Canada’s Critical Infrastructure: When is Safe Enough Safe Enough? What has to Happen Now?
This two-part study, sponsored by the Macdonald-Laurier Institute focused on the state of risk and efforts at mitigation for Canada's critical infrastructure - the rail, power, road and fuel lines that keep us going. There were two parts to the report, the first i authored and the second i contributed to. You can access them by clicking on the title:
Canada's Critical Infrastructure: When is Safe Enough Safe Enough?
Solutions to Critical Infrastructure Problems: Essays on Protecting Canada's Infrastructure, edited by Jason Clemens and Brian Lee Crowley
Some Thoughts on this Research Work and Publication: Just Get on with It
Over the course of my research into this area, I heard it said many times: “It is going to take a disaster to make us take this seriously.” I do not buy that. What a disaster will probably show is that there was plenty being done in both government and the infrastructure industry, but that it was only being co-ordinated lightly, that the federal government was focused on higher level, less likely risks while the vulnerabilities and more active risks were less interesting, more real and more deadly and that, in the end, sharing information and common approaches were sadly lacking. What I just wrote is the standard lay-put of the findings of public enquiries into matters of this kind.
Solutions of the command and control kind will only go so far in this highly distributed environment. So, add to them cajole, engage and entice. The following are some of the steps that need to be taken to develop a system-wide capacity to identify CI risks, engage the right players in action and build resilient capacity:
· Expand the Risk Process: Move risk assessment out of the closed loop environment where it now lives through more open risk identification sessions with players at all levels across the country. Clearly, work has to be improved to separate the inherent threats that are out there from the real risks of actual attack, breakdown or control failure. These must be broken down into digestible chunks: national, regional and local, all graded with respect to severity and likelihood, all updated regularly. Above all such a system should be credible, made so by solid analysis, language that informs but does not incite, regular and consistent updates and the correction of errors once learned.
· Bring In Operators, not just Organizations: Engage actual CI operators and their internal expertise, not just the representation national organizations, which are often as distant from ground reality as the federal government in Ottawa. Such engagement would be separate from the formal communications efforts currently in place. Rather, it would be part of the risk identification and assessment process. It would also be part of the skills development process supported by the proposed CI Sector Council. As such, it would take a third party entity to make it work over time. That could be a combination of the Sector Council and the research centre(s) proposed below.
· Localize Police Involvement: Expand police involvement beyond the national institutions with their focus on terrorism to both provincial and municipal services. Local services are often attuned to other threats and risks that can have equally devastating impacts on CI.
· Avoid Isolated Reporting Channels and Get on Board with Analytics: Integrate CI reporting in existing police intelligence systems. Current efforts to develop special reporting of CI threats will die if they depend on police reporting separately and not through the rapidly developing local analytic systems local police services are creating. Such systems are forcing the integration of information about crime, local and participants in new ways. Current efforts to have CI incidents reported on their own track flies in the face of the potential for analytics to provide key insights about the nature of threats in specific communities.
· Centres of Excellence: Invest in continuing research by establishing independent centres of excellence in universities to build knowledge and capacity. It has been clear throughout the research for this paper that there is not a great deal of research into CI risks, risk techniques, comparative analysis of activities in other countries and the examination of the field that is much needed.
· CI Sector Council: Develop a CI Sector Council similar to those developed for the policing sector to foster thinking, research and action in the human resources elements of building CI capacity throughout the system. This has included the identification of core competencies, common training and the professional development of key personnel.
· Tax Incentives: Develop more incentives for the CI industry to invest in building both protection and response capacity through tax incentives based on capital investments and training for staff. This is easier said than done, but well worth pursuing as a medium term objective. What is clear is that such incentives are preferable to a public expenditure program.
· Test Scenarios in the Real World: Through Public Safety Canada, funded centres of excellence and with CI industry partners, develop test scenarios for individual targets as well as regions potentially affected by CI failure. These must be fulsome and complete, in that they cannot be simply those inside the system talking to those inside the system. CI failure is a social phenomenon that, when it happens, engage society fully. Therefore, such testing must engage communities in different ways. For example, it is impossible to consider a CI failure in power without involving policing, health, municipal services and transportation services. Hence, the mantra of all hazards must be taken seriously.
· Build Case Studies to Share Knowledge: Develop learning tools, not just incident reports and enquiries. To do this, a case study program needs to be created that shares knowledge within sectors and across sectors. Case studies are powerful tools for learning in that they provide context, give information about a challenge, what was done about it and what was learned in the process. All of this is outside the more judgemental and politicized environment of post-incident investigations. In addition, case studies let those with expertise share their experiences with others in a way that suits their culture: through structured stories. Sharing ways to solve problems is a way to prevent them.
In the end, all of these suggestions are aimed at developing a community of practice in a rather disbursed and varied community. There is no one big fix. Nor is there one big problem. Perhaps the WW2 slogan of “Take Calm and Carry On” needs to be adapted to “Take Calm and Get on with It.”
This two-part study, sponsored by the Macdonald-Laurier Institute focused on the state of risk and efforts at mitigation for Canada's critical infrastructure - the rail, power, road and fuel lines that keep us going. There were two parts to the report, the first i authored and the second i contributed to. You can access them by clicking on the title:
Canada's Critical Infrastructure: When is Safe Enough Safe Enough?
Solutions to Critical Infrastructure Problems: Essays on Protecting Canada's Infrastructure, edited by Jason Clemens and Brian Lee Crowley
Some Thoughts on this Research Work and Publication: Just Get on with It
Over the course of my research into this area, I heard it said many times: “It is going to take a disaster to make us take this seriously.” I do not buy that. What a disaster will probably show is that there was plenty being done in both government and the infrastructure industry, but that it was only being co-ordinated lightly, that the federal government was focused on higher level, less likely risks while the vulnerabilities and more active risks were less interesting, more real and more deadly and that, in the end, sharing information and common approaches were sadly lacking. What I just wrote is the standard lay-put of the findings of public enquiries into matters of this kind.
Solutions of the command and control kind will only go so far in this highly distributed environment. So, add to them cajole, engage and entice. The following are some of the steps that need to be taken to develop a system-wide capacity to identify CI risks, engage the right players in action and build resilient capacity:
· Expand the Risk Process: Move risk assessment out of the closed loop environment where it now lives through more open risk identification sessions with players at all levels across the country. Clearly, work has to be improved to separate the inherent threats that are out there from the real risks of actual attack, breakdown or control failure. These must be broken down into digestible chunks: national, regional and local, all graded with respect to severity and likelihood, all updated regularly. Above all such a system should be credible, made so by solid analysis, language that informs but does not incite, regular and consistent updates and the correction of errors once learned.
· Bring In Operators, not just Organizations: Engage actual CI operators and their internal expertise, not just the representation national organizations, which are often as distant from ground reality as the federal government in Ottawa. Such engagement would be separate from the formal communications efforts currently in place. Rather, it would be part of the risk identification and assessment process. It would also be part of the skills development process supported by the proposed CI Sector Council. As such, it would take a third party entity to make it work over time. That could be a combination of the Sector Council and the research centre(s) proposed below.
· Localize Police Involvement: Expand police involvement beyond the national institutions with their focus on terrorism to both provincial and municipal services. Local services are often attuned to other threats and risks that can have equally devastating impacts on CI.
· Avoid Isolated Reporting Channels and Get on Board with Analytics: Integrate CI reporting in existing police intelligence systems. Current efforts to develop special reporting of CI threats will die if they depend on police reporting separately and not through the rapidly developing local analytic systems local police services are creating. Such systems are forcing the integration of information about crime, local and participants in new ways. Current efforts to have CI incidents reported on their own track flies in the face of the potential for analytics to provide key insights about the nature of threats in specific communities.
· Centres of Excellence: Invest in continuing research by establishing independent centres of excellence in universities to build knowledge and capacity. It has been clear throughout the research for this paper that there is not a great deal of research into CI risks, risk techniques, comparative analysis of activities in other countries and the examination of the field that is much needed.
· CI Sector Council: Develop a CI Sector Council similar to those developed for the policing sector to foster thinking, research and action in the human resources elements of building CI capacity throughout the system. This has included the identification of core competencies, common training and the professional development of key personnel.
· Tax Incentives: Develop more incentives for the CI industry to invest in building both protection and response capacity through tax incentives based on capital investments and training for staff. This is easier said than done, but well worth pursuing as a medium term objective. What is clear is that such incentives are preferable to a public expenditure program.
· Test Scenarios in the Real World: Through Public Safety Canada, funded centres of excellence and with CI industry partners, develop test scenarios for individual targets as well as regions potentially affected by CI failure. These must be fulsome and complete, in that they cannot be simply those inside the system talking to those inside the system. CI failure is a social phenomenon that, when it happens, engage society fully. Therefore, such testing must engage communities in different ways. For example, it is impossible to consider a CI failure in power without involving policing, health, municipal services and transportation services. Hence, the mantra of all hazards must be taken seriously.
· Build Case Studies to Share Knowledge: Develop learning tools, not just incident reports and enquiries. To do this, a case study program needs to be created that shares knowledge within sectors and across sectors. Case studies are powerful tools for learning in that they provide context, give information about a challenge, what was done about it and what was learned in the process. All of this is outside the more judgemental and politicized environment of post-incident investigations. In addition, case studies let those with expertise share their experiences with others in a way that suits their culture: through structured stories. Sharing ways to solve problems is a way to prevent them.
In the end, all of these suggestions are aimed at developing a community of practice in a rather disbursed and varied community. There is no one big fix. Nor is there one big problem. Perhaps the WW2 slogan of “Take Calm and Carry On” needs to be adapted to “Take Calm and Get on with It.”