Elgin M Brunner and Manuel Suter INTERNATIONAL CIIP HANDBOOK 2008 / 2009 AN INVENTORY OF 25 NATIONAL AND INTERNATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROTECTION POLICIES Series Editors Andreas Wenger, Victor Mauer and Myriam Dunn Cavelty Center for Security Studies, ETH Zurich CSS ETH Zurich Elgin M Brunner and Manuel Suter INTERNATIONAL CIIP HANDBOOK 2008 / 2009 AN INVENTORY OF 25 NATIONAL AND INTERNATIONAL CRITICAL INFORMATION INFRASTRUCTURE PROTECTION POLICIES Series Editors Andreas Wenger, Victor Mauer and Myriam Dunn Cavelty Center for Security Studies, ETH Zurich Contents Preface Abbreviations Introduction 13 33 Part I: CIIP Country Surveys 45 Australia Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation 47 47 48 51 59 61 Brazil Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Laws and Legislation 83 83 85 88 93 96 Austria  Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Canada Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning Law and Legislation Estonia Critical Sectors  Past and Present Initiatives and Policy Organizational Overview Early Warning and Public Outreach Law and Legislation 65 65 66 70 74 75 101 101 102 106 109 111 115 115 116 121 124 126 Edited by Foxit Reader Contents Copyright(C) by Foxit Software Company,2005-2008 For Evaluation Only Finland Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation 129 129 130 134 139 140 Germany Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation 159 159 160 169 175 177 France Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Hungary Critical Sectors  Past and Present Initiatives and Policy Organizational Overview Early Warning and Public Outreach Law and Legislation India Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Italy Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Japan Critical Sectors Past and Present Initiatives and Policies Organizational Overview  145 145 147 150 154 156 179 179 180 183 186 189 193 193 194 198 203 204 211 211 212 215 220 221 225 225 226 230 Contents Early Warning and Public Outreach Law and Legislation 235 238 Malaysia Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Laws and Legislation 261 261 262 263 267 270 Republic of Korea Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation The Netherlands  Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation New Zealand Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Norway Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Poland Critical Sectors  Initiatives and Policy Organizational Overview Early Warning and Public Outreach Law and Legislation 241 241 242 245 254 256 273 273 275 282 289 290 293 293 294 297 303 303 307 307 309 314 317 319 321 321 322 327 331 335  Contents Russia Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation  337 337 348 347 354 355 Spain Critical Sectors  Past and Present Initiatives and Policy Organizational Overview Early Warning and Public Outreach Law and Legislation 373 373 374 378 387 389 Singapore Critical Sectors Initiatives and Policy Organizational Overview Early-Warning Approaches Law and Legislative Action  Sweden Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation Switzerland Critical Sectors  Past and Present Initiatives and Policies Organizational Overview Early-Warning Approaches and Public Outreach Law and Legislation United Kingdom Critical Sectors Past and Present Initiatives and Policies Organizational Overview Early Warning and Public Outreach Law and Legislation United States Critical Sectors Past and Present Initiatives and Policies Organizational Overview  359 359 360 364 367 369 391 391 392 395 404 405 407 407 408 412 416 418 421 421 422 424 430 432 433 433 435 443 Contents Early Warning and Public Outreach Law and Legislation 454 456 Part II: International Organizations and Forums 463 European Union (EU) Critical Sectors Initiatives and Policies Research and Development Law and Legislation 465 465 468 473 478 Group of Eight (G8) Okinawa Charter on Global Information Society G8 Principles for Protecting Critical Information Infrastructures High-Tech Crime Sub-Group Activities 489 490 490 493 The Forum of IncidentResponse and Security Teams (FIRST) FIRST History Organization Global Initiatives North Atlantic Treaty Organisation (NATO) Civil Communication Planning Committee (CCPC) Civil Protection Committee (CPC) Industrial Planning Committee (IPC) Food and Agriculture Planning Committee (FAPC) Civil Aviation Planning Committee (CAPC) Planning Board for Inland Surface Transportation (PBIST) Planning Board for Ocean Shipping (PBOS) Coordination Special Report to the NATO Parliamentary Assembly 2007 Organisation for Economic Co-operation and Development (OECD) OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security OECD Guidelines for the Protection of Critical Information Infrastructures Culture of Security Website OECD Forums and Workshops United Nations (UN) UN Institute for Disarmament Research (UNIDIR) UN General Assembly Resolutions UN ICT Task Force 485 486 486 487 495 495 497 498 500 500 501 501 501 502 503 504 505 506 507 509 509 510 512  Contents The World Summit on the Information Society (WSIS) International Telecommunication Union (ITU) The World Bank Group The Global Information and Communication Technologies Department (GICT) Information Technology Security Handbook The World Bank’s e-Security / e-Finance efforts 513 514 519 519 520 521 Conclusion 525 Conclusion Critical Sectors Past and Present Initiatives and Policy Organizational Overview Early Warning and Public Outreach Legal Issues International Issues 527 527 533 535 538 540 541 Appendix 547 A1 Countries at a Glance A2 Bibliography / Important Documents A3 Important Links A4 List of Experts 549 591 615 641  Preface The nature of risks and vulnerabilities in modern societies is becoming more and more transnational today An open, non-hierarchical dialog on newly recognized vulnerabilities at the physical, virtual, and psychological levels is needed to create new knowledge and a better understanding of new risks and of their causes, interactions, probabilities, and costs It was on the basis of these premises that the “Crisis and Risk Network” (CRN; www.crn.ethz.ch) was launched in the year 2000 as a joint Swiss-Swedish initiative CRN is an initiative for international dialog on security risks and vulnerabilities, risk analysis and management, emergency preparedness, and crisis management Through the interchange of views, the CRN helps to promote a better understanding of the complex challenges and opportunities confronting the risk community today and serves to establish a collaborative relationship and exchange among experts The International Critical Information Infrastructure Protection (CIIP) Handbook is the product of a joint effort within the CRN partner network The first edition of the CIIP Handbook, published in 2002, provided an inventory of national protection policies in eight countries: Australia, Canada, Germany, the Netherlands, Norway, Sweden, Switzerland, and the United States The 2002 Handbook proved to be such a success that it had to be reprinted soon after first publication The 2004 edition offered updates on the existing country surveys, six new country studies (Austria, Finland, France, Great Britain, Italy, and New Zealand), overview chapters on international protection efforts, legal issues, and current trends in research and development, as well as a more profound methodological section and more in-depth analysis in general The expert base and the number of staff working on the Handbook were both expanded The 2006 edition continued the tradition of the past two editions and went beyond it at the same time: it not only further expanded the country survey section by including India, Japan, Korea, Malaysia, Singapore, and Russia, but it was also accompanied by a second volume with in-depth analysis of key issues related to Appendix European Union (EU) Community Research and Development Information Service (CORDIS) (http://cordis.europa.eu/en/home.html) Critical Information Infrastructure Research Coordination (CI2RCO) (http://www.ci2rco.org) ENISA Build on Synergies – Achieve Impact (http://www.enisa.europa.eu/doc/pdf/management_board/decisions/enisa_wp_ 2008.pdf ) ENISA Inventory of CERT Activities in Europe (http://www.enisa.europa.eu/cert_inventory/downloads/Enisa_CERT_inventory pdf ) ENISA Who is Who Directory on Network and Information Security (http://www.enisa.europa.eu/doc/pdf/deliverables/wiw_v2_2006.pdf ) European Network and Information Security Agency (ENISA) (http://www.enisa europa.eu/index.htm) European Security Research Advisory Board (ESRAB) (http://ec.europa.eu/enterprise/security/articles/article_2006-04-06_en.htm) European Security Research and Innovation Forum (ESRIF) (http://www.esrif.eu) Europe`s Information Society Thematic Portal (http://ec.europa.eu/information_society/index_en.htm) Full text of the Treaty of Lisbon (2007) (http://europa.eu/lisbon_treaty/full_text/index_en.htm) Information Society and Media Directorate General (http://ec.europa.eu/dgs/information_society/index_en.htm) 637 Appendix Group of Eight (G8) G8 Information Centre (http://www.g8.utoronto.ca) G8 Paris Conference on Dialogue between the Public Authorities and Private Sector on Security and Trust in Cyberspace (http://www.g8.utoronto.ca/crime/paris2000.htm) Okinawa Charter on Global Information Society (http://www.g7.utoronto.ca/summit/2000okinawa/gis.htm) North Atlantic Treaty Organization (NATO) Civil Emergency Planning (http://www.nato.int/issues/cep/index.html) Index of organizations involved in Civil Emergency Planning (http://www.nato.int/ issues/cep/role.html) NATO Summit Bucharest (http://www.summitbucharest.ro) Organization for Economic Cooperation and Development (OECD) Organization for Economic Cooperation and Development; Directorate for Science, Technology and Industry (http://www.oecd.org/department/0,3355,en_2649_33703_1_1_1_1_1,00.html) Organization for Economic Cooperation and Development; Policy Brief – The Future of the Internet Economy (http://www.oecd.org/dataoecd/20/41/40789235.pdf ) 638 Appendix United Nations (UN) International Telecommunication Union (ITU) (http://www.itu.int/home/index.html) United Nations (http://www.un.org) United Nations Information and Communication Technologies Task Force (http:// www.unicttaskforce.org) The World Bank Group Global Information and Communication Technologies (http://info.worldbank.org/ict/index.cfm.) InfoDev-Security.net (http://www.infodev-security.net/) Information for Development (infoDev) Program (http://www.infodev.org/en/index.html) World Bank Group (http://www.worldbank.org/) 639 A4 List of Experts Australia • Alex Webling, Attorney-General’s Department, Australian government (2006 + 2008) • Patrick Drake-Brockman, Attorney-General’s Department, Australian govern- • Adam Cobb, Director Stratwise Strategic Intelligence (2004) • Ivan Timbs, National Office for the Information Economy (NOIE) (2002) ment (2006) Austria • Otto Hellwig, Technische Universität Graz (2004 + 2006 + 2008) • Thomas Pankratz, Austrian Federal Ministry of Defense, Bureau for Security • Gerald Torst, Stabsstelle IKT-Strategie des Bundes, Federal Chancellery of the • Nieves Kautny, University of Vienna (2006) • Ralph Schưllhammer, University of Vienna (2006) Policy (2004 + 2006) Republic (2004 + 2006) Brazil • Mariana Balboni, Brazilian Internet Steering Committee (2008) • Regina Maria De Felice Souza, Agờncia Nacional de Telecomunicaỗừes Presi- • João Henrique de A Franco, CPqD Telecom & IT Solutions (2008) • Sérgio Luis Ribeiro, CPqD Telecom & IT Solutions (2008) dency (2008) Appendix Canada • Claudia Zuccolo, Public Safety Canada (2006 + 2008) • Marta Khan, Public Safety Canada (2006 + 2008) • Michel De Jong, Public Safety Canada (2006 + 2008) • Suki Wong, Public Safety Canada (2006 + 2008) • Janet Bax, Public Safety and Emergency Preparedness Canada (PSEPC) (2006) • Phil Beahen, Public Safety and Emergency Preparedness Canada (PSEPC) • Robert Corley, Public Safety and Emergency Preparedness Canada (PSEPC) • Peter Hill, Public Safety and Emergency Preparedness Canada (PSEPC) (2006) • Andrew McAllister, Public Safety and Emergency Preparedness Canada (PSEPC) • Craig Oldham, Public Safety and Emergency Preparedness Canada (PSEPC) • Julie Spallin, Public Safety and Emergency Preparedness Canada (PSEPC) • Louise Forgues, Office of Critical Infrastructure Protection and Emergency Pre- • Jacques L Grenier, Office of Critical Infrastructure Protection and Emergency • Shannon Hiegel, Office of Critical Infrastructure Protection and Emergency Pre- • Colin Knight, Office of Critical Infrastructure Protection and Emergency Pre- • Dan Lambert, Solicitor General (2004) • Paul Pagotto, Office of Critical Infrastructure Protection and Emergency Pre- 642 (2006) (2006) (2006) (2006) (2006) paredness (OCIPEP) (2004) Preparedness (OCIPEP) (2002) paredness (OCIPEP) (2004) paredness (OCIPEP) (2002) paredness (OCIPEP) (2004) Appendix Estonia • Thomas Viira, Estonian Informatics Center (2008) • Jaak Tepandi, Institute of Informatics, Tallinn University of Technology (2008) Finland • • Veli-Pekka Kuparinen, National Emergency Supply Agency (NESA) (2004 + 2006 + 2008) Ilkka Kananen, National Emergency Supply Agency (NESA) (2004 + 2006 + 2008) • Hannu Sivonen, National Emergency Supply Agency (NESA) (2006 + 2008) • Mika Purhonen, National Emergency Supply Agency (NESA) (2004) • Markku Haranne, Ministry of the Interior, Rescue Services Unit (2004) France • Stanislas de Maupeou, SGDN - DCSSI - Sous-direction opérations Chef du • Isabelle Valentini, Secretary-General for National Defense (SGDN) (2006) CERTA (2008) Germany • Susanne Jantsch, Consultant (2002 + 2004 + 2006 + 2008) • Monika John-Koch, Federal Office of Civil Protection and Disaster Assistance • Dirk Reinermann, Federal Office for Information Security (BSI) (2004) • Stefan Ritter, Federal Office for Information Security (BSI) (2004) • Thomas Beer, Industrieanlagen-Betriebsgesellschaft (IABG) (2004) • Willi Stein, Federal Office for Information Security (BSI), ┼ (2004) (BBK) (2008) 643 Appendix • Christine Scharz-Hemmert, Industrieanlagen-Betriebsgesellschaft (IABG) • Ralf Bendrath, Political Scientist (2002) • Jưrn Brưmmelhưrster, Consultant (2002) (2002) Hungary • Bence Birkás, CERT-Hungary (2008) • Ferenc Suba, CERT-Hungary (2008) • Lajos Muha, Dennis Gabor College, Budapest (2008) • Barbara Locher, Ministry of Economics and Transport (2008) • Peter Csokany, National Communication Authority (2008) • Csaba Sandor, Electronic Government Center (2008) India • Subimal Bhattacharjee, Argus Integrated Systems (2006) • Luthra & Luthra Law Offices (2006) Italy • Roberto Setola, Complex Systems and Security Laboratory, Università Campus • Tommaso Palumbo, Postal and Communication Police (2006 + 2008) • Paolo Donzelli, Prime Minister’s Office - Dept for Innovation and Technologies • Sandro Bologna, Italian National Agency for New Technologies, Energy and the • Giovanna Dondossola, CESI (2004) 644 Bio-Medico (2004 + 2006 + 2008) (2006) Environment (ENEA) (2004) Appendix Japan • Mika Shimizu, East-West Centre (2006 + 2008) • Tomoko Makino, Ministry of Internal Affairs and Communications (MIC) • Tohru Nakao, Ministry of Internal Affairs and Communications (MIC) (2008) • Yoshihiro Sato, National Information Security Center (NISC) (2008) • Toshihiko Suguri, National Information Security Center (NISC) (2008) • Japanese experts from the Ministry of Internal Affairs and Communication (MIC) • Ministry of Foreign Affairs (MOFA) (2006) • National Police Agency (NPA) (2006) • Cabinet Secretariat, and the Ministry of Economy, Trade and Industry (METI) (2008) (2006) (2006) Republic of Korea • Heung Youl Youm, Professor at the Department of Information Security Engi- • Seok-Koo Yoon, Director National Cyber Security Center (NCSC) (2006) neering of Soonchunhyang University (2008) Netherlands • Eric Luiijf, TNO Defense, Security and Safety (2002 + 2004 + 2006 + 2008) • Williët Brouwer, Programme Manager Critical Infrastructure Protection, Ministry • André Griffioen, Deputy Programme Manager Critical Infrastructure Protection, • Ronald de Bruin, KWINT, ECP.nl (2002 + 2004) of the Interior (2008) Ministry of the Interior (2008) 645 Appendix New Zealand • Mike Harmon, Centre for Critical Infrastructure Protection (CCIP) (2004 + 2006) • Richard Byfield, Centre for Critical Infrastructure Protection (CCIP) (2006) Norway • Stein Henriksen, Norwegian National Security Authority (2002 + 2004 + 2006  +  2008) • Håkon Styri, Norwegian Post and Telecommunications Authority (2008) • Einar Oftedal, Norwegian National Security Authority (2008) • Lene Bogen Kaland, Norwegian National Security Authority and National Infor- • Laila Berge, Ministry of Justice and the Police (2006) • Dagfinn Buset, Ministry of Justice and the Police (2006) • Roger Steen, Directorate for Civil Protection and Emergency Planning (DSB) • Kjetil Sørli, Directorate for Civil Protection and Emergency Planning (DSB) • Cort Archer Dreyer, Ministry of Trade and Industry (2002) • Havard Fridheim, Norwegian Defence Research Establishment (FFI) (2002) • Arthur Gjengstư, Secretary to the Norwegian Commission on the Vulnerability of mation Security Co-ordination Council (2008) (2002 + 2004) (2004) Society (2002) Poland • Tomasz Prząda, Polish Internal Security Agency (2008) • Michał Młotek, Polish Ministry of Interior and Administration (2008) • Krzysztof Silicki, NASK / CERT Polska (2008) • Mirosław Maj, NASK / CERT Polska (2008) 646 Appendix Russia • Anatoly Streltsov, professor at the Institute of Information Security, Lomonosov • Martin Wählisch, Humbolt University Berlin (2006) Moscow State University (2006 + 2008) Singapore • Experts form the Ministry of Home Affair (MHA) (2006) Spain • Experts from the Directorate of the Centre for the Protection of National Infrastructure (CNPIC) (2008) Sweden • • Linda Englund, Swedish Emergency Management Agency (SEMA) (2006 + 2008) Jan Lundberg, Swedish Emergency Management Agency (SEMA) (2002 + 2004 + 2006 + 2008) • Lars Nicander, Swedish National Defence College (2004) • Henrik Christiansson, Swedish Defence Research Agency (FOI) (2004) • Georg Fischer, Swedish Defence Research Agency (FOI) (2004) • Sara Siri, Swedish Emergency Management Agency (SEMA) (2004) • Peter Stern, Swedish Emergency Management Agency (SEMA) (2002) • Peter Wallstrưm, Cell Network (2002) • Peter Westrin, FOI, Swedish Defence Research Agency (2002) • Manuel W Wik, Swedish National Defence College (2002) 647 Appendix Switzerland • Experts from the Federal office for Civil Protection (FOCP) (2008) the Reporting and Analysis Center for Information Assurance (MELANI) (2008) the Federal Office for National Economic Supply (NES) (2008) • Ruedi Rytz, Federal Strategy Unit for Information Technology (ISB) (2002 + 2004 + 2006) • Anton Lagger, Federal Office for National Economic Supply (2004 + 2006) • Marc Henauer, Federal Office of Police/DAP (2004 + 2006) • Michel Dufour, Dufour Consulting (2002 + 2004 + 2006) • Gérald Vernez, General Staff of the Swiss Armed Forces (2006) • Riccardo Sibilia, armasuisse (2006) • Oliver Vaterlaus, AWK Group (2006) • André Schmid, InfoSurance Foundation (2004) • Kurt Haering, Director Foundation InfoSurance (2002) • Ueli Haudenschild, Federal Office for National Economic Supply (2002) • Thomas Kưppel, Former Official of the Federal Office of Police (2002) United Kingdom • Experts from the Centre for the Protection of National Infrastructures (CPNI) • John Neil Park, the National Infrastructure Security Coordination Centre • Ted Barry, National Infrastructure Security Coordination Centre (NISCC) • Stephen Cummings, National Infrastructure Security Coordination Centre 648 (2008) (NISCC) (2004 + 2006) (2004) (NISCC) (2004) Appendix United States • Scott C Algeier, Executive Director IT-ISAC (2002 + 2006 + 2008) • Erica B Russel, Deputy Coordinator for International Critical Infrastructure Pro- • John A McCarthy, Critical Infrastructure Protection Project, George Mason Uni- • Emily Frye, Critical Infrastructure Protection Project, George Mason University tection Policy, Department of State (2006) versity School of Law (2004) School of Law (2004) European Union (EU) • Marcelo Masera, European Commission, Institute for the Protection and Security • Martin Wählisch, Humboldt University Berlin (2006 +2008) • Ronald De Bruin, European Network and Information Security Agency (ENISA) of the Citizen Joint Research Centre (2006 + 2008) (2006) Group of Eight (G8) • Harry Hoverd, Home Office, United Kingdom (2006) North Atlantic Treaty Organization (NATO) • Denisa-Elena Ionete, Civil Emergency Planning, NATO Headquarters (2008) • Evert G J Somer, NATO Headquarters (2006) • Silla A Jonsdottier, NATO Headquarters (2004) 649 Appendix Organization for Economic Cooperation and Development (OECD) • Anne Carblanc, Organization for Economic Cooperation and Development • Peter Lübkert, Organization for Economic Cooperation and Development • Laurent Bernat, Organization for Economic Cooperation and Development (OECD) (2006 + 2008) (OECD) (2006) (OECD) (2006) United Nations (UN) • Experts from the International Telecommunication Union (ITU) (2008) • Robert Shaw, International Telecommunication Union (ITU) (2006) • Christine Sund, International Telecommunication Union (ITU) (2006) 650 CSS ETH Zurich The Center for Security Studies at ETH Zurich was founded in 1986 and specializes in the fields of international relations and security policy The Center coordinates and develops the Crisis and Risk Network (CRN), a Swiss-Swedish initiative for international dialog on risks and vulnerabilities that is aimed at enhancing knowledge of the complex causes, interactions, probabilities, and costs of risks in modern societies The CIIP Handbook focuses on national governmental efforts to protect critical information infrastructure and provides an overview of CII protection practices in a range of countries and international organizations ... the field of CIIP in order to foster increased collaboration between topical experts in CIIP in 2 009 An online version of the CIIP Handbook will be part of this community 43 Part I CIIP Country...CSS ETH Zurich Elgin M Brunner and Manuel Suter INTERNATIONAL CIIP HANDBOOK 2 008? ??/ 2 009 AN INVENTORY OF 25 NATIONAL AND INTERNATIONAL CRITICAL INFORMATION INFRASTRUCTURE... ICT Task Force 485 486 486 487 495 495 497 498 500 500 501 501 501 502 503 504 505 506 507 509 509 510 512  Contents The World Summit on the Information Society (WSIS) International Telecommunication