Canada’s Critical Infrastructure: Stay Calm and Get on with it…. Andrew Graham School of Police Studies Queens University 1 The Future of Security: Anticipating a Changing Landscape 2012 Security Conference Toronto May 1 & 2, 2012
My Purpose Outline my research for the Macdonald-Laurier Institute Suggest a more holistic view of critical infrastructure risks Suggest a future agenda 2
3
4
What I Did… Background research Series of interviews – government, private operators Focused on both the policy and operation sides No claims to completeness or finality Trying to open up discussion about the real issues 5
What I found….. CI is massive, complex and widely dispersed No one is in control and it is highly unlikely that anyone claiming to be is rational 6
7
What I found….. Public perceptions revolve around the available heuristic, not systematic information – white noise issue There is a residual notion that “Government needs to do more” with no idea of what that more means and if it would be effective 8
What I found….. Government action has been varied with the federal government playing a relative passive, information-sharing role. And slow at it to boot. Other levels of government have had to be more tactical although it varies across the country. 9
What I found….. There is no real information on real threats and if there were, it would not be shared openly The risk landscape is rich but hardly registered in a systematic way that risk management needs The system (if it exists) is very fragile but with many signs of resilience and strength 10
What I found….. Major risks are being ignored or poorly served because they are not sexy or headline grabbing CI resilience should be the goal and that takes a holistic approach with a strong emphasis on co-operation, developing and sharing knowledge and practice, and the human capacity link operational experience with the increased flow of risk information 11
Let’s be clear about the real risks… Real divide between policy makers and operators Terrorist versus biker gangs Losing knowledge is a major risk Control systems that themselves become vulnerable Working relationships spotty Maintenance and renewal 12
Risk perception varies, almost dangerously Available heuristic is an external terrorist threat – for real or pandering to American and media interests? What I heard: –Organized crime –Domestic political criminality (is that terrorism?) –System degradation –Poor information flow and recognition of signals 13
Failure to maintain and renew increases risk Real question here is risk of loss of CI not an attack Infrastructure deficit in Canada is enormous – Federal of Canadian Municipalities has it right Real and present risk of failure – Risks increase with failure to maintain Government and private sector problem 14
Control systems become risks and opportunities Controls monitoring CI become potential targets To what extent do they replace humans? Never ignore how powerful the information they provide can be for those capable of adding intuition and mindfulness to the new analytics 15
16 CI and the people element…
No number of control systems will work without experienced system operators System resilience depends upon informed instinct Generations are moving on and replacement is an issue 17
CI and the people element… Skills requirements shifting as systems become more complex, but also offer more and more information on their performance Need to emphasize growing need for CI systems to interact and for CI personnel to connect to security and policy Need some form of collective action on competency development – analogs exist 18
What we don’t know We don’t know Few centres of research and study free of political purse or control strings We need to map our dependencies and their inter- relationship so we can do better, e.g. supply chains, grids and cross-border dependencies – note good work of Conference Board of Canada on this 19
What we don’t know Little opportunity to build body of knowledge of leading practice, shared experiences, etc. No academic resources for research that would push the envelope and improve understanding Building competency within CI personnel is also about sharing knowledge 20
Bottom Line Time to panic? No Time to get more focused? Yes We need better risk assessment. We need a more alert public to real threats. We need to think more about the human side of CI – the people who run and know the systems. We need to learn more. 21 Most importantly, we need to stay calm and get on with it.
Andrew Graham School of Policy Studies Queen’s University 22