Defining Critical Infrastructure
It Can Consist of Data, Voice, Video but Must Be Vital
How should critical information infrastructure be defined?
The term is used all of the time, and we know that about 85 percent of the nation's critical information infrastructure is owned by the private sector.
Draft legislation circulating on Capitol Hill takes a stab at defining the term (see Draft Bill Eyes Strong DHS Role in Cybersecurity). A critical infrastructure information system, the draft says, means "any physical or virtual information system, no matter where such system exists, that controls, processes, transmits, receives or stores electronic information in any form, including data, voice or video, that is vital to the functioning of critical infrastructure or owned or operated by or on behalf of a state or local government."
Critical infrastructure (and the IT that helps support it) controls the likes of the nation's electricity, natural gas and oil generation and distribution, food production and allocation, public health, water supply, telecommunications and transportation.
The draft legislation also characterizes critical infrastructure as meaning any facility or function that, by way of cyber vulnerability, destruction, disruption or unauthorized access, would result in one or more of the following:
- Loss of thousands of lives.
- Major economic disruption, including the immediate failure of, or loss of confidence in, a major financial market; sustained disruption of financial systems that would lead to long-term catastrophic economic damage to the United States.
- Mass evacuations of a major population center for longer than 30 days.
- Severe degradation of national security or national security capabilities, including intelligence and defense functions, but excluding military facilities.
You probably knew all of this. But understanding the definition is merely the beginning.
Congress could take action soon to grant the federal government specific responsibilities to safeguard the mostly privately owned critical infrastructure, tasks that some believe are beyond its legal right. Getting involved to help determine the role government should have over the critical infrastructure, one way or another, is something that shouldn't be left solely to lawmakers.