage or email), online marketplaces and search engines.</p>
<p>The law requires one or more “competent authorities”, which the UK plans to organise by sector. It means communications regulator Ofcom will oversee digital infrastructure businesses and data watchdog the ICO will regulate digital service providers. They will receive reports on incidents, give directions to operators and set appropriate fines. </p>
<p>It’s worth noting that the ICO, in its multiple roles, could fine a service provider twice for different aspects of the same incident – once due to non-compliance with NIS and once due to non-compliance with GDPR. But incidents need to be considered significant in order to be on the radar for this directive. Significance will be judged on the number of affected users, the duration and geographical spread of any disruption and the severity of the impact. </p>
<p>Clearly, once this legislation is in place, the next WannaCry-style incident will be closely scrutinised by regulators to see how well prepared organisations are to deal with such a major event.</p>
<h2>National and international coordination</h2>
<p>The coordination of many NIS activities falls to the UK’s <a href="https://www.ncsc.gov.uk/">National Cyber Security Centre (NCSC)</a>, part of the government’s surveillance agency, <a href="https://www.gchq.gov.uk/news-article/national-cyber-security-centre-2017-annual-review">GCHQ</a>. It will provide the centralised computer security incident response team (CSIRT), and act as the “single point of contact” to collaborate with international peers as a major cyber attack unfolds. The NCSC will play a central role in reporting and analysing incidents, but remains out of the loop on enforcing the law and fines.</p>
<p>Sharing cyber incident information within an industry sector or internationally is important for larger scale analysis and better overall resilience. However, there are risks due to the inclusion of cyber vulnerability implications, business critical information and personal data in such sensitive reports. Two EU research projects (<a href="http://www.necs-project.eu/">NeCS</a> and <a href="http://c3isp.eu/">C3ISP</a>) aim to address these risks through the use of privacy preserving methods and security policies. The C3ISP project says its “mission is to define a collaborative and confidential information sharing, analysis and protection framework as a service for cybersecurity management.”</p>
<h2>More security standards?</h2>
<p>The idea of having prescriptive rules per sector was considered and rejected during the UK’s consultation process on the NIS directive. It’s in line with how the GDPR imposes cybersecurity requirements for personal data: it consistently refers to “appropriate technical and organisational measures” to achieve security, without pinning it down to specifics. Such an approach should help with obtaining organisational involvement that goes beyond a compliance culture.</p>
<p>A set of 14 guiding principles were drawn up, with the NCSC providing <a href="https://www.ncsc.gov.uk/guidance/table-view-principles-and-related-guidance">detailed advice</a> including helpful links to existing cybersecurity standards. However, the <a href="https://www.ncsc.gov.uk/guidance/cyber-assessment-framework-caf">cyber assessment framework</a>, originally promised for release in January this year, won’t be published by the NCSC until late April – a matter of days before the NIS comes into force.</p>
<p>Nonetheless, the NIS directive presents a good drive to improve standards for cybersecurity in essential services, and it is supported by sensible <a href="https://www.ncsc.gov.uk/guidance/nis-guidance-collection">advice</a> from the NCSC with more to come. It would be a shame if the positive aspects of this ended up obscured by hype and panic over fines.</p>
<p class="fine-print"><em><span>Eerke Boiten receives funding from EPSRC EP/P011772/1 EMPHASIS (EconoMical, PsycHologicAl and Societal Impact of RanSomware). He is a visiting professor at the University of Kent and through that involved with the EU H2020 project NeCS (Network of Excellence in Cyber Security) for which he was previously the principal investigator at Kent.</span></em></p>
But despite the UK’s alarmist tone on the incoming NIS directive, it’s not just about the hefty £17m fines.
Eerke Boiten, Professor of Cybersecurity, School of Computer Science and Informatics, De Montfort University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/73852
2017-04-06T02:43:28Z
2017-04-06T02:43:28Z
Why suburban tensions and inequality will drive infrastructure innovation
<figure><img src="https://images.theconversation.com/files/160632/original/image-20170314-9600-hsvodd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">What new and innovative infrastructure is likely to emerge from the suburbs? </span> <span class="attribution"><span class="source">Roger Keil</span>, <span class="license">Author provided</span></span></figcaption></figure>
<p><em>This is the fifth article in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">Making Cities Work</a>. It considers the problems of providing critical infrastructure and how we might produce the innovations and reforms needed to meet 21st-century needs and challenges.</em></p>
<hr>
<p>The global trend towards <a href="http://www.utppublishing.com/Suburban-Governance-A-Global-View.html">suburbanisation and suburbanisms</a> (meaning suburban ways of life) has an <a href="https://www.jovis.de/en/books/details/product/suburban-constellations.html">important infrastructure dimension</a>. In both growing and shrinking suburbs, <a href="http://suburbs.info.yorku.ca/2015/06/the-global-suburban-infrastructure-workshop-june-14-16-2015/">decisions on infrastructure</a> – mobility systems, water and waste water systems, and energy distribution and production networks – have been central. </p>
<p>Around the world, major transport and water/wastewater infrastructures often drive mushrooming peripheral growth. Big pipes, expressways, rapid transit lines, gas supply and the electricity grid, for example, have traditionally preceded residential subdivisions and commercial development.</p>
<p>In other areas (often in less-developed contexts), infrastructure development lags behind peripheral expansion. Informal settlement patterns, rapid and unequal peri-urbanisation and high degrees of social segregation characterise these areas. </p>
<p>In more mature suburban environments and in high-growth regions, gridlock, system failure and all manner of bottlenecks are typical. </p>
<p>The various forms of infrastructure need to be situated within their societal context. Infrastructures are contested between constituencies and are <a href="http://onlinelibrary.wiley.com/doi/10.1111/j.1468-2427.2008.00792.x/abstract">powerful instruments of social regulation</a>. Central to our argument is the view that the ramifications stretch far beyond the expectations and control of decision-makers. </p>
<h2>Suburbs are sites of stress</h2>
<p>Suburban areas, in their multiform, emerging worldwide configurations, feel infrastructure stress most acutely. Having to deal with severe infrastructure inadequacies, suburbs offer fertile ground for infrastructure experimentation and innovation.</p>
<p>All infrastructures share a common characteristic. At the very core of the concept is the role of supporting the functioning of different aspects of society. </p>
<p>We differentiate two types of infrastructure. </p>
<p>The first is the “hard” physical, public-works-type infrastructure: roads, highways, water and sewage systems, railways, wires, cables and transmitters. This includes the political, organisational know-how and financial requirements for their design, construction, operation and maintenance. </p>
<p>The second category can be described as “soft” or social infrastructures. These consist mostly of services. </p>
<p>Infrastructures are central to newer, non-central portions of metropolitan regions in this era of global suburbanisation. This is because they operate as conduits, facilitators and sometimes the main ingredient of that extension. Infrastructures order these suburban landscapes and make them accessible. </p>
<p>One feature common across the suburban environment is its fragmentation. Fragmentation is built into the morphology of the suburb. Its territory is dissected by the transport and utility infrastructures connecting the central city to its hinterland and the rest of the world. </p>
<p>An important, underrated aspect of suburban infrastructures is their tremendous importance for how the entire urban region functions. Suburban infrastructure, often thought of as merely functional for the suburban constellation itself, remains multi-scalar – that is, it also supports metropolitan and higher-scale purposes. </p>
<p>Thus, infrastructures work as fragmenting and sorting mechanisms of complex suburban landscapes. </p>
<p>Infrastructures play a central role in building suburbs but are also the foundation for the retrofitting of ageing peripheral areas. <a href="https://www.versobooks.com/books/2163-extrastatecraft">Keller Easterling describes</a> the infrastructural grid as:</p>
<blockquote>
<p>… thick with technologies that are potential multipliers: populations of suburban houses, skyscrapers, vehicles, spatial products, zones, mobile phones, or global standards.</p>
</blockquote>
<p>In this sense the suburbs are a “zone”. And suburbanisation is a horizontal division of labour, a giant production grid, a gargantuan spatial factory floor spread across city and society. And networked infrastructures enable it. </p>
<h2>Infrastructure connects and excludes</h2>
<p>With fragmentation come inequality and marginalisation – access to and exclusion from suburban infrastructures. The global suburb is a place of extremes. High levels of unevenness in the availability of infrastructures reflect and intensify this. </p>
<p>Infrastructure issues are exacerbated in the suburbs. Several of their characteristics contribute to this situation: their recent nature, rapid development, economic polarisation and sprawling nature.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/162848/original/image-20170328-21267-l763oy.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">Anting suburban train station, Shanghai. The pressures to provide infrastructure to such areas are likely to drive innovative solutions.</span>
<span class="attribution"><span class="source">Roger Keil</span>, <span class="license">Author provided</span></span>
</figcaption>
</figure>
<p>The infrastructure deficit in suburban areas results from the combined effects of accelerated suburban growth and insufficient funding. The latter reflects difficult economic circumstances and the predominance of other public sector expenditure priorities. </p>
<p>Infrastructure deficiencies are most severe in informal settlements. Governments largely overlook their needs, and the acute poverty of residents prevents reliance on locally funded infrastructure programs. The shortage or absence of <a href="https://theconversation.com/water-sensitive-innovations-to-transform-health-of-slums-and-environment-71615">water and sanitary infrastructures</a> contributes to low health and longevity indicators. </p>
<p>Confronted with the need to overcome multiple forms of infrastructure difficulties, the suburbs are a likely source of urban infrastructure innovation and fertile spawning grounds for new solutions. We thus expect the future of urban infrastructures to emerge from the suburbs. </p>
<p>The impetus is great for infrastructure innovations to fill the gap between need and availability and overcome the inappropriateness of prevailing systems. In this sense, suburbs can be seen as laboratories for new infrastructure. </p>
<hr>
<p><em>This article draws on a <a href="http://www.tandfonline.com/doi/full/10.1080/08111146.2016.1187122">research paper</a> by the authors in a new <a href="http://www.tandfonline.com/toc/cupr20/35/1">special issue</a> of the international journal, Urban Policy and Research, on critical urban infrastructure. These matters have been taken up in more detail in two forthcoming books by the authors, Global Suburban Infrastructure: Social Restructuring, Governance and Equity (University of Toronto Press) by Pierre Filion and Nina Pulver, and Suburban Planet (Polity Press) by Roger Keil.</em></p>
<p><em>You can read other published articles in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">here</a>.</em></p>
<p class="fine-print"><em><span>Pierre Filion receives funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada.</span></em></p>
<p class="fine-print"><em><span>Roger Keil receives funding from the Social Sciences and Humanities Research Council (SSHRC) of Canada.</span></em></p>
Suburban areas feel infrastructure stress most acutely. Having to deal with severe inadequacies, suburbs offer fertile ground for infrastructure experimentation and innovation.
Pierre Filion, Professor, School of Planning, University of Waterloo
Roger Keil, York Research Chair in Global Sub/Urban Studies, York University, Canada
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/73850
2017-04-05T19:23:05Z
2017-04-05T19:23:05Z
Stumbling into the future: living with the legacy of the great infrastructure sell-off
<p><em>This is the fourth article in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">Making Cities Work</a>. It considers the problems of providing critical infrastructure and how we might produce the innovations and reforms needed to meet 21st-century needs and challenges.</em></p>
<hr>
<p>The privatisation of urban infrastructure in Australia is an ironic story. The vehicles of urban infrastructure – the utilities and the state-owned enterprises – were so central to the life of cities that they became perfect entities for private sell-off. We now live with the consequences of the sell-off.</p>
<p>The utilities flourished in Australia as a nation-building exercise following the second world war. The <a href="http://www.economist.com/blogs/economist-explains/2014/06/economist-explains-20">Bretton Woods agreements</a> entrenched Keynesian fiscal behaviours across the Western world. </p>
<p>The utilities thrived on the willingness of governments to raise capital for public works. They were also central to the development of state capacity and the assembly of a career-based professional public service. As part of the social compact, the public accepted reasonable user pricing for the availability of water, energy, public transport and telecommunications services.</p>
<p>Hence, the utilities and the state-owned enterprises led the roll-out of urban infrastructure in the second half of the 20th century. This roll-out shaped the nature of Australian urban life, its format and flows.</p>
<p>But then the fiscal crisis of the state descended in the 1970s and 1980s. The sell-off of public assets was seen worldwide as a solution to state indebtedness. Arguments that private enterprise could deliver infrastructure services more efficiently added impetus. </p>
<h2>A wholesale transformation</h2>
<p>Few governments resisted the sell-off urge. Australian governments, state and federal, participated in the sell-off, though in a stuttering manner. Through time, however, the change has been substantial.</p>
<p><a href="http://onlinelibrary.wiley.com/doi/10.1111/1467-8462.12072/full">Abbott and Cohen calculate</a> that the output of state-owned enterprises in Australia in 1989-90 accounted for 7% of GDP, 9% of total employment, and 14% of gross fixed capital expenditure. </p>
<p>By 2011-12, the output of state-owned enterprises had fallen to 1.3% of GDP. Their gross fixed capital expenditure contributed only 1.8% of the nation’s total. The authors estimate that proceeds from privatisations in Australia since 1987 total around A$194 billion (in constant year 2000 dollars).</p>
<p>The sell-off commercialised and privatised a raft of assets: electricity generation and transmission, gas distribution, airports, ports and telecommunication. New assets went straight to private hands: motorways, public transport, renewable energy generation, and freight handling.</p>
<p>The shedding of public responsibility for infrastructure meant public investment in Australia as a share of GDP fell from more than 5% in the mid-1980s to well below 3% <a href="http://www.bis.com.au/im-the-other-deficit.html/section/4545">by the end of the 1990s</a>.</p>
<h2>What’s in it for investors?</h2>
<p>There is much to understand about the sell-off. Here I focus only on why private investors are willing to pay extraordinary prices to acquire urban infrastructure assets.</p>
<p>The attraction of investing in an urban infrastructure asset comes from the infrastructure services being embedded in the daily flows of people, water, energy and information throughout a city. The flows of a city are remarkably ordered in terms of volume, direction and timing. </p>
<p>How a city operates is dependent on the co-existence of decisions by infrastructure operators and users. The operators decide how and when services will be available. Households and firms decide what they will be doing across a 24-hour day and therefore how and when they will use the infrastructure services on offer.</p>
<p>Thus, the efficiency of infrastructure provision comes from the predictability of the flows of a city. These in turn come from a historical patterning and sequencing of behaviours by householders and firms as they read off and conform to each other’s movements.</p>
<p>An example is the relatively sympathetic structuring and sequencing of work hours and school hours. This ensures that public transport facilities are utilised more efficiently in peak hours, while the hours that parents and children spend together are made more convenient.</p>
<p>The embeddedness of infrastructure into city life means that revenue streams from user fees for infrastructure services are highly predictable and stable. And because transport, water and energy supply is usually monopolised, the householder has little choice but to continue as a consumer of an infrastructure service.</p>
<p>The books of a utility or state-owned enterprise, then, represent a discrete set of households well trained to pay their monthly bills. This is precisely the type of revenue stream that pension, insurance and sovereign wealth funds seek when faced with the peculiar problem of having surplus cash to lock away for at least the next two decades.</p>
<h2>What did we lose in the sell-off?</h2>
<p>Perhaps it was clever to have solved a government debt problem in Australia back in the day through a sell-off of assets to a new class of long-term investor. But as a consequence we have lost other things. </p>
<p>Infrastructure as a planning tool to shape our cities is one. Revenue streams to subsidise needy customers or supply to remote locations are another.</p>
<p>And, critically, we have lost the opportunity for the state to revamp energy, water and transport systems to allow for innovative supply and demand formats – such as distributed electricity supply networks – that are more appropriate to a climate-threatened planet.</p>
<p>Long-term privatisation contracts, most of them closed to scrutiny, lock urban infrastructure provision into 20th-century formats.</p>
<p>The difficult task now will be their unlocking.</p>
<hr>
<p><em>This article draws on a <a href="http://www.tandfonline.com/doi/full/10.1080/08111146.2016.1235034">research paper</a> by the author in a new <a href="http://www.tandfonline.com/toc/cupr20/35/1">special issue</a> of the international journal, Urban Policy and Research, on critical urban infrastructure. You can read other published articles in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">here</a>.</em></p>
<p class="fine-print"><em><span>Phillip O'Neill is the recipient of ARC Discovery Project Grant DP130104319 that has funded research relevant to this article.</span></em></p>
Long-term privatisation contracts, most of them closed to scrutiny, lock urban infrastructure into 20th-century formats unsuited for a climate-threatened planet.
Phillip O'Neill, Director, Centre for Western Sydney, Western Sydney University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/73684
2017-04-04T19:26:40Z
2017-04-04T19:26:40Z
How do we restore the public’s faith in transport planning?
<figure><img src="https://images.theconversation.com/files/162549/original/image-20170327-18970-1d5k97c.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">Politicised projects that steamroll proper process are giving transport planning a bad name.</span> <span class="attribution"><span class="source">www.shutterstock.com</span></span></figcaption></figure>
<p><em>This is the third article in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">Making Cities Work</a>. It considers the problems of providing critical infrastructure and how we might produce the innovations and reforms needed to meet 21st-century needs and challenges.</em></p>
<hr>
<p>Opposition to proposed road projects has become a feature of state and federal elections. </p>
<p>In Western Australia, protests <a href="https://theconversation.com/three-ingredients-for-running-a-successful-environmental-campaign-72371">against the Roe Highway Stage 8</a> escalated just before Christmas 2016. On the eve of the state election, Main Roads WA contractors (acting at the behest of the then Liberal-National government) pushed forward with the destruction of the <a href="https://theconversation.com/roe-8-perths-environmental-flashpoint-in-the-wa-election-74155">environmentally significant</a> Beeliar wetlands. </p>
<p>This happened despite considerable community opposition. The Labor opposition, now the newly elected government, declared it would <a href="http://www.abc.net.au/news/2017-01-04/labor-to-scrap-roe-8-if-it-wins-wa-election/8160980">halt the construction</a> if elected.</p>
<h2>Politics as usual puts planning under a cloud</h2>
<p>In our recently <a href="http://www.tandfonline.com/eprint/uchdXHUJR7HKCMyEUncd/full">published paper</a>, we compared road projects in Melbourne (East West Link), Sydney (WestConnex) and Perth (Perth Freight Link). Based on observational, policy and media analysis, we found growing antagonism between the state governments and their residents. </p>
<p>Roe 8 is just the latest freeway battle in Australia, following those in <a href="http://www.smh.com.au/nsw/election-2016-labor-promises-not-to-fund-westconnex-as-anthony-albanese-addresses-electorate-20160519-gozdj3.html">Sydney</a> and <a href="http://www.theage.com.au/victoria/victoria-state-election-2014-premier-denis-napthine-announces-250m-for-tullamarine-freeway-20141108-11j0rn.html">Melbourne</a>, where the Labor government <a href="https://theconversation.com/east-west-link-shows-miserable-failure-of-planning-process-40232">cancelled the East West Link</a>.</p>
<p>To the casual observer, these protests, and promises by parties in opposition to scrap contracts if elected, could be seen simply as “politics as usual”. </p>
<p>However, normalising politics in transport can veil the deficiencies and shortcuts that undermine planners’ ability to act in the public interest. For this reason, it is critical that we examine what dynamics are at play, and how planning serves and/or exacerbates these. </p>
<h2>Professional planning bypassed</h2>
<p>In the case of Roe 8, <a href="https://theconversation.com/roe-8-fails-the-tests-of-responsible-21st-century-infrastructure-planning-71810">good planning was circumvented</a>. </p>
<p>Not only is this undermining efforts to reduce car dependency and invest in public transport – goals adopted in these three cities’ metropolitan strategic plans since at least the 1990s – it is undermining professional planning practice. </p>
<p>The evasion of due process in planning has recently come into sharp focus. Reports by the <a href="https://www.anao.gov.au/work/performance-audit/approval-and-administration-commonwealth-funding-westconnex-project">Australian Auditor-General</a> on the WestConnex project in Sydney and by the <a href="http://www.audit.vic.gov.au/publications/20151209-East-West-Link/20151209-East-West-Link.pdf">Victorian Auditor-General</a> on the East West Link in Melbourne are severely critical of processes taken. The report on the East West Link concluded that the Victorian government lacked “a sound basis for the government’s decision to commit to the investment”. </p>
<p>In the case of Roe 8, Main Roads WA documents provided to the Department of Infrastructure and Regional Development were recently released under FOI after a two-year court battle to keep them secret. These show a rushed and partial assessment of the transport case for the road was put to Infrastructure Australia. </p>
<p>The latter, in its own <a href="http://www.abc.net.au/news/2015-08-19/perth-freight-link-poorly-planned-hastily-conceived-report/6707364">assessment</a>, alerts us to concerns about inadequate analysis:</p>
<blockquote>
<p>A rapid BCR (benefit cost ratio) was completed for the preferred option only … [and] a rapid BCR was not completed for additional options to determine if the preferred option provided the greatest net benefits. </p>
</blockquote>
<p>Traffic planning is only one part of the process. A Freight Network Review, commenced in 2001 and <a href="https://www.planning.wa.gov.au/dop_pub_pdf/attachment_2.pdf">concluded in 2003</a>, found that Roe 8 was not needed. There is no publicly available report stating why this sound planning was set aside.</p>
<p>In addition, proper planning process has been bypassed. The previous WA government argued that the Roe Highway had been reserved in the Metropolitan Region Scheme (MRS) since the 1960s and that this was good long-term planning. However, the detailed road alignment falls outside this reserve at three locations. </p>
<p>This triggered the use by the WA Planning Commission of a “Planning Control Area” (PCA), the purpose of which is to protect land until “proper planning” can take place. After this, an MRS amendment must be initiated and advertised for public comment.</p>
<p>Construction began before any public consultation on the MRS amendment. Was this to avoid public scrutiny? </p>
<p>Public consultation is an important part of any good planning process. It was undertaken for other 1960s major road reserves. These were reviewed against current knowledge and policy, and in some cases <a href="https://www.planning.wa.gov.au/dop_pub_pdf/121041_-_MRS_Report_on_Submissions.pdf">deleted</a> (the Stirling Highway, for example). </p>
<p>Public input into the planning process provides an opportunity for governments to bring the community with them through both owning the planning problem and arriving at a solution that the public can support. </p>
<h2>Risks of politicisation are high</h2>
<p>Large transport projects are likely to attract opposition from affected communities. Construction is disruptive and the visual, noise and amenity changes are significant. </p>
<p>These projects are also transformational. They lead to profound city-wide, and even region-wide, changes to the environment and the working of a city. </p>
<p>For these reasons, planning for transport projects must be a process of careful consideration. It requires sound professional planning based on reasoned justification drawing on the best available evidence. This process must be transparent to all. </p>
<p>When politicians choose a different course to planning advice, this must be on their own account and again transparent. We need a strong discussion on professional ethics and the need for clear separation of planners’ independent advice from elected politicians’ decisions.</p>
<p>In the case of Roe 8, are we to assume that the analysis and conduct of the planning process we see revealed reflects what planners at Main Roads WA and the Western Australian Planning Commission believe is sound professional practice? Or are they simply building a case for politicians? </p>
<p>Without clear and transparent documentation, planners leave themselves open to criticism and bring the profession into disrepute.</p>
<h2>Room for improvement</h2>
<p>Based on <a href="http://www.tandfonline.com/eprint/uchdXHUJR7HKCMyEUncd/full">our research</a>, we assert the need to recognise that the gap between strategic planning and project planning needs to be filled by a more community-oriented decision-making process.</p>
<p>We must challenge “<a href="http://www.tandfonline.com/eprint/AAdExHQCg67j4mhsDFvP/full">urgency</a>” – when governments aim to sign contracts before we have had sound planning analysis and community input. </p>
<p>Long-term planning does not mean that a project like Roe 8, which was first mooted more than 50 years ago, must be built today. We need to take into account new knowledge and current views on our future. We must place equality and environmental and economic sustainability in balance, as weighed by community values. </p>
<p>The political process is one place where those values must be considered holistically. This is immensely important, but it should not undermine transparent and sound planning. </p>
<hr>
<p><em>This article draws on a <a href="http://www.tandfonline.com/eprint/uchdXHUJR7HKCMyEUncd/full">research paper</a> by the authors in a new <a href="http://www.tandfonline.com/toc/cupr20/35/1">special issue</a> of the international journal, Urban Policy and Research, on critical urban infrastructure. You can read other published articles in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">here</a>.</em></p>
<p class="fine-print"><em><span>Crystal Legacy receives funding from the Australian Research Council. </span></em></p>
<p class="fine-print"><em><span>Carey Curtis is affiliated with the Beeliar Group of Professors for Environmental Responsibility.</span></em></p>
<p class="fine-print"><em><span>Jan Scheurer does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Politicised transport projects that flout proper process lead to hostility between residents and governments, and give planners a bad name.
Crystal Legacy, Australian Research Council (DECRA) Fellow and Vice Chancellor's Research Fellow, Centre for Urban Research, School of Global, Urban and Social Studies, RMIT University
Carey Curtis, Professor of City Planning and Transport, Curtin University
Jan Scheurer, Senior Research Fellow, Curtin University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/73851
2017-04-03T04:12:37Z
2017-04-03T04:12:37Z
From Smart Cities 1.0 to 2.0: it’s not (only) about the tech
<p><em>This is the second article in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">Making Cities Work</a>. It considers the problems of providing critical infrastructure and how we might produce the innovations and reforms needed to meet 21st-century needs and challenges.</em></p>
<hr>
<p>Australia, one of the world’s most urbanised nations, is looking to up its investment in digital technologies to make our cities work better. </p>
<p>In coming months, tech companies, local governments and other eligible organisations will be teaming up to apply for round one of the federal government’s A$50 million <a href="https://cities.dpmc.gov.au/smart-cities-program">Smart Cities and Suburbs Program</a>. The program is seeking ideas for prototypes and platforms that can help solve a local urban challenge of some kind. </p>
<p>As the draft guidelines suggest, project funding could be used for anything from managing waste better, making local precincts more liveable, or helping citizens become more engaged with their councils, to developing systems that help planners better predict local development impacts.</p>
<p>Compared to other areas of federal infrastructure spending – like <a href="http://investment.infrastructure.gov.au/funding/r2r/">roads</a> – $50 million for smart city investments may not sound like much. But it’s a bit of a windfall for an area that has struggled to get off the ground in Australia for the past few years. </p>
<p>Australia has been in <a href="http://www.smh.com.au/it-pro/government-it/australian-cities-in-no-hurry-to-become-smart-20141027-11cbnt.html">no hurry to become smart</a>. Overseas, many cities have put significant effort into building their profile as smart cities. They have invested in technology acceleration, data analytics, visualisation and instrumentation programs, and so on. </p>
<p>Before launching the federal program, Australia had made relatively few investments in smart city programs. Those investments remained relatively modest. </p>
<h2>The benefits of not rushing in</h2>
<p>In retrospect, perhaps this wasn’t such a bad thing. It’s now widely recognised that, despite the rhetoric of technology vendors, much of the early investment in smart cities failed to demonstrate significant benefits to cities and their citizens. </p>
<p>This period of “Smart Cities 1.0” investment was dominated by relatively small or experimental prototypes involving separate systems and infrastructures. Think a Cisco <a href="http://investadelaide.com.au/why-adelaide/adelaide-smart-city/smart-lighting-trial-project">smart light trial</a>, combined with a <a href="http://www.cmtedd.act.gov.au/smartparking/home">smart parking app</a>. These have been small, interesting prototypes, but not necessarily generating the efficiencies and value sometimes claimed for smart cities. </p>
<figure>
<iframe width="440" height="260" src="https://www.youtube.com/embed/vZ3Cr8jR4J4?wmode=transparent&start=0" frameborder="0" allowfullscreen=""></iframe>
<figcaption><span class="caption">Adelaide and Cisco have run a smart street lighting trial in the CBD.</span></figcaption>
</figure>
<p>The embrace of relatively small or experimental prototypes in Smart Cities 1.0 created vertical “data silos” and <a href="https://theurbantechnologist.com/2016/02/01/why-smart-cities-still-arent-working-for-us-after-20-years-and-how-we-can-fix-them/">failed to scale or demonstrate real benefits</a>. The emerging logic of “<a href="http://www.thefifthestate.com.au/columns/spinifex/a-minister-for-cities-great-now-for-a-smart-cities-discussion/77632">Smart Cities 2.0</a>” is quite different. Smart Cities 2.0 investments focus on creating platforms for data access, sharing, re-use and inter-operability. </p>
<p>Part of the reason for this shift lies in the changing nature of the technologies themselves. Our urban environments are turning into landscapes populated by more and more connected “Things” equipped with many different sensors for data capture and analytics. This is driving a growing need for inter-operable platforms and standards that give more players wider access to city data. </p>
<p>A city that invests in these platforms can kick-start a wider technology ecosystem, enabling innovation in city services to thrive. </p>
<p>The emerging critical infrastructures for Smart Cities 2.0 are turning out to be <a href="https://data.london.gov.uk/blog/building-the-city-data-market/">city data markets</a>, <a href="https://www.citydataexchange.com/">data exchanges</a>, and data protocols, standards and specifications. These have been developed by groups like the <a href="http://www.hypercat.io/">Hypercat</a> and <a href="https://www.lora-alliance.org/">LORA</a> alliances. </p>
<p>It is becoming clearer that these infrastructures will require more strategic collaborations between governments, industry, communities, citizens and researchers. </p>
<h2>Reinventing government as ‘a platform’?</h2>
<p>For those of us who are happy to hear tech vendors talk about data sharing and open innovation, this all sounds great. We do hope some of this thinking makes its way into the funding of pilots and prototypes under the Smart Cities and Suburbs Program. </p>
<p>But we should be mindful here that what is perhaps most radical about this new phase is not the technologies themselves, but the way they are repositioning the role of government. </p>
<p>Governments are increasingly positioning themselves as the “platform” for wider innovation in data services. Australia’s Digital Transformation Office has embraced this idea of services “<a href="https://www.dta.gov.au/standard/design-guides/government-as-a-platform/">built on a shared (data) core</a>”. Many other agencies are following suit. </p>
<p>But if cities that “run on information” are going to make a real difference, we need to think about how these new platforms can be used to overcome the endemic governance challenges our cities face. </p>
<p>Major Australian cities are made up of a patchwork of local government areas overlaid with state and federal jurisdictions responsible for transport, education, health and so on. No single agency “runs” the city. Many of them even work against each other.</p>
<p>The result is that instruments for strategic planning, like the metropolitan strategy, have tended to remain relatively weak. Modelled on the <a href="https://www.london.gov.uk/">Greater London Authority</a>, the <a href="http://www.greater.sydney/">Greater Sydney Commission</a> represents a shift towards metropolitan-scale governance. This creates an opportunity to scale up investments in data infrastructures, building scalable city-wide data architecture like the <a href="https://data.london.gov.uk/">London Data Store</a>. </p>
<p>Though we might not be able to solve the endemic challenges of patchwork municipal governance, we can encourage our city governments to invest in data-rich platforms to help foster data-driven collaborations and services that benefit our cities. </p>
<h2>Responsive governance the key</h2>
<p>The ingredients of a smart city include a raft of technology innovations, as well as a willingness to experiment with new ways of doing things. </p>
<p>Today’s <a href="https://theconversation.com/explainer-the-internet-of-things-16542">Internet of Things</a> technologies, data analytics platforms and sensor-enabled services are sure to deliver new ways to understand, visualise and analyse the nature and scale of many of our most pressing urban challenges. </p>
<p>But solving challenges such as waste management, urban liveability and land-use planning will require more than technology investments, data-capture services or digital prototypes. Solutions will also depend on effective long-term partnerships within and beyond government. </p>
<p>While the digital infrastructure is no doubt important, it will be the city governments that invest in new ways to collaborate and co-innovate that will ultimately lead the way in delivering the smarter, more responsive services our cities so desperately need.</p>
<hr>
<p><em>This article draws on a <a href="http://www.tandfonline.com/doi/full/10.1080/08111146.2016.1235032">research paper</a> by the authors in a new <a href="http://www.tandfonline.com/toc/cupr20/35/1">special issue</a> of the international journal, Urban Policy and Research, on critical urban infrastructure. You can read other published articles in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">here</a>.</em></p>
<p class="fine-print"><em><span>Sarah Barns has received funding from the UK Urban Studies Foundation for her work on digital strategies to support urban governance. She also consults as a smart city strategist & researcher for organisations such as CSIRO and Urban Growth NSW. </span></em></p>
<p class="fine-print"><em><span>Donald McNeill receives funding from the Australian Research Council through a Future Fellowship on Governing Digital Cities.</span></em></p>
<p class="fine-print"><em><span>Michele Acuto receives funding from Research Councils UK (ESRC and EPSRC) and the UK Government (FCO), the World Bank Group, and the United Nations (WHO and UN-Habitat). He is also a Senior Fellow of the Chicago Council on Global Affairs.</span></em></p>
<p class="fine-print"><em><span>Ellie Cosgrave does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Australia has lagged behind some other countries in its investment in smart cities, but in retrospect that may not have been such a bad thing.
Sarah Barns, Urban Studies Foundation Postdoctoral Research Fellow, Institute for Culture and Society, Western Sydney University
Donald McNeill, Professor of Urban and Cultural Geography, Western Sydney University
Ellie Cosgrave, Research Associate, UCL
Michele Acuto, Professor of Diplomacy and Urban Theory, UCL
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/73849 2017-04-02T19:34:36Z 2017-04-02T19:34:36Z
What’s critical about critical infrastructure?
<p><em>This is the first article in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">Making Cities Work</a>. It considers the problems of providing critical infrastructure and how we might produce the innovations and reforms needed to meet 21st-century needs and challenges.</em></p>
<hr>
<p>Our cities and regions depend on the critical nodes and arteries that together comprise urban infrastructure systems. This includes energy, food, water, sewerage and communications.</p>
<p>The positioning of critical infrastructure is crucial to our understanding of the world we live in and how we see ourselves. It’s our means of survival as <em>Homo urbanis</em>.</p>
<p>This means key questions around critical infrastructure need to be better considered. How is it critical, when and for whom?</p>
<h2>Beyond espionage, sabotage and coercion</h2>
<p>Critical infrastructure has received much attention in recent years. The reasons include concerns about exposure to terrorist attack, disruption by disasters, rising awareness of the interdependent nature of urban infrastructure, and changes in ownership and responsibility for infrastructure assets. </p>
<p>The <a href="https://www.nationalsecurity.gov.au/Media-and-publications/Publications/Documents/national-guidelines-protection-critical-infrastructure-from-terrorism.pdf">Australian government defines critical infrastructure</a> as:</p>
<blockquote>
<p>… those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.</p>
</blockquote>
<p>This definition expands traditional thinking to include network and information infrastructure. However, the emphasis is on national security and defence issues such as espionage, sabotage and coercion. Infrastructure is defined as critical on the basis of what is <em>at threat</em> should it be destroyed or disabled, and how much that matters.</p>
<p>Yet what is critical about critical infrastructure is not just a matter of national security threats. It is also the key linkages between this infrastructure and human and environmental system vulnerability, integrity and equity. </p>
<p>Experiences of critical infrastructure are not equal, but highly contingent on political and economic priorities, influence and opportunity.</p>
<h2>Critical how and for whom?</h2>
<p>When securing urban infrastructure, the focus is on whom or what is being secured – and from what. </p>
<p>Any issue is capable of securitisation, which involves casting the security issue as a threat that calls for emergency measures. But security for whom? From what threats? By what means? And at what cost? </p>
<p>Critical infrastructure can be government-owned (such as dams), privately owned (like airports), community-owned (like irrigation systems), or involve public-private partnerships (like electricity distribution networks). </p>
<p>The ownership patterns of infrastructure of all kinds have changed rapidly in recent years. This has left questions of responsibility unresolved. An example is the ownership versus service provision arrangements for the supply and distribution of catchment water resources. </p>
<p>Alongside the need for improved service quality, cost efficiencies, variety and choice, a growing trend towards highly uneven and inequitable community and environmental outcomes demands our attention. </p>
<p>How critical infrastructure is defined influences which stakeholders are deemed to have a role or responsibility in protecting it. </p>
<p>In South Australia, a severe thunderstorm <a href="http://www.abc.net.au/news/2016-09-28/sa-weather-serious-questions-must-be-answered-frydenberg-says/7886262">blacked out the state</a> in 2016. The resulting political finger-pointing distracted attention from the real issues of risk and responsibility in delivering electricity to the community. </p>
<h2>Critical when and at what scale?</h2>
<p>The scale question leads us to consider assets not normally included as critical infrastructure. An example is the vital role of natural ecosystems in our long-term economic and social welfare. Natural or semi-natural water catchments are in many places the sole source of water for towns and cities. </p>
<p>However, maintaining the integrity of these water supplies has largely ignored the importance of the catchment itself in providing much-needed filtering and treatment of that water. The contamination of Canberra’s water supply, following the <a href="http://www.environmentcommissioner.act.gov.au/publications/soe/2003actreport/indicators03/fire03">2003 bushfires</a> in the Cotter River catchment, was unprecedented in redefining what is critical infrastructure.</p>
<p>An alternative to a national security approach to critical infrastructure involves a complementary focus on the local scale. Local access to food, for instance, can be seen as critical. The <a href="http://www.australianfoodsovereigntyalliance.org/home-page/">Australian Food Sovereignty Alliance</a> argues for community-scale urban food policies and practices. </p>
<p>In 2001, foot and mouth disease broke out in the UK. The <a href="http://www.bbc.com/news/magazine-35581830">crisis</a> exposed individuals’ vulnerability to increasingly integrated, global food supply chains. That underscores the merits of social and environmental policy at local government level. </p>
<p>Big assets and sudden events are at one level defensible as a prime focus. But this approach is limited by a traditional framing of critical infrastructure and a bias towards certain timeframes.</p>
<p>Decisions on resources, priorities and effort inevitably involve scale-dependent judgements. These judgements should be defined by the nature of the impacts: one-off or cumulative; human or nature-oriented; fast or slow onset. </p>
<p>For example, local infrastructure – minor roads, flood buffers, bridge culverts and so on – is critical for society to function. Yet it is not well catered for in policy. Local government capacity to provide and manage infrastructure is limited. And varying interpretations of scale and criticality shape the funding debate. </p>
<h2>Our urban arteries</h2>
<p><a href="http://www.tandfonline.com/doi/abs/10.1080/08111146.2017.1282857?journalCode=cupr20">Critical infrastructure</a> networks shape and sustain our cities and regions. But they also expose communities to a range of threats. These include natural disasters, terrorism, peak oil and climate change. </p>
<p>So how do we decide what is critical and what is not? To arrive at an answer we must consider not only physical or informational assets, but the inclusion/exclusion of communities, places and values. </p>
<p>How can we better recognise and integrate natural ecosystems as critical to human survival and flourishing? How do we do this amid infrastructure privatisation and securitisation? And where are the points of resistance and pathways for alternative action?</p>
<p>We need to be more imaginative about critical urban infrastructure. A better, more sustainable approach needs to: </p>
<ul>
<li><p>expand our understanding of what critical infrastructure is to include environmental and local systems;</p></li>
<li><p>learn from previous security decisions and their outcomes; and</p></li>
<li><p>include local levels of activity to broaden the narrow national security approach in order to meet contemporary infrastructure challenges.</p></li>
</ul>
<hr>
<p><em>This article draws on a <a href="http://www.tandfonline.com/doi/full/10.1080/08111146.2017.1282857">research paper</a> by the authors in a new <a href="http://www.tandfonline.com/toc/cupr20/35/1">special issue</a> of the international journal, Urban Policy and Research, on <a href="http://www.tandfonline.com/doi/full/10.1080/08111146.2017.1283751">critical urban infrastructure</a>. You can read other published articles in our series <a href="https://theconversation.com/au/topics/making-cities-work-37182">here</a>.</em></p>
<p class="fine-print"><em><span>Wendy Steele receives funding from the Australian Research Council. </span></em></p>
<p class="fine-print"><em><span>Karen Hussey has received funding in the past from the Bushfire and Natural Hazards CRC.</span></em></p>
<p class="fine-print"><em><span>Stephen Dovers' research is in part funded by the Bushfire and Natural Hazards CRC.</span></em></p>
Critical infrastructure is our means of survival as an urban species. So, we must identify what is critical, for whom and how it might fail us.
Wendy Steele, Associate Professor of Urban Policy and Planning, RMIT University
Karen Hussey, Deputy Director, Global Change Institute, The University of Queensland
Stephen Dovers, Emeritus Professor, Fenner School of Environment and Society, Australian National University
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/70997 2017-01-11T01:04:55Z 2017-01-11T01:04:55Z
Hospitals feel the heat too from extreme weather and its health impacts
<p>As <a href="http://www.smh.com.au/environment/weather/sydney-weather-air-pollution-alert-as-temperatures-to-hit-47-across-nsw-this-week-20170109-gtojlj.html">southeastern Australia swelters</a> through another heatwave, how well equipped are our hospitals to cope with severe weather events? </p>
<p>Hospitals lie at the heart of our ability to manage the significant potential health impacts of extreme weather events. Many people would be surprised to hear that the vast majority of our hospitals have not been <a href="http://www.tandfonline.com/doi/abs/10.1080/01446193.2016.1165856?journalCode=rcme20">designed with these risks in mind</a>. And they have <a href="http://www.tandfonline.com/doi/abs/10.1080/09613218.2016.1097805?journalCode=rbri20">not been adapted</a> to ensure they can maintain healthcare services during such events.</p>
<p>The recent <a href="https://theconversation.com/keeping-one-step-ahead-of-pollen-triggers-for-thunderstorm-asthma-69408">thunderstorm asthma outbreak</a> in Melbourne, which was <a href="http://www.abc.net.au/news/2016-12-08/victorian-coroner-to-investigate-thunderstorm-asthma-deaths/8104066">linked to eight deaths</a> and put 8,500 people in hospital, is a vivid example of the health impacts of extreme weather. Such events can be life-threatening, especially for the aged, obese and critically ill.</p>
<p>Individually, health services workers do a remarkable job in coping with such events. However, the buildings they work in and the infrastructure that supports them often constrain their ability to respond. </p>
<p>Stories of power outages and of sick people waiting hours for beds and patients dying because hospitals were overstretched do not inspire confidence in the health system as Australia faces the prospect of <a href="http://www.climatecouncil.org.au/uploads/9901f6614a2cac7b2b888f55b4dff9cc.pdf">more frequent extreme weather events</a> such as <a href="https://www.healthdirect.gov.au/hot-weather-risks-and-staying-cool">heatwaves</a>, <a href="https://www.healthdirect.gov.au/floods-and-cyclones">floods and storms</a>.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=387&fit=crop&dpr=1 600w, https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=387&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=387&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=486&fit=crop&dpr=1 754w, https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=486&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/152204/original/image-20170109-9899-1e553ly.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=486&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">A map of temperatures like this one for Wednesday, January 11, spells trouble for health services across Australia.</span>
<span class="attribution"><span class="source">Bureau of Meteorology</span></span>
</figcaption>
</figure>
<h2>Warning bells are ringing</h2>
<p>During the 2014 heatwave in South Australia, when Adelaide became the <a href="https://www.theguardian.com/world/2014/jan/16/adelaide-heatwave-could-break-all-records-pipping-461c-mark-set-in-1939">hottest place on the planet</a>, <a href="https://ij-healthgeographics.biomedcentral.com/articles/10.1186/1476-072X-9-41">heart attack rates</a> increased <a href="http://www.abc.net.au/news/2016-03-02/australia-underprepared-to-deal-with-killer-heat-report-says/7212408">by more than 300%</a>. Other emerging extreme weather health risks include <a href="https://theconversation.com/smoke-from-bushfires-poses-a-health-hazard-for-all-of-us-11493">asthma from bush fires</a>, increasing waterborne and <a href="https://theconversation.com/is-climate-change-to-blame-for-outbreaks-of-mosquito-borne-disease-39176">vector diseases</a> such as <a href="https://www.healthdirect.gov.au/malaria">malaria</a>, <a href="https://theconversation.com/a-tale-of-three-mosquitoes-how-a-warming-world-could-spread-disease-43471">dengue fever</a> and <a href="https://www.healthdirect.gov.au/typhoid-and-paratyphoid">typhoid</a>, <a href="https://www.healthdirect.gov.au/dehydration">dehydration</a> and <a href="https://www.healthdirect.gov.au/heatstroke">heat exhaustion</a>, and physical injury from flying debris and floods.</p>
<p>There are many reports of hospital buildings and infrastructure <a href="http://www.emeraldinsight.com/doi/abs/10.1108/17595901111167097">failing during extreme weather events</a> in Australia. For example, <a href="http://www.climatecouncil.org.au/uploads/9901f6614a2cac7b2b888f55b4dff9cc.pdf">power outages</a> have affected numerous hospitals and back-up systems reportedly failed during the 2004 heatwaves that swept Australia. </p>
<p>During the 2005 Sydney heatwaves, <a href="http://www.smh.com.au/news/national/hospitals-swamped-as-heatwave-kicks-in/2005/12/29/1135732694090.html">hospitals were swamped</a>. Many people were simply seeking respite in air-conditioned reception areas.</p>
<p>In 2006, Cyclone Larry <a href="http://statements.qld.gov.au/Statement/Id/45207">closed much of Innisfail Hospital</a>. Staff required medical support from Townsville and Cairns hospitals. Herberton Hospital was without power until a generator was provided. Leaking roofs resulted in emergency evacuations. </p>
<p>In 2009, one-in-100-year storms left more than <a href="http://www.abc.net.au/news/2009-04-01/flooded-coffs-harbour-declared-disaster-zone/1638018">3,000 NSW residents stranded</a> by floods, many of them old and seriously at risk. Floodwaters isolated Coffs Harbour, Dorrigo and Bellingen hospitals. People needing urgent medical treatment had to be sent up to 80 kilometres away.</p>
<p>Most recently, after super-cell thunderstorms blacked out South Australia, <a href="http://www.sbs.com.au/news/article/2016/09/29/adelaide-hospitals-back-power-fails">back-up generators failed</a> at an Adelaide hospital. Seventeen patients had to be transferred from Flinders Medical Centre to Flinders Private Hospital. </p>
<h2>What are the systemic problems?</h2>
<p>These stories are worrying, but perhaps not surprising, given that most of our hospitals were designed when these risks were not on the horizon. In the quest for cheap land not suited to commercial development, many hospitals have been built in areas prone to floods and storms. And many are built out of materials and designed in a way that could increase the risk to patients during extreme weather events. </p>
<p>Hospitals face many challenges in adapting to a changing climate. <a href="http://www.arcom.ac.uk/-docs/proceedings/6f43d85eb7a4398cc685ba4988a57e28.pdf">Our research</a> identified a long list of issues, including:</p>
<ul>
<li><p>underfunded building and infrastructure maintenance and capital works programs</p></li>
<li><p>poor road access for new patients and back-up medical supplies</p></li>
<li><p>generators built in basements prone to flooding</p></li>
<li><p>lack of accommodation for staff trapped on site</p></li>
<li><p>poor coordination with other emergency and health agencies such as aged care</p></li>
<li><p>access roads being cut off</p></li>
<li><p>managers who do not understand the role of buildings in healthcare delivery</p></li>
<li><p>buildings and infrastructure that cannot adapt to changing healthcare needs and patient surges during extreme weather events.</p></li>
</ul>
<p>The impacts of extreme weather on hospital buildings and infrastructure and how these influence service delivery during such events have been neglected. These aspects of disaster planning systems need to be properly considered. </p>
<p>In the high-pressured, resource-stretched, highly politicised and hierarchical health sector, current disaster management practices too often overlook the role of buildings and infrastructure. </p>
<p>While severely limited resources are understandably directed towards frontline health service needs, the current system is creating a stock of health buildings and infrastructure that represent a risk, rather than an asset, to quality healthcare delivery during extreme weather events.</p>
<p>The designers and facilities managers of new hospitals are now required to think about these risks, but our understanding of how to mitigate the risks is poor. This means most of our hospitals and other health facilities remain vulnerable to the inevitable extreme weather events in the future. </p>
<p>It’s a matter of time before we see the next headline about needless death and suffering due to a hospital being poorly designed to cope with an extreme weather event. </p>
<h2>How do we fix these problems?</h2>
<p>The problems would be easier to overcome if we had a more holistic approach to disaster management planning. Such planning needs to better integrate the organisational and built environment aspects of hospital resilience. </p>
<p>This will require a paradigm shift in hospital disaster management. That, in turn, requires an emphasis on involving all hospital stakeholders in disaster management planning. </p>
<p>Hospital infrastructure design, planning, construction and ongoing maintenance need to be revisited. Robust quality control will be required to ensure compliance with improved standards consistent with changing needs. </p>
<p>We will inevitably need to redirect and find additional resources for building adaptation and modification. However, this is probably why nothing will change until we have a disaster big enough to force policymakers to change. Such is life … and death.</p>
<p class="fine-print"><em><span>Martin Loosemore receives funding from the Australian Research Grants Council, including for research cited in this article. </span></em></p>
<p class="fine-print"><em><span>Anumitra Mirti Chand does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.</span></em></p>
Most of our hospitals were not designed to cope with the health impacts of future extreme weather. And hospital infrastructure has not been adapted to secure health care during such events.
Martin Loosemore, Professor, Construction Management Program, Built Environment, UNSW Sydney
Anumitra Mirti Chand, Researcher, City Futures Research Centre, UNSW Sydney
Licensed as Creative Commons – attribution, no derivatives.
tag:theconversation.com,2011:article/59533 2016-05-31T00:08:50Z 2016-05-31T00:08:50Z
Election FactCheck: Has public infrastructure investment fallen 20% under the Coalition?
<p><div data-react-class="Tweet" data-react-props='{"tweetId":"727435682839298052"}'></div></p>
<p>Infrastructure spending is never far from the headlines, especially during an election campaign.</p>
<p>But was Labor right to say in a tweet that public sector infrastructure investment has fallen 20% under the Abbott-Turnbull government? </p>
<h2>Checking the source</h2>
<p>When asked for sources on this claim on Twitter, a Labor spokesperson referred The Conversation to engineering construction data from the Australian Bureau of Statistics between the September quarter of 2013 (when the Coalition government was elected) and September 2015. </p>
<p>The Labor spokesperson said of the ABS <a href="http://abs.gov.au/AUSSTATS/abs@.nsf/Lookup/8762.0Explanatory%20Notes1Sep%202015?OpenDocument">data</a>:</p>
<blockquote>
<p>The relevant table in Table 1 is A1831482J – value of work done for the public sector. We compare the September 2015 quarter with September 2013 quarter when the Coalition was elected. This includes infrastructure work done for the public sector by both the private sector and the public sector. This shows a fall from $7666 million to $6121 million – a fall of 20.2%. </p>
</blockquote>
<iframe src="https://datawrapper.dwcdn.net/secIa/1/" frameborder="0" allowtransparency="true" allowfullscreen="allowfullscreen" webkitallowfullscreen="webkitallowfullscreen" mozallowfullscreen="mozallowfullscreen" oallowfullscreen="oallowfullscreen" msallowfullscreen="msallowfullscreen" width="100%" height="400"></iframe>
<h2>Is a 20% fall accurate?</h2>
<p>To start with, this claim is out of date. </p>
<p>The number quoted in a press release issued by the shadow minister for infrastructure, Anthony Albanese, was correct when he first went public with this claim, in <a href="http://anthonyalbanese.com.au/new-figures-highlight-coalitions-ongoing-infrastructure-failure">January 2016</a>.</p>
<p>At the time of the above <a href="https://twitter.com/australianlabor/status/727435682839298052">tweet</a>, it reflected figures from the ABS’ <a href="http://abs.gov.au/AUSSTATS/abs@.nsf/DetailsPage/8762.0Sep%202015?OpenDocument">September 2015 report</a> (released 13 January). But those figures were out of date by the time the tweet was issued on May 3. The <a href="http://abs.gov.au/AUSSTATS/abs@.nsf/DetailsPage/8762.0Dec%202015?OpenDocument">December 2015 report</a> was released on March 30.</p>
<p>The most recent figures have revised the September 2015 number. Now the data show that between September 2013 and September 2015 there was only a 17% drop in real terms. Using the newer data, the September 2013 to December 2015 comparison shows an even smaller drop of 15%.</p>
<h2>Is the decrease attributable to the Coalition?</h2>
<p>The second question is whether this is really driven by the Coalition government, as the tweet implies.</p>
<p>For one thing, it could be argued there is a lag between a new government being sworn in and a significant impact on infrastructure work done. The Coalition government didn’t release a <a href="http://www.budget.gov.au/2014-15/">budget</a> until May 2014, but from the chart we have constructed below it is clear that engineering work had begun to decline in late 2012. </p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/124522/original/image-20160530-7715-cltc7.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Author provided.</span></span>
</figcaption>
</figure>
<p>By September 2013, public sector engineering work had already declined 9% over the past year. The change of government has certainly not halted the decline in infrastructure spending, but the decline began under Labor.</p>
<h2>Who else is responsible for public sector infrastructure?</h2>
<p>It’s also inaccurate to lay the full decline in infrastructure investment at the door of the federal government of the day. </p>
<p>The engineering activity includes <a href="http://abs.gov.au/AUSSTATS/abs@.nsf/Lookup/8762.0Explanatory%20Notes1Dec%202015?OpenDocument">spending by state and local governments</a>, as well as federal money. State governments mostly have the ultimate decision on major infrastructure, and <a href="http://grattan.edu.au/wp-content/uploads/2016/04/869-Roads-to-Riches.pdf">state spending on infrastructure</a> is more than double that of the federal government. While the amount of federal funding, and the projects to which it is directed, will certainly influence the level of state spending on infrastructure, it is far from being the only factor.</p>
<p><a href="http://www.budget.gov.au/2016-17/content/bp3/download/BP3_consolidated.pdf">Federal budget papers</a> show changes in the level of federal infrastructure investment. The majority of federal infrastructure spending is in the form of payments to support state infrastructure services. The chart below shows that these payments are very lumpy from year to year, and it is difficult to determine any clear trends. Federal infrastructure spending is weighted towards larger projects, so these jumps up and down from year to year are to be expected.</p>
<figure class="align-center zoomable">
<a href="https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/124521/original/image-20160530-7706-nrc35l.png?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption"></span>
<span class="attribution"><span class="source">Author provided.</span></span>
</figcaption>
</figure>
<p>An alternative assessment of infrastructure trends under the Coalition government is to look at the first two Coalition budget years (2014-15 and 2015-16) against the two preceding financial years. This gives an overall increase of 9% in real terms. </p>
<p>Given the lumpiness of spending, however, it is difficult to draw any sensible conclusion about the trend in federal infrastructure investment based on this number alone.</p>
<h2>Verdict</h2>
<p>Labor’s tweet was inaccurate. The ABS figures from which Labor had sourced its information were up to date in January 2016 but out of date by the time the tweet was issued in May.</p>
<p>It is also an exaggeration to link an overall decrease in public infrastructure investment to the federal government, given its relatively small share of spending in this area. <strong>– Marion Terrill and Owain Emslie</strong></p>
<hr>
<h2>Review</h2>
<p>I agree with the findings and the thrust of this fact-finding mission. It’s probably true to say that the ALP statement may not have been meant to be misleading but was indeed an error based on not having the most recent data.</p>
<p>However, it’s also true that most people in the industry would know that the federal government are never the biggest player in this space and so can’t take the blame for the bad news – or the fame for the good news – on infrastructure spending.</p>
<p>Infrastructure is an issue for all three levels of government. Urban rail infrastructure, for example, requires partnership between all three levels of government, and the private sector. It’s a bit much to ask during an election campaign, but I look forward to the time when we are ready to advance Australia in this way. <strong>– Peter Newman</strong></p>
<hr>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>Labor says that public sector infrastructure investment has fallen 20% under the Abbott-Turnbull government. Is that right?Marion Terrill, Transport Program Director, Grattan InstituteOwain Emslie, Associate, Grattan InstituteLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/575492016-04-27T20:14:08Z2016-04-27T20:14:08ZBudget explainer: does Australia really have an infrastructure deficit?<p>While it has become <a href="http://www.treasury.gov.au/PublicationsAndMedia/Newsroom/Speeches/2016/GIH-Conference">conventional</a> <a href="http://www.theaustralian.com.au/business/business-spectator/how-to-spend-it-australias-infrastructure-deficit/news-story/72fa2605f4ef5669c377348c03fdf3d9">wisdom</a> that Australia has an <a href="http://jbh.ministers.treasury.gov.au/media-release/035-2014/">infrastructure</a> deficit, there is remarkably little shared understanding of what that means. </p>
<p>Does it mean that today’s infrastructure is substandard, or is it that we’re not equipped for tomorrow’s infrastructure needs? And how do we even know what we really need, as opposed to what’s on everyone’s wish list?</p>
<p>There is a lot of talk about building physical infrastructure, but it’s the services that these assets provide – like mobility, an internet connection and electricity – that really matter.</p>
<p>So the question is not whether we have built <em>enough</em> infrastructure, but whether it is delivering the quantity and quality of infrastructure services we need now and in the future.</p>
<h2>Billions at stake</h2>
<p>This is not a matter of idle curiosity. Infrastructure gaps and deficits are used to argue for more government spending, and the amounts at stake are huge. </p>
<p>There is no shortage of estimates of the size of Australia’s infrastructure gap, each spanning into the hundreds of billions of dollars. If we take seriously some of the claims about the size of the deficit, tackling it would require spending of more than 40% of Australia’s annual GDP. </p>
<p>But it is worth remembering that an infrastructure deficit can only exist relative to some benchmark, and it’s far from clear what that benchmark should be. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/118860/original/image-20160415-11423-1vv8rl9.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
</figcaption>
</figure>
<p>The 2013 <a href="http://infrastructureaustralia.gov.au/policy-publications/publications/files/2013_IA_COAG_Report_National_Infrastructure_Plan_LR.pdf">National Infrastructure Plan</a> produced by the Commonwealth Government’s advisory body, Infrastructure Australia, found that: </p>
<blockquote>
<p>We still face a significant infrastructure deficit, estimated at around A$300 billion.</p>
</blockquote>
<p>Engineers Australia’s 2010 <a href="https://www.engineersaustralia.org.au/sites/default/files/shado/Infrastructure%20Report%20Cards/Australian/2010%20Australian%20IRC%20Report.pdf">Infrastructure Report Card</a> stated:</p>
<blockquote>
<p>The investment in infrastructure has still not caught up with the estimated $A700 billion shortfall caused by years of under-investment.</p>
</blockquote>
<p>Neither of these bodies defines the infrastructure gap or specifies how it arrived at its estimate.</p>
<p>Infrastructure Partnerships Australia <a href="http://www.infrastructure.org.au/DisplayFile.aspx?FileID=207">assessed</a> the size of Australia’s infrastructure investment task as $A700 billion by adding up the value of a <a href="http://www.infrastructure.org.au/Content/priorities.aspx">list</a> of potential projects that could be built, on the assumption that they all needed to be built. </p>
<p>Similar estimates have been produced by investment banks Citigroup ($A770 billion) and ABN AMRO ($A445 billion). A <a href="http://www.borsaitaliana.it/bitApp/view.bit?lang=it&target=StudiDownloadFree&filename=pdf%2F71406.pdf">summary</a> of the Citigroup report states that: </p>
<blockquote>
<p>Around $A770 billion (2007 dollars) needs to be spent on economic infrastructure over the next 10 years to adequately improve its quality and functionality.</p>
</blockquote>
<p>Despite being widely <a href="http://www.infrastructure.org.au/DisplayFile.aspx?FileID=442">cited</a> as evidence of the need to boost infrastructure spending, neither of the methodologies underpinning the estimates from Citigroup or ABN AMRO is publicly available. </p>
<p>A striking exception to the deficit estimates is the surplus figure in a <a href="http://www.mckinsey.com/global-themes/europe/secular-stagnation-and-low-investment-breaking-the-vicious-cycle">McKinsey report</a>. </p>
<p>In this report, McKinsey estimates Australia is spending 1.2% of GDP more on infrastructure for the period 2008-2013 than is required to meet its expected needs until 2030. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/118862/original/image-20160415-11458-y22izb.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption"></span>
</figcaption>
</figure>
<p>But the McKinsey study only illuminates the challenges of producing a top-down estimate of Australia’s infrastructure needs. Instead of evaluating Australia’s infrastructure needs, the authors conclude that Australia is overspending on infrastructure by adopting the <a href="http://www.mckinsey.com/industries/infrastructure/how-we-help-clients/iss">curious</a> assumption that the optimal value of infrastructure is 70% of GDP. </p>
<h2>What we should be measuring</h2>
<p>If we seriously want to know whether we face an infrastructure deficit, we would need to establish some benchmark level for the quality of services that should be provided. </p>
<p>We might, for example, set a maximum time to make a particular journey, and measure how well our infrastructure enables that service standard. If trips regularly take longer, we might decide that we need a new railway line or an extra highway lane. </p>
<p>New capital spending won’t always be the best solution. As <a href="http://infrastructureaustralia.gov.au/policy-publications/publications/files/Australian_Infrastructure_Plan.pdf">Infrastructure Australia</a> points out, it is often possible to make better use of existing infrastructure – by better scheduling of rail services, or introducing congestion charging for roads in peak periods, for example. A deficit would only exist where infrastructure was being used efficiently and unmet demand remained.</p>
<p>When governments and firms make infrastructure investment decisions, they do so against the backdrop of a system that is already mature. They are not deciding how to build a network from scratch; the real question is what additions to the system are most needed.</p>
<p>In practice, the only way to ensure that new increments to the system are worth the cost is to subject them to a rigorous, like-for-like analysis of claimed project benefits and expected costs. If a project’s benefits exceed its costs, then by definition, it will help close any infrastructure deficit we might be facing.</p>
<p>The fact is, nobody really knows whether Australia has an infrastructure deficit or not. Recent figures attempting to quantify such a deficit in fact shed little light on whether the infrastructure we have is too little, too much or just right. Spending vast sums of money on infrastructure is only useful if each additional investment has benefits that outweigh its costs to the community.</p>
<p class="fine-print"><em><span>The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.</span></em></p>How can we tell whether we have an infrastructure deficit? And if we do, how big is it?Marion Terrill, Transport Program Director, Grattan InstituteBrendan Coates, Senior Associate, Grattan InstituteLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/528322016-01-13T10:53:38Z2016-01-13T10:53:38ZThe cyberattack on Ukraine’s power grid is a warning of what’s to come<figure><img src="https://images.theconversation.com/files/107831/original/image-20160111-6968-cn3maq.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">
</span> <span class="attribution"><a class="source" href="https://commons.wikimedia.org/wiki/File:Leitstand_2.jpg">Steag/VGB Power Tech GmbH</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span></figcaption></figure><p>When more than 100,000 people in and around the Ukrainian city of Ivano-Frankivsk were left without power for six hours, the Ukrainian energy ministry accused Russia of launching a cyberattack on the country’s national energy grid. </p>
<p>Now reports released by security researchers from the <a href="https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid">SANS Industrial Control Systems team</a> and the <a href="https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B">Industrial Control Systems Cyber Emergency Response Team</a> confirm their belief that a cyberattack was responsible for the power cut, making the incident one of the first significant, publicly reported cyberattacks on civil infrastructure.</p>
<p>This is a rare event, of which the most famous example is the <a href="http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet">Stuxnet malware</a> used to destroy equipment in the Iranian nuclear programme. Many consider Stuxnet so sophisticated that national governments must have been involved. But as is frequently the case, attributing responsibility for Stuxnet has proved difficult, and it’s likely that, despite circumstantial evidence, it will be the same in this case. While the Ukrainian Security Service (SBU) and the international press were quick to blame Russian state-backed hackers, <a href="http://www.ibtimes.com/ukraine-launches-investigation-power-grid-cyberattack-blamed-russia-2246206?rel=rel1">Moscow has remained silent</a>.</p>
<figure class="align-right zoomable">
<a href="https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=1000&fit=clip"><img alt="" src="https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=237&fit=clip" srcset="https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=450&fit=crop&dpr=1 600w, https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=450&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=450&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=566&fit=crop&dpr=1 754w, https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=566&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/107836/original/image-20160111-6964-9ry0hd.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=566&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px"></a>
<figcaption>
<span class="caption">When control systems turn bad.</span>
<span class="attribution"><a class="source" href="https://www.flickr.com/photos/dbrulz/215262489/in/gallery-physicsclassroom-72157625472900755/">David Becher</a>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<p>Experts examining the attack in Ukraine found that <a href="https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf">BlackEnergy malware</a> appeared to have been used to gain entry to the national grid’s systems. Certainly BlackEnergy has in the past been used for launching distributed denial of service (DDoS) attacks, cybercrime, information theft, <a href="https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B">global infection of industrial control systems</a> and <a href="http://www.welivesecurity.com/2014/09/22/back-in-blackenergy-2014/">targeted attacks against Ukraine and Poland</a>. BlackEnergy is seen as the calling card of the <a href="http://uk.reuters.com/article/us-ukraine-cybersecurity-sandworm-idUKKBN0UM00N20160108">Sandworm hacking group</a>, which has been <a href="http://www.wired.com/2014/10/russian-sandworm-hack-isight/">linked to the Russian state</a>.</p>
<p>While the researchers found no evidence that BlackEnergy was directly used to bring down the power supply, forensic analysis has revealed a multi-pronged attack. After the power was cut, denial of service attacks were deployed to try to prevent error messages from reaching service personnel, while the malware wiped the control systems’ servers in order to delay repair and cover its tracks. This attention to detail suggests the attack was indeed aimed deliberately at these particular electricity facilities. </p>
<h2>The spread of technical sophistication</h2>
<p>One consequence of this incident is that many more governments have become acutely aware of the potential vulnerabilities of national civilian infrastructure such as electricity, gas, water and transport networks. Questions regarding the vulnerability of the national grid <a href="http://bigstory.ap.org/article/c8d531ec05e0403a90e9d3ec0b8f83c2/ap-investigation-us-power-grid-vulnerable-foreign-hacks">are being asked in the US</a>, for example. </p>
<p>Inevitably, such attacks also cause tensions between nations. But it’s worth noting that a tense international situation does not necessarily imply that one party is responsible for an attack on another. The increasing availability of sophisticated malware that can be found online has lowered the bar to launching a sophisticated attack – though a successful attack is still regarded as very difficult – meaning that there are many potential culprits. A rush to judgement is inadvisable: the Russians were blamed for the Baku-Tbilisi-Ceyhan oil pipeline explosion in 2008, for example, since the Russo-Georgian war began two days later. This conclusion has since <a href="http://www.sueddeutsche.de/digital/tuerkei-ermittler-schliessen-cyberangriff-bei-pipeline-explosion-aus-1.2529345">been challenged</a>. </p>
<figure class="align-center ">
<img alt="" src="https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&fit=clip" srcset="https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=600&h=400&fit=crop&dpr=1 600w, https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=600&h=400&fit=crop&dpr=2 1200w, https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=600&h=400&fit=crop&dpr=3 1800w, https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=754&h=503&fit=crop&dpr=1 754w, https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=30&auto=format&w=754&h=503&fit=crop&dpr=2 1508w, https://images.theconversation.com/files/107835/original/image-20160111-6964-1f9gymp.jpg?ixlib=rb-1.1.0&q=15&auto=format&w=754&h=503&fit=crop&dpr=3 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">
<figcaption>
<span class="caption">Vulnerable industrial control systems that run, build and monitor things are all around us.</span>
<span class="attribution"><span class="source">BMW Werk Leipzig</span>, <a class="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA</a></span>
</figcaption>
</figure>
<h2>Old equipment faces new problems</h2>
<p>Industrial control systems – those used in all manner of infrastructure in healthcare, manufacturing, utilities, and transport – are moving from high-cost, proprietary hardware and software provided by a handful of specialist companies towards cheaper, more flexible off-the-shelf systems. This increases the scope for attack as the systems are more easily available to practice on. </p>
<p><a href="https://files.sans.org/summit/ics2015/PDFs/Project_SHINE_What_We_Discovered_and_Why_You_Should_Care_Bob_Radvanovsky_Infracritical.pdf">Project SHINE</a> used the <a href="https://www.shodan.io/">SHODAN search engine</a> to discover what level of risk is posed by internet-connected industrial control devices. In January 2014 the project wound up due to the rate at which new devices were appearing – more than a million at the final count.</p>
<p>The problem is that the industrial control systems now being connected to the internet were designed in the pre-internet era. The underlying protocols and components take no account of modern internet threats and so are inherently insecure. These vulnerabilities have led to <a href="http://www.bbc.co.uk/news/technology-30575104">economic damage and lost production</a>, <a href="http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Maroochy-Water-Services-Case-Study_report.pdf">environmental damage</a>, <a href="http://csrc.nist.gov/groups/SMA/fisma/ics/documents/Bellingham_Case_Study_report%2020Sep071.pdf">injury and loss of life</a>, and scale up to potentially catastrophic nationwide effects, as in Ukraine.</p>
<p>While there have been relatively few attacks so far, as more off-the-shelf consumer-grade hardware and software finds its way into critical infrastructure a growing number of highly-skilled “black hat” hackers, motivated by malice, greed or politics, will find ways to exploit these vulnerabilities. With their rudimentary defences, many industrial control systems are no match. Unfortunately staff within many organisations are ill-prepared to prevent, identify or respond; the growing attentions of attackers, together with this lack of knowledge and some complacency, is a recipe for enormous harm. </p>
<p>Further clouding the picture is the rapid progress towards an Internet of Things, where physical objects of all types are connected to, and controlled over, the internet. This will underpin the next generation of industrial systems, but will also be common throughout government, business and the home. If we do not learn the lessons of Ukraine and think deeply about the potential threats, there is a very real prospect of major economic and social damage. We must look hard at what is coming and prepare for the worst.</p>
<p class="fine-print"><em><span>Nilufer Tuptuk receives a PhD studentship from EPSRC (Engineering and Physical Sciences Research
Council). </span></em></p><p class="fine-print"><em><span>Stephen Hailes receives funding from EPSRC. He is a Co-I on a recently granted IoT research hub on privacy, ethics, trust, reliability, acceptability, and security.</span></em></p>The cyberattack that brought down a city’s power supply in Ukraine is a cautionary tale for what lies ahead.Nilufer Tuptuk, PhD Candidate, UCLStephen Hailes, Professor of Wireless Systems, UCLLicensed as Creative Commons – attribution, no derivatives.tag:theconversation.com,2011:article/375112015-03-11T00:44:44Z2015-03-11T00:44:44ZProtecting critical infrastructure in a world of infinite attacks<figure><img src="https://images.theconversation.com/files/74256/original/image-20150310-13579-lic3ic.jpg?ixlib=rb-1.1.0&q=45&auto=format&w=496&fit=clip" /><figcaption><span class="caption">As transport networks increasingly rely on technology, protecting the systems underpinning them is a growing priority around the world.</span> <span class="attribution"><span class="source">Image sourced from Shutterstock.com</span></span></figcaption></figure><p><em>US President Barack Obama is seeking US$14 billion to tackle it. The UK wants to build a start-up industry around it. And Australia is in the middle of what could be a year-long review into getting better at it. The issue is cyber security, and at risk is the entire digital economy and consumer confidence in it. In this <a href="https://theconversation.com/au/topics/cyber-insecurity">Cyber insecurity series</a> we investigate the size and nature of the cyber crime threat, the industry growing with it, and the solutions emerging to get in front of it.</em></p>
<hr>
<p>The systems responsible for controlling and monitoring most of our national infrastructure, the services that our society relies on, are known as Supervisory Control and Data Acquisition (SCADA) systems.</p>
<p>These systems, on which infrastructure such as power stations, water distribution, roads and public transport relies, are increasingly the target of cybercriminals. Needless to say, any disruptions to such systems could at best result in financial disasters and at worst the loss of lives.</p>
<p>Faced with increasing and more sophisticated cyber attacks, governments and the private sector need to find increasingly innovative ways to protect themselves. These are the weapons of the future. There will be future wars based on this - you don’t need to attack a country’s military when you can attack it economically. If you stop the electrical system of New York, New York will collapse.</p>
<p>In the past, SCADA systems, and consequently the infrastructure they monitor and control, were somewhat protected because they relied on proprietary technologies of which the wider IT industry had little awareness. The industry was very closed, and little information spread beyond the SCADA community. Today, SCADA systems have evolved from standalone, proprietary solutions and closed networks into large-scale, highly distributed computing systems operating over open networks such as the internet. In addition, the hardware and software utilised by SCADA systems are now, in most cases, based on COTS (Commercial Off-The-Shelf) solutions.</p>
<p>Although such changes have increased the efficiency and sophistication of the services provided, they have also increased their vulnerability to malicious and sophisticated attacks. The once closed, proprietary software and hardware infrastructure is now vulnerable to attacks originating from external (internet) and internal corporate networks. The attacks plaguing such systems are the same ones that have been affecting ordinary systems over the years, such as viruses, trojans and worms. Additionally, the network protocols used by SCADA systems were not designed with security requirements in mind. For instance, the majority of protocols do not support any type of encryption. </p>
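<p>The missing protections can be seen in the frame layout itself. The following is an added example, not part of the original article: a passive monitor for classic Modbus/TCP, a widely deployed SCADA protocol that the article does not name and that is assumed here as the instance. The function names <code>parse_adu</code> and <code>review</code>, the addresses and the captured frames are all constructed for illustration.</p>

```python
import struct

# Function codes that change process state (public Modbus specification).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}

def parse_adu(frame: bytes) -> dict:
    """Decode one Modbus/TCP frame: 7-byte MBAP header, then the PDU.

    Every field is cleartext. The frame carries no credential, signature
    or integrity code, so the receiver cannot tell who sent it.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id plus PDU
        raise ValueError("length field does not match frame size")
    adu = {"transaction": tid, "unit": unit, "function": frame[7]}
    if adu["function"] in WRITE_FUNCTIONS and len(frame) >= 12:
        adu["address"], adu["value_or_count"] = struct.unpack(">HH", frame[8:12])
    return adu

def review(capture, allowed_writers):
    """Flag malformed frames and writes from hosts not on the allowlist.

    The network source address is the only identity available, because
    the protocol supplies none of its own.
    """
    alerts = []
    for src, frame in capture:
        try:
            adu = parse_adu(frame)
        except ValueError as err:
            alerts.append((src, f"malformed frame: {err}"))
            continue
        name = WRITE_FUNCTIONS.get(adu["function"])
        if name and src not in allowed_writers:
            alerts.append((src, f"{name} to unit {adu['unit']} address {adu.get('address')}"))
    return alerts

# Constructed capture: (source address, raw frame). Addresses are documentation-range.
CAPTURE = [
    ("192.0.2.10", bytes.fromhex("000100000006010300000002")),  # read 2 registers
    ("192.0.2.10", bytes.fromhex("000200000006010600100064")),  # HMI sets reg 16 = 100
    ("192.0.2.99", bytes.fromhex("0003000000060106001003e8")),  # unlisted host sets reg 16
    ("192.0.2.99", bytes.fromhex("00040000")),                  # truncated frame
]
```

<p>Because the allowlist rests on a source address rather than on anything inside the message, it is a compensating control for monitoring and segmentation, not a substitute for an authenticated protocol.</p>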
<p>Over the last few years there has been a push from the computer security industry to adapt its security tools and techniques to address the security issues of SCADA systems. You can see this in the number of conferences dedicated to SCADA systems or with tracks dedicated to them.</p>
<p>At the same time, the US government together with industry has put in place a set of standards and regulations related to protecting SCADA systems. Those initiatives are probably on track to reach the level of security currently deployed on enterprise and personal computer systems. However, as we all know, this is not sufficient; otherwise successful malicious attacks on computer systems would be non-existent.</p>
<h2>No more security through obscurity</h2>
<p>For many years the security industry has tried to improve and fix the security on computer systems. Security has improved immensely over the last decade, but we are nowhere close to totally secure systems. Statements made by people from the security industry corroborate this view. Recently, a CTO of a security company <a href="http://www.wired.com/threatlevel/2012/06/internet-security-fail/">wrote</a> about why anti-virus companies did not catch viruses such as Stuxnet and Flame, worms built to attack SCADA systems. He acknowledged anti-virus products made for regular consumers will not protect against well-resourced adversaries. This means many things. First, the use of COTS hardware and software in critical systems may be a terrible idea. Second, anti-virus companies will never reach the level of sophistication of a well-resourced adversary. </p>
<p>Given the growing awareness of the internals of SCADA systems, the once proudly used “security through obscurity” mantra no longer applies. Searching for the keyword “SCADA” on the <a href="http://en.wikipedia.org/wiki/Open_Source_Vulnerability_Database">Open Source Vulnerability Database</a> (OSVDB), an initiative that catalogues vulnerabilities on computers, returns more than 300 hits (vulnerabilities).</p>
<h2>Living with malicious attacks</h2>
<p>Security systems based on prevention and interdiction are not offering the desired level of security, and are not enough for SCADA systems, which have different requirements to general corporate systems. SCADA systems are widely distributed, rely on multiple technologies, have limited resources, and mix real-time and non-real-time operations. More importantly, they have different needs regarding their availability, reliability and security, among other things.</p>
<p>Rather than trying to achieve an attack-free system, the focus is shifting to providing an acceptable level of service even in the presence of malicious attacks. Various researchers from the Cyberspace and Security Group at RMIT are tackling these issues, including devising <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6373723&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F9424%2F4389054%2F06373723.pdf%3Farnumber%3D6373723">new models</a> to improve availability of services even if cyber attacks occur (through replication of essential services). They are also working on <a href="http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=5683323&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D5683323">detecting attacks in real-time</a> (using new clustering algorithms to summarise data and detect abnormal behavior). The future is about making systems robust enough that they can survive and keep operating during an attack.</p>
<p class="fine-print"><em><span>Zahir Tari receives funding from ARC (Australian Research Council)
- LP110100602: Detecting Supervisory Control and Data Access (SCADA) malicious programs to protect Australian critical infrastructures.
- LP100100404: Designing Distributed Intrusion Detection Systems for Critical Industrial Infrastructures
- LP100200538: Developing Smart Embedded Host‑based Intrusion Detection Systems</span></em></p><p class="fine-print"><em><span>Carlos Queiroz is affiliated with ACM and IEEE.</span></em></p>
A security rethink is required for protecting critical infrastructure - and it relies on accepting not all attacks can be prevented.
Zahir Tari, Professor in Distributed Systems, School of Computer Science and IT, RMIT University
Carlos Queiroz, PhD, RMIT University
Licensed as Creative Commons – attribution, no derivatives.