Maitland Hyslop - Critical Information Infrastructures - Resilience and Protection (2007)

Critical Information Infrastructures
Critical Information
Infrastructures
Resilience and Protection
Maitland Hyslop
Maitland Hyslop
Strategic Development Director
Onyx Group
Aurora Court
Barton Road, Riverside Park
Middlesbrough, TS2 1RY
United Kingdom
Library of Congress Control Number: 2007924497
Critical Information Infrastructures: Resilience and Protection

by Maitland Hyslop
ISBN 978-0-387-71861-3 eISBN 978-0-387-71862-0
Printed on acid-free paper.
© 2007 Springer Science+Business Media, LLC

All rights reserved. This work may not be translated or copied in whole or in part without the
written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street,
New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly
analysis. Use in connection with any form of information storage and retrieval, electronic
adaptation, computer software, or by similar or dissimilar methodology now known or hereafter
developed is forbidden.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
987654321
springer.com
Contents
Chapter 1. Introduction ..................................................................... 1
Chapter 2. Definitions and Assumptions ........................................... 8
Chapter 3. Critical Infrastructures and Critical Information

Infrastructures: Approaches by Geography ..................... 19
Chapter 4. Critical Infrastructures and Critical Information

Infrastructures: by Type.................................................... 45
Chapter 5. Critical Information Infrastructure................................... 61
Chapter 6. Some Political, Economic, Social, Technological,

Environmental, Legal and Other Process Effects
on Critical Infrastructures ................................................ 77
Chapter 7. Comments on Standards in Information Security,

Disaster Recovery, Business Continuity
and Business Resilience .................................................... 94
Chapter 8. A Tangential Threat To OECD Resilience:

The Twenty-First Century East India Company............... 145
Chapter 9. Resilience and Outsourcing Call Centers Offshore:

A Case Study .................................................................... 150
Chapter 10. Information Infrastructure: Resilience,

Recovery, and Security ..................................................... 158
Chapter 11. A Suggested Approach to Individual, Corporate,

National, and International Resilience, Critical
Infrastructures, and Critical Information Infrastructures ........ 176
v
vi Contents
Chapter 12. General Summary and Conclusions ................................. 194
Chapter 13. A Manifesto for Change ................................................... 198
Appendix
1. Introduction ..................................................................................... 201
2. Bibliographies/Lists/Directories/Surveys/Search Engines ................. 202
3. Books – Arranged Alphabetically by Subject ................................... 206

Apache ............................................................................................. 206
Auditing and Security....................................................................... 206
Backup (In Terms of Backing Up Data on Computers) ................... 206
Carnivore ......................................................................................... 206
Certification for Security Professionals ............................................. 207
CISCO ............................................................................................. 209
Code (As In Computer Code) .......................................................... 209
Computer Security ........................................................................... 209
Corporate Security ........................................................................... 209
Crime/Forensics/Malice/Malware ..................................................... 210
Critical Infrastructure ...................................................................... 211
Cryptography ................................................................................... 211
Data/Databases and Related Issues .................................................. 212
Data Mining (The Process of Searching Data
for Specific Information) .................................................................. 213
Disaster Recovery and Contingency Planning
(Relevant To Technology) ................................................................. 213
eBusiness .......................................................................................... 215
Firewalls .......................................................................................... 215
Hacking............................................................................................ 216
Hardening ........................................................................................ 217
Java .................................................................................................. 219
Kerberos........................................................................................... 220
Linux ................................................................................................ 220
Microsoft and Microsoft Windows General ..................................... 220
Mobile Communications/Mobility ................................................... 221
.NET ................................................................................................ 221
Network Security ............................................................................. 221
Operational Risk .............................................................................. 223
Public Key Infrastructure (PKI) ....................................................... 223
Positive Messages ............................................................................. 223
Reliability ......................................................................................... 223
Contents vii
Radio Frequency Identification (RFID) ........................................... 223

Securing and Security ....................................................................... 223
Sniffing ............................................................................................. 226
Spam ................................................................................................ 226
Steganography .................................................................................. 226
Virtual Private Networks (VPNs) ..................................................... 227
Warfare and Politics ......................................................................... 227
Wireless ............................................................................................ 228
WordPerfect ..................................................................................... 228
4. Articles – Arranged Alphabetically By Subject ................................ 228

Asymmetric Warfare ........................................................................ 229
Banking ............................................................................................ 229
BS7799 ............................................................................................. 229
Critical Infrastructure ...................................................................... 229
Cryptography ................................................................................... 229
Computer Crime and Security .......................................................... 230
Cyberwar and Netwar ...................................................................... 230
Clash of Civilizations ....................................................................... 230
Data Related .................................................................................... 230
Defense ............................................................................................ 230
Digital Development ........................................................................ 230
Dot Com Dreams ............................................................................. 230
Elections........................................................................................... 230
Electronic Intrusion.......................................................................... 230
Electronic Mail ................................................................................. 231
Electronic Signature ......................................................................... 231
Erlang .............................................................................................. 231
Environment .................................................................................... 231
Freedom of Information .................................................................. 231
Fuel Crisis ........................................................................................ 232
Information Security and Warfare, etc. ............................................ 232
Java .................................................................................................. 232
Microsoft and Cisco ......................................................................... 233
National Information Infrastructure ................................................ 233
Network Security ............................................................................. 233
Optimistic Message Logging ............................................................ 233
Open Systems ................................................................................... 233
Obstructive Marketing ..................................................................... 233
Resilience, Robustness, Reliability .................................................... 233
Radio Frequency Identification (RFID) ........................................... 234
Security, etc. ..................................................................................... 234
Strategic Information Warfare.......................................................... 235
viii Contents
Telecommunications Networks......................................................... 235

URL (Uniform or Universal Resource
Locator – Web Address) Security ..................................................... 235
Utilities ............................................................................................ 235
Video Coding ................................................................................... 236
Wire Pirates ...................................................................................... 236
Year 2000 Issues (Y2K) .................................................................... 236
5. Regular Publications – Arranged Alphabetically By Title ................ 236
6. Links – Arranged Alphabetically by Subject and Site Name............ 239

Academia ......................................................................................... 239
Associations/Institutes/Societies/Organizations, etc. ......................... 241
Asymmetric and Information Warfare ............................................. 243
Australia........................................................................................... 244
Austria ............................................................................................. 244
Canada ............................................................................................. 245
Finland............................................................................................. 246
France .............................................................................................. 247
Germany .......................................................................................... 247
International Organizations ............................................................. 249
Italy .................................................................................................. 250
Lawyers ............................................................................................ 250
Police ................................................................................................ 250
The Netherlands ............................................................................... 251
New Zealand .................................................................................... 252
Norway ............................................................................................ 252
Russia ............................................................................................... 253
Sweden ............................................................................................. 253
Switzerland ...................................................................................... 253
United Kingdom .............................................................................. 255
United States .................................................................................... 256
Vendor Sites ..................................................................................... 258
General Information – Alphabetically by Site .................................. 261
Index....................................................................................................... 267
The Author
Maitland Hyslop has had a diverse career. He holds degrees and qualifica-
tions in Geography, African and Middle East Studies, International Market-
ing, Business Studies, and eCommerce. He is a UK Chartered Marketer and
a UK Energy Institute Consultant. In 2004 he was named one of the UK’s
top 100 eEntrepreneurs of the decade. His professional life started as an Army
officer, serving in the Parachute Brigade and Royal Logistic Corps of the British
Army. He has been a tutor and demonstrator at Durham University and a
Research Fellow in Telecommunications Security at Northumbria Univer-
sity. In the private sector he has run his own Real Estate Agency, Tetra Pak’s
African Packaging, Whessoe plc’s Oil Instrumentation, and GNC’s Computer
Integrator businesses. He is currently Strategic Development Director for Onyx
Group’s ISP/Hosting/Security/Consulting business. In the Public Sector he has
run the North East of England’s Inward Investment Team in the USA, devel-
oped the Telecommunications Infrastructure for the North East of England,
and was the Chief Executive of Ross and Cromarty Enterprise in Scotland. He
has additionally run a variety of Public Sector start-up and rescued companies.
He has worked all over the world, but principally in the UK, USA, Europe, the
Middle East, and Africa. In terms of Infrastructures he has written of them all.
He has worked in the oil and gas, finance, food, health, government service, and
law and order infrastructures at one time or another. He has run a manufactur-
ing plant, managed and protected national icons, and run transport operations
in the UK and abroad. He has written a defining thesis on water and identified
key threats from waste water in Middle Eastern cities. He has first-hand experi-
ence of the AIDS epidemic in Africa and has been heavily involved in education
and education charities. In short, he has theoretical and operational experience
in all infrastructures, but principally Information Infrastructure. He has over
50 published articles and five other books to his name. He spends much of his
spare time kayaking and coaching.
ix
Acknowledgments
This book would not have been possible without the help of a number of
people. Primarily, this work stems from the times I had the privilege of being
a postgraduate and tutor at Durham University and a research fellow at
Northumbria University. At Durham I was mentored by Professor Gerald
Blake, and part of this work is due to his encouragement, Shell International’s
support, and my stipend as a tutor at Hatfield College. At Northumbria,
the period associated with their Disaster and Development Center was not
only a pleasure but a rare opportunity to pursue ideas. Thanks to Kel Fidler,
Vice Chancellor, the University Management, and to Dr. Andrew Collins, the
Center’s Director. Thanks to Michel Frenkiel, with whom I had the pleasure
of working on the European Commission’s eJustice Project, and who is also
a prime mover of this book. He opened my eyes to a number of different
issues. Thanks to Eric Goetz at I3P in Dartmouth College, NH, USA. If he
hadn’t asked me to join one of their working groups this book would not have
started. Thanks to Alastair Waite, my colleague, and the CEO at Onyx Group,
for giving me some time and some encouragement to write this. Thanks to my
family and friends for their support. Thanks to all at Mills Advertising, par-
ticularly the Elphee’s, for helping with this manuscript. Finally thanks to Amy
Brais at Springer for taking the risk.
The opinions and errors in this book are entirely the author’s.
xi
Chapter 1
Introduction
Resilience is an increasingly important concept and quality in today’s world.

It is particularly important in the area of Critical Infrastructures. It is crucial
in the area of Critical Information Infrastructure. This is because, since the
year 2000, man has been dependent on information and telecommunications
systems for survival, particularly in the Organization for Economic Cooperation
and Development (OECD) countries, and because all other Critical Infra-
structures depend upon, to a greater or lesser extent, Critical Information
Infrastructure.1,2
Until, probably, the late 1980s it would be fair to say that the defense of
individual nation states depended upon a mixture of political will and armed
might. The fall of the Berlin Wall may have effectively ended the Cold War,
and with it a bipolar world, but it brought globalization and a multipolar
digital world in its wake. Simply put, a number of power vacuums were
created and these have yet to be fully filled and settled. In this “New World”
many changes were afoot. These changes include the increasing irrelevance
of nation states in federated structures and the export of democracy on the
back of globalization. One of the biggest changes, though, is the use of digital
technology by the OECD countries. This is on such a scale that these countries
have become both dependent upon information technology and as individual
states largely irrelevant to the new “global” electronic economy.3
1
This adaptation of Maslow’s hierarchy of needs is attributed to KPMG. It would
seem to be a by-product of the analysis of the Y2K problem – in that, suddenly, it was
realized exactly how dependent mankind has become on computers.
2
Maslow’s hierarchy available at www.businessballs.com/maslow.htm (Accessed: 6
January 2007).
3
The OECD consists of Australia, Austria, Belgium, Canada, Czech Republic,
Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan,
Korea, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal,
Slovak Republic, Spain, Sweden, Switzerland, Turkey, United Kingdom, and the
United States of America.
1
2 Critical Information Infrastructures: Resilience and Protection
In 2007, traditional armed conflict is only one of a number of ways of

both attacking and defending political and economic interests. Asymmetric
Warfare4 is an increasingly popular means of waging war on large entities
by smaller ones. Many terrorist groups now use the electronic environment
as a means of taking on much greater and bigger enemies. At the same time
the equal and opposite reaction to globalization has been the phenomenon
of Obstructive Marketing. Obstructive Marketing uses similar tactics to
Asymmetric Warfare to stop companies from going global.5
The nature of both the political and economic landscape has therefore
changed over the last 25 years. Because of this, the nature of defense has
changed too. In a parallel universe, fifty years ago, in the United Kingdom
(UK), this chapter might have been called “Defense of the Realm” and might
even have been an introduction to a handbook issued by the “War Office.”6
The fact is only something that is likely to be attacked or damaged needs to
be resilient or protected. Therefore, it could be said that this book is about
defense in its broadest sense. However, it is about a different sort of defense
than anything seen before.
Both at the time and with hindsight it was clear that the Poles could not win
the battle against the Germans in 1939 by pitting horses against tanks. Today
the west and north of the world needs to understand that it will not win a
modern battle fought with tanks or aircraft carriers in an Asymmetric War, or
an Obstructive Marketing environment. Whether understood widely or not,
it is the case that the west and north are engaged in an Asymmetric War. An
Asymmetric War is a battle between a force with many resources and one with
less. This may sound like a normal military conflict except that Asymmetric
Warfare is not necessarily a battle between military forces or states. It is
increasingly a battle between and, importantly, within infrastructures.
Critical Infrastructures themselves need some description and classification.
There are some familiar terms in the list. Most people would understand
that protection is required from flood defenses. They would understand that
a food and water supply is required to live, that waste water and sewage
treatment along with health services keeps diseases and illness in check, and
that transportation is needed for us to go about our daily lives. Some are
clear after some thought: financial, commercial, and industrial institutions
are required to maintain our standard of living, our way of life is determined
by the political fabric and government services, and a stable society promotes
a feeling of safety. These, too, are Critical Infrastructures. Others are not so
familiar: national icons and intellectual property. These are more difficult.
4
Hyslop, MP (2003) Asymmetric Warfare, Proceedings International Conference
on Politics and Information Systems: Technologies and Applications (PISTA ‘03),
Orlando, Florida, USA. 31 July 2003 – 2 August 2003.
5
Hyslop, MP (1999) Obstructive Marketing, MSc Thesis, Huddersfield University
Business School.
6
The name for the current UK Ministry of Defense.
Chapter 1 Introduction 3
Yet if the Monarchy, Wembley, Parliament, Nelson’s Column, Tea, Fish and
Chips, and the Magna Carta disappeared then Britain would clearly be the
poorer and “not British.” It would certainly be poorer if it lost the intellectual
property that keeps the country in the forefront of world development:
Universities, Formula 1, avionics, and so on. In the USA, the attack on the
World Trade Centre needs little comment in this respect. There may be others
that should be added to the list: people and education/intellectual property
may be two examples.
Historically, Critical Infrastructure has had a very physical feel to both
the term and artifacts. Critical Infrastructure could be seen. It was pipes,
stockpiles, or electricity pylons. As noted half the Critical Infrastructures listed
so far cannot be “seen” at all. It follows that protecting Critical Infrastructure
has moved from defending “things” to defending what might be generically
termed as “processes.” The defense of “things” requires other familiar tools
like walls, fences, alarms, decoys, police forces, armies, navies, and air forces.
In order to defend “processes” we need the same words but used in different
ways. Therefore, we need to understand how Critical Infrastructures are
protected today, both seen and unseen.
In the 1950s, a Critical Infrastructure was sometimes called a Strategic
National Asset. In those days, most of these assets were nationalized and
often had a complete Government Department named after them. Today
many of them have been privatized and their survival in any “battle” depends
upon a Public–Private Partnership that is so far incompletely understood
and certainly not formal, except perhaps in the United States of America
(USA). Critical Infrastructures are no longer truly “national,” no matter what
Governments might want to think. But, Critical Infrastructures remain key
to sustaining our way of life. The fact that they are not only under attack, but
have also escaped from a society’s control, gives great cause for concern.
The necessary partnership between the Public and Private Sectors must work
in order to protect our collective futures.
All of these Critical Infrastructures are bound together today by the most
important one of all: Telecommunications and Information. Most of the time
this is hidden from view and most people’s consciousness – but it is always
there. It is the most vulnerable point and the most fantastic achievement. It is
also the major battleground in an Asymmetric War or Obstructive Marketing
campaign.
Some ways in which today’s Critical Infrastructure is protected will be
familiar: such as the use of geography and physical security. Others will not,
such as Governance and Business Effectiveness. The processes of today are
not in the sole hands of any Government, they are in the hands of a number
of different partners. Hence, there is a need for a partnership of interests.
The Private Sector has had long experience of managing threats to processes.
Most businesses depend on processes for their livelihood. They manage
protection in very different ways to Governments. It is necessary to look not
only at how to protect modern Critical Infrastructures but also why and how
that protection will differ from any traditional understanding of defense.

In 2001–2003, the author argued that Asymmetric War7 fighting methods are
not new. They were practiced during previous World Wars, and almost all
other wars. They have characteristics of total war – where balance, timing,
effort, and resources are deployed in different measures to deny a strong
military power the full use of that power.
This is, simplistically, where the world is today concerning the attacks on
the USA, and their allies, and the responses in Afghanistan and Iraq.
However, this is likely to be just the start of a long campaign and it is
important to understand how it might develop in regard to infrastructures
and what the western and northern powers need to understand in order to
fight this Asymmetric War well.
Asymmetric Warfare is generally conducted in a covert planned military/
technical, criminal, or cultural manner and less frequently in a spontaneous
manner. Critical Information Infrastructure is both a target and a conduit
for Asymmetric Warfare. It is a target in that it represents an infrastructure
dominated largely by the major economic powers and is therefore seen as a
legitimate target by those who seek to destabilize these powers. It is a con-
duit because the infrastructure and the applications that sit on it, the Inter-
net/World-Wide Web in particular, give an opportunity to those asymmetric
combatants to plan, communicate, and sometimes even execute asymmetric
events. In particular, steganographic techniques are used for communication.
In 1999, the author defined Obstructive Marketing8 as:
Any process, legal or not, which prevents or restricts the distribution of a
product or service, temporarily or permanently, against the wishes of the
product manufacturer, service provider or customer.
The term “any process” reflects the global nature of the issue and accepts
that different mores will prevail in different parts of the world. The term
“legal or not” is used because what is legal and acceptable in one state is not
in another. The term “prevents or restricts,” because the sale of goods and
services can be stopped in an absolute or relative manner depending on the
subtlety of those who seek to obstruct the marketing efforts of others.
The term “distribution of product or service,” because distribution is central
to the marketing effort. The term “temporarily or permanently,” because time
always changes the picture in international relations and this affects business as
well as politics and international relations. The term “product manufacturer,
service provider, or customer,” because these are the players in Free Market
Capitalism. The addition of the words “or customer” to an original definition
reflects the later thought that customers, as well as providers, can be deprived
because of the potential techniques. This is both logical and common sense,
particularly from a marketing viewpoint, and particularly where the customer
7
Hyslop, MP (2003) op. cit.
8
is key. It is necessary to understand Obstructive Marketing and the lessons it

has for Critical Infrastructure Protection and the Public–Private Partnership.
An understanding of the relationships between Critical Infrastructures and
the Public and Private Sectors is required. In order to be well protected, Critical
Infrastructures need to be resilient. The concept of resilience is relatively
poorly understood. Resilience is a term that is frequently used incorrectly –
and most often incorrectly in the context of recovery from disasters. Resilience
in traditional Critical Infrastructures needs to be described in terms that will
be familiar. These terms include redundancy in power distribution, stockpiles
of fuel, and food. However, these traditional and familiar terms are not a
regular feature of these Infrastructures any longer.
The privatization of the utilities and the adoption of “Just in Time”
delivery techniques for food and fuel means there is very little “give” in the
system to cater for unexpected events. There is a very immature approach
to both resilience and recovery in the newer and less well-defined Critical
Infrastructures, particularly those surrounding those that now control
our lives, such as telecommunications and information. In this area, an
exploration of the strategic importance of the relationship between
telecommunications and systems resilience, recovery and security, and
both Asymmetric Warfare and Obstructive Marketing can demonstrate some of
the issues to be tackled and suggests a number of approaches. The processes
of dealing with Obstructive Marketing not only set a Corporate Security
approach but represent the Private Sector’s contribution to the Public–
Private Partnership.
To protect the Critical Infrastructures of the future will require a new
approach to defining threats. Such an approach has to both acknowledge and
manage risk. Terrorist risk has led to antiterror legislation. Antiterrorism
legislation victimizes, in general, those it seeks to protect. One has only to
walk through an USA or UK airport these days to understand the veracity
of this statement. Antiterrorism legislation is a victory for the terrorist and
usually represents a loss for democratic freedoms. What alternative is there
to antiterrorism legislation? There are a surprising number based on intelli-
gence, space planning, border controls, economic measures against terrorists,
amendment of terrorist tools by international treaty, technological “sniffers”
on planes, trains and rails, and a belief in a way of life. All of which would not
necessarily result in a definitive change for the worse in our way of life.
The efficacy of these measures can be predicted by using sophisticated risk
analysis tools. A risk-based approach to Critical Infrastructure Protection
(CIP) is therefore something that needs to be implemented within a Public–
Private Partnership. It needs many of the same institutional controls as that
exist now to be effective. Most of all, however, it requires a change in attitude.
Changes in attitude are notoriously difficult to implement in any society.
It is necessary to look at how a risk-based approach to Critical Infrastructure
Protection could change, by reducing, the way in which our lives are affected
by terrorism.
George Bernard Shaw famously commented that an unreasonable man

tries to make the world conform to him; whilst a reasonable man conforms to
the world. All progress therefore depends upon the unreasonable man. This
explains many of the tensions between Government Bureaucrats (reasonable
men for the most part) and Entrepreneurs (frequently unreasonable men).
It also explains why Governments and Bureaucrats when faced with a chal-
lenge usually resort to increased control measures. This is often at the expense
of understanding the problem to begin with.
The same applies to the Armed Forces. All the incumbent Chiefs grew up
with a certain set of toys. As this is written there is still a demand for more
Aircraft Carriers, at least in the UK. This is like the Poles ordering more but
bigger horses. Aircraft Carriers are no longer particularly relevant to
the needs of today’s defense, especially big ones. It is necessary to suggest
some “unreasonable” steps to take in order to protect Critical Infrastructure.
These suggestions will include reshaping the defense forces, a new Public–
Private Partnership, an adjustment to “Just in Time” and the outsourcing of
utility and food management plus some ideas on what each and everyone one
of us can do to assist the process in the meantime.
In the International Community, the approach to Critical Infrastructure
Protection is still one based on national interest. At the same time national
interest is becoming harder to define. Communities of different sorts appear
all the time. Some are based on social affinity, others on economic and many
new ones based on hobbies and interests on the Internet. In order to properly
engage in Critical Infrastructure Protection, some new ways of looking at
International Cooperation are also required. These necessarily become
supra- or extranational in nature. The current international bodies do not
seem to be sufficiently aware of the problem to promote a common approach.
This is evident from the divergent approaches to Critical Infrastructure in
different parts of the world. Just as some changes in the way national bodies’
approach Critical Infrastructure will have to change, so will the approach of
International Institutions. This change will require organizations such as the
North Atlantic Treaty Organization (NATO) sitting with others to plan a new
partnership to protect assets and infrastructure necessary to both.
To summarize the subject of Critical Infrastructure protection is therefore
about defense. The modern context for this recognizes Asymmetric Warfare
and Obstructive Marketing to be realities. These help to define, describe, and
categorize Critical Infrastructure. Protection is relatively obvious for physical
Infrastructure, not so obvious for what might be called process infrastructure.
Issues ranging from Geography to Governance as defense mechanisms are
important. The symbiotic relationship about Critical Infrastructure between
Public and Private sectors demands a new sort of partnership. How this
partnership should be established needs to be discussed. Risk management
is a key to success.
Risk management needs to suggest how and what to implement in
terms of a common approach. This process will identify change as a major
issue, the sorts of changes required need to be defined further. Finally, an

International Model for the protection of Critical Infrastructure should be
proposed combining both defense and humanitarian approaches. Once these
are properly defined and worked through, then Critical Infrastructures will
be on their way to becoming resilient.
It should be noted that these suggestions are also important in another
context, that of Climate Change. In order for the world to combat Climate
Change effectively similar types of defense mechanisms to those required for
resilience need to be built. A proper approach to resilience helps the world
come to terms with the impact of Climate Change.
At the end of this book is an introductory bibliography for materials related
principally to Critical Information Infrastructure.
Chapter 2
Definitions and Assumptions
In general this book is very OECD focused, and specifically UK, USA, and
Europe centric. It discusses, in fairly broad terms, the shape the OECD and
these countries are in to bounce back from damage to Critical Infrastructures.
It looks specifically at the OECD because its constituents have the greatest
reliance on a particular technology: telecommunications. Over 95% of the
world’s data traffic goes through the OECD.9 Such a figure has statistical
significance; and defines an approach to life. This book is therefore also
focused on Critical Information Infrastructure. It is impossible in a work
such as this to review all the threats and potential challenges to such wide-ranging
foundations of our modern society. However, it is possible to identify a number
of common themes of relevance to each of the main areas. To start, however,
we need a common understanding of what Critical Infrastructure and Critical
Information Infrastructures are. This is surprisingly difficult, and one of the
reasons there is some concentration in this book on the USA, UK, Australia,
and New Zealand is because they have taken the definition and understand-
ing of Critical Infrastructures further than most others in the OECD. There is
the start of a common theme in the approaches of these countries.
Resilience has a number of meanings. It is therefore important to be clear
from the outset what is meant by Resilience in this book. Some common
definitions of Resilience10 are the following.
Resilience General Definition

Resilience generally means the ability to recover from (or to resist being
affected by) some shock, insult, or disturbance. It is particularly, in this
context, about being able to “bounce back” to an original form.
9
From data available at http://www.oecd.org/oecddata and http://news.netcraft.com
(Accessed: 6 January 2007).
10
Definitions available at http://en.wikipedia.org/wiki/Resilience. (Accessed:
6 January 2007).
8
Chapter 2 Definitions and Assumptions 9
Resilience in Materials Science

Resilience in materials science is defined as the capacity of a material to absorb
energy when it is deformed elastically and then, upon unloading, to have this
energy recovered.
Resilience in Ecology
Resilience in ecology is about the following: The rate at which a system returns
to a single steady or cyclic state following a perturbation or the magnitude of
disturbance that can be absorbed before the system changes its structure by
changing the variables and processes that control behavior.
Resilience in Psychology
Resilience in psychology describes the capacity of people to cope with stress
and catastrophe.
Resilience in Business
Resilience in business is the ability of an organization, resource, or structures
to sustain the impact of a business interruption, recover, and resume its
operations to provide minimum services.
Resiliency
Resiliency is an American term that is gaining some credibility in Disaster
Recovery and Business Continuity Circles. In short it is most akin to “Resilience
in Business” description above. However, it is also used as an American
substitute for the word resilience.11
Resilience in this Book

Resilience in this book means the ability, primarily, of the world’s north,
western, and capitalist societies, summarized as the OECD, to withstand
shocks to their critical infrastructures, including telecommunication
infrastructures, without altering their basic form.
11
Resiliency available at www.resiliency.com (Accessed: 6 January 2007).
A consistent approach is required to definitions in terms of both Critical

Infrastructure and Critical Information Infrastructure. This consistency is
provided by Dunn and Wigert (2004).12 Thus Critical Infrastructure Sectors
are the following:
Sectors whose incapacitation or destruction would have a debilitating impact
on national security and the economic and social well-being of a nation.
However, the definition of critical sectors varies among countries. Each
country uses different standards of what is critical. The definitions vary over
time. Furthermore, some of these infrastructures are always critical, some are
occasionally critical, while others only become critical in the case of the failure
of other vital infrastructures.13
Although this does not seem immediately helpful an analysis of the
definitions of Critical Infrastructures of the countries surveyed by Dunn and
Wigert (2004)14 certainly is. Therefore, the common Critical Infrastructure
Sectors (the common list) are the following:
• Finance
• Food supply
• Health
• Government services
• Law and order
• Manufacturing
• National icons
• Transport
• Water
• Waste water
This book will suggest the addition of two others: People and Education/
Intellectual Property, for reasons that should become clear.
Critical Infrastructure Protection is delivered by different groups in different
countries. In the USA, it is a primary role of the National Guard to defend
CriticalInfrastructure. However, successive mission changes have led to the
National Guard having a dual mission, homeland defense, and support of
the regular army.15 In the UK, it was the primary task of the Territorial Army
to defend the homeland. However, successive reviews have meant that, these
days, the Territorial Army is increasingly deployed as part of and in support
12
Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection, The
International CIIP Handbook 2004. Zurich, Switzerland. Centre for Security Studies.
Available at http://www.isn.ethz.ch/crn/publications/publications_crn.cfm?pubid=224
13
Ibid pp. 227ff.
14
Ibid.
15
Supporting information available at http://www.csmonitor.com/2005/0902/p02s01-
usmi.html (Accessed: 6 January 2007).
of regular army tasks.16 These two examples alone indicate the difficulty of
identifying precisely who does defend Critical Infrastructure. The situation is
different in other countries. However, one of the reasons for writing this book
was the increasingly obvious point that there is no one clearly and specifically
tasked with Critical Infrastructure Protection as their sole mission in the USA
or the UK.
Dunn and Wigert (2004)17 comment as follows on Critical Information
Infrastructure:
In our view, CIP is more than CIIP, but CIIP is an essential part of CIP.
There is at least one characteristic for the distinction of the two concepts.
While CIP comprises all critical sectors of a nations’ infrastructure, CIIP
is only a subset of a comprehensive protection effort, as it focuses on the
Critical Information Infrastructure. The definition of exactly what should
be subsumed under CI, and what under CII, is another question. Gener-
ally, the CII is that part of the global or national Information Infrastruc-
ture that is essentially necessary for the continuity of a country’s critical
infrastructure services. The CII, to a large degree, consist of, but is not
fully congruent with the information and telecommunications sector, and
includes components such as telecommunications, computers/software, the
Internet, satellites, fiber-optics etc. The term is also used for the totality
of interconnected computers and networks and their critical information
flows.
Protection of the CII has become especially important due to two reasons:
1) their invaluable and growing role in the economic sector; and 2) their
interlinking role between various infrastructure sectors and the essential
requirement that other infrastructures function at all times.18 There are,
moreover, several features that demand a clear distinction between CI and
CII: First of all, the system characteristics of the emerging Information
Infrastructure differ radically from traditional structures, including earlier
Information Infrastructures. They differ in terms of scale, connectivity, and
dependencies.19 This means that understanding them will require new analytical
techniques and methodologies that are not yet available. Secondly, it appears
that cyber-threats are evolving rapidly both in terms of their nature and of their
capability to cause harm, so that protective measures require continual technological
improvements and new approaches.
16
Supporting information available at www.mod.uk (Accessed: 6 January 2007) and
http://en.wikipedia.org/wiki/Territorial_Army (Accessed: 6 January 2007).
17
Dunn, M and Wigert, I (2004) op. cit.
18
Wenger, A, Metzger, J and Dunn, M (2002) Critical Information Infrastrcuture
Protection: Eine sicherheitpolitische Herausforderrung. In: Sillman, Kurt, R and
Wenger, A (eds.). Bulletin zur Schweizeruschen Sicherheitspolitik. pp. 119–142.
19
Parsons, TJ (2001) Protecting Critical Information Infrastructures. The Co-ordination
and Development of Cross-Sectoral Research in the UK. Plenary Address at the Future
of European Crisis Management, Uppsala, Sweden, March.
Moreover, there are several “drivers” that will likely aggravate the problem
of CIIP in the future: these are the interlinked aspects of market forces,
technological evolution, and emerging risks.20
On the one hand we are facing an ongoing dynamic globalization of information
services, which in connection with technological innovation (e.g. localized wireless
communication) will result in a dramatic increase of connectivity and lead to
ill-understood behavior of systems, as well as barely understood vulnerabilities.
This assessment ties into the fact that security has never been a design driver.
And since pressure to reduce time to market is intense, a further explosion of
computer and network vulnerabilities is to be expected.21 We are therefore faced
with the potential emergence of infrastructures with in-built instability, critical
point of failure, and extensive interdependencies. Additionally, increasingly large
parts of the CI will be in the private sector and even in the hands of another
nation-state.
This prospective view clearly indicates a need to distinguish conceptually
between the two concepts of CIP and CIIP. However, the two cannot and should
not be discussed as completely separate concepts. As stated above, CIIP is an
essential part of CIP. An exclusive focus on cyber-threats that ignores important
physical threats are just as dangerous as the neglect of the virtual dimension – what
is needed is a sensible handling of both interrelated concepts.
The International CIIP handbooks, Dunn and Wigert (2004),22 developed
by the Swiss Federal Institute of Technology in Zurich have a high reputa-
tion. They are one of few authoritative sources of any research on Critical
Infrastructure and Critical Information Infrastructure. However, they have
a problem, confirmed by research for this book, with defining these terms.
They comment that Critical Infrastructure is both global and national, and
so is Critical Information Infrastructure. Critical Infrastructure is reviewed,
as is to a lesser extent, Critical Information Infrastructure, against country
models. Yet Critical Infrastructure is essentially national in character, and
Information Infrastructures (particularly the Internet and World Wide Web)
are essentially international (more properly borderless) in character. Their
handbook is called Critical Information Infrastructure Protection and this
suggests a primacy of Information Infrastructure with which this book
would concur.
As an aside, controlling these different types of infrastructure becomes even
more difficult when post terrorist attacks, the media in particular, becomes
vocal about seeing visible responses to Critical Infrastructure attacks. In the
UK, for example, this has led to the very disappointing political reaction
that the National Information Security Coordination Centre (NISCC) is
20
Ibid.
21
Naf, Michael (2001) Ubiquitous Insecurity: How to ‘Hack’ IT Systems. In: Wenger,
Andreas (ed). The Internet and the Changing Face of International Relations and
Security: An International Journal, Vol. 7, pp. 104–118.
22
to be subsumed into a Critical National Infrastructure body in 2007 – thus

depriving the UK and its allies of a potential leadership role in cross-border
management of Information Infrastructure. This goes against the grain of the
view that Critical Information Infrastructure now has primacy over Critical
Infrastructures.
The key point is that Critical Infrastructure remains essentially national
in character, whereas Critical Information Infrastructure is increasingly
borderless in character.
This approach, of course, demands a number of assumptions:
• The continued relevance of a nation state or similar
• The continued relevance of Capitalism or similar
• The continued relevance of democracy or similar
• The continued relevance of maintaining a “green” agenda or similar
• The continued relevance of technological progress or similar
And these are taken as “given.” Comments are made on each; but this book
is not necessarily concerned about a substantive debate on these subjects.
Although society does not regularly look at the reasons for its own
existence, it is important to understand why Resilience is important in such a
context. Cynically or otherwise our societies are based on certain principles.
In hedonistic times these get blurred or confused. However, at the root of
society is a certain set of beliefs. It is worth reprising these because they are
why Resilience is important. They do define society as a whole.
A reasonable starting point, because of the dominance of the USA,
within the OECD, on our way of life could be the American Declaration of
Independence as follows:
When in the Course of human events it becomes necessary for one people to dis-
solve the political bands which have connected them with another and to assume
among the powers of the earth, the separate and equal station to which the Laws
of Nature and of Nature’s God entitle them, a decent respect to the opinions of
mankind requires that they should declare the causes which impel them to the
separation.
We hold these truths to be self-evident, that all men are created equal, that
they are endowed by their Creator with certain unalienable Rights, that among
these are Life, Liberty and the pursuit of Happiness. — That to secure these
rights, Governments are instituted among Men, deriving their just powers from
the consent of the governed, — That whenever any Form of Government becomes
destructive of these ends, it is the Right of the People to alter or to abolish it,
and to institute new Government, laying its foundation on such principles and
organizing its powers in such form, as to them shall seem most likely to effect
their Safety and Happiness.23
23
American Declaration of Independence available at http://www.ushistory.org/
declaration (Accessed: 6 January 2007).
At least in theory the Government of the USA (and other Governments)

has certain responsibilities to its citizens. Over time this has taken, in part,
the form of the construction of various infrastructures to secure life, liberty,
and happiness. The preservation of infrastructures designed to ensure that
this happens is clearly important. Resilience in such infrastructures is also
important. The USA Constitution states the position even more clearly:
We the People of the United States, in Order to form a more perfect Union, establish
Justice, insure domestic Tranquility, provide for the common defense, promote the
general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity,
do ordain and establish this Constitution for the United States of America.
The United States Bill of Rights as represented by the major amendments to
the Constitution:
Amendments:
First Amendment – Freedom of speech, press, religion, peaceable assembly,
and to petition the government. Congress shall make no law respecting an
establishment of religion, or prohibiting the free exercise thereof; or abridging
the freedom of speech, or of the press; or the right of the people peaceably to
assemble, and to petition the Government for a redress of grievances.
Second Amendment – Right for the people to keep and bear arms, as well as to
maintain a militia. A well regulated Militia, being necessary to the security of a
free State, the right of the people to keep and bear Arms shall not be infringed.
Third Amendment – Protection from quartering of troops.
No Soldier shall, in time of peace be quartered in any house, without the
consent of the Owner, nor in time of war, but in a manner to be prescribed by law.
Fourth Amendment – Protection from unreasonable search and seizure.
The right of the people to be secure in their persons, houses, papers, and
effects, against unreasonable searches and seizures, shall not be violated, and no
Warrants shall issue, but upon probable cause, supported by Oath or affirmation,
and particularly describing the place to be searched, and the persons or things
to be seized.
Fifth Amendment – Due process, double jeopardy, self-incrimination, private
property. No person shall be held to answer for any capital, or otherwise infamous
crime, unless on a presentment or indictment of a Grand Jury, except in cases
arising in the land or naval forces, or in the Militia, when in actual service in time
of War or public danger; nor shall any person be subject for the same offence to
be twice put in jeopardy of life or limb; nor shall be compelled in any criminal
case to be a witness against himself, nor be deprived of life, liberty, or property,
without due process of law; nor shall private property be taken for public use,
without just compensation.
Sixth Amendment – Trial by jury and other rights of the accused. In all criminal
prosecutions, the accused shall enjoy the right to a speedy and public trial, by an
impartial jury of the State and district wherein the crime shall have been com-
mitted, which district shall have been previously ascertained by law, and to be
informed of the nature and cause of the accusation; to be confronted with the
witnesses against him; to have compulsory process for obtaining witnesses in his
favor, and to have the Assistance of Counsel for his defense.
Seventh Amendment – Civil trial by jury. In suits at common law, where the
value in controversy shall exceed twenty dollars, the right of trial by jury shall be
preserved, and no fact tried by a jury, shall be otherwise reexamined in any Court
of the United States, than according to the rules of the common law.
Eighth Amendment – Prohibition of excessive bail, as well as cruel and unusual
punishment. Excessive bail shall not be required, nor excessive fines imposed,
nor cruel and unusual punishments inflicted.
Ninth Amendment – Protection of rights not specifically enumerated in the Bill
of Rights. The enumeration in the Constitution, of certain rights, shall not be
construed to deny or disparage others retained by the people.
Tenth Amendment – Powers of states and people.
The powers not delegated to the United States by the Constitution, nor prohi-
bited by it to the states, are reserved to the states respectively, or to the people.24
This constitution gives a clear statement of what the USA society is built
upon; and therefore what needs to be defended. The infrastructures that have
been built around both the Declaration of Independence and the Constitution
to create the USA are the infrastructures that need to be defended. Later in
this book, the global nature of Critical Information Infrastructure is noted.
It is worth remembering that most of the Critical Information Infrastructure
in regard to space and the Internet is in the hands of the USA.
It might have been possible to add the Ten Commandments here; but they,
despite the rise of the Christian right in the USA and the importance of
Christianity across the OECD, seem of little relevance to a modern capitalist
state – and, in fact, can be seen to be the antithesis of a modern capitalist state.
This is already a critical problem for churches in the OECD. Having said this,
the Church is leading on defending personal conscience in the USA and UK.
It is recognized that this is a simplistic approach but it is a model, particularly
as almost all the OECD countries subscribe to these “ideals” in one way shape
or form.
Another way of defining our way of life is through Capitalism:
Although nowadays there are ideological capitalists - people who support a set of
ideas about the economic benefits and importance of “free markets” - the term
capitalism was first used to describe the system of private investment and indus-
try with little governmental control which emerged, without an ideological basis,
in the Netherlands and Britain in the 17th and 18th centuries. A “capitalist”
was an individual who invested money (or capital) in a given business venture.
The “Classical economists” [Adam Smith, David Riccardo, et.c], aided by Karl
Marx were responsible for positing this de facto set of business arrangements
as an ideology. In the United States, thinkers as diverse as Hayek, Friedman
and Ayn Rand, have promoted “Capitalism” as every bit as much an ideology as
24
USA Constitution available at http://usconstituion.net (Accessed: 6 January 2007).
Marxism. In practice, many modern western economies developed under heavy

government support and subsidy.25
The link between Government and the success of Capitalism is as old as
Capitalism itself.
A third unifier of the OECD is clearly technology and particularly information
technology. The way in which life is ordered, goods bought and sold, money
transferred, information exchanged, internet used, etc., is more prevalent within
the OECD than in any other group of countries. Most data information traffic
is between OECD countries in 2007; and more information is stored on digital
means in the OECD countries than anywhere else.
So there are three unifying features within the OECD and hence this study of
Resilience: the first is a broadly common political and social ideal, the second
is a common economic approach, and the third is a unifying technology. This
is what the Critical Infrastructures and Critical Information Infrastructures
support, and this is why they need defending. Resilience in each of these areas
is crucial.
Importantly, there has been a migration of these infrastructures from
primarily Government ownership in the 1950s to a much more public/private
split 50 years later. If we take the UK’s list of Critical Infrastructures and
look, very simply, at what has happened to it over a 50 year period:
TABLE 1. UK Infrastructure Ownership

Infrastructure 1957 2007 Comments
Communications General Post Office BT and others run Ownership has
ran the UK’s Post telecommunications; moved from
and the Royal Mail is Public to
Telecommunications now privatized Private
Emergency Police, Fire Police, Fire Ownership still
services Ambulance Ambulance public – but
many more
private providers
Energy Nearly all Public, Nearly all private Ownership has
heavy state moved from
investment in oil Public to
companies such as Private
BP
Finance Nationalized Bank Independent Bank Ownership has
of England, local of England, moved from
national banks international Public to
private banks Private
Food National Policy on No National Policy Ownership has
Food Production On Food moved from
Production some Public to
generally
Private
(continued)
25
Definition available at http://academic.brooklyn.cuny.edu/history/virtual/glossary.htm
TABLE 1. (continued)
Infrastructure 1957 2007 Comments
Government and Public Public with Has grown not shrunk
Public Service Quangos26 and as other parts have
Agencies, Some moved from Public to
Private Delivery Private sector, e.g.
now one civil
servant+ for every
serviceman (see next
table)
Public safety Government Government Moved from
Department Agency Central Government
to a Quango
Health Public Public/Private Ownership has
moved from Public
to Private
Transport Largely Public Largely Private Ownership has moved
from Public to
Private
Water Public Private Public to Private
The ability to defend Critical Infrastructures has changed too.

In simple terms:
TABLE 2. UK Defense of Infrastructures

Defense force 195727 200628 Comments
Army More than 107,370 Less than one-third
Air Force 690,000 46,560 overall size
Navy 38,710
Police Less than 80,000 130,000+
Size of UK Civil Less than 300,000 570,000 (not includ More than double
Service of which less than ing Quangos) of the size – and now
50,000 were which over 100,000 one civil servant
devoted to MOD (over 200,000 or Quango/agency
or related activities if agencies are employee for every
included) devoted serviceman
to the MOD or
related activities
26
A Quango is a Quasi-Autonomous Non Government Organization – these are bodies
that perform Governmental functions with Government Funding but are outside the
formal Civil Service. As a consequence the true size of the public government sector
is often masked.
27
Figures from http://www.citizenshippast.org.uk (Accessed: 6 January 2007).
28
Figures from http:///www.dasa.mod.uk/natstats/tsp1/gender.html (Accessed: 6
January 2007) and http://www.police999.com/ukinfo/figures06.html and http://
www.civilservice.gov.uk/management/statistics/publications/xls/pses_q4_2005.
xls (Accessed: 6 January 2007).
Arguably, the UK is defending a more complex international and national

infrastructure now split between public and private sectors, with less than
half the operatives it had in 1957, yet with twice as many people administering
them. This seems, at face value, to be the inverse of the required development.
At the same time there is less, not more, clarity on the who, what, and where
of Critical Infrastructures.
This is not just an issue that faces the UK – but is a trend across the OECD.
It would be naïve to assume that society does not change. It does. In general,
it can be assumed that society has changed because its leaders wanted it to
change. Wars have been fought to preserve a political position on which leaders
have agreed. War, after all, is the extension of politics by other means.29 But
what happens when society begins to change without its leaders’ agreement?
This is potentially the issue concerning Critical Information Infrastructure.
Society has often changed without its population’s consent, notwithstanding
“no taxation without representation,” rarely without leaders’ consent. How
resilient is society to change without either leaders’ or population’s consent?
What happens if society is “sleepwalking” into some form of revolution that
may be wanted or unwanted? Has every leader in the OECD agreed to be
part of a pervasive information technology that now runs the lives of all their
citizens? Of course, this sort of statement may be a little over the top, but if
this had been a political, rather than a technical, revolution, how different
would have been the view of the leadership? The fact is that the infrastructure
is now here, it is here to stay, but there is little general understanding about it,
and, it can be argued, very little protection.
Since the year 2000, as noted in the introduction, Maslow’s hierarchy of
needs has basically changed to include the computer, information technology,
and telecommunications infrastructure. So pervasive is this, now, to our lives
that Resilience in this area is a major feature of this book. Put together,
elements of the computer, information technology, and telecommunications
infrastructures are so important that a term has been coined to describe
the collective: Critical Information Infrastructure. Critical Information
Infrastructure protection is now, perhaps, the most significant issue for both
countries and businesses – and, for that matter, any other organization that
relies on information of any sort for success. As all of us do to a greater or
lesser extent, this does means all of us.
Clearly, this book looks at the subject of Resilience in a particular manner,
but equally draws on all the common definitions for support. For society to be
resilient, it must absorb energy, it must return or change to another acceptable
steady state, it must cope with stress and catastrophe, it must sustain interruption
to business and recover and resume operations, and it must “bounce back.” To
do this it must understand both what resilience is, what its critical infrastructures
are, and how to protect them, and what, as a society, it both is and the values it
espouses. Resilient societies, it is suggested, do not lose sight of these things.
29
Clausewitz, Karl von (1833) ‘On War’ – various editions available through http://
www.amazon.com (Accessed: 6 January 2007).
Chapter 3
Critical Infrastructures and Critical
Information Infrastructures:
Approaches by Geography
This review of Critical Infrastructures and Critical Information Infrastructures

looks at the major issues from different geographical viewpoints. The purpose
of this is to give some understanding to the issues and importance of the over-
all subject in a number of different countries. The key countries looked at here
are the UK, the USA, Australia, and New Zealand. Europe is also covered
in some detail. This is simply because in any literature search they are clearly
leaders in this field.
In the USA Dr. Jim Kennedy of Lucent comments as follows:
It has always been the policy of the United States to ensure the continuity
and security of the critical infrastructures that are essential to the minimum
operations of our economy and government. This critical infrastructure includes
essential government services, public health, law enforcement, emergency serv-
ices, information and communications, banking and finance, energy, transportation,
and water supply.
So even before the events of 9/11, the Executive Branch of our government,
the President through Presidential Decision Directive 63 (PDD 63) issued May
22, 1998, ordered the strengthening of the nation’s defenses against emerging
unconventional threats to the United States, including those involving terror-
ist acts, weapons of mass destruction, assaults on critical infrastructures, and
cyber-based attacks.
But how many of us really understand what an immense undertaking that
was? What is the critical infrastructure in the United States?
• More than 3,000 government facilities
• 7,569 Hospitals
• Telecommunications: 2 billion miles of cable; 1000s of telephone switching
central offices
• Energy: 2,800 Electric power plants; 300,000 oil and natural gas producing
sites; 104 nuclear power plants
• Transportation
– 5000 public airports
– 500,000 highway bridges
19
– 2 million miles of pipelines

– 300 coastal ports
– 500 major urban public transit operators:
• 4,893 banks or savings institutions have more than $100 billion in assets
• 66,000 chemical and hazardous material producing plants
• 75,000 dams
• 51,450 fire stations responding to 22,616,500 calls for assistance each year.
US business and every individual rely in some manner on the above every day.
We depend on their operational resiliency and continuity of operations.
Initially, critical infrastructure assurance was essentially a state and local
concern. With the massive use of information technologies and their significant
interdependencies it has become a national concern, with major implications for
the defense of our homeland and the economic security of the United States.
However, given all of the focus on critical infrastructure still one in three criti-
cal infrastructure operations goes without a business continuity or continuity of
operations plan and three out of five of those operations with plans have never
tested their plans as “fit for purpose.”30
Clearly Critical Infrastructure and Critical Information Infrastructure is
an important issue in the USA.
What Critical Information Infrastructure/Infrastructure is:
Critical Information Infrastructure is perceived as an essential part of national
security in numerous countries today and has become the nucleus of the US
terrorism and homeland security debate after 11 September 2001. A critical
infrastructure is commonly understood to be an infrastructure or asset the
incapacitation or destruction of which would have a debilitating impact on the
national security and the economic and social welfare of a nation.31
In the USA, the important initiative and policy on Critical Infrastructure
and Critical Information Infrastructures is the following:
Executive Order on Critical Infrastructure Protection

By the authority vested in me as President by the Constitution and the laws of
the United States of America, and in order to ensure protection of information
systems for critical infrastructure, including emergency preparedness commu-
nications, and the physical assets that support such systems, in the information
age, it is hereby ordered as follows:
30
Kennedy, J (2006) Critical Infrastructure Protection is all about Operational Resilience and
Continuity, Continuity Forum, 17 November. Available at http://www.continuitycentral.
com/feature0413.htm (Accessed: 6 January 2007).
31
Dunn, M and Wigert, I (2004). op. cit.
Chapter 3 Critical Infrastructures and Critical Information Infrastructures 21
Section 1. Policy.
(a) The information technology revolution has changed the way business is trans-
acted, government operates, and national defense is conducted. Those three
functions now depend on an interdependent network of Critical Information
Infrastructures. The protection program by this order shall consist of con-
tinuous efforts to secure information systems for critical infrastructure,
including emergency preparedness communications, and the physical assets
that support such systems. Protection of these systems is essential to the tel-
ecommunications, energy, financial services, manufacturing, water, transporta-
tion, health care, and emergency services sectors.
(b) It is the policy of the United States to protect against disruption of the
operation of information systems for critical infrastructure and thereby help
to protect the people, economy, essential human and government services,
and national security of the United States, and to ensure that any disruptions
that occur are infrequent, of minimal duration, and manageable, and cause
the least damage possible. The implementation of this policy shall include
a voluntary public-private partnership, involving corporate and nongovern-
mental organizations.
Sec. 2. Scope. To achieve this policy, there shall be a senior executive branch
board to coordinate and have cognizance of Federal efforts and programs that
relate to protection of information systems and involve:
(a) cooperation with and protection of private sector critical infrastructure,
State and local governments, critical infrastructure, and supporting pro-
grams in corporate and academic organizations;
(b) protection of Federal departments, and agencies, critical infrastructure;
and
(c) related national security programs.
Sec. 3. Establishment. I hereby establish the “President’s Critical Infrastructure
Protection Board” (the “Board”).
Sec. 4. Continuing Authorities. This order does not alter the existing
authorities or roles of United States Government departments and agen-
cies. Authorities set forth in 44 U.S.C. Chapter 35, and other applicable
law, provide senior officials with responsibility for the security of Federal
Government information systems.
(a) Executive Branch Information Systems Security. The Director of the Office of
Management and Budget (OMB) has the responsibility to develop and over-
see the implementation of government-wide policies, principles, standards, and
guidelines for the security of information systems that support the executive
branch departments and agencies, except those noted in section 4(b) of this
order. The Director of OMB shall advise the President and the appropriate
department or agency head when there is a critical deficiency in the security
practices within the purview of this section in an executive branch department
or agency. The Board shall assist and support the Director of OMB in this
function and shall be reasonably cognizant of programs related to security of
department and agency information systems.
(b) National Security Information Systems. The Secretary of Defense and the
Director of Central Intelligence (DCI) shall have responsibility to oversee,
develop, and ensure implementation of policies, principles, standards, and
guidelines for the security of information systems that support the opera-
tions under their respective control. In consultation with the Assistant to
the President for National Security Affairs and the affected departments
and agencies, the Secretary of Defense and the DCI shall develop policies,
principles, standards, and guidelines for the security of national security
information systems that support the operations of other executive branch
departments and agencies with national security information.
(i) Policies, principles, standards, and guidelines developed under this subsec-
tion may require more stringent protection than those developed in accord-
ance with subsection 4(a) of this order.
(ii) The Assistant to the President for National Security Affairs shall
advise the President and the appropriate department or agency head
when there is a critical deficiency in the security practices of a depart-
ment or agency within the purview of this section. The Board, or one
of its standing or ad hoc committees, shall be reasonably cognizant
of programs to provide security and continuity to national security
information systems.
(c) Additional Responsibilities: The Heads of Executive Branch Departments
and Agencies. The heads of executive branch departments and agencies are
responsible and accountable for providing and maintaining adequate lev-
els of security for information systems, including emergency preparedness
communications systems, for programs under their control. Heads of such
departments and agencies shall ensure the development and, within available
appropriations, funding of programs that adequately address these mission
areas. Cost-effective security shall be built into and made an integral part of
government information systems, especially those critical systems that sup-
port the national security and other essential government programs. Addi-
tionally, security should enable, and not unnecessarily impede, department
and agency business operations.
Sec. 5. Board Responsibilities. Consistent with the responsibilities noted in section
4 of this order, the Board shall recommend policies and coordinate programs for
protecting information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such systems.
Among its activities to implement these responsibilities, the Board shall:
(a) Outreach to the Private Sector and State and Local Governments. In consul-
tation with affected executive branch departments and agencies, coordinate
outreach to and consultation with the private sector, including corporations
that own, operate, develop, and equip information, telecommunications,

transportation, energy, water, health care, and financial services, on protec-
tion of information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such
systems; and coordinate outreach to State and local governments, as well
as communities and representatives from academia and other relevant ele-
ments of society.
(i) When requested to do so, assist in the development of voluntary standards
and best practices in a manner consistent with 15 U.S.C. Chapter 7;
(ii) Consult with potentially affected communities, including the legal, audit-
ing, financial, and insurance communities, to the extent permitted by law,
to determine areas of mutual concern; and
(iii) Coordinate the activities of senior liaison officers appointed by the
Attorney General, the Secretaries of Energy, Commerce, Transporta-
tion, the Treasury, and Health and Human Services, and the Director
of the Federal Emergency Management Agency for outreach on critical
infrastructure protection issues with private sector organizations within
the areas of concern to these departments and agencies. In these and
other related functions, the Board shall work in coordination with the
Critical Infrastructure Assurance Office (CIAO) and the National
Institute of Standards and Technology of the Department of Com-
merce, the National Infrastructure Protection Center (NIPC), and the
National Communications System (NCS).
(b) Information Sharing. Work with industry, State and local governments,
and nongovernmental organizations to ensure that systems are created and
well managed to share threat warning, analysis, and recovery information
among government network operation centers, information sharing and
analysis centers established on a voluntary basis by industry, and other
related operations centers. In this and other related functions, the Board
shall work in coordination with the NCS, the Federal Computer Incident
Response Center, the NIPC, and other departments and agencies, as appro-
priate.
(c) Incident Coordination and Crisis Response. Coordinate programs and policies
for responding to information systems security incidents that threaten infor-
mation systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems. In this
function, the Department of Justice, through the NIPC and the Manager of
the NCS and other departments and agencies, as appropriate, shall work in
coordination with the Board.
(d) Recruitment, Retention, and Training Executive Branch Security Profes-
sionals. In consultation with executive branch departments and agencies,
coordinate programs to ensure that government employees with responsibil-
ities for protecting information systems for critical infrastructure, includ-
ing emergency preparedness communications, and the physical assets that
support such systems, are adequately trained and evaluated. In this func-
tion, the Office of Personnel Management shall work in coordination with
the Board, as appropriate.
(e) Research and Development. Coordinate with the Director of the Office of
Science and Technology Policy (OSTP) on a program of Federal Govern-
ment research and development for protection of information systems for
critical infrastructure, including emergency preparedness communications,
and the physical assets that support such systems, and ensure coordination
of government activities in this field with corporations, universities, Feder-
ally funded research centers, and national laboratories. In this function, the
Board shall work in coordination with the National Science Foundation, the
Defense Advanced Research Projects Agency, and with other departments
and agencies, as appropriate.
(f) Law Enforcement Coordination with National Security Components. Pro-
mote programs against cyber crime and assist Federal law enforcement agen-
cies in gaining necessary cooperation from executive branch departments and
agencies. Support Federal law enforcement agencies, investigation of illegal
activities involving information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that sup-
port such systems, and support coordination by these agencies with other
departments and agencies with responsibilities to defend the Nation’s secu-
rity. In this function, the Board shall work in coordination with the Depart-
ment of Justice, through the NIPC, and the Department of the Treasury,
through the Secret Service, and with other departments and agencies, as
appropriate.
(g) International Information Infrastructure Protection. Support the Depart-
ment of State’s coordination of United States Government programs for
international cooperation covering international Information Infrastructure
protection issues.
(h) Legislation. In accordance with OMB circular A-19, advise depart-
ments and agencies, the Director of OMB, and the Assistant to the
President for Legislative Affairs on legislation relating to protection
of information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support
such systems.
(i) Coordination with Office of Homeland Security. Carry out those func-
tions relating to protection of and recovery from attacks against informa-
tion systems for critical infrastructure, including emergency preparedness
communications, that were assigned to the Office of Homeland Security by
Executive Order 13228 of October 8, 2001. The Assistant to the President
for Homeland Security, in coordination with the Assistant to the President
for National Security Affairs, shall be responsible for defining the respon-
sibilities of the Board in coordinating efforts to protect physical assets that
support information systems.
Sec. 6. Membership. (a) Members of the Board shall be drawn from the executive
branch departments, agencies, and offices listed below; in addition, concerned
Federal departments and agencies may participate in the activities of appropri-
ate committees of the Board. The Board shall be led by a Chair and Vice Chair,
designated by the President. Its other members shall be the following senior
officials or their designees:
(i) Secretary of State;
(ii) Secretary of the Treasury;
(iii) Secretary of Defense;
(iv) Attorney General;
(v) Secretary of Commerce;
(vi) Secretary of Health and Human Services;
(vii) Secretary of Transportation;
(viii) Secretary of Energy;
(ix) Director of Central Intelligence;
(x) Chairman of the Joint Chiefs of Staff;
(xi) Director of the Federal Emergency Management Agency;
(xii) Administrator of General Services;
(xiii) Director of the Office of Management and Budget;
(xiv) Director of the Office of Science and Technology Policy;
(xv) Chief of Staff to the Vice President;
(xvi) Director of the National Economic Council;
(xvii) Assistant to the President for National Security Affairs;
(xviii) Assistant to the President for Homeland Security;
(xix) Chief of Staff to the President; and
(xx) Such other executive branch officials as the President may designate.
Members of the Board and their designees shall be full-time or permanent part-
time officers or employees of the Federal Government.
(b) In addition, the following officials shall serve as members of the Board and
shall form the Board’s Coordination Committee:
(i) Director, Critical Infrastructure Assurance Office, Department of
Commerce;
(ii) Manager, National Communications System;
(iii) Vice Chair, Chief Information Officers’ (CIO) Council;
(iv) Information Assurance Director, National Security Agency;
(v) Deputy Director of Central Intelligence for Community Management;
and
(vi) Director, National Infrastructure Protection Center, Federal Bureau of
Investigation, Department of Justice.
(c) The Chairman of the Federal Communications Commission may appoint a
representative to the Board.
Sec. 7. Chair. (a) The Chair also shall be the Special Advisor to the President
for Cyberspace Security. Executive branch departments and agencies shall
make all reasonable efforts to keep the Chair fully informed in a timely man-
ner, and to the greatest extent permitted by law, of all programs and issues
within the purview of the Board. The Chair, in consultation with the Board,
shall call and preside at meetings of the Board and set the agenda for the
Board. The Chair, in consultation with the Board, may propose policies and
programs to appropriate officials to ensure the protection of the Nation’s
information systems for critical infrastructure, including emergency prepared-
ness communications, and the physical assets that support such systems. To
ensure full coordination between the responsibilities of the National Security
Council (NSC) and the Office of Homeland Security, the Chair shall report
to both the Assistant to the President for National Security Affairs and to the
Assistant to the President for Homeland Security. The Chair shall coordinate
with the Assistant to the President for Economic Policy on issues relating to
private sector systems and economic effects and with the Director of OMB on
issues relating to budgets and the security of computer networks addressed in
subsection 4(a) of this order.
(b) The Chair shall be assisted by an appropriately sized staff within the White
House Office. In addition, heads of executive branch departments and agen-
cies are, to the extent permitted by law, to detail or assign personnel of such
departments and agencies to the Board’s staff upon request of the Chair,
subject to the approval of the Chief of Staff to the President. Members of
the Board’s staff with responsibilities relating to national security informa-
tion systems, communications, and information warfare may, with respect
to those responsibilities, also work at the direction of the Assistant to the
President for National Security Affairs.
Sec. 8. Standing Committees. (a) The Board may establish standing and ad hoc
committees as appropriate. Representation on standing committees shall not be
limited to those departments and agencies on the Board, but may include repre-
sentatives of other concerned executive branch departments and agencies.
(b) Chairs of standing and ad hoc committees shall report fully and regularly
on the activities of the committees to the Board, which shall ensure that the
committees are well coordinated with each other.
(c) There are established the following standing committees:
(i) Private Sector and State and Local Government Outreach, chaired
by the designee of the Secretary of Commerce, to work in coor-
dination with the designee of the Chairman of the National
Economic Council.
(ii) Executive Branch Information Systems Security, chaired by the
designee of the Director of OMB. The committee shall assist OMB
in fulfilling its responsibilities under 44 U.S.C. Chapter 35 and other
applicable law.
(iii) National Security Systems. The National Security Telecommunications

and Information Systems Security Committee, as established by and con-
sistent with NSD-42 and chaired by the Department of Defense, shall
serve as a Board standing committee, and be redesignated the Committee
on National Security Systems.
(iv) Incident Response Coordination, co-chaired by the designees of the
Attorney General and the Secretary of Defense.
(v) Research and Development, chaired by a designee of the Director of
OSTP.
(vi) National Security and Emergency Preparedness Communications.
The NCS Committee of Principals is renamed the Board’s Committee
for National Security and Emergency Preparedness Communications.
The reporting functions established above for standing committees
are in addition to the functions set forth in Executive Order 12472 of
April 3, 1984, and do not alter any function or role set forth therein.
(vii) Physical Security, co-chaired by the designees of the Secretary of
Defense and the Attorney General, to coordinate programs to ensure
the physical security of information systems for critical infrastruc-
ture, including emergency preparedness communications, and the
physical assets that support such systems. The standing committee
shall coordinate its work with the Office of Homeland Security and
shall work closely with the Physical Security Working Group of the
Records Access and Information Security Policy Coordinating Com-
mittee to ensure coordination of efforts.
(viii) Infrastructure Interdependencies, co-chaired by the designees
of the Secretaries of Transportation and Energy, to coordinate
programs to assess the unique risks, threats, and vulnerabilities
associated with the interdependency of information systems for
critical infrastructures, including the development of effective
models, simulations, and other analytic tools and cost-effective
technologies in this area.
(ix) International Affairs, chaired by a designee of the Secretary of State,
to support Department of State coordination of United States.
Government programs for international cooperation covering international

Information Infrastructure issues.
(x) Financial and Banking Information Infrastructure, chaired by a

designee of the Secretary of the Treasury and including representa-
tives of the banking and financial institution regulatory agencies.
(xi) Other Committees. Such other standing committees as may be
established by the Board.
(d) Subcommittees. The chair of each standing committee may form neces-
sary subcommittees with organizational representation as determined by
the Chair.
(e) Streamlining. The Board shall develop procedures that specify the manner in
which it or a subordinate committee will perform the responsibilities previ-
ously assigned to the Policy Coordinating Committee. The Board, in coor-
dination with the Director of OSTP, shall review the functions of the Joint
Telecommunications Resources Board, established under Executive Order
12472, and make recommendations about its future role.
Sec. 9. Planning and Budget. (a) The Board, on a periodic basis, shall propose
a National Plan or plans for subjects within its purview. The Board, in coor-
dination with the Office of Homeland Security, also shall make recommenda-
tions to OMB on those portions of executive branch department and agency
budgets that fall within the Board’s purview, after review of relevant program
requirements and resources.
(b) The Office of Administration within the Executive Office of the President
shall provide the Board with such personnel, funding, and administrative
support, to the extent permitted by law and subject to the availability of
appropriations, as directed by the Chief of Staff to carry out the provisions
of this order. Only those funds that are available for the Office of Home-
land Security, established by Executive Order 13228, shall be available for
such purposes. -To the extent permitted by law and as appropriate, agencies
represented on the Board also may provide administrative support for the
Board. The National Security Agency shall ensure that the Board’s informa-
tion and communications systems are appropriately secured.
(c) The Board may annually request the National Science Foundation, Depart-
ment of Energy, Department of Transportation, Environmental Protec-
tion Agency, Department of Commerce, Department of Defense, and the
Intelligence Community, as that term is defined in Executive Order 12333
of December 4, 1981, to include in their budget requests to OMB funding
for demonstration projects and research to support the Board’s activities.
Sec. 10. Presidential Advisory Panels. The Chair shall work closely with pan-
els of senior experts from outside of the government that advise the President,
in particular: the President’s National Security Telecommunications Advisory
Committee (NSTAC) created by Executive Order 12382 of September 13,
1982, as amended, and the National Infrastructure Advisory Council (NIAC
or Council) created by this Executive Order. The Chair and Vice Chair of these
two panels also may meet with the Board, as appropriate and to the extent per-
mitted by law, to provide a private sector perspective.
(a) NSTAC. The NSTAC provides the President advice on the security and continuity
of communications systems essential for national security and emergency pre-
paredness.
(b) NIAC. There is hereby established the National Infrastructure Advisory
Council, which shall provide the President advice on the security of infor-
mation systems for critical infrastructure supporting other sectors of the
economy: banking and finance, transportation, energy, manufacturing,
and emergency government services. The NIAC shall be composed of not
more than 30 members appointed by the President. The members of the

NIAC shall be selected from the private sector, academia, and State and
local government. Members of the NIAC shall have expertise relevant to the
functions of the NIAC and generally shall be selected from industry Chief
Executive Officers (and equivalently ranked leaders in other organizations)
with responsibilities for the security of Information Infrastructure sup-
porting the critical sectors of the economy, including banking and finance,
transportation, energy, communications, and emergency government serv-
ices. Members shall not be full-time officials or employees of the executive
branch of the Federal Government.
(i) The President shall designate a Chair and Vice Chair from among the
members of the NIAC.
(ii) The Chair of the Board established by this order will serve as the
Executive Director of the NIAC.
(c) NIAC Functions. The NIAC will meet periodically to:
(i) enhance the partnership of the public and private sectors in protecting
information systems for critical infrastructures and provide reports on
this issue to the President, as appropriate;
(ii) propose and develop ways to encourage private industry to perform
periodic risk assessments of critical information and telecommunica-
tions systems;
(iii) monitor the development of private sector Information Sharing and
Analysis Centers (ISACs) and provide recommendations to the Board
on how these organizations can best foster improved cooperation among
the ISACs, the NIPC, and other Federal Government entities;
(iv) report to the President through the Board, which shall ensure appro-
priate coordination with the Assistant to the
President for Economic Policy under the terms of this order; and
(v) advise lead agencies with critical infrastructure responsibilities, sector
coordinators, the NIPC, the ISACs, and the Board.
(d) Administration of the NIAC.
(i) The NIAC may hold hearings, conduct inquiries, and establish sub-
committees, as appropriate.
(ii) Upon the request of the Chair, and to the extent permitted by law, the
heads of the executive branch departments and agencies shall provide
the Council with information and advice relating to its functions.
(iii) Senior Federal Government officials may participate in the meetings
of the NIAC, as appropriate.
(iv) Members shall serve without compensation for their work on the
Council. However, members may be allowed travel expenses, including
per diem in lieu of subsistence, as by law for persons serving intermit-
tently in Federal Government service (5 U.S.C. 5701–5707).
(v) To the extent permitted by law, and subject to the availability of

appropriations, the Department of Commerce, through the CIAO,
shall provide the NIAC with administrative services, staff, and other
support services and such funds as may be necessary for the perform-
ance of the NIAC’s functions.
(e) General Provisions.
(i) Insofar as the Federal Advisory Committee Act, as amended (5 U.S.C.
App.), may apply to the NIAC, the functions of the President under
that Act, except that of reporting to the Congress, shall be performed
by the Department of Commerce in accordance with the guidelines and
procedures established by the Administrator of General Services.
(ii) The Council shall terminate 2 years from the date of this order, unless
extended by the President prior to that date.
(iii) Executive Order 13130 of July 14, 1999, is hereby revoked.
Sec. 11. National Communications System. Changes in technology are caus-
ing the convergence of much of telephony, data relay, and internet communi-
cations networks into an interconnected network of networks. The NCS and
its National Coordinating Center shall support use of telephony, converged
information, voice networks, and next generation networks for emergency pre-
paredness and national security communications functions assigned to them in
Executive Order 12472. All authorities and assignments of responsibilities to
departments and agencies in that order, including the role of the Manager of
NCS, remain unchanged except as explicitly modified by this order.
Sec. 12. Counter-intelligence. The Board shall coordinate its activities with those
of the Office of the Counter-intelligence Executive to address the threat to pro-
grams within the Board’s purview from hostile foreign intelligence services.
Sec. 13. Classification Authority. I hereby delegate to the Chair the authority
to classify information originally as Top Secret, in accordance with Executive
Order 12958 of April 17, 1995, as amended, or any successor Executive Order.
Sec. 14. General Provisions. (a) Nothing in this order shall supersede any
requirement made by or under law.
(b) This order does not create any right or benefit, substantive or procedural,
enforceable at law or equity, against the United States, its departments,
agencies or other entities, its officers or employees, or any other person.
GEORGE W. BUSH
THE WHITE HOUSE,
October 16, 2001.32
32
Bush, GW (2001) Executive Order on Critical Infrastructure Protection. Available
at http://www.whitehouse.gov/news/releases/2001/10/20011016-12.html (Accessed:
6 January 2007).
The Executive Order represents a clear political statement about the

importance of Critical Infrastructure and Critical Information Infrastruc-
ture. It is important to understand that this is probably the clearest statement
of this nature from any administration. It does, however, have a weakness in
that there is a lack of absolute clarity on who is overall responsible – there is
much coordination, different bodies, and consultation. No specific depart-
ment is charged with either building resilience or defense, although it may be
inferred that the Department of Homeland Security has a leading role.
In the UK, Critical Infrastructure is termed Critical National Infrastruc-
ture. MI5, the security service comments as follows:
The Government places a high value on ensuring that the UK is both well
prepared for and protected against national emergencies of all kinds . . .
Major disruption could result from a range of events such as adverse environ-
mental conditions, major accidents, epidemics, or deliberate terrorist or elec-
tronic attack. Strengthening our national resilience to such events requires the
joint effort of all Government departments together with the businesses, organi-
zations and communities that are fundamental to our daily lives.
Many of the mechanisms to deal with a national crisis and to protect our national
assets are already well established, but ensuring a coordinated response among all
the stakeholders who play a part in protecting and preparing the UK can be com-
plex. The concept of a Critical National Infrastructure (CNI) helps to introduce a
common understanding of key sectors and functions that need to be preserved in the
face of any disruptive challenge and protected in the public interest.
The Government views the CNI as those assets, services and systems that
support the economic, political and social life of the UK whose importance is
such that any entire or partial loss or compromise could:
• cause large scale loss of life;
• have a serious impact on the national economy;
• have other grave social consequences for the community, or any substantial
part of the community; or
• be of immediate concern to the national government.
The Government considers that there are ten “sectors” of economic, political
and social activity in which there are critical elements. They are:
• Communications
• Emergency Services
• Energy
• Finance
• Food
• Government and Public Service
• Public Safety
• Health
• Transport
• Water
Not every activity within these sectors is critical, but application of the criteria
outlined above assists Government and managers within each sector to identify
where best to concentrate protective security effort.33
In the UK Critical Infrastructure Protection and Critical Information Infra-
structure Protection is well understood. The definition of the “sectors” is slightly
different from the common list described elsewhere, but still comprehensive.
The threats are also well understood. Organizations exist to advise and warn.
No specific department is charged with either building resilience or defense.
On the 25 November 2005, the European Commission launched a Green
Paper on “Critical Infrastructure Protection”:
The European Commission has adopted a green paper on a Program for critical
infrastructure protection which outlines the options on what would enhance preven-
tion, preparedness and response to the Union’s critical infrastructure protection. The
Green Paper provides options on how the Commission may respond to the Council’s
request to establish an “European Program for Critical Infrastructure Protection”
(EPCIP) and a “Critical Infrastructure Warning Information Network” (CIWIN)
and constitutes the second phase of a consultation process that began with a Com-
mission Communication on critical Infrastructure Protection that was adopted in
October 2004.
The Green Paper addresses such key issues as:
What should EPCIP protect against? The key principles being:
• The type of framework needed
• Definition of EU Critical Infrastructure
• National Critical Infrastructure
• Role of Critical Infrastructure owners/operators
• The Critical Infrastructure Warning Information Network (CIWIN)
• Funding
• Evaluation and monitoring
The options presented by the EPCIP Green Paper are a combination of
measures and are to be viewed as complementary to current national efforts.
The Commission expects that by presenting this green paper, it will receive
concrete feedback concerning the policy options outlined in this document.
Critical Infrastructure can be damaged, destroyed or disrupted by delib-
erate acts of terrorism, natural disasters, negligence, accidents or computer
hacking, criminal activity, and malicious behavior. To save the lives and prop-
erty of people at risk in the EU from terrorism, natural disasters, and acci-
dents, any disruptions or manipulations of Critical Infrastructures should, to
the extent possible, be brief, infrequent, manageable, geographically isolated,
and minimally detrimental to the welfare of the Member States, their citizens,
and the European Union.
33
Available at http://www.mi5.gov.uk (Accessed: 6 January 2007).
The recent terrorist attacks in Madrid and London have highlighted the
risk of terrorist attacks against European infrastructure. The EU’s response
must therefore be swift, coordinated, and efficient.
The damage or loss of a piece of infrastructure in one State may have nega-
tive effects on several others and on the European economy as a whole. This is
becoming i.ncreasingly likely as new technologies (e.g., the Internet) and mar-
ket liberalization (e.g., in electricity and gas supply) mean that much infra-
structure is part of a larger network. In such a situation, protection measures
are only as strong as their weakest link. This means that a common level of
protection may be necessary. A common EU level framework for the protec-
tion of critical infrastructure in Europe could be put in place in order to make
sure that each Member State is providing adequate and equal levels of protec-
tion concerning their critical infrastructure and that the rules of competition
within the internal market are not distorted.
The Commission has organized seminars and invited the submission of
ideas and comments by Member States. The submissions have formed the
basis for further critical infrastructure protection development. Both Mem-
ber States and industry associations have participated in the seminars. As a
result, the Commission has put forward a green paper on the subject.
The objective of the green paper is to receive feedback concerning EPCIP
policy options by involving a broad number of stakeholders. The effective
protection of critical infrastructure requires communication, coordination, and
cooperation nationally and at EU level among all interested parties – the owners
and operators of infrastructure, regulators, professional bodies, and industry
associations in cooperation with all levels of government, and the public.34
In Europe there is again a good understanding of Critical Infrastructures,
but the operational side of things is not well developed. No specific depart-
ment is charged with either building resilience or defense.
In some parts of Australia as much as 90% of critical infrastructure is
privately owned. As such, Critical Infrastructure Protection (CIP) cannot be
carried out solely by government.
CIP brings together a significant number of existing strategies, plans, and
procedures that deal with the prevention, preparedness, response, and recovery
arrangements for disasters and emergencies. It is not a new discipline, but is a
coordinated blending of existing specializations, including:
• Law enforcement and crime prevention
• Counter terrorism
• National security and defense
• Emergency management, including the dissemination of information
• Business continuity planning
34
European Commission (2005) Critical Infrastructure Protection. Green Paper.
Available at http://www.europaworld.org/week247/commission251105.htm (Accessed:
6 January 2007).
• Protective security (physical, personnel and procedural)

• e-security
• Natural disaster planning and preparedness
• Risk management
• Professional networking
• Market regulation, planning and infrastructure development.
CIP requires the active participation of the owners and operators of infra-
structure, regulators, professional bodies, and industry associations, in coopera-
tion with all levels of government, and the public. To ensure this cooperation
and coordination, all of these participants should commit to the following set
of common fundamental principles of CIP. These principles are to be read as a
whole, as each sets the context for the following.
CIP is centered on the need to minimize risks to public health, safety, and
confidence, ensure our economic security, maintain Australia’s international
competitiveness, and ensure the continuity of government and its services.
The objectives of CIP are to identify critical infrastructure, analyze vulner-
ability and interdependence, and protect from, and prepare for, all hazards.
As not all critical infrastructure can be protected from all threats, appropriate
risk management techniques should be used to determine relative severity and
duration, the level of protective security, set priorities for the allocation of
resources, and the application of the best mitigation strategies for business
continuity.
The responsibility for managing risk within physical facilities, supply chains,
information technologies, and communication networks primarily rests with
the owners and operators. CIP needs to be undertaken from an “all hazards
approach” with full consideration of interdependencies between businesses, sec-
tors, jurisdictions, and government agencies. CIP requires a consistent, coopera-
tive partnership between the owners and operators of critical infrastructure and
governments. The sharing of information relating to threats and vulnerabilities
will assist governments, and owners and operators of critical infrastructure to
better manage risk.
It is stated that care should be taken when referring to national security
threats to critical infrastructure, including terrorism, so as to avoid undue con-
cern in the Australia domestic community, as well as potential tourists and inves-
tors overseas.
Stronger research and analysis capabilities can ensure that risk mitigation
strategies are tailored to Australia’s unique critical infrastructure circum-
stances.35 Again Australia has a very clear understanding of the issues. No specific
department is charged with either building resilience or defense.
35
Australian Government Attorney General (2006) Trusted Information Sharing Network
for Critical Infrastructure Protection. Available at http://www.tisn.gov.au (Accessed:
6 January 2007).
In New Zealand, most systems assume the continuing supply of power and
telecommunications.
Ownership of Infrastructure
• The ownership of critical infrastructure is diverse.
• Central government departments own items such as the computers running the
SWIFTT benefits payment system.
• The Defense and Police forces have computer systems and communications
networks.
• Hospitals use computer systems for accounting and administration.
• The Reserve Bank currently operates banking settlements systems.
• State-owned enterprises such as Transpower and Airways own critical networks.
• Much critical infrastructure is in the private sector, including telecommunica-
tions and local electricity distribution.
The situation is more complex than the above would suggest. There are many
different models for infrastructure-owning organizations to have parts of infra-
structure outsourced or managed by another company. Furthermore, although
some infrastructure providers have IT or telecommunications networks, these
are many cases dependent on circuits provided by a telecommunications carrier
such as Telecom or Telstra Saturn.
While the government does not own or directly control much of the criti-
cal infrastructure of New Zealand, it does have a role in assuring itself that
this infrastructure is adequately protected. Infrastructural businesses differ
from others in that customers’ interest in their continued ability to supply may
exceed the commercial interests of the business to do so. This is especially a
concern where the infrastructure business is a monopoly provider, since the
The following diagram shows how the various critical infrastructures depend
on each other.
Banking / Finance Transport
Electric Power Telecommunications
Emergency Services Oil and Gas Government Services
FIGURE 1. New Zealand Critical Infrastructure Dependencies (Source: New Zealand

Government)
competitive pressure to maintain service is reduced or absent. A hypothetical

example would be a power company that risked infrastructure failure through
underinvestment of funds and time in engineering while choosing, instead to
focus on, an area that might increase profitability.
Risks in Critical Infrastructure

Given the concerns expressed above over the adequacy of commercial incen-
tives in respect of infrastructure security, Government needs to consider how
it can assure itself that sufficient risk management is being undertaken.
A reasonable approach is to establish the extent to which infrastructure
owners use risk management methods.
Best practice risk management starts with a formal model of risk and
mitigation. There are a number of formal risk assessment models available.
The following diagrams show a summary of risk assessment and mitiga-
tion as applied to the critical infrastructure. These models are adapted from
Australian and New Zealand Standards.
This diagram shows the critical services depending on infrastructure, some
areas of which depend on other services. The components of the infrastruc-
ture, referred to as assets, are subject to vulnerabilities. Vulnerabilities may be
exploited by threats. The action of a threat on a vulnerability may be mitigated
through various strategies.
Critical
Threats
Services
Also
needs
Makes
use of Critical
Infrastructure
Composed
of
Assets Vulnerabilities Mitigations
Residual
Risk
FIGURE 2. New Zealand Infrastructure Threats and Vulnerabilities (Source: New

Zealand Government)
Threats
Assets Vulnerabilities Mitigations
Residual
Risk
FIGURE 3. New Zealand Risk Mitigation Cycle (Source: New Zealand Government)
After risks have been mitigated there is always some residual risk, which needs
to be assessed. If it is found unacceptable further mitigation measures will need
to be applied.
Risk has two components: the consequence, or impact of an event; and the
likelihood of the event. Because infrastructure is obviously valuable, physical
risks have generally already been considered and some measure of protection
applied. The risk of damage to infrastructure from physical threats therefore
tends to have a low likelihood, albeit a high consequence. This section, however,
focuses on the more rapidly developing and less immediately obvious risks that
are associated with the growing dependence on IT.
IT Threats to Critical Infrastructure

IT threats (i.e., threats that do not include physical attack) to critical infra-
structure may be categorized both by the motivation and resourcing of the
attacker or other threat agent, and by the means of attack.
Threat agents could be the following:
• Staff making mistakes
• Disaffected staff or contractors
• Recreational hackers
• Individuals seeking personal gain, e.g. through theft or extortion
• Agents of organized crime, competing commercial interests or issue groups

• Agents of foreign governments
These vary in the extent of knowledge and resource.
The types of IT-borne attack include the following:
• Denial of service attacks via the Internet
• Hacking or cracking, whether leading to systems damage or breach of con-
fidentiality
• Malware – programs with covert malicious intent, including viruses, worms,
and trojan horses
• Malicious or inadvertent damage by insiders
• The unlawful interception of messages (or actual theft of laptop or other
computers)
Since the Internet has become so ubiquitous in developed nations, most IT-
borne attacks have been carried out over the Internet. Internet-based attacks
have certain characteristics that explain their prevalence and impact:
Internet attacks involve action at a distance, in many cases crossing national
borders, which offers the attacker a degree of anonymity and reduces the likeli-
hood of punishment. This reduces the deterrent effect of legislation [New Zealand
is unusual among Western countries, in that it currently does not have legislation
directed against hacking. A Bill to address this is before the House.].
Like other IT-borne threats, Internet attacks often involve the use of com-
puters for automatic repetition of some process, such as the use of dictionary
searching tools to crack passwords, or viruses that replicate themselves with-
out limit. This factor can leverage one individual’s cleverness into an attack
on infrastructure that has global impact. The size of the impact in this sce-
nario bears no relation to the quantum of resources available to the attacker.
Once written, automated attack tools [The authors of such tools are not
necessarily malign or reckless, since they are in many cases intended for legiti-
mate uses such as assessing one’s own network for vulnerabilities.] become
widely available on the Internet, and may be used by individuals who do not
understand the tools or the consequences. The Internet provides a wealth of
opportunity for attacks on systems connected to it.
Vulnerability of Infrastructure to IT-Borne Attacks

Any area of infrastructure that uses IT-based control systems is vulnerable in
principle. The greatest area of risk, in terms of the adverse consequence that
could result, is any potential for unaccess to the IT systems used to manage
infrastructure networks.
Where access is restricted to secure locations, the vulnerabilities are those of
physical security and the risk that staff will do something malicious or mistaken.
Access through telecommunications (i.e., dial-up) to unstaffed network man-
agement facilities (e.g. electricity substations) is used by some infrastructure
providers for efficient and prompt fault resolution. This introduces a new
range of vulnerabilities, since there is a need for authentication of callers to
the facility. The authentication system needs to be of strength commensu-
rate with the risks posed by unaccess. The authentication system itself needs
timely maintenance to ensure that, for example, resigning employees have
their access revoked.
Interconnecting systems with the Internet provides benefits in terms of
cost savings and functions that can be offered. Large infrastructure pro-
viders typically have their corporate business networks connected to the
Internet, and have some kind of links between these and their network
management systems. While awareness of Internet threats is high in many
providers, it is hard to guarantee that unaccess to network management
facilities is impossible.
Homogeneity of IT Systems
In information technology, New Zealand follows global trends in the choice
of equipment and standards. Over the last decade the diversity of IT in wide
use has decreased. This has happened because of a desire for common open
standards on the part of IT purchasers, partly as a measure to prevent vendor
lock-in and monopoly pricing; the overwhelming success of the Internet, due
in part to the quality and openness of the engineering on which it is built,
effectively displacing other ways of connecting computer systems; and the exit
of smaller computer manufacturers with unique equipment from the market
(mainly for the reasons above) and the trend for specialized equipment to
increasingly be based on off-the-shelf computers and operating systems.
These trends have led to a situation in which almost all computer networks
use Internet protocols, almost all Internet routers are made by Cisco, most
server computers use a version of Microsoft Windows or a flavor of Unix,
desktop computers almost all use a version of Microsoft Windows, and where
specialist machines such as are those in the power grid are increasingly con-
trolled through widely understood machines of the types above. This is not
meant to imply that these products are inherently less secure than alternatives.
However, while homogeneity of systems leads to benefits in terms of efficiency
and ease of use, it also makes all computers more vulnerable to attack. This
is because having a large number of users increases the chance that lurking
security problems are discovered and exploited, and because of the number of
machines that can be compromised when problems do come to light.
The process of convergence to common IT standards may not be complete.
Telephony, which is already dependent on digital technology, may move to use
Internet protocols and Internet-style routers instead of the specialist switches
and PABXs currently used. The Ministry of Social Policy has recently installed
just such a system across all Department of Work and Income branches. This
does not imply such a move is inherently risky; indeed, it should pay dividends
in terms of efficiencies and greater effectiveness. However, it is part of the

general convergence of many kinds of technology to a few types whose details
are very widely known.
Complexity
Continued technological development involves increasing complexity. Although
the diversity of building blocks of IT systems is decreasing, the complexity of
the blocks themselves is increasing very quickly. Each generation of computer
chips has several times more transistors than its predecessor, and each new ver-
sion of Microsoft Windows adds millions of lines of program code. More and
more of these elements are interconnected in novel ways to offer greater levels
of automation and control.
In this environment it is hard or impossible to test every possible combination
of circumstances and user input. Commercial pressures tempt developers to ship
products with known problems (some of which are security related), leaving
solutions to the problems for product updates. Consequently problems, including
security problems, are often found with widely used systems.
Availability of IT Security Staff

Securing computer systems and maintaining their security requires consid-
erable expertise. Retaining staff with this expertise is difficult. Because of
the premium these people can attract, they are often contractors or consultants.
Anecdotal evidence suggests that IT skills in general, and IT security skills in par-
ticular, are becoming scarce in New Zealand. There is a similar view in Australia.
In an attempt to address this shortfall the Commonwealth Government is consid-
ering promoting specific centers of excellence in some universities.
With IT security skills in demand in US and Europe, they will always
command a premium in New Zealand and Australia. The challenge for infra-
structure owners is to manage risk in this environment. Government can help
through initiatives to pool knowledge and expertise.
Legal Issues
Criminal Law
Globally, there are two main areas of criminal law that relate to hacking or other
IT-borne attacks: so-called cybercrime, where electronic means are used to commit
a non-IT crime such as theft and the making of uncomputer access.
There are international moves to agree definitions of cybercrime and
to facilitate pursuit of offenders across international boundaries. The EU
is attempting to negotiate such a treaty among its members. If it succeeds,
other jurisdictions may well try to harmonize legislation. The New Zealand
Police has also been considering cybercrime through its membership of the
Australasian Centre for Policing Research.
Most developed nations have now enacted legislation making unaccess to
computer systems a crime. New Zealand has yet to do this, though a Bill is
before the House (the lack of such a statute may harm New Zealand’s inter-
national reputation if not rectified soon). Enacting this legislation will make it
easier to pursue New Zealand residents who break into computers, and also will
make it more likely that requests by New Zealand law enforcement agencies for
assistance to track computer vandals in other jurisdictions will meet with favor.
As currently framed [Crimes Amendment Bill No. 6 as amended by Supple-
mentary Order Paper No. 85], the Bill before the House does not address denial
of service attacks. This type of attack, discussed elsewhere in this paper, is an
increasing problem on the Internet in New Zealand and overseas. There is a risk
that New Zealand’s legislation will remain out of step with other countries and
with the real world if no attempt is made to make denial of service attacks a
crime. Ministry of Justice officials are aware of this issue and are considering
further amendments to the Bill to take it into account.
Disclosure
Gathering reliable numbers about incidents of this nature is hard since companies
are understandably reticent about making disclosures that might harm customer
confidence or shareholder value. There is sometimes a public perception that the
public sector is more susceptible to IT-related attacks than the private sector,
but this may be due to the greater requirements for information disclosure in the
public sector.
Without reliable figures planning protective strategies is difficult. A solution
to this might be some trusted group that maintained an incident database in a
suitably anonymous form.
Liability
Companies that own infrastructure would be unlikely to be liable in a legal sense
if their infrastructure failed, unless it could be shown that they had failed to
operate in accordance with widely accepted relevant standards.
An exception is the banking industry. As a condition of a banking license, the
directors of a bank are required to attest to prudent operation of their bank.
This may make them personally liable in the event of failure.36
36
New Zealand Government (2006) Protecting New Zealand’s Critical Infrastructure
Available at http://www.e.govt.nz/archive/policy/trust-security/niip-report/chapter3.html
The description by the New Zealand Government of the issues surrounding

Critical Infrastructures and Critical Information Infrastructures is repeated in
full here. It is one of the most comprehensive and succinct of any. No specific
department is charged with either building resilience or defense.
The OECD takes an interest in all aspects of Critical Infrastructure and Critical
Information Infrastructure Security. The 2005 report on the Promotion of a Cul-
ture of Security in OECD Countries highlighted that an important focus for many
government national implementation plans was on ensuring the resilience of Criti-
cal Information Infrastructures (CII), whose protection may involve coordination
beyond national borders. By analyzing the drivers for and challenges to the develop-
ment of CII security policies in a number of volunteer countries, the OECD helps
governments to share experiences and practices on assessing and managing risks
to CII, on the emerging and existing models for public–private information sharing
and on national responses to the growing need for cross-border collaboration.
Electronic Authentication
Providing assurance to a party regarding who or what that party is interacting with is
a key requirement for trust in a digital environment. Electronic authentication fosters
trust and helps reduce security risks. Building on work since 1998 aimed at enabling
cross-jurisdictional interoperability of authentication, the OECD is finalizing policy
and practical guidance for electronic authentication to help countries in establishing
their approaches to authentication and to facilitate cross-border exchanges.
Malware and Identity Theft

Malicious software is used for extortion schemes targeting large and small busi-
nesses (e.g., via distributed denial of service attacks) and identity theft targeting
individuals (e.g., via phishing scams) and, with armies of hundreds of thousands
of zombie PCs called “botnets,” it could also be used for other criminal purposes
such as cyber terrorism. OECD work on malware, conducted in cooperation
with the Asia-Pacific Economic Co-Operation (APEC), aims to provide gov-
ernments with a holistic understanding of the phenomenon, taking into account
its cross-border dimension. It will help them develop and implement coordinated
policies for effectively fighting criminal malware-based activities, including iden-
tity theft, from the economic, technological, regulatory, and educational fronts.
Digital Identity Online

Identity management (IDM) holds the promise to help mitigate security
risks that have been amplified by the trend towards broadband-enabled
“anytime-anywhere” Internet access. However, protecting information in a
complex (fixed, wireless, mobile), dynamic, and interoperable computing

environment raises security challenges related to the secure information sharing
and dissemination as well as regarding confidentiality, integrity, and availability
of the information stored and maintained in an IDM system. The OECD will
examine these challenges in the context of its broader work on IDM.
RFID, Sensors, and Pervasive Networks

RFID tags, location devices, and sensor devices can be invisible to individuals,
hold the potential to become pervasive in the long term and, in combination with
ubiquitous networks, could collect and process data everywhere, all the time.
Considering this emerging trend, the OECD is exploring the applicability of the
OECD Privacy Guidelines and Security Guidelines in such environments.37
The OECD is clearly very much aware of the issues involved in the pro-
tection of Critical Infrastructure and Critical Information Infrastructures.
Any review of the major international organizations would conclude that the
OECD is particularly aware of the issues involved. No specific department is
charged with either building resilience or defense.
The coverage of Critical Infrastructure and Critical Information Infra-
structure from a geographical viewpoint in other areas is well-documented
by Dunn and Wigert’s (2004) Critical Information Infrastructure Protection
Handbook.38 Once again this book highlights the awareness of the problems – but
no specific departments are charged with either building resilience or defense.
Sweden and Switzerland may be exceptions to this general rule with the Swed-
ish Defense Force’s “Network Defense”39 program and Switzerland’s VBS40
approach.
This review tells us that there is a broad consensus on what defines a
Critical Infrastructure, that the management of risk is important, that the
law is a recurrent issue, and that Information Technology is tending to
dominate any discussion on critical infrastructures, with some serious issues
regarding homogeneity and staffing. It also demonstrates that thought lead-
ership in this area is not proportional to the size of country. If any coun-
tries have thought through the issues with regard to Critical Infrastructure
Protection and Critical Information Infrastructure Protection, it is the New
Zealanders, Swedes, and Swiss. Much has been done in terms of awareness
37
A variety of articles on this subject from the OECD are available at http://www.oecd.
org/searchResult/0,2665,en_2649_201185_1_1_1_1_1,00.html (Accessed: 6 January
2007).
38
39
Details of Swedish Armed Forces are available at http://www.mil.se (Accessed: 6 January
2007).
40
Details of the Swiss Armed Forces are available at http://www.vbs-ddps.ch (Accessed:
6 January 2007).
and information sharing, a little less in terms of public–private partner-

ships. Despite the understanding that the threats to Critical Infrastructures
are high, and that the threat through and from Critical Information Infra-
structure is particularly high, it is the case, that with a couple of exceptions,
little has been done to build a resilience and defense program. A review of
the ability of Intelligence Agencies in various different countries to deal
with the issue presents a mixed picture.
Recent disarray in the CIA and other agencies in the OECD balance their
claims to have solved a number of potential in-country attacks.41
41
Fidker, S and Sevatopulo, D (2006) The Spies Who Lost It. CNP Online, 12 May, Avail-
able at http://www.cnponline.org/index.php?tg=articles&idx=More&topics=86&article=5
8 (Accessed: 6 January 2007).
Chapter 4
Critical Infrastructures and Critical
Information Infrastructures: By Type
This Chapter seeks to identify issues relevant to each of the common Critical
Infrastructures. Each infrastructure is looked at briefly from a general perspective;
then some comments are made about each infrastructure from an international,
national, and then a local and individual perspective. There are many threats
to these infrastructures and so this review may seem pessimistic. However, it
remains a challenge to the society to deliver solutions to problems such as
these.
Geologists tell us that stocks of oil and gas are running out and there are
no more to be found. If the financial markets really take this message to
heart then there will be, in all likelihood, a collapse. The world’s economy
will become destabilized and war will replace trade as the only reliable
way for nations to secure enough food, water, and energy for themselves.
Unless we change our approach to the use of fossil fuels it is also the case
that Global Warming may continue unabated.42 A rush for coal has been
predicted.43 This is on the basis that there is still much of it about; it is
readily accessible, and not unduly expensive to extract. Nuclear energy
has been the focus of much recent attention for future sustainable energy.44
However, this has well-documented dangers. Alternative energy sources
such a wind, solar, tide, and wave technologies are increasingly viable but
not necessarily, yet, large scale enough to deliver the required amounts of
energy.45
42
Leggett, J (2006) Half Gone: Oil, Gas, Hot Air and the Global Energy Crisis,
Portobello Books.
43
Jaccard, M (2006) Sustainable Fossil Fuels, The Unusual Suspect in the Quest for
Clean and Enduring Energy. CUP.
44
Kirby, A (2005) Analysis: Is Nuclear Power the Answer? BBC News. Available at
http://news.bbc.co.uk/1/hi/sci/tech/4216302.stm (Accessed: 6 January 2007).
45
Culture Change, available at http://www.culturechange.org (Accessed: 6 January
2007), amongst others, limits the medium term impact of alternative sources of energy
at around 30% of current consumption albeit, with the capability, in time, to take over
completely.
45
At an international level the competition for resources is truly breathtaking

in an historical context. Russia has virtually nationalized a joint venture with
Shell in Sakhalin46 and effectively turned off gas and oil supplies to various
parts of Europe47,48 in the last two years; both actions would have been the
cause for war a century ago.
China is exercising a diplomatic offensive around the world in a bid to
win resources from the west to meet its own requirements.49 This competition
is trampling on nuclear treaties, human rights agreements, humanitarian
developments, and views in ways that have not been seen for decades. This is
an important issue for the OECD.
At a national level in the UK, there has been a shift from self-sufficiency
in energy to dependency. Self-sufficiency was based on energy resources from
the North Sea and Atlantic Ocean. Now dependency is based on, clearly
unreliable, energy resources from Eastern Europe and Siberia. This shift has
not been well planned, nor is the contingency planning (or the resilience)
in place. This is clearly evidenced by the documented gas shortages for UK
industry in the winter of 2005/2006, and the discussions on contingency and
resilience that followed.
At local and individual level the increasing demand for energy in all parts
of the world puts increasing pressure on relatively scarce international and
national resources. The sustainable use of timber, wind, and alternatives to
electricity (such as clockwork, candle/natural light, etc.) are technologies
and skills that have not received the same technological and developmental
input as fossil fuel derived energy sources, with one or two exceptions. Thus
resilience in energy is probably at an all time low.
For four decades, insurance losses have been rising at 10% a year.50 If this
continues by around 2060 wealth will be destroyed faster than it can be created.
Global warming will be a significant issue here. The possible extent of losses
caused by extreme natural catastrophes in one of the world’s metropolitan
or industrial centers would be so great as to cause the collapse of the world’s
financial markets.51 At the same time the amount of capital available for
46
Macalister, T and Parfitt, T (2006) $20bn Gas Project Seized by Russia. The Guardian.
12 December. Available at http://www.guardian.co.uk/russia/article/0,,1970064,00.
html (Accessed: 6 January 2007).
47
BBC News (2006) Gas Row Sends Shiver Through EU. 2 January. Available at http://
news.bbc.co.uk/2/hi/europe/4574264.stm (Accessed: 6 January 2007).
48
Halpin, T, et al. (2007) Russia Turns off Europe’s Oil Supply, The Times, 8 January.
49
Navarro, P (2006) The Coming China Wars: Where They Will Be Fought and How
They Can Be Won. Financial Times Prentice Hall.
50
Amongst general insurance sites that say the same thing the big trends in insurance
are commented on Insurance 2020: Innovating beyond Old Models. Available at http://
www-935ibm.com/services/us/index.wss/ibvstudy/bcs/a1024461 (Accessed: 6 January
2007).
51
See amongst others: Mills, E (2005). On Insurance Risk and Climate Change. 23
September. Available at http://www.lbl.gov/science-articles/archive/sabl/2005/September/
05-insurance-risk.html (Accessed: 6 January 2007).
projects around the world – be they business or developmental – is at an all

time high. This apparent contradiction highlights a management issue where
the link between the availability of capital and its deployment is very different
to that a century ago.
At an International level the competition for finance remains fierce.
The main issue is probably the USA debt and the China surplus, the second
Russia (about which comment has already been made). The China surplus has
been used to buy USA treasury bonds, this in turn finances the USA debt.
This effectively puts China in a strong position to control the health
of the USA economy.52 This situation may be one of the defining issues of
the twenty-first century. It is of such importance that the future success of the
OECD economy is inextricably linked to it.
At a national level in the UK, there are two key concerns. The first is
the health of the City of London. This is based on international finance
and insurance. This is a driver for the whole of the south-east of the UK,
and has a particularly significant effect on housing, land prices, and retail
sales. This health is threatened by a number of factors relating to financial
markets and the UK in particular; and previous comments regarding losses
in the insurance market. The second is the grounding of the UK economy in
property wealth. This is threatened by a collapse in world markets (see Energy
above), and difficulties in the international money and insurance markets.
(Not to mention domestic debt and other issues.)
At a local and individual level it remains the case that financial health depends
upon the ability to compete in world markets. This is increasingly under threat
from relatively high taxation; job losses to more favorable labor markets, the
rise of China, the rise of India, etc. Thus resilience in terms of finance is under
threat – particularly for the larger, mixed and trading, economies.
Food, after water, is the most important human need. As there are now
more obese people in the world than there are malnourished then part of
the problem is clearly one of political will, distribution, and management.53
On the other hand the declining number of species used to grow basic
foodstuffs such as wheat, maize, and rice gives great cause for concern.54
This is because a relatively minor disease mutation could, potentially, wipe
out most of the major basic food supply very quickly.55 Equally worrying is
climate change. Climate change is having a vast, and quick, effect on food
52
Pesek, Jr, W (2005) If China Shuns Dollar, Look Out US Bonds. 28 January.
Available at http://bloomberg.com/apps/news?pid=71000001&refer=columnist_
pesek&sid=aEBBmwvtNuxA (Accessed: 6 January 2007).
53
BBC News (2006) Overweight Top World’s Hungry. 15 August. Available at http://
news.bbc.co.uk/1/hi/health/4793455.stm (Accessed: 6 January 2007).
54
Plants For a Future. Available at http://www.pfaf.org/leaflets/intro.php (Accessed: 6
January 2007).
55
See, amongst others, Borlaug, N (2006) A Warning 6 April. Available at http://
3billionandcounting.com/phpbb/viewtopic.php?p=418&sid=f02536aecea00f7caa329
ec86009cf2f (Accessed: 6 January 2007).
supplies. Harvests in key areas56,57 are down – raising the potential specter of
famine in the OECD for the first time in over a century.
At an international level the critical problem is the availability of grain
stockpiles. These are their lowest level for 25 years.58 The latest USDA report
shows that global wheat production for 2006–2007 will drop from 11 million
metric tons to 585 million tons, or 5.4% below the previous year. Carryover
stocks from previous harvests, meanwhile, will decline to 119.3 million tons –
the lowest stocks in 25 years. If this continues, there will not be enough grain to
feed millions of hungry people on all continents. The level of wheat stockpiles
relative to consumption has hit the lowest level on record. Deutsche Bank
estimates global corn stockpiles have fallen to their lowest level since 1979.
Drought also has cut a swath across Europe, China, India, Africa and South
America. The USDA lowered the 2006–2007 predicted wheat production
for Australia, the world’s third largest grain exporter, down 55% to just 11
million tons from 24.5 million tons the previous year. Only a month earlier,
the USDA estimated it would be 19.5 million tons. Reducing its estimate
for the second time in a month, AWB – Australia’s primary wheat exporter
– predicted on October 25, 2006 the severe drought could reduce the nation’s
wheat production by 65% to only nine million tons and force the import of feed
grains. The Grains Council of Australia predicts barley production could drop
even more steeply – about 75%, from 10 million to 2.5 million tons.59
At a national level consumer food supply is dominated by the supermarkets.
These have developed the delivery of cheap food through just-in-time delivery
down to a fine art. The average amount spent by the UK household on food
has halved in a generation, in real terms, and the quality has undoubtedly
risen.60 At the same time world markets, the policies of successive domestic
governments, and the European Union have led to a decline in the overall
national emphasis placed on food production. This is to the extent that the
major national emphasis on the land is for recreational opposed to food
production. The fragility of this overall situation was more than adequately
demonstrated by the UK fuel strike of 2000. This placed food supplies to the
population in jeopardy within 48 hours, and was the main reason the strike
came to an end.61
56
See, amongst others, information available at http://www.heatisonline.org/soils.cfm
57
Making Money: Wheat Is the New Gold. The Week, 13 January 2007, p. 13.
58
Morrison, K (2006) Grain stockpiles at lowest for 25 years. 12 October. Available at
http://www.ft.com/cms/s/0c021878-5a16-11db-8f16-0000779e2340.html (Accessed: 6
January 2007).
59
Figures available at www.usda.gov and http://www.realtruth.org/articles/466-odfs.
html (Accessed: 6 January 2007)
60
Statistics available at http://statistics/defra.gov.uk/esg/publications/efs/2005 (Accessed: 6
January 2007).
61
Lewis,R, et al. Miles and Miles and Miles. 10 May. The Guardian. Available at http://
www.guardian.co.uk/food/focus/story/0,13296,951962,00.html (Accessed: 6 January
2007).
For a fascinating and ambivalent report on the state of food security in

the UK, see Department for Environment Food and Rural Affairs report of
December 2006,62 which does actually call for an increase in resilience. This
report has some interesting contrasts with other EU countries, particularly
France’s very high self-sufficiency ratio. Locally and individually the main
problem, again, is the lack of local food sources and the increasing inability of
individuals, or even those with the knowledge, to grow food. During the Second
World War almost all members of the UK population grew some food of their
own, allotments (areas for individuals to grow food) dropped by 50% in the
1970s and 1980s and despite a halt in decline, less than 5% of the population
grow any of their own food.63 Thus resilience in terms of food is under threat.
Health is not obviously a problem for the OECD countries, with death rates
in all age groups at arguably the lowest level ever, overall health good and the
causes of ill health, and the required remedies much more understood than
50 years ago.64 However, a number of factors give rise for some concern on
health too. One is overall hygiene and cleanliness and another is the immune
system. Health is clearly dependent upon these. Yet standards of personal
hygiene and cleanliness are declining, as is the standard of the same in many
hospitals. Another example might be the lack of care given to personal
manners regarding sneezing and coughing, which need to improve.65 Another,
the rise of sexually transmitted diseases particularly in OECD nondrug
using young.66 Immune systems are prevented from developing because of
emphasis on the wrong sort of cleanliness and hygiene in the young. The old
are kept in unclean homes and become reservoirs for MRSA.67 The second is
personal weight control. Obesity in the western world tops more than 25% of
the population. This has an effect on health and productivity. The last point
is exercise – with still fewer than 25% of the population taking more than 3
sessions of 30 minutes exercise per week.68
Internationally the failure to eradicate polio completely, with new outbreaks
in Nigeria69 and elsewhere, and the worldwide fear of avian flu70 gives the lie to
62
DEFRA (2006) Food Security and the UK. December, available at http://statistics.
defra,gov.uk/esg/reports/foodsecurity/foodsecurity.doc (Accessed: 6 January 2007).
63
http://www.sovereignty.org.uk/features/footnmouth/urbanag2.html
64
http://www.oecd.org/document/46/0,2340,en_2649_37407_34971438_1_1_1_37407,00.html
65
A variety of sites on how to lessen the impact of all types of flu. Example available at
http://dallascounty.org/department/hhservcies/servcies/publichealthalert/dcouments/
Drbuhner_presentations_to_schools.pdf (Accessed: 6 January 2007).
66
More information at http://www.jca.apc.org/fem/bpfa/NGOreport/C_en_Health.
html#2-3-f (Accessed: 6 January 2007).
67
MRSA (Watch 2007) MRSA Hits Nursing Home Residents. 5 January. Available at http://
tahilla.typepad.com/mrsawatch/care_homes/index.html (Accessed: 6 January 2007).
68
Amongst others available at http://www.activeatwork.org.uk (Accessed: 6 January 2007).
69
Raufu, A (2002) Polio Cases Rise in Nigeria As Vaccine Is Shunned for Fear of
AIDS. 15 June. British Medical Journal. Available at http://www.bmj.com/cgi/content/
full/324/7351/1414/a (Accessed: 6 January 2007).
70
CBS (2005) European Avian Flu Fears Lead To Drug Stockpiling. 18 October. Available
at http://www.cbc.ca/world/story/2005/10/18/bird-flu-pharmacies051018.html (Accessed
on: 6 January 2007).
any complacency on health. The increasing failure of antibiotics on a world

level to deal with bacterial infections and the difficulty in treating old and new
viruses, compound the problem.71 The international outlook for health is not
necessarily good.
At a national level health is rapidly becoming a problem. All the difficulties
noted above can generally be found in the UK. The standard of health of
the nation’s youngsters is poor, and they are unlikely to live longer than their
parents and are certainly going to have shorter lives than their grandparents.
The cause of this is a mixture of poor personal health, eating and drinking
disorders, drugs, lack of exercise and a view that all ills can be cured by the
National Health Service. Despite recent improvements many health measures
are behind those of the rest of the OECD in the UK.72 On top of all of this
Global Warming brings the return of tropical diseases.73
At a local and individual level there is more of the same. Local Doctors
have little interest in prevention and so little is done to ensure the resilience in
individuals from a health point of view, whether this is from attitude, exercise,
or life structure. This means that, at least in the UK, the young population
has less idea of how to look after themselves than their parents, and is
demonstrably less healthy. Thus resilience in terms of health can be said to be
under threat.
At an international level “government” services are provided by the major
multilateral organizations, and by the federations. None of these have a
particularly strong reputation for resilience under pressure. The most effective
are probably the OECD and NATO, a clear personal opinion.
Government services in a national setting ensure the continuation of society
on a day to day basis. In the best circumstances they are the “oil” that allows
society to operate smoothly. In times of crisis they should really come into
their own – they become the bedrock for the continuity the society requires.
This is certainly recognized by those who seek to attack them.
One such attack occurred in the UK in January 2005.74 This was an
Information Infrastructure Trojan attack on UK Government Services.
A reasonable proxy for the effectiveness of Government Services is eGovern-
ment. The take up of eGovernment is slow in some countries, and slipping
71
CSP (1998) Stop Squandering Antibiotics. 28 May. Available at http://www.cspinet.
org/new/antibiot.htm (Accessed: 6 January 2007).
72
Health at a Glance – OECD Indicators 2003. Briefing Note (United Kingdom).
Available at http://www.oecd.org/dataoecd/20/47/16502649.pdf (Accessed: 6 January
2007).
73
Chittenden, M (2006) Tropical Diseases Back As Europe Warms Up, Sunday Times,
7 January 2007.
74
Goodwin, B (2005) UK Critical Infrastructure Under Massive Attack. 16 June. Computer
Weekly. Available at http://www.computerweekly.com/Articles/2005/06/16/210416/
uk-critical-infrastructure-under-massive-attack.htm (Accessed: 6 January 2007).
in some countries previously in the vanguard, e.g., the UK.75 The well-
documented difficulties at the UK Home Office demonstrate a weariness of
approach, process, and procedure in a department of State that should be
in the vanguard of protecting the UK’s infrastructure.76 Resilience in society
depends on effective government services.
There is absolutely no point in having a well-run social services department
if the infrastructure does not work. Yet in the UK, Councils continue to
raid infrastructure budgets (Northumberland and Nottinghamshire to name
two) to support social services. This is putting the cart before the horse, and
demonstrates politically skewed priorities.
The resilience of Government services, and certainly some local government
infrastructure services, is under threat. In a previous Chapter it has already
been noted that there is no effective defense organization for Critical
Infrastructures and Critical Information Infrastructures.
Law and order in the context of Critical Infrastructure means a number of
things. It means the continued existence and prevalence of law and order; it means
the continued ability to make laws and maintain order in a democratic society; it
means the ability to enforce laws and orders; and it means the consent of society
to be governed by those laws and orders. There is no effective international
position on law and/or order with regard to Critical Infrastructures. No nego-
tiations, no treaties, exist that specifically cover Critical Infrastructures in an
international context. Some bilateral activity has taken place. The USA has
enacted legislation that has some international reach.
At a national level there is, in the UK, an interesting position between
the Government and the Judiciary. Much legislation regarding Critical
Infrastructure is related to antiterrorist legislation. This legislation, in the
UK, has eroded many freedoms held since the Magna Carta. This has led
to significant disagreements between the Judiciary, who wish to preserve the
freedoms – and the Government who wish to tighten legislation.77 This is a
fascinating conundrum. The ability of terrorists of any nature to win battles
is determined largely by the reaction of their foe to attacks.
In an Asymmetric War the terrorists win when the Government starts
changing the way of life within its society to counter perceived or actual
threats. In a technological age when the country is fighting an expensive war
in Iraq it is no longer beyond the wit of technology to introduce both the
technology and profiling to identify potential difficulties. Both France and
the UK are in the European Union – yet from a legislative point of view
75
eGov Monitor (2005) Q&A with Marcus Robinson, Accenture. 17 June. Available at
http://www.egovmonitor.com/node/1522/print (Accessed: 6 January 2007).
76
The real Home Office failures. The Guardian. 2 May 2006 . Available at http://
www.guardian.co.uk/letters/story/0,,1765297,00.html#article_continue.
77
Porter H, The Future’s Brown, The Future’s Bleak, The Observer, 24 September
2006. Available at http://www.guardian.co.uk/commentisfree/story/0,,1879864,00.
html (Accessed: 6 January 2007) for relevant comment.
the freer country is currently France – why should this be so? It has to be
because the Government has chosen it to be so; if it has chosen it to be so it
has decided that the way of life enjoyed by its citizens is to be changed,
and has legislated accordingly. This is worrying on a number of levels. The
legislation introduced has often been ill thought through and has had to be
revised a number of times. This indicates a knee-jerk reaction to events rather
than a considered approach to preserving a national way of life. This is not
the reaction of people committed to the preservation of our society’s values.
At a local and individual level the preservation of law and order is more
often about confidence than the law and order itself. This requires that
legislation that has a local impact, such as the Civil Contingencies Act (qv)
in regard to Critical Infrastructures, is both well understood and resourced.
Much ground is being made up in terms of awareness and understanding,
but no real new economic resource has been put behind this (especially when
compared to expenditure on Iraq, for example).
In a western world that is concentrating on the Knowledge Economy and
the provision of services over and above the delivery of manufactured goods, it
may be difficult to understand why manufacturing is a Critical Infrastructure.
Manufacturing adds value to a number of raw, or partly manufactured, materials
to create a useful product. This adds value in the process. This value tends to be,
but is not always, greater than the value created within a service product. It is of
national importance because of the value it adds, the people it employs and the
technological advantages the possession of a manufacturing base confers on
countries from a research, development and defense perspective.
Internationally there has been a wholesale shift in manufacturing away
from high labor cost markets to low labor cost manufacturing centers. Simply
put, a move from the OECD to Eastern Europe, China, India, and other Far
East economies. Comment has already been made regarding the effect of this
on the USA under Finance.
Peter Le Magnen comments as follows:
Since 1997, the European Investment Monitor (researched and powered by
Oxford Intelligence on behalf of Ernst & Young) has captured details of more
than 17,000 FDI projects in Europe.
Historically, the trend has been for Western Europe to attract the lion’s share
of this investment. However, in the past eight years, the flow of investment
has shifted steadily eastwards: in the initial phases to the mainstream central
European countries of Poland, Hungary and the Czech Republic but, in the run-
up to the 10 accession states joining the EU in May 2004 and the subsequent
period, the shift has been further east into Romania, Bulgaria and Russia.
Already, the EU accession countries and the rest of central and Eastern
Europe account for one third of all foreign investment projects into Europe,
against a backdrop of rising investment into the region. In the short term (the
next two to three years), this trend will continue and it would not be surprising
to see these countries accounting for up to 40% of all investment projects into
Europe in a few years’ time. Already, nearly 35% of companies identified by
Oxford Intelligence’s CorpTracker product are declaring future investment

plans for central and eastern Europe and in certain sectors this level is now at,
or approaching, 50% of projects – notably in the automotive sector and general
industrial sectors. The CorpTracker helps government agencies and service
providers to locate companies with international location plans and fast track
them into the market.
It is in the new technology areas, driven by research and product innovation, which
“old Europe” will continue to attract the bulk of investment. As each industrial sector
or product matures, the drift eastwards will increase. This is because cost reduc-
tion continues to be the main driver for companies to maintain or increase margin.
The business service sector will remain a major generator of jobs and investment in
the West but, again, as these processes become established and mature, the drive to
reduce costs will result in certain functions moving further east.
Medium to Long Term

In the medium to longer term (five to 15 years), there will be significant increases
in investment into Western Europe, as the two powerhouses of the Far East, India
and China, move into a globalization phase for their indigenous companies. This
will follow the trend set by Korea and Japan in the 1980s and 1990s in their
expansion drive to gain market share in Western economies.
The countries that will gain the manufacturing units of these companies are
likely to be not only the newly-emerged central European markets, but also
North African countries, such as Morocco, Egypt, Algeria and Tunisia. However,
the establishment of technical support, sales, business support, research and
development (R&D) and localization, and key administrative and HQ functions
will continue to focus on the key centers of Western Europe. The UK will be best
positioned to be the main recipient for this type of investor.
Looking at the type of activity on which the different markets can expect
to compete, the CorpTracker database supports the shifts described above.
Greenfield activity is increasingly moving eastwards, as are the lower-cost service
functions. However, the higher-value activity, such as sales and marketing and
technical support functions, are still strongly focused on old Europe.
The type of activity generated by the investing companies will vary considerably,
depending on the sector in question. Comparing three important sectors for
Europe – automotive, business services and medical technologies – highlights
some key differences in investment activity. When looking at R&D investment,
medical technology companies play an important role, while sales and marketing
functions are much more significant in the business services area and far less
important in the automotive sector.78
78
Lemagnen, P (2005). Steady Shift to The East. 5 January. Available at http://
www.fdimagazine.com/news/fullstory.php/aid/999/Steady_shift_to_the_east.html
In International, National, Local, and Individual terms the threat from the
east to the manufacturing base of the west is severe. There is some hope that
the core elements of research and development may remain – but if the figures
coming out of China and India for qualified graduates are maintained then
even this must be considered under threat. Thus without the manufacturing
base, and without trained personnel, there is little hope that added value can
continue to be added in a manufacturing sense over the long term. The resilience
of manufacturing is clearly under threat in the west, and OECD in general.
Icons are important. They give a sense of place and identity. The removal of
statues of Lenin from the former Soviet Union characterized both Glasnost
and the end of the Soviet era. The removal of the Berlin Wall signified the
end of a divided Europe. The attack on the World Trade Centre needs little
comment. The slapping of effigies of Saddam Hussein with the soles of shoes
as they were brought down after the invasion of the Iraq signified the view of
the population about his removal (at least initially). The delays over the com-
pletion of the national stadium at Wembley in the UK have filled the news
and sports pages of the UK’s newspapers for months. Internationally icons
may seem to have little relevance. However, there are some international icons:
world heritage sites; the Antarctic; Mecca; Canterbury Cathedral, and the
Vatican that define all of us as a civilized race. The destruction by the Taliban
of Buddhist statues from the third century in Afghanistan is a case in point.79
The destruction of international icons represents a failure in international
cohesion. So important are they that there have been agreements between
enemies to preserve particular icons.
The Hague Convention of 1899 states as follows in Article 27:
Article 27: In sieges and bombardments all necessary steps should be taken to
spare as far as possible edifices devoted to religion, art, science, and charity,
hospitals, and places where the sick and wounded are collected, provided they are
not used at the same time for military purposes. The besieged should indicate
these buildings or places by some particular and visible signs, which should
previously be notified to the assailants.
This convention was particularly important during World War Two.80
Nationally icons are very important. They are symbols of a nation, of a
society, and of a region. They bond people together. They can rejuvenate
and restore. Cities as diverse as Barcelona (Spain) and Newcastle-upon-Tyne
(UK) have recognized the need for new icons in order to redefine themselves.
Comment has already been made of Wembley – but Nelson’s Column, Fish
and Chips, the Magna Carta all define the UK in one way, shape, or form. The
loss of one or all represents a change for the worse in the national psyche.
79
Voices in Muslim World Decry Taliban Vow to Destroy Statues. Available at http://
www.tibet.ca/en/wtnarchive/2001/3/11_5.html (Accessed: 6 January 2007).
80
Information on the Hague Conventions is available at http://net.lib.byu.edu/~rdh7/
wwi/hague.html and http://en.wikipedia.org/wiki/Hague_Conventions_(1899_and_
1907) (Accessed: 6 January 2007).
A review of Yale’s Avalon Project81 indicates that an update of the Hague

Conventions is required in a number of areas. Even with an update, how does
international law deal with attacks on national icons that are not committed
by members of nation states? This is a recurrent problem in today’s world.
From earliest times the ability to move freely about the world has been
a privilege constantly sought. Formal rights of passage under agreed rules
and the acknowledgement of free movement have characterized all great
civilizations at some point or another. This is not to be confused with mass
migrations, which are different. Mass migrations tend to be informal; rights
of passage and free temporary movement tend to be formal. The passport
is the universal document for free passage.82 Even so-called closed societies
have always maintained some sort of contact with the rest of the world –
except where these societies were not “civilized” but “isolated” from the rest
of mankind. The free passage of goods and services has defined common
markets and free trade, and has characterized the growth of world trade since,
at the very least, the end of the second world war.83
Internationally the expansion of land, sea, and air transport systems charac-
terizes political stability and open economic trading agreements. The European
Union and the United States are classic examples. Both have demolished
transportation barriers both internally and, largely, externally. More closed
societies, societies at war with themselves or others close down the open links
to the outside world via transportation systems. They make it difficult to move
around, and do business. The existence, and preservation, of international
transportation links is a good proxy for resilient societies.
Nationally, the state of country’s transportation system can be an equally
good proxy for the state of the nation. Resilient countries must, by definition,
have good transportation systems and good alternatives to systems when they
break down. Thus the pressure on all parts of the UK’s transportation system
gives rise to some overall concern about the resilience of the country itself.
Listen to the rush-hour traffic news bulletins and the nightmare of the road
system is all too apparent; listen to the inability of Heathrow to cope with fog
prior to Christmas84 and the UK’s ability to compete with Schipol (Netherlands)
is once again in doubt85; listen to the news that the UK is almost the only coun-
try in Europe to close down its rail system over Christmas and the ability to
switch from road to rail is recognized as merely a pipe dream86; understand the
81
The Avalon Project. Available at http://www.yale.edu/lawweb/avalon/20th.htm (Accessed:
6 January 2007).
82
Passports. Available at http://www.ucalgary.ca/~rosenede/passport/passports.html
83
A range of information is available at http://www.wto.org (Accessed: 6 January 2007).
84
Fog Causes Chaos . . . Available at http://www.worldtravelguide.net/news/2759/news/
Fog-causes-third-day-of-chaos-at-Heathrow.html (Accessed: 6 January 2007).
85
Heathrow Must be Allowed to Expand. Available at http://comment.independent.
co.uk/leading_articles/article37336.ece (Accessed: 6 January 2007).
86
Christmas Rail Chaos http://skynews.typepad.com/my_weblog/2006/12/christmas_rail_.html
inability to put a complete merchant fleet to sea in order to maintain trading

routes and it is understood that the country is fully dependent upon others
for survival. Add in the concern for interconnectors87 on gas pipelines and all
parts of the transport system are under pressure. These are worrying features
for a mixed and trading nation’s long-term survival. The argument that this
is a problem of growth and success is entirely spurious: as is evidenced by the
ability of some developing countries to ensure transportation infrastructures
receive priority precisely in order to maintain growth.88
Locally and individually the ability to survive without reliance on the road
system in particular is also of concern. The privatization of both the rail and
public road transportation systems in the UK cut off many communities. The
travel to work patterns of great swathes of the population have changed since
the 1960s: no longer is there a hub and spoke system of daily commutes in
any particular village, town, or region. The basis of the individual’s ability
to live in today’s society, outside of the big cities, is defined by the need for a
motorized vehicle and fuel. Individuals can no longer take a bike, or walk, to
work, simply because they live too far from their work. Calls to do so entirely
miss the point.89
Water is probably second, if not equal, to oil as a source of international
conflict.90 The effects of a lack of clean water to developing communities is well
documented and repeatedly demonstrated by TV channels. The distribution of
water and ownership of storage vessels has, in the UK and elsewhere, shifted
from public ownership to private ownership over the last 50 years. Investment
in water distribution is no longer something carried on through the taxation
system for the benefit of all citizens – but something that is left to the vagaries
of the market.
At an international level the following example will highlight the problem:
We depend on the Nile 100% for our life. If anyone, at any time, thinks to deprive
us of life we will not hesitate to go to war. President Anwar Sadat, 1978.
A survey of the popular and specialist press over the last three decades
would indicate that the most valuable, and vital, commodity in the Middle
East is oil. A similar look at the catalysts of regional warfare would indicate
the Arab–Israeli conflict. However it is contended that, first, the most
valuable commodity in the Middle East is water and, second, that water is
87
Centrica (2006) Inquiry into the European Commission Green Paper A European Strategy
For Sustainable, Competitive And Secure Energy. 18 April. Available at http://www.centrica.
com/files/reports/2005cr/files/EU_GreenPaper_response.pdf (Accessed: 6 January 2007).
88
(Malaysia’s) Developed Infrastructure. Available at http://www.msc.com.my/xtras/
whymalaysia/infrastructure.asp (Accessed: 6 January 2007).
89
Transport Choices of Car Users in Rural and Urban Areas. Available at http://
www.dft.gov.uk/stellent/groups/dft_localtrans/documents/page/dft_localtrans_504026.
hcsp (Accessed: 6 January 2007).
90
Hyslop, MP (1983) Fresh Water Conflict in the Middle East, MA Thesis, Durham
University.
likely to emerge as the most likely threat to peace in the region over the next
two decades.
Controversy over Israeli control of water resources in southern Lebanon,
and the Saudi belief that drilling for water is now more important than
drilling for oil, gives a foretaste of the status water may achieve in the political
balance of the Middle East.
The Middle East is an arid zone. It has only four rivers of major international
significance in the Nile, Tigris, Euphrates and Jordan – and the latter is a
dubious contender. Over 50% of the area is desert; much of the rest is of
marginal agricultural potential.
Most of the population and food supply is concentrated on coasts, valleys,
or oases. Aridity is alleviated in part by groundwater resources, but these
are not equally distributed between states and do not respect international
boundaries.
Historically, the population of the region was divided, crudely, between
the nomadic tribes of the deserts and the sedentarists of the fertile valleys.
For the most part these two groups lived in a relative, symbiotic harmony.
The emergence of new states cut across this relationship. The process was
reinforced by the increasing nationalism of the new states. Water resources
became either over-abundant or restricted by the new boundaries. Dispropor-
tionate population growth and industrial/technical development exacerbated
the differences in water resources and requirements between states.
In general terms water requirements per caput in the region reach a critical
level at between 1,000 and 1,500 liters per day for all purposes. A survey of
the major regional countries shows that this critical level has already been
reached in Israel, Syria, Libya, the Saudi peninsula, Egypt, Iraq and Turkey,
from as early as 1984.
Water is the life giver. Despite a myriad of technological developments
it is unlikely that these, or improvements in distribution, can stave off the
deterioration of an already critical position. The economic development of
many states has relied on the uninterrupted supply of oil. A shortage of water
stems the flow of oil and foreign exchange: it is essential to both the extrac-
tion and treatment of the mineral. Water can thus be said to be the most
valuable commodity in the Middle East today.
A number of historical, current, and possible confrontations over water
emphasize the politico-military implications of water – related concentrations on
the Saudi Peninsula, Israel, Egypt, Libya, Turkey, and Iraq to name but a few.
It would be inadequate to suggest that the stability of the Middle East
rests solely on the provision of an adequate supply of water in all countries
comprising the region. Statistics showing critical levels are open to varying
interpretations and political statements relating to water may be surrogates
for more subtle signals. Nevertheless, water is in short supply.
Today the competition is not between desert and valley but between urban
and rural, between sect and sect, and between nation and nation. The legacy
of colonialism, in form of international boundaries, has not been helpful.
A number of the most powerful countries of the Middle East, all of whom
have large and growing populations, do not have sufficient renewable resources
within their boundaries to provide enough water for their own populations
today, let alone in the future.
Will Egypt invade Sudan? In the general run of international relations this
would be unthinkable, as would, until recently, Israeli retention of the Litani.
History is littered with military invasions provoked by equally simple pretext:
famine and population pressure being two examples for which there are a
number of representative cases.
The simplicity of the need must not be obscured by the overtones of either
current international diplomatic discussions or language. Yet the subtleties of
relations over water must not be underestimated either. The complex political,
diplomatic, economic, religious, and social ties of the Middle East states
makes discussion about such a basic need as water difficult.
This brief account can do little more than brush the surface of an intriguing
subject. Water will remain a potential “boiling-point” in the Middle East.91
At a national level the water resources of the UK have moved from public
to private ownership over the last 50 years. The owners are, more often than
not, non-UK companies. This means that the most basic human requirement,
that of the provision of clean water, has been lost from national “ownership.”
Not only this but the fragmented nature of water companies in the UK means
there is no “national” plan, no “national” grid, and no “national” will to
ameliorate water shortages in the Southeast by transporting water from the
water-rich north. If, at the same time the national gas grid was laid, a national
water grid was laid then many current problems would have been ameliorated.
At the same time the ability to control run off, despite the efforts of the UK
Department of Food and Rural affairs and the UK Environment Agency, has
been curtailed as never before. This is simply because there is more run-off
from drained land, and the built environment, and less money to control it.
Thus the quality of ground water is deteriorating as it is polluted by an ever
increasing number of harmful substances.92,93
Waste water is not usually fit for human consumption. It is characterized
by sewage, industrial effluent, storm water run-off, and temperature-modified
sea water. Each of these has the ability to affect resilience. Sewage reduces the
ability of rivers to take-up oxygen, and can kill the relevant fauna and flora.
Industrial effluent poisons rivers and seas, the disastrous effects of which have
lasted for decades in Europe, since the industrial revolution, and are increasingly
apparent in Russia, India, China, and South America. Storm water run-off
91
Ibid. Abridged and updated.
92
Demand-side Management and Urban Infrastructure Provision. Available at http://
www.sussex.ac.uk/Units/gec/ph3summ/marvin3.htm (Accessed: 6 January 2007).
93
Public–Private Partnerships for Funding Municipal Drinking Water Infrastructure:
What Are the Challenges. Available at http://policyresearch.gc.ca/doclib/SD/DP_SD_
PPP_200605_e.pdf (Accessed: 6 January 2007).
carries petrochemicals from roads, and fertilizers, insecticides, and manure from
farms, into water courses and underground water systems. Waste water from
power stations on both land and close to the sea modifies the eco-systems of
watercourses and seas. At worst chemicals such as Cadmium can enter the human
food chain with catastrophic results. Waste Water needs careful management.94
At an international level the increasing levels of waste water damage to the
planet are a factor in global warming, species extinction, poor health, and the
spread of many diseases. Waste water management at an international level is
critical for the resilience of the planet.
Over the last 30 years, and in no small way due to EU legislation, waste
water management in the UK has much improved. However, many problems
remain, not least in regard to the pollution of underground water reservoirs
and damage to fish stocks both in rivers and at sea.95,96
At the local and individual level waste water management has ceased to
feature as a function or process to be managed. It is done by someone else. So
the use of domestic waste water for fertilizer and the ability to use waste water
for some domestic functions has generally been lost or is ignored. This in
turn puts greater pressure on the need for more fresh water. Poor waste water
management, plus global warming, will further the increase of pests such as
mosquitoes with associated malaria, over time.
Two additions to the list of Critical Infrastructures are proposed. These
are people and education/intellectual property. It might seem Malthusian97
to add people to the list of Critical Infrastructures. It is necessary to go back
to Stalin again, “Quantity has a quality all of its own.”98 The message here is
that both the numbers and type of people are important in any society. It is a
lesson that is important to learn and understand.
Possibly the best example of why this is important is Zambia – where over 50%
of the young male population has been wiped out by AIDS with devastating
consequences.99 At the other end of the scale the ability of countries such as China
and India to deliver more than 10 times the number of graduates in computer-
related studies than some leading western countries (the UK, for example) means
that there will be a shift of leadership at some stage from west to east.100
94
World Water Assessment Program: Case Studies. Available at http://www.unesco.org/
water/wwap/case_studies/index.shtml (Accessed: 6 January 2007).
95
Water. Available at https://www.oecd.org/department/0,2688,en_2649_34311_1_1_
1_1_1,00.html (Accessed: 6 January 2007).
96
Water. Available at http://ec.europa.eu/environment/water/index.html (Accessed: 6
January 2007).
97
Thomas Robert Malthus. Available at http://cepa.newschool.edu/het/profiles/malthus.
htm (Accessed: 6 January 2007).
98
Quote available, and correct source and context, at http://www.thecompleatstrategist.
com/index.asp?PageAction=VIEWPROD&ProdID=968 (Accessed: 6 January 2007).
99
Introduction to AIDS in Zambia. Available at http://www.avert.org/aids-zambia.htm
100
Navarro, P (2006) op. cit.
In the future a high level of education and an equally high level of intellectual
property development, the latter being roughly a consequence of the former,
is probably the single characteristic that may allow the economies of the west
to survive. Education really follows from people. A highly educated workforce
is likely to be a high value-added society. This is seen in some Scandinavian
countries. In the UK the current Labor Government came to power in 1997 on
the back of an “Education, Education, Education” manifesto (among other
things). It has made some headway – but the UK still turns out semiliterate
and seminumerate school graduates to a frustrated business and commercial
community.101 Ten years on the same mantra is heard – but with no real plans
to ensure that every child leaves a UK school fully able to read, write, and
count and use IT. In fact, as this goes to print the Government has abandoned
its IT targets. This is national disgrace in terms of the resilience this book
is seeking. The majority of the acknowledged Critical Infrastructures, and
two additional ones in terms of people and education/IPR, are clearly under
threat. It would be difficult to describe any of them as naturally resilient for a
variety of reasons: political, economic, and social. This is of serious concern
in societies that are under attack from various different sources at both the
political and economic level in particular. In the last Chapter some short-
comings in the approaches of different countries were noted. Combined with
known difficulties in most Critical Infrastructure areas, this would suggest
that our governments may not be taking the issue seriously enough. These
are priority areas in our societies. So far, there is little confidence they could
sustain, or recover from, an attack of any real nature. Having said this, the
success of the Intelligence Agencies in apparently countering the threats to
Critical Infrastructures should not be underestimated.102
101
Education, education, education. Available at http://www.pkblogs.com/eureferendum/
2006/12/education-education-education.html (Accessed: 6 January 2007) and STA-
TISTICS OF EDUCATION – Education and Labour Market Status of Young People
in England aged 16–18: 1992–1998.Available at http://www.dfes.gov.uk/rsgateway/DB/
SBU/b000092/735-00.htm (Accessed: 6 January 2007).
102
Report into the London Terrorist Attacks on 7 July 2005. Available at http://
www.cabinetoffice.gov.uk/publications/reports/intelligence/isc_7july_report.pdf
Chapter 5
Critical Information Infrastructure
The review of Critical Infrastructure so far gives a somewhat confusing

picture. There is a lack of clarity between Critical Infrastructures and
Critical Information Infrastructures in almost all documentation related
to Critical Infrastructure. Although the terms are not used specifically in
an interchangeable manner, it remains the case that there is a considerable
amount of overlap in the use of the terms. However, a common list of what are
termed Critical Infrastructures has been arrived at. They are complemented
by Critical Information Infrastructure. This Chapter seeks to place Critical
Information Infrastructure in its correct context.
It is important to understand the proportionality of Critical Information
Infrastructure. By this is meant the importance relative to other Critical
Infrastructures. One way of doing this is by understanding the dependency of
Critical Infrastructures on Critical Information Infrastructure.
The Critical Infrastructures looked at have been, the common list, referred
to earlier:
• Finance
• Energy
• Food Supply
• Health
• Government Services
• Law and order
• Manufacturing
• National Icons
• Transport
• Water
• Waste Water
• People
• Education
Each of these has a reliance on Critical Information Infrastructure to
a greater or lesser extent. It is not necessary, here, to repeat the comments
contained in the country reviews. Looking at the points already made about
these infrastructures we can say that within the OECD these are more
strongly linked to Critical Information Infrastructure than elsewhere, because
Information Infrastructure is more prevalent in the OECD than elsewhere,
61
and it can be said that in the areas of Finance, Food, Manufacturing, and
Transport there is total reliance on Critical Information Infrastructure. That
this is so should be reasonably obvious.
However, for the sake of clarity it is worth pointing out that Finance depends
on the electronic investment, commercial, and personal banking services to be
maintained; food depends on the supermarket, and other outlets, reordering and
“just-in-time” processes to function as a supply chain; manufacturing depends on
a variety of Manufacturing Resource Programs to succeed and Transport depends
heavily on electronic information, ticketing, and electronic control measures.
This is without necessarily introducing the Internet into the equation.
All other Critical Infrastructures also have heavy dependence on electronic
information systems. In many cases they are now dependent on Information
Infrastructure; it is just that in these cases there is a possibility of returning
to some form of manual alternative. This is not the case in Finance, Food,
Manufacturing, and Transport. These infrastructures would simply not
survive a collapse in the Critical Information Infrastructure.
Critical Information Infrastructure is proportionally more important
than all other infrastructures because there is a dependence on Critical
Information Infrastructure by all other infrastructures. It is important,
therefore, to understand how well advanced the various parts of the Critical
Information Infrastructure industry is in protecting itself and customers
from this perspective. In doing this it is worth bearing in mind the approach
of the Petroleum Industry. The American Petroleum Institute103 and the
UK’s Institute of Petroleum (now the Energy Institute)104 have developed
a series of approaches and standards to their business that has, over time,
made operation of electrical and electronic equipment “intrinsically safe” in
hazardous petrochemical environments. The operation of Critical Information
Infrastructure has similar demands in terms of an approach. As yet, most
of this development is in private hands and not coordinated, except at an
information level, by any national or international body.
Critical Information Infrastructure can be broken down into the key areas
of connectivity, hosting, security, hardware, and software. The major countries
also have official bodies looking at the performance of different related indus-
tries. In addition, a number of national and international mechanisms for
developing public–private partnerships and the sharing of information have
been established. A review of these activities in relation to Critical Information
Infrastructure follows.
There is no international body specifically responsible for Critical
Information Infrastructure. A number of international bodies with some
concern for Critical Information Infrastructure have already been mentioned.
The International Telecommunications Union (ITU)105 has responsibility at
an international level for telecommunications – but this does not extend to the
103
Available at http://www.api.org (Accessed: 6 January 2007).
104
Available at http://www.energyinst.org.uk (Accessed: 6 January 2007).
105
Available at http://www.itu.int/home/index.html (Accessed: 6 January 2007).
Chapter 5 Critical Information Infrastructure 63
Internet, computers, and information security just yet. However, significant

progress is being made in addressing these issues.
In the USA a major connectivity company is Verizon.106 Verizon’s Web sites
carry no major policies or views on Critical Information Infrastructure, yet
are responsible for the resilience of whole swathes of the US communication
network. The same picture emerges with their competitors. In the UK BT’s
Web site,107 the major telecommunication provider carries very little on
Critical Information Infrastructure or resilience. BT generally gives good
advice on resilience, but sometimes, as in the Manchester fire,108 it can fall
foul of an incomplete understanding of its own network in terms of
resilience. Global Crossing109 is a major provider of fiber and connectivity
within and between countries, yet there is nothing on Information Infrastructure
protection on their Web site.
In terms of where data is hosted and by whom then yet again there is little
the industry is doing to advise clients on Information Infrastructure. Sun
Microsystems110 carries some information on their Web site as does Hewlett
Packard.111 Data centers and server farms carry little information on their
sites. SunGard112 carries much useful information; it is in the business of
ensuring availability. China is major source of both components and “grey”
market goods that provide all markets, but particularly relevant to the
server market. Langchao,113 a major Chinese server manufacturer, carries
details of how products deal with Information Security – but not how it
looks at the issue of Critical Information Infrastructure. With Chinese Bank
servers114 implicated in “phishing” attacks care in the selection of equipment
is clearly required.
In addition to the availability companies such as SunGard the security
companies such as Checkpoint115 and RSA116 carry much relevant information
on their Web sites. The related businesses of insurance, such as Marsh,117 and
106
Available at www.verizon.com (Accessed: 6 January 2007).
107
Available at www.bt.com (Accessed: 6 January 2007).
108
BBC News (2004) Fire cuts off 130,000 phone lines. 29 March. Available at http://
news.bbc.co.uk/1/hi/england/manchester/3577799.stm (Accessed: 6 January 2007).
109
Available at www.globalcrossing.com (Accessed: 6 January 2007).
110
Available at http://onesearch.sun.com/search/onesearch/index.jsp?qt=Critical%20
Information%20Infrastructure&charset=UTF-8 (Accessed: 6 January 2007).
111
Available at http://search.hp.com/query.html?lang=en&submit.x=8&submit.y=6&qt
=Critical+Information+Infrastructure&la=en&cc=us (Accessed: 6 January 2007).
112
Available at http://www.sungard.com (Accessed: 6 January 2007).
113
Available at http://www.langchao.com/english/prodserv_is.html (Accessed: 6 January
2007).
114
Available at http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_
used_in_phishing_attacks_on_us_banks.html (Accessed: 6 January 2007).
115
Available at http://search.checkpoint.com/search/?sp-a=sp090e5c03&sp-q=Critical
+information+Protection (Accessed: 6 January 2007).
116
Available at http://www.rsasecurity.com/programs/texis.exe/webinator/search/?pr=
default_new&query=Critical+Information+Infrastructure&x=15&y=8 (Accessed: 6 January
2007).
117
Available at http://www.marsh.co.uk (Accessed: 6 January 2007).
consultants, such as Deloitte’s118 (and the other of the “Big Four”) also carry
detailed information. The Deloitte and PriceWaterhouseCoopers annual
surveys (qv) on security are benchmarks.
There is an argument about hardware. Who controls it; who has the
ultimate capability of controlling hardware? Nearly every router is a Cisco
product, most chips are Intel’s, and many PCs are from Dell. A review of
their Web sites suggests that they are not totally engaged in Critical Informa-
tion Infrastructure protection; yet they are, to many, the Critical Information
Infrastructure. Cisco has its Critical Information Assurance Group. A review
of its Web site suggests an appropriate interest in the subject – but perhaps
not the breadth and depth that might be expected of a body defining Critical
Infrastructure at an International level.119 Intel carries little in the way of
information on Critical Information Infrastructure,120 and nor does Dell.121
There is another argument raging with regard the security and relevance
of both open and closed source software. This discussion can be monitored
on Professor Ross Anderson’s blog,122 and associated sites. There is more on
this subject in a later Chapter. The major provider of software to the world
is Microsoft.
Microsoft’s statement on Homeland Security is as follows:
At Microsoft, we realize that the challenge of preventing, deterring, and respond-
ing to threats to our nation’s security is complex and constant. It requires an
intelligent understanding of the big picture coupled with the knowledge and
expertise to solve the operational complexities of information-sharing across
multiple agencies on a daily basis.
For that reason, we believe that the ability to seamlessly share information
is the key to protecting our nation and its citizens. Information technology is
uniquely suited to meet the real-world requirements of providing information
to the right people at the right place and time so they can act and make critical
decisions. As a technology leader, we are actively embracing this challenge.
Collaborating with partners and customers, Microsoft is delivering an actionable
road map to proactively address the nation’s Homeland Security needs. Fueled
by $6.5 billion US in research and development (R&D) and the largest network
of partners in the world, we’re building on existing technology assets and open
standards to implement reliable, fully integrated Homeland Security solutions.
118
Available at http://www.deloitte.com (Accessed: 6 January 2007).
119
Available at http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=Critical
+Information+Infrastructure&accessLevel=Guest&language=en&country=US&Sea
rch+All+Cisco.com=cisco.com&x=12&y=14 (Accessed: 6 January 2007).
120
Available at http://mysearch.intel.com/corporate/default.aspx?culture=en-US&
q=Critical+Information+Infrastructure&searchsubmit.x=26&searchsubmit.y=12
121
Available at http://search.euro.dell.com/results.aspx?s=gen&c=uk&l=en&cs=&k=Criti
cal+Information+Infrastructure&cat=ans&x=4&y=8 (Accessed: 6 January 2007).
122
Ross Anderson’s Web site/blog. Available at http://www.cl.cam.ac.uk/~rja14 (Accessed:
6 January 2007).
Microsoft’s responsibility as a technology leader:

Microsoft is committed to helping local and regional governments and federal
agencies fulfill the requirements of the national response system. We are
prepared to help these agencies realize their potential in their mission to prevent,
deter, and respond to threats. As a responsible industry leader, we embrace this
challenge.
The Big Picture

Microsoft understands that addressing the Homeland Security challenge doesn’t
start with technology. Instead, powerful technology enables individuals and
organizations—from police and fire professionals to intelligence analysts and
customs officers—to share information and succeed in their critical operations.
Actionable Road Map

As the world’s largest software company, Microsoft is a leader in turning
possibilities into realities through innovative technology. Informed by our
experience in enterprise environments and realized through our world-class
partners, we deliver end-to-end solutions designed to be scalable to local,
regional, and national levels; solve operational complexities; and meet the
ultimate requirements for affordability and reliability.123
Microsoft also has a 40 page blueprint for justice and public information
sharing.124 However, given the size of Microsoft and the terms of the
Executive Order there does seem to be a mismatch between ambition (the
USA Presidential Executive Order) and reality (the Industry approach).
Antivirus and malware companies should properly be considered to be
ambivalent about Critical Information Protection (!) – because if Critical
Information Infrastructures become truly secure these companies will be out
of business! This is perhaps more than a little unfair, and they will certainly
see it as so – but the point is a valid one. Their sites do, however, contain much
useful information.
There are risks in software development:
Dependencies and many risks arise because of dependencies our project has on
outside agencies or factors. We cannot usually control these external dependen-
cies, so mitigation strategies may involve contingency plans to acquire a necessary
component from a second source, or working with the source of the dependency
to maintain good visibility into status and detect any looming problems. Here
are some typical dependency-related risk factors:
123
Available at http://www.microsoft.com/industry/government/actingonthechallenges.
mspx (Accessed: 7 January 2007).
124
Available at http://www.microsoft.com/industry/government/HLSinformationsharing.
mspx (Accessed: 7 January 2007).
• customer-furnished items or information

• internal and external subcontractor relationships
• inter-component or inter-group dependencies
• availability of trained, experienced people
• reuse from one project to the next125
and, of course, the software companies themselves and those who would seek
to damage the code.
The Federal Communication Commission (FCC) is an independent United States
government agency, directly responsible to Congress. The FCC was established by
the Communications Act of 1934 and is charged with regulating interstate and inter-
national communications by radio, television, wire, satellite and cable. The FCC’s
jurisdiction covers the 50 states, the District of Columbia, and U.S. possessions.126
In a search of the FCC site for the term “Critical Information Infrastructure” the
closest we get to any particular theme is a release on a bird-flu pandemic.
The FCC is clearly not greatly interested in Critical Information Infrastruc-
ture resilience per se. However, its brief suggests it should be interested. This
is, of course, an oversimplification because there is much overlap with the
Department of Homeland Security.
The Department of Homeland Security, as noted in the Executive Order
in Chap. 3, has responsibility for Critical infrastructures. Its role in Critical
Information Infrastructure is defined by the 2002 Act. The relevant part of
which is as follows:
Under Secretary for Information Analysis and Infrastructure Protection shall
be as follows:
(1) To access, receive, and analyze law enforcement information, intelligence
information, and other information from agencies of the Federal Government,
State and local government agencies (including law enforcement agencies),
and private sector entities, and to integrate such information in order to—
(A) identify and assess the nature and scope of terrorist threats to the
homeland;
(B) detect and identify threats of terrorism against the United States; and
(C) understand such threats in light of actual and potential vulnerabilities
of the homeland.
(2) To carry out comprehensive assessments of the vulnerabilities of the key
resources and critical infrastructure of the United States, including the
performance of risk assessments to determine the risks posed by particular
125
Wiegers, KE (1998) Know Your Enemy: Software Risk Management. Software
Development. October.
Available at http://www.processimpact.com/articles/risk_mgmt.html (Accessed:
7 January 2007).
126
The FCC Web site is available at http://www.fcc.gov/aboutus.html (Accessed:
7 January 2007).
types of terrorist attacks within the United States (including an assessment

of the probability of success of such attacks and the feasibility and potential
efficacy of various countermeasures to such attacks).
(3) To integrate relevant information, analyzes, and vulnerability assessments
(whether such information, analyzes, or assessments are provided or
produced by the Department or others) in order to identify priorities for
protective and support measures by the Department, other agencies of the
Federal Government, State and local government agencies and authorities,
the private sector, and other entities.
(4) To ensure, pursuant to section 202, the timely and efficient access by the
Department to all information necessary to discharge the responsibilities
under this section, including obtaining such information from other agencies
of the Federal Government.
(5) To develop a comprehensive national plan for securing the key resources
and critical infrastructure of the United States, including power production,
generation, and distribution systems, information technology and
telecommunications systems (including satellites), electronic financial and
property record storage and transmission systems, emergency preparedness
communications systems, and the physical and technological assets that
support such systems.
(6) To recommend measures necessary to protect the key resources and critical
infrastructure of the United States in coordination with other agencies of
the Federal Government and in cooperation with State and local government
agencies and authorities, the private sector, and other entities.
(7) To administer the Homeland Security Advisory System, including—
(A) exercising primary responsibility for public advisories related to threats
to homeland security; and
(B) in coordination with other agencies of the Federal Government, providing
specific warning information, and advice about appropriate protective
measures and countermeasures, to State and local government agencies
and authorities, the private sector, other entities, and the public.
H. R. 5005—13
(8) To review, analyze, and make recommendations for improvements in
the policies and procedures governing the sharing of law enforcement
information, intelligence information, intelligence-related information,
and other information relating to homeland security within the Federal
Government and between the Federal Government and State and local
government agencies and authorities.
(9) To disseminate, as appropriate, information analyzed by the Department
within the Department, to other agencies of the Federal Government with
responsibilities relating to homeland security, and to agencies of State and
local governments and private sector entities with such responsibilities in
order to assist in the deterrence, prevention, preemption of, or response to,
terrorist attacks against the United States.
(10) To consult with the Director of Central Intelligence and other appropriate
intelligence, law enforcement, or other elements of the Federal Government
to establish collection priorities and strategies for information, including
law enforcement-related information, relating to threats of terrorism
against the United States through such means as the representation of
the Department in discussions regarding requirements and priorities in the
collection of such information.
(11) To consult with State and local governments and private sector entities to
ensure appropriate exchanges of information, including law enforcement-
related information, relating to threats of terrorism against the United
States.
(12) To ensure that—
(A) any material received pursuant to this Act is protected from un
disclosure and handled and used only for the performance of official
duties; and
(B) any intelligence information under this Act is shared, retained, and
disseminated consistent with the authority of the Director of Central
Intelligence to protect intelligence sources and methods under the
National Security Act of 1947 (50 U.S.C. 401 et seq.) and related
procedures and, as appropriate, similar authorities of the Attorney
General concerning sensitive law enforcement information.
(13) To request additional information from other agencies of the Federal
Government, State and local government agencies, and the private sector
relating to threats of terrorism in the United States, or relating to other
areas of responsibility assigned by the Secretary, including the entry into
cooperative agreements through the Secretary to obtain such information.
(14) To establish and utilize, in conjunction with the chief information officer
of the Department, a secure communications and information technology
infrastructure, including datamining and other advanced analytical tools,
in order to access, receive, and analyze data and information in furtherance
of the responsibilities under this section, and to disseminate information
acquired and analyzed by the Department, as appropriate.
(15) To ensure, in conjunction with the chief information officer of the
Department, that any information databases and analytical tools developed
or utilized by the Department—
H. R. 5005—14
(A) are compatible with one another and with relevant information
databases of other agencies of the Federal Government; and
(B) treat information in such databases in a manner that complies with
applicable Federal law on privacy.
(16) To coordinate training and other support to the elements and personnel
of the Department, other agencies of the Federal Government, and State
and local governments that provide information to the Department, or
are consumers of information provided by the Department, in order to
facilitate the identification and sharing of information revealed in their

ordinary duties and the optimal utilization of information received from
the Department.
(17) To coordinate with elements of the intelligence community and with
Federal, State, and local law enforcement agencies, and the private sector,
as appropriate.
(18) To provide intelligence and information analysis and support to other
elements of the Department.
(19) To perform such other duties relating to such responsibilities as the
Secretary may provide.127
There is very little operational “meat” in this. The role of the Information
Infrastructure Department includes the exchange of information between public
and private entities. However, until recently little progress has been made on this.
The establishment of the working parties related to I3P128 in Dartmouth, NH, is
a step forward. To find real operational progress in these areas we need to look
at a number of ground-up initiatives, rather than top down initiatives. The best
known of these is probably William Pelgrin’s program129 at New York State.
In Europe it has already been noted that ENISA’s130 role is not operational
and that the operational role is left to others. If research is then undertaken to
establish what is, actually, going on, operationally in Europe – little is found.
There are initiatives on a national level, some strategic coordination – but
a common approach to Critical Information Infrastructure across Europe
there is not. ETSI131 and ETIS132 perform roles in the telecommunications
sector, but this is not the same as an encompassing approach to Information
Infrastructure. An attempt was made with ETR2A133 to develop an approach,
but this foundered on its host’s internal difficulties.
Critical Information Infrastructure resilience in the UK is probably the
responsibility of NISCC:134
A fundamental role for any government is to ensure the continuity of society in
times of crisis. This often involves providing extra protection to essential services
and systems to make them more resistant to disruption and better able to recover
quickly. In the UK, these essential services and systems are known as the Criti-
cal National Infrastructure (CNI). The role of NISCC (pronounced “nicey”)
is to minimize the risk to the CNI from electronic attack; other parts of govern-
ment work to protect the CNI from physical attack or natural disasters.
127
Available at http://www.dhs.gov/xlibrary/assets/CII_Act.pdf (Accessed: 7 January 2007).
128
All details of I3P work is available at www.thei3p.org (Accessed: 7 January 2007).
129
Access to the William Pelgrin and New York State Program is available at http://
www.cscic.state.ny.us/about/director/bio.htm (Accessed: 7 January 2007).
130
ENISA’s role is available at http://www.enisa.eu.int (Accessed: 7 January 2007).
131
ETSI’s role is available at http://www.etsi.org (Accessed: 7 January 2007).
132
ETIS’ role is available at http://www.etis.org (Accessed: 7 January 2007).
133
ETR2A’s role is available at http://etr2a.org (Link not active 7 January 2007).
134
NISCC’s role and activities available at http://www.niscc.gov.uk (Accessed:
7 January 2007).
NISCC was set up in 1999 and is an inter-departmental centre drawing on

contributions from across government. Defense, Central Government Policy,
Trade, the Intelligence Agencies and Law Enforcement all contribute expertise
and effort.
In the UK the majority of the CNI is run by the private sector and NISCC
works closely with a wide range of companies many of which have strong
international links or are foreign-owned. CNI issues transcend geographical
borders and problems can strike anywhere in the world. NISCC therefore
operates in a global context.
NISCC has no regulatory, legislative or law enforcement role; it seeks to achieve
its aim through four broad work streams:
Threat Assessment. Using a wide range of resources to investigate, assess and
disrupt threats.
Outreach. Promoting protection and assurance by encouraging information
sharing, offering advice and fostering best practice.
Response. Warning of new threats; advising on mitigation; managing disclosure
of vulnerabilities; helping the CNI investigate and recover from attack.
Research and Development. Devising the most advanced techniques and methods
to support efforts across all work streams.135
OFCOM136 is the independent regulator for telecommunications in the
United Kingdom. Hopefully, it will have some impact on Critical Information
Infrastructure. At present it is coming to terms with the convergence of the
industry, and the convergence, in itself, of watchdogs it superseded.
In the USA there is a very clear understanding, and central idea, of what
Critical Infrastructure and Critical Information Infrastructure is, while this
is not quite so clear cut in the UK. The UK’s system is one where there
are always checks and balances to issues. However, the lack of clarity and
purpose of Critical Infrastructure Protection is a relative weakness compared
to the approach of other states. As noted earlier in this book the decision to
subsume NISCC into a CNI body is the reverse of what should be happening
in a modern world.
Most other countries in the OECD have similar types of bodies governing
or regulating industries. In terms of Critical Information Infrastructure many
of them are operationally weak. All are relatively strong in terms of initiating
Public–Private Partnerships and Information Sharing Organizations.
Public–Private Partnerships are important to Critical Information
Protection. This is because much of the infrastructure is in private hands. Yet
in a review of OECD countries the Government takes no active operational
steps. It acts as a facilitator in almost every case. This is not really good enough
given the importance of the infrastructure.
135
Information on NISCC available at http://www.niscc.gov.uk (Accessed: 7 January 2007).
136
Role of OFCOM available at http://www.ofcom.org.uk (Accessed: 7 January 2007).
The commonly understood information sharing bodies, in a public–private

context, for Critical Information Infrastructure are CERTs and WARPs.
These abound, in one form or another, across the OECD.
CERTS, or Computer Emergency Response Teams, are now established in
much of the OECD.137
An example is the one at Manchester University in the UK and this is how
it works:
MAN-CERT: Computer Emergency Response Team Incident Response
Team Services
The team offers:
• a central reporting point for security incidents: [email protected]
• services of a computer security team: Computer Emergency Response Team,
always willing to give advice and pointers to more information on matters of
computer security.
• a vulnerability alert service. We currently subscribe to a service from Secunia
who send us advisory notices of known security vulnerabilies for the products
that we use. We have registered the vast majority of operating systems and
packages known to be in use on campus. More can be added if required. Cur-
rently, the advisories are sent to the security coordinator who forwards them
on to the cert-announce mailing list. The list is closed and moderated, please
contact the IT security coordonator if you would like to join.
• a mailing list for general discussion of security matters, security-forum@lists.
man.ac.uk is available. This list is open to any member of the university. Please
do not post sensitive information here such as vulnerability exploit code or
usernames and passwords.
• liaison with other CERT teams: sharing information about vulnerabilities,
prevention methods and incidents.
The MAN-CERT works particularly closely with JANET-CERT. Their
WWW pages are an invaluable collection of original documents and pointers to
information pertaining to various aspects of computer security.
Incident Response Procedures

When the CERT team receives a report indicating one of our machines is causing
problems or has been compromised in some way, the following action will be taken:
The report is logged in a call logging system. The CERT members are notified
and one of the team will take ownership of the report and deal with it.
The address is blocked at the campus firewall. This should prevent the machine
from causing any further disruption to systems off campus. The owner of the
machine or the support unit for the address range will then be informed and
asked to investigate and clean up. The CERT team is available to give advice
137
An inventory of CERTs in Europe is available at.http://www.enisa.eu.int/cert_inven-
tory/pages/01.htm (Accessed: 7 January 2007).
about how to clean up machines. In the event that a breach of the IT Security
policies that is subject to disciplineray proceedings has occurred, then the user’s
Head of School and, in the case of a student user, the Head of Student Upport
and Services will be informed.
If it is suspected that UK law has been broken, then the police will be informed.
Once confirmation is received that a machine has been cleaned, the block at the
campus router will then be removed.
Requests for removal should be sent to [email protected].
A full description of the procedures followed and the action taken in response to
a security incident is available.
Reporting an Incident
If your system suffers from a security incident (un access, possibly resulting in
system or data files being unlawfully read or modified) read this first and then
contact the MAN-CERT (Computer Emergency Response Team). Please do
the same if you notice suspicious activity at your computer, particularly activity
targeting another system.
Do not delay informing MAN-CERT because you are unsure of the
perpetrator’s identity, or because a disciplinary action against the offender
may be pending. The primary role of the CERT team in this case is ‘damage
limitation’ and helping with evidence gathering: we will inform the other site
about the attack and either ask them for help in investigating the intrusion from
their end, or alert them to possible damage done from your system. At this stage
we (or the other site) are not interested in the offender’s identity, all we want to
do is to limit, and repair, any damage done. The identity of your system will not
be revealed to sites not directly involved in the incident.
Unsolicited E-mail (SPAM)

Unfortunately this nuisance exists, and seems to be on the increase. Unwanted
email is a concern throughout Internet (including JANET), consuming resources
and causing distress to individual end users. MC’s e-mail team have implemented
an anti-spam service, this document also describes actions taken by MC to
prevent systems under its control from being used for spam distribution and for
the detections of spam. You may wish to consult UKERNA document describing
the problem in detail and discussing various possible actions against unsolicited
mail. CIAC (an US DoE agency dealing with computer abuse) issued guidelines,
with emphasis on filtering. Individual recipients of spam messages may wish to
consider the recommendations from the e-mail team. If you feel strongly against
spam (aka UCE: Unsolicited Commercial Email), you may wish to read about
an anti-spam campaign.
Defamatory Material
It should be emphasized that circulation of offensive or defamatory material
in any form (including email) is prohibited by the University of Manchester
General Regulations, Regulation XV. Any instances of violation of this
prohibition should be reported to [email protected]. Please include
copies of offending material, including all email headers.
Why so Much Security?

We are frequently asked “Why do I need more security than just a password?”
Well for a good introduction to help answer this question, see here.
Information on network-related security risks is available here. This document
categorises networked PC’s, work stations and computers by the type of information
they hold and the by the importance of their integrity of service. It also recom-
mends practical steps for Novell and Unix systems to ensure their service integrity
is provided at a level commensurate with the type of service provided.
Further general information about how to secure workstations or PCs running
Linux can be found here, kindly provided by Simon Hood of the Specialist Unix
team. More detailed information can be obtained here. People running UNIX/
Linux systems should at least read the essential sections before connecting their
machine to the network.
Securing obsolete (“legacy”) systems requires special treatment, described here.138
CERTS can be run across any type or size of community – some cover
countries.
NISCC in the UK have introduced WARPs, or Warning Action and
Reporting Points. These points are helpful to both the Government and
Private Sector in providing information that helps keep networks secure. In
NISCC’s words:
WARPs (Warning, Advice and Reporting Points) are part of NISCC’s information
sharing strategy to protect the UK’s Critical National Infrastructure from elec-
tronic attack. WARPs have been shown to be effective in improving information
security by stimulating better communication of alerts and warnings, improving
awareness and education, and encouraging incident reporting. Membership of a
WARP can also reduce the costs of good Security
Four sections relating to WARPs are described below:
• Introduction to WARPs
• WARP Strategy
• WARPs in the News
• WARPs in action
138
The full details of the Manchester CERT are available at http://www.itservices.
manchester.ac.uk/security/computeremergencyresponseteam/index.htm (Accessed: 7
January 2007).
NISCC is promoting Information Sharing with the Central Sponsor for

Information Assurance (CSIA) to provide assistance in setting up WARPs.
This assistance comes in the form of a WARP Toolbox which is freely available
to qualifying organizations or communities that want to set up their own WARP.
With the WARP Toolbox you can:
• get help in producing a business case for a WARP;
• read guidelines, case studies and reference documents;
• download customisable documents, presentations and spreadsheets;
• download publications which you can re-use;
• obtain software to help build and run a WARP.
For more information on the WARP Toolbox or to register your interest in
creating a WARP contact: [email protected]
Introduction to WARPs
WARP members agree to work together in a community and share information
to reduce the risk of their information systems being compromised and therefore
reduce the risk to their organization. This sharing community could be based on
a business sector, geographic location, technology standards, risk grouping or
whatever makes business sense.
WARPs can deliver more effective and lower cost security by providing to
members:
• A trusted environment
• Security information filtering
• Access to expert advice
• Early warning of threats
• Strategic decision support
• Improved awareness
The WARP Toolbox website supports the development and provision of three
core WARP services, which, between them, deliver all the benefits listed above:
Filtered Warning Service – where members receive only the security information
relevant to their needs as determined by categories selected in an on-line tick-
list. These categories cover Warnings & Advisories associated with Vulnerabilities
& Fixes; Threats & Incidents and Good Practice
Advice Brokering Service – where members can learn from other members’
initiatives & experience using a bulletin board messaging service restricted
to WARP members only. Subjects can be anything which adds value to the
members e.g. patch management; training; supplier/product evaluations,
security awareness
Trusted Sharing Service – where reports are anonymous so members can
learn from each others attacks & incidents without fear of embarrassment
or recrimination.
WARP Strategy
WARPs perform some of the tasks of CERTs but are not expected to provide the
technical response service of most CERTs. A WARP provides to its community
a service of early warnings of alerts and vulnerabilities, specifically tailored for
its community; this can avoid the duplication of each member sorting through
dozens of sources, or even worse, not having time to monitor developing threats.
The WARP also provides a limited help-desk service for the community, geared
to the specialized needs and building on the knowledge of the community
membership. It also provides a trusted focus for incidents and attacks to be
reported, to help find assistance or co-operation in dealing with the problem.
Such reports will be valuable to members, but when sanitized and anonymous,
sharing them with other communities can be equally valuable, and will encourage
reciprocal Information Sharing.
WARPs can be set up by a few able and enthusiastic individuals, to serve their
community, whether this is a group of small businesses, a particular industry
association, or a local community.
The concept is particularly applicable to local government organizations,
where it can be applied in several ways. A WARP can be a mechanism to link and
support a group of authorities (e.g. the London Boroughs). WARPs can be used
to support dispersed elements of a single local or regional authority. A WARP
could supply its services to the citizens of a local community.
The benefits include early warning of new electronic attack threats and
vulnerabilities, trusted sharing of incident information, increased exchange of
best practice, collaboration on dealing with problems, increased user awareness
and education, and greater confidence in using Internet-based services, to name
but a few.
The greatest strength of WARPs and CERTs comes from their willingness
to co-operate with each other, to share experience, expertise, and information.
NISCC encourages and supports this process.
The following article describes WARPs within the context of NISCC’s
Information Sharing strategy:
WARPs and Information Sharing

NISCC also works closely with other organizations such as the Information
Assurance Advisory Council to promote Information Sharing and WARPs. The
following article was published by IAAC from their series of briefing papers for
senior management entitled Information Sharing: A “no-brainer” approach to
improved risk management (July 2003)_which identifies WARP membership as
a solution to more effective risk management.
From a practical standpoint some have realized much of the difficulty in
managing Critical Information Infrastructure.
After 9/11 the Manhattan Downtown Alliance, and John Gilbert of Rudin
Management,139 took a new look at managing information infrastructure.
Their answer is to look at the problem holistically from a “Smart” building
perspective. They look at the whole problem from the CFO’s point of view,
from a real estate and cost point of view. They do not totally agree with a
number of Department of Homeland Security perspectives because they have
developed a new approach to resilience within a “Smart” building, rather than
a recovery or continuity plan. In wireless technology they suggest the use Wi-Fi
for convenience and Wi-Max for resilience. They are encouraging customers
to take responsibility for the “first mile” of connectivity (from the building)
as opposed to the Telco’s last mile approach to the building. This is turn-
ing some traditional thoughts on their head. Despite 9/11 economics rule,
customer-driven resilience is an important starting point for a new approach.
Overall the subject of Critical Information Infrastructure is fascinating.
It is fascinating in its own right. It is also fascinating in respect to how the
subject is dealt with in different environments. Dunn and Wigert (2004)140 call
their handbook Critical Information Infrastructure, but much of it is about
Critical Infrastructure. However, they are on the right lines because there is
a dependency, almost a total dependency by all Critical infrastructures on
Critical Information Infrastructure. It has been previously noted that Critical
Infrastructures tend to be national, whereas Critical Information Infrastructure
tends to be multinational. It is understood that many of the providers of
connectivity, hardware, software, and security to this global infrastructure
are USA based. Yet the providers seem to have little interest in the subject
relative to the importance placed on the subject by the politicians, who
themselves seem a little confused by it when it comes down to the distinction
between Critical Infrastructures and Critical Information Infrastructures.
The telecommunication standards bodies at international, European, and
national level have some interest in the subject, but it is not as well developed
as their interest in telecommunications per se. The national regulatory
bodies have not yet really got to grips with the subject either. There are many
Public–Private partnerships, but these are not well developed. There are also
many Information Sharing initiatives. The CERTs and WARPs work well,
as do Critical Information Infrastructure initiatives generally, when driven
bottom-up rather than top-down.
Overall this gives a pretty confused picture, and when it comes to resilience
or building resilience, not much is really in evidence from either a theoretical
or practical point of view.
139
Hyslop, MP (2004) Conversation with John Gilbert, 6 December 2004.
140
Dunn, M, et al. (2004) op. cit.
Chapter 6
Some Political, Economic, Social,
Technological, Environmental, Legal,
and Other Process Effects on Critical
Infrastructures
There are so many political, economic, social, technological, environmental,

legal, and other effects on Critical Infrastructures that this Chapter can only
highlight a few. A reasonable view would be that everything of this nature
affects Critical Infrastructure. The major political driver with regard to
Critical Infrastructure and particularly Critical Information Infrastructure
in the OECD and, arguably, in the rest of the world is the USA government.
Therefore much of this Chapter’s political section relates to effects that have
an origin in the USA. The economics section looks at some of the actual
resilience of Capitalism and some of the dangers marketers face. Social,
technological, and environmental sections look at some current issues rel-
evant to Critical Infrastructures. The legal section looks at the USA Patriot
Act and the recent Civil Contingencies Act in the UK. Some comments are
made about risk management.
The export of democracy as a political ideal has been used by the United
States of America since President George W. Bush came to power. It has
been used to back the invasions of Afghanistan and Iraq and has been sug-
gested as a potential weapon against others states and religions. The export
of democracy has had an arguably, important affect on United States of
America itself (terrorism in response?) and an obvious effect on the Infra-
structures, both physical and information, of others. Rather than target a
list of relevant examples the following column in the Washington Times by
Ernest W. Lefever141 gives the current context:
President Bush in his State of the Union address said: “Our nation is committed
to an historic, long-term goal: We seek the end of tyranny in our world.”
He earlier vowed to devote his second term to this high purpose. He told a recent
Kansas rally “our troops” are helping to “change the world by spreading liberty
and freedom,” acknowledging “Some dismiss that goal as misguided idealism.”
141
Lefever, E (2006) Can We Export Democracy. Washington Times. Available at http://www.
washingtontimes.com/commentary/20060311-102356-4785r.htm (Accessed:7 January 2007).
77
On Feb. 15, the Bush administration asked for an additional $75 million to
promote freedom in Iran by funding political dissidents there. In response, Rep.
Henry J. Hyde, a staunch Republican, cautioned Secretary of State Condoleezza
Rice against efforts to push democracy where it is an alien concept.
President Bush’s confidence in America’s ability to spread democracy and
freedom was not shared by most of his White House predecessors. Woodrow
Wilson, the notable exception, failed to understand the limits of America’s
capacity to sponsor democracy abroad. His idealism fed utopian expectations
here and abroad. Then reality intruded. The unraveling of history in the wake
of his Fourteen Points enunciated in 1918 prompted some critics to say, “He
reached for utopia and gave us hell.”
All our presidents, including the Founders, believed in “American excep-
tionalism,” the idea America had a special mission beyond its borders. The
Declaration stated that, “all men,” not just Americans, “are endowed by their
Creator with certain unalienable rights, which among them are Life, liberty
and the pursuit of happiness.” The Founders hoped other peoples would fol-
low America’s example and enjoy the blessings of liberty. Yet, their world and
ours, has been drenched in “wars and rumors of wars,” tyranny, conquest and
oppression. In the 20th century alone, hundreds of millions have suffered under
brutal tyrants or been killed in war. Today, genuine freedom and democracy
are the exception for the peoples who live in the 190-plus member states of the
United Nations.
America remains the major example and promise of freedom and democracy,
but these lofty goals can be won only through a long struggle by the peoples
who are denied them. We can and should assist those who seek a better way,
but these blessings are the fruit of those who earn them. Abraham Lincoln, who
understood the heavy price of freedom in a bitterly divided nation, spoke of his
“oft-expressed personal wish that all men everywhere could be free,” but he rec-
ognized the severe limits to promoting democracy abroad.
President John Quincy Adams perhaps best understood America’s unique but
limited role: “Wherever the standard of freedom and independence has been or
shall be unfurled, there will be America’s heart, her benediction and her prayers.
She goes not abroad in search of monsters to destroy. She is the well-wisher to
the freedom and independence of all. She is the champion and vindicator only
of her own.”
Ronald Reagan also emphasized this more modest national aspiration when
he likened America to “a shining city on a hill,” a beacon for all who yearn to
be free. His words can serve as a warning to Americans who speak too glibly of
exporting democracy or establishing freedom in other countries.
Of course, there were times and places when America’s role abroad was sub-
stantial, even decisive. During the 1940s, we knew Nazi Germany and Imperial
Japan had to be defeated. Our intervention was not a crusade, but a just war to
protect the Western democratic heritage. By winning that war and occupying
two defeated peoples, we were able to impose democratic disciplines on disparate
societies that had seen a substantial measure of democracy.
Chapter 6 Effects on Critical Infrastructures 79
In today’s dangerous world, America, the most powerful and generous nation
on Earth must steel itself against the arrogance of power. Shakespeare said:
“O, it is excellent to have a giant’s strength; but it is tyrannous to use it like a
giant.” And Reinhold Niebuhr cautioned America to use its great might “with
fear and trembling.
The political effects of the export of democracy on Critical Infrastructures
both in the USA and elsewhere have been well documented. This theme will
be returned to in a later Chapter, but one response to the export of democracy
and other initiatives has been the rise of Asymmetric Warfare.
A further view on Asymmetric Warfare will be given later. Suffice at this
point to record that:
By the advent of the 21st Century, not only is it likely that many of the conflicts
facing the United States and her allies will be of an asymmetrical and devolving
nature, (but) it is also likely that the threats will come from diverse and differing
vectors. Particularly of concern is the possibility that conventional terrorism and
low-intensity conflict will be accompanied or compounded by computer/infra-
structure attacks that may cause damage to vital commercial, military, and gov-
ernment information and confront communications systems. Unfortunately, it
would appear that while the United States gains tremendous advantages from
its advanced information and battlefield management systems, we also become
increasing vulnerable to cyber-attacks from our adversaries.In other words, we
would anticipate efforts to cause widespread fear by computer-generated attacks
on electrical, water, banking, government information, emergency response sys-
tems and other vital infrastructures, while simultaneously suffering terrorist
tactics involving multiple conventional explosives and/or chemical/biological/
nuclear devices. Even a country as large and sophisticated as the United States
could suffer greatly at the hands of an educated, equipped, and committed group
of fewer than 50 people. At the present time, such an attack could realistically
be expected to cause an effect vastly disproportionate to the resources expended
to undertake it.142,143
“War is the continuation of politics by other means,” said Clausewitz144.
Antulio J. Echevarria II writes “In fact, Clausewitz’s varied usage of Politik
and the historical context within which he wrote indicate that he meant three
things by the term. First, Clausewitz did intend Politik to mean policy, the exten-
sion of the will of the state, the decision to pursue a goal, political or otherwise.
142
Staten, CL (1998) Asymmetric Warfare, the Evolution and Devolution of Terrorism;The
Coming Challenge for Emergency and National Security Forces. 27 April. Emergency
Response Institute. Available at http://www.emergency.com/asymetrc.htm (Accessed: 7
January 2007).
143
The Changing Face of War. Available at http://www.henciclopedia.org.uy/autores/
Laguiadelmundo/GlobalWar.htm (Accessed: 7 January 2007). Gives an interesting per-
spective on the changing nature of war.
144
Clausewitz, Karl von (1833) op. cit.
Second, Politik also meant politics as an external state of affairs, the strengths
and weaknesses provided to a state by its geo-political position, its resources,
alliances and treaties, and as an ongoing process of internal interaction between
a state’s key decision-making institutions and the personalities of its policy
makers. Lastly, Clausewitz used Politik as an historically causative force, pro-
viding an explanatory pattern or framework for coherently viewing war’s various
manifestations over time.145
The Revolution in Military Affairs and associated doctrine that has driven
much of the USA’s war fighting capability over the last decade has been predicated
in large part on the selective and specific identification of Critical Infrastructure
targets accompanied by electronic warfare directed at information systems. It is
useful to reflect that formal attack on the United States by any similarly capable
power will also result in attacks on the USA’s Critical Infrastructures.146
So far this book has been a little pessimistic about the capability of Critical
Infrastructures to withstand shocks and rebound, resilient. To start a brief
look at Economics, Baker comments on the ability of the USA to survive in
an optimistic manner is as follows:
I give you this little statistical litany not just for its own intrinsic appeal, but as
a healthful antidote to some of the wishful thinking about America’s inevitable
decline you can read in the rest of the media.
Historically speaking, indeed, America’s economic hegemony has never been
greater. However messy Iraq and Afghanistan get, it would be unwise to bet that
the US will not continue to be Top Nation for quite a while yet.
What could undermine long-term US dominance? Some fret that the precari-
ous American fiscal position could do it. However, this is mostly hyperventila-
tion. The fiscal deficit, at a cyclically adjusted 2.5 per cent of GDP, is on the
large side, but American public debt as a proportion of GDP — at less than 70
per cent — still puts the United States comfortably among the more frugal of
the world’s big nations.
The inevitable unraveling of global financial imbalances could certainly harm US
demand growth in the short term, as both public and private sectors increase savings,
but, assuming these extra savings are efficiently allocated by America’s highly flex-
ible capital markets, they might even end up improving long-run potential.
The ageing population will surely crimp American economic activity. Most
economists expect trend growth to slip a bit in the early part of the next decade as
the proportion of the population in work begins to drop. Yet relative to the rest of
the world this may not matter that much. America’s demographics — a reasonable
145
Echevarria 11, AJ (1995) War and Politics: The Revolution in Military Affairs and the
Continued Relevance of Clausewitz. Winter 1995–1996. Joint Services Quarterly. Avail-
able at http://www.clausewitz.com/CWZHOME/ECHEVAR/ECHJFQ.htm (Accessed: 7
January 2007).
146
For a slightly different approach to this subject see Smith, R (2005) The Utility of
Force. Allen Lane.
birth rate and strong immigration flows — are actually rather better than for most
other industrialized countries. A century ago, China’s population was almost six
times that of the US. In 50 years’ time, on current trends, it will be less than three
times the size.
The only real threat to American economic hegemony, I suspect, is the willing-
ness of its people to continue to tolerate the pains associated with its success.
Income and wealth inequalities have grown rapidly in the past ten years — even as
the long-term growth rate has accelerated — and, given the continuing direction
associated with globalization, they may get even worse over the next 20 years.147
On the other side of the fence, so to speak, it is necessary to bear in mind
that processes such as Obstructive Marketing change completely the way in
which marketing is viewed. Obstructive Marketing is:
Any process, legal or not, which prevents or restricts the distribution of a product
or service, temporarily or permanently, against the wishes of the product manu-
facturer or service provider.148
It recognizes that there are challenges to the positive, western, consumer-
oriented practice of marketing that have, hitherto, gone unremarked and
unanticipated. The process is indicative of the dangers involved in stepping
outside a traditional domestic market, a friendly international market, or a
global market characterized by sales to wealthy clone zones of western con-
sumerism. With few exceptions this is so far what globalization has been
about. Since the end of Cold War many of the impediments to Free Market
Capitalism have been summarily dismissed. It was assumed that this was
something everybody wanted. Obstructive Marketing demonstrates that such
an attitude is incorrect.
Obstructive Marketing offers a wide range of techniques that can slow,
resist, obstruct, or modify the behavior of companies employing traditional
marketing approaches. In addition the identification of these Obstructive
Marketing techniques gives these same companies additional weapons to use
in markets over and above those traditionally thought of as marketing tools.
This is important because it brings marketing out of a singular western
approach to a rather more sophisticated mainstream global approach, an
environment where things are not quite so simple. Most of business in the
capitalist world is conducted along honorable lines, while it should not be
assumed that this is the case when companies step outside the boundaries
of the capitalist world and try to do business as capitalists in noncapitalist
environments. A whole new range of approaches is appropriate to deal with
different business ethics, mores, cultures, family values, and legal systems to
name a few. By understanding the differences and trying to marry these to, for
example, the USA’s Foreign Corrupt Practices Act, the extraterritoriality of
147
Baker, G (2006) America’s Economic Hegemony Is Safe. 25 April 2006. The Times.
148
USA law, and the drive for globalization on western terms then a better and
more successful development may be achieved.
Obstructive Marketing is therefore an example of how traditional market-
ing techniques are restricted, particularly in overseas markets, and also a new
way of approaching marketing in some difficult areas. This requires some
depth of understanding and also the ruthlessness to pursue policies that allow
businesses, in Machiavelli’s terms, to remain virtuous in the long run.
Globalization by western companies is only just beginning. It is made
possible by the demise of military confrontation in traditional sense between
east and west, free market legislation, open currency markets, and massive
amounts of available capital, particularly in the USA. Nevertheless this proc-
ess has really only gone as far as reinforcing early victories in existing western
markets and establishing bridgeheads in rich pockets of other parts of the
world. At the same time it has taken advantage of a temporary maladjust-
ment in some potentially competitive areas: China and Eastern Europe for low
wages for example. It has not yet extended reach and depth on a true global
basis. As it attempts to do so further Obstructive Marketing issues will arise,
principally from China, India, and Russia who will all have their own idea of
how to globalize in their own way. Sometimes globalization is characterized as
a world event – it is not, western companies and capital dominate it. This is not
necessarily going to remain the case in the long run. However, while companies
such as Microsoft continue to have a turnover close to the GDP of China, the
period of uncertainty is likely to continue for a considerable period.
In addition to the implications for the Marketing Mix there are also
implications for Directors/Management. This does not just mean marketing
management. It means the seven (the six usual suspects plus the Chief Informa-
tion Officer!) regular executive constituents of a board, the chairman, and the
nonexecutive directors, too. All have a responsibility to ensure that the business
is run properly. (This is now enshrined in the Sarbanes-Oxley Act in the USA
and the various standards and guides that exist in the UK on Governance.)
In a public company it is the responsibility of the board and management
to deliver a return to shareholders. In a private company it is the responsibil-
ity of the board and management to meet the objectives set by the business
owner. In a public service organization, or a company limited by guarantee,
it is the responsibility of the board of management to deliver the objectives
set by the institution. It is not on the agenda to have the integrity of these
purposes compromised by any internal or external issues. There is, therefore, a
duty of care imposed on the directors and management of an organization to
ensure delivery of the business objectives. This has to be achieved by exerting
continuous due diligence over business developments.
Some writers, Friedman (1999)149 for example, would say that this approach
to functions is a load of nonsense, and potentially outdated. They would say
149
Friedman, TL (1999) The Lexus and the Olive Tree. FSG. New York.
that under the three new democracies; the democracy of the PC, the democ-
racy of Finance (availability of credit), and the democracy of the Internet
– this is all old news. In the New World every product or service becomes a
commodity and it does not matter where it comes from; the consumer is king
and price will drop to meet the demand of the consumer. So do not worry
about the old rules just adapt to deliver the product and service as fast and as
cheaply as possible and the “devil take the hindmost.” A key example of the
differences between these two philosophies would be between the telephone
companies and the computer companies. Telephone companies generally
have some sort of statutory duty to provide a service so equipment has to be
delivered to a standard and last; this is much less so in the computer industry
where products change every six months. Moore’s Law150 used to double chip
speeds every eighteen months, and so what if it does not work it is out of date
and you need a new one. Other areas where the fast approach is dangerous
are in motor cars – as the Detroit moguls are fond of saying151, “We do not
build computers - our products can kill people if we don’t get them right.” Oil
and gas equipment, defense equipment, and food are all areas where the new
paradigm may not apply except in improving productivity. (Note: it is only
in the technology-based areas that there is currently growth – other areas are
marginal).152 So Friedman’s argument is only true in part, and is specifically
unhelpful in dealing with Critical Infrastructures.
Every revolution has had an impact on productivity and cost, but eventu-
ally a new balance emerges in which the traditional bargain is struck between
buyer and seller – where one side provides a good or service of a particular
quality in return for compensation.
It seems to be a peculiarly USA idea that this should mean the lowest
price, as this tends to develop careless products and dangerous practices. The
Lopez153 event in the car industry is now acknowledged as a wrong turn down
the low cost route – reality has returned and prevailed. The law also tends to
lag these events – so there is a period of anarchy (as there was during the agri-
cultural and industrial revolutions) – but it does eventually catch up. There
is a general human concern with right and wrong, and the rule of law that is
not going to be changed by any new model. What all this means is that there
is going to be a considerable period of uncertainty, change, and challenge for
many producers of goods and services. To survive productivity will need to
continue to increase, and speed to market will be extremely important. This
150
Definition available at http://en.wikipedia.org/wiki/Moore’s_law (Accessed: 7 January
2007). Not as applicable as it was.
151
Comment of Fleer, CS (1998) CEO of United Technology, to audience at SAE 1998.
152
Ernst and Young (1995) US Manufacturing Abroad. Ernst and Young.
153
Lopez revolutionized purchasing for GM and Volkswagen. Volkswagen got the best
out of him, because unlike GM, they did not allow him to completely dominate the supply
chain. A resume on the Lopez affair is available at http://www.laramie.willshireltd.com/
NewWorldOrder.html (Accessed: 7 January 2007).
change and rate will also mean more opportunities for Obstructive Marketing
episodes. So, in general, the comments made above with regard to each busi-
ness department will prevail and will require attention. Such an understand-
ing will help the management of Critical Infrastructures by ensuring that each
is aware of such issues.
The UN believes that inequality is the key social problem of our time:
The 2005 Report on the World Social Situation: the Inequality Predicament was
launched on August 25. The Report sounds alarm over persistent and deepening
inequality worldwide, focusing on the chasm between the formal and informal
economies, the widening gap between skilled and unskilled workers, the growing
disparities in health, education and opportunities for social, economic and politi-
cal participation.
The 2005 Report on the World Social Situation (RWSS) will focus on the
international aspects of inequality. As emphasized by the ten-year review of
the implementation of the Copenhagen Declaration and Program of Action,
there has been uneven progress in many areas of social development (e.g., access
to health and education), with important regression in others (e.g., inequality
and social integration). The analysis of the underlining causes for this state of
affairs highlights several issues, among which the reduced emphasis received in
the decade since Copenhagen in the commitments made during the World Sum-
mit on social development especially in the areas of equality, equity and social
justice stands out.
Actual trends in inequality and the changing nature that inequality itself
has acquired in the recent decade call for a more in-depth analysis. Thus the
main assumption of the RWSS 2005 is that issues of equity and inequality has
acquired such importance nowadays that it renders a difficult task to strengthen
the development agenda without first addressing the segmentation of society
that, among other reasons, rising levels of inequality have produced.154
In addition to the key principal point of inequality it can be noted that dif-
ferent parts of the world have different levels of access to Critical Infrastruc-
tures. This is also an inequality, but only in part. This is because inequality
itself is not always viewed as inequality. Sometimes it is a different sort of
equality. Sometimes, there is the view that no one should have access to these
Critical Infrastructures at all. For example, one of the most difficult social,
and political, issues of all is how to deal with divergence of view between
an essentially nation-state, capitalist oriented, “Christian” but secularly gov-
erned, OECD and a nonnation-state, religious, fundamental, society based on
Islam. Balancing these two social and political approaches is one of the great
challenges of our time.
If it is accepted that Global Warming is indeed occurring, and there are
still arguments about this, it does not really matter if it is caused by natural
154
UN (2005) Report on the World Social Situation. Available at: http://www.un.org/esa/
socdev/rwss/rwss.htm (Accessed: 7 January 2007).
or human events. In terms of Critical Infrastructures the effect of Global

Warming is profound. Taking a quick look at the common list there will be
some startling results of even relatively minor changes in temperature. Some
of these have already been alluded to and most have already been witnessed
in whole or in part:
• Finance City of London floods
• Energy Power generators fail
Nuclear power plants flood
• Food supply Harvests shrink
• Health New diseases
• Government services Under pressure
• Law and order Under pressure
• Manufacturing Current locations inadequate
• National icons Damaged
• Transport Disrupted
• Water Scarce, in the wrong place
• Waste water Contaminated
• People In the wrong place
• Education Disrupted
On the whole Technology should be understood to have a positive effect on
Critical Infrastructures. Technology has already contributed to the London
Flood Barrier, protecting London and the City from flooding for the last
twenty years or so. Technology has already delivered improvements in the effi-
ciency of power stations, and a reduction in pollution. Harvests have grown
over the last generation because of technology. Health has been maintained,
and new treatments found for disease. Efficiencies in law and order have been
delivered by improved systems based on technology advances. National Icons
can be viewed by more people, especially remotely. Transport has benefited
enormously from technology – improved fuel efficiency, safety, and less pollu-
tion to name a few obvious ones. Water has become available to more people,
and waste water has been treated more effectively, much due to advances in
technology. People are better educated, have access to more information, and
education has never been available to so many on such a scale. This is now.
However, there is a warning note for the future. What new has really been
created that will take things forward? Has the growth of understanding and
the ability to analyze data improved the chances of a future built from tech-
nology advances in the same way as the past 100 years has been transformed
by technology? Two examples will suffice to give pause for thought. The first
is the man born in 1923 who in his first 80 years experienced the introduction
of cars, telephones, electricity, air travel, space travel, antibiotics, computers,
and genetics on a widespread basis. His father knew nothing of most of these
things. Statistically, he is likely to live longer than his son born in 1954 who
in his first 50 years saw nothing that was not already seen by his father. It is
a fact that those who were born at the beginning of the twentieth century
probably saw more change in their lifetimes than subsequent generations. The
second is new drugs. Why have most of the good drugs been found without
the aid of statistical analysis and computers? It remains a fact that the rate of
discovery of new drugs has slowed. These examples do not bode well for the
future resilience of Critical Infrastructures.155
The USA Patriot Act of 2001 is one of a number of USA Acts that have
extraterritorial reach. Comments on others are made elsewhere in this book.
Here is noted the effect of USA legislation on non-USA individuals and
organizations. The following is the conclusion from Joseph Tompkins’ paper
for the IMF on this subject:
First, the Act is very broad in nature. While U.S. financial institutions and
persons are directly affected, the Act has significant impacts on non-U.S. banks
and persons. The Act creates broad new information-gathering obligations for
U.S. financial institutions, which have an indirect effect on non-U.S. financial
institutions, and which create significant new costs for all those affected. The Act
also creates new and unprecedented investigative and law enforcement authority
for U.S. government officials, not just with respect to terrorist activities, but for
money laundering and a wide range of other crimes.
Second, the Act is a work in progress. It contains many provisions that are
ambiguous or subject to great discretion in their application by U.S. government
officials. Some of those uncertainties will be resolved by regulations and other
guidance issued by the Department of 40 Treasury and other Executive Branch
agencies. Other ambiguities will have to be ultimately resolved by U.S. courts
or perhaps by clarifying legislation from the Congress. In the meantime, those
affected by the Act must be diligent in attempting to comply with its provisions,
but also vigilant to make certain that the Act is implemented in a manner that
is fair and consistent with fundamental rights. The government officials charged
with exercising the new authority given them under the Act hopefully understand
that their authority must be carried out in a fair and responsible manner. To do
otherwise would be self-defeating, not only for the immediate tasks at hand, but
also for the fundamental liberties and the principles that the USA PATRIOT
Act was designed to protect.156
Probably the most significant piece of legislation applicable to Critical
National Infrastructure in the UK is the Civil Contingencies Act. Jim Birtles
of the Business Continuity Institute comments as follows:
In the United Kingdom, all Civil Protection activity at the local level was empow-
ered by Civil Defense legislation dating from 1948. This legislation had defined
155
Cuatrecasas, P (2006) Drug Discovery in Jeopardy. 1 November. The Journal of
Clinical Investigation. Available at http://www.pubmedcentral.nih.gov/articlerender.
fcgi?artid=1626142 (Accessed: 7 January 2007).
156
Tompkins, JB (2002) The Impact of the USA Patriot Act on Non-USA Banks. Inter-
national Monetary Fund Seminar on Current Developments in Monetary and Financial
Law. 7–17 May. Available at www.imf.org/external/np/leg/sem/2002/cdmfl/eng/tompki.
pdf (Accessed: 7 January 2007).
the events local responders should prepare for in terms of “hostile attack” from
a foreign power. With the ending of the Cold War such a threat evaporated and
local efforts in recent years have been focused on preparing for civil emergen-
cies such as localized flooding and major transport accidents. The provisions for
Emergency Powers were based on the Emergency Powers Act 1920 which defined
an emergency in terms of certain services and resources which provided the com-
munity with the essentials of life. Clearly, the 1920 Act is out of date and doesn’t
reflect the threats which the UK now faces (for example, the 1920 Act did not
cover terrorist threats or threats to the environment).
Background
After the fuel crisis and severe flooding in the autumn and winter of 2000,
the Deputy Prime Minister launched a review of current emergency planning
arrangements. This included a public consultation with representatives from
both public and private sectors. In addition to a formal BCI presence, a number
of BCI members were involved in the process as a natural extension of their
normal responsibilities.
The review reinforced the Government’s viewpoint that the existing legisla-
tion was out of date for modern civil protection efforts and new legislation was
needed. The development of the new legislation was initiated by a further public
consultation working on a draft Bill. This exercise ran from June to September
2003, setting out the proposals for a new framework for civil protection work
at the local level and a new framework for the use of special legislative meas-
ures. The resulting draft Bill was then scrutinized by a Joint Parliamentary
Committee. Following amendments in the light of further consultation, and the
recommendations of the Committee, the Bill was introduced to Parliament in
January 2004. Whilst developing the Bill, the Cabinet Office implementation
team worked in close consultation with a number of key stakeholders, including
the BCI, in an open and comprehensive policy-making process. The Bill was
passed by Parliament on 17th November 2004 and received Royal Assent on
18th November to become the Civil Contingencies Act 2004 (The “Act”). The
Act came into force in April 2005 and compliance will be enforced and audited
from September 2005 onwards, allowing 6 months grace for implementation.
However, the BCM promotion duty will not be enforced until 12 months later,
in April 2006, when the whole of the Act will become subject to full audit and
enforcement.157
Given the reviews in Chaps. 3–5 it might be expected that significant atten-
tion would have been given by the Governments of the United States and
the United Kingdom, in particular, to resolving the particular issues regard-
ing the deficiencies in certain Critical Infrastructures. It may be unfair to say
so but it would seem that the current political reaction has a lot to do with
legislative window-dressing as opposed to practical and real problem solving
157
Courtesy of Jim Birtles, FBCI. Available at http://www.thebci.org/ccact.htm (Accessed:
7 January 2007).
in key Critical Infrastructure problem areas. One of the problems here, of

course, is that many of these Infrastructures, and particularly Information
Infrastructure, are not in the hands of Governments any more.
National governments, such as the USA and the UK, have taken action
in recent years to improve corporate governance standards in the wake of a
number of high profile private sector corporate financial scandals. Thus in
the USA the implementation of the Sarbanes-Oxley Act, a series of corporate
governance recommendations and increased vigilance by the Financial Serv-
ices Authority158 in the UK and the various UK Governance Reports,159 and a
focus on Information Security from the European Commission have all had the
purpose of improving corporate governance and the accountability of senior
management. This has led to an increase in regulatory control for business.
Such governance and regulation also affects banks. Banks are inextrica-
bly entwined with corporate governance and financial accounting standards.
They have the additional burden of monitoring transactions associated with
economic crime, specifically drug money laundering. The Basle Committee
for Banking Supervision160 basically sets the standards of operation for inter-
national banks. All reputable banks are associated with the committee. Basle
I (1988 Basle Capital Accord) set out the regulatory framework for banks and
other financial institutions to cover potential losses, specifically rules govern-
ing risk-weighted capital ratio. This was broadly set at 8%. In other words a
bank’s capital should not fall below 8% of its risk-weighted assets.
Basle II161 is a sophistication of Basle I. It is more sensitive to credit and
market-related risks. For the first time the accord deals with operational risk:
“The risk of loss, resulting from inadequate or failed internal processes,
people and systems, or from external events.”
Capital must be held to cover these risks. Less capital is needed if the risks
are well managed.
The Accord is not mandatory but:
• The European Union (EU) is taking a strong line and is expecting all banks
and investment firms to comply
• The US Federal Reserve expects the top 11 US banks to comply, others are
expected to comply
• Some countries, India and China, are not expected to comply
158
FSA is the regulator of all providers of financial services in the UK; Bank of England
retains responsibility for systemic risk. Further information available at http://www.fsa.
gov.uk (Accessed: 7 January 2007) and at http://www.bankofengland.co.uk (Accessed: 7
January 2007).
159
A good summary is available at http://learningmatters.com/dwn/21397/21397ref0.html
160
More information is available at http://www.federalreserve.gov/generalinfo/basel2
161
More information is available at http://www.pwc.com/extweb/industry.nsf/docid/
0DE78A7E597CB7B985256EFF00571250 (Accessed: 7 January 2007).
Basle II will be implemented in the EU via the Risk Based Capital Direc-
tive (CAD III). The Accord is likely to have the biggest impact in Europe and
the USA.
The biggest impact of Basle II will be a significant increased cost of com-
pliance. The total cost is estimated between $½ trillion and $1 trillion dollars
with an average expenditure of around £50 million per bank. Against this
must be taken the benefits of compliance (a strong reputation) and the poten-
tial reduction in required capital ratios for those that do comply.
The USA Sarbanes-Oxley Act162 of 2002 was introduced in response to
a number of corporate governance scandals in the USA. The main drivers
were those issues surrounding the financial management, or otherwise, at
Enron, WorldCom, and Tyco. Although it is clear that Sarbanes-Oxley is
the most complete corporate anticrime law ever published in the USA, it is
still unclear exactly how companies are to comply. It is important to note
that the Act is intended to have international reach. There are implications
for subsidiaries of USA companies abroad, who are expected to comply,
and for subsidiaries of foreign companies in, or linked to, the USA who will
also be expected to comply. This is particularly so if they have any reporting
requirements with the USA Securities and Exchange Commission. This is
also important for companies listed on a variety of Stock Exchanges.
The Sarbanes-Oxley Act covers all aspects of corporate governance, with
particular emphasis on financial statements, audit requirements, and board
control.
The Sarbanes-Oxley Act impacts all USA companies and their subsidiar-
ies at home and abroad. It impacts all foreign companies with subsidiaries or
dealings with USA parent or subsidiary companies. It impacts all companies
with reporting requirements to the Securities and Exchange Commission.
Currently, it specifically affects all companies with a market capitalization
in excess of $75 million. Senior Management faces prison (up to 20 years) or
large fines (up to $5 million) or both, for infringements.
The Sarbanes-Oxley Act was passed in 2002 and came into force on 15 June
2004. Compliance deadline was 15 April 2005. It should be noted that as this
book is written, a number of amendments are proposed to the Act. The Act
has the purpose of enforcing a change not only in USA governance but also
in international governance. It therefore has a potential worldwide impact.
Although the major impact of Sarbanes-Oxley is clearly focused on finan-
cial controls the aim of the Act is to be more wide ranging. This is partly
because all aspects of a business are related to finance. Thus papers on the
impact of Sarbanes-Oxley on travel and health and safety have already been
written. To a certain extent Sarbanes-Oxley is a “bandwagon” that many have
162
Sarbanes Oxley Act is available at http://www.soxlaw.com (Accessed: 7 January 2007).
Deloittes also have information available at http://www.deloitte.com (Accessed: 7 January
2007).
joined. However, the key point is that when linked to current and proposed
Corporate Governance changes in Europe/UK, Basle II accords, and the focus
by the European Commission on Information Security standards, Sarbanes-
Oxley will represent a fundamental shift in corporate governance standards.
Section 404 of the Act deals the Management Assessment of Internal Con-
trols. As most management information and financial information is now
held digitally it is critical to have information systems and telecommunica-
tions that assist, rather than detract from, compliance.
There have been some interesting negative effects from the Act. These are
noted elsewhere.
A number of significant changes to accounting, governance, and reporting
standards are affecting companies across the world. In addition, forthcom-
ing changes to operational risk assessments affecting banks under the Basle
II accords will have an impact on how businesses interact with their banks.
All these changes have an impact on telecommunications and information
technology requirements. In addition new accountancy standards are being
implemented across the world.
The European Union wishes to introduce a common capital market.163
It follows that this requires a common financial language. This language
is known as the International Accounting Standard and interpreted by the
International Financial Reporting Standard.
From 2005 all listed companies (listed on an EU regulated Stock Exchange)
across the European Union will have to prepare their consolidated financial
statements based upon International Financial Reporting Standards. They
will no longer be able to produce accounts based upon national standards.
In addition to the EU member states, over 70 countries currently permit or
require the use of International Financial Reporting Standard by some or all
of their domestic listed companies or have announced plans to do so. There
are about 7,000 such companies, of whom 2,500 are in the UK.
It is not possible to pick and choose which standards are adopted. Listed
companies must adopt the entire International Financial Reporting Stand-
ard. For everyone else it is an all or nothing choice. An entity whose financial
statements comply with International Financial Reporting Standard must
make an explicit and unreserved statement of such compliance in the notes
to its accounts. Financial statements shall not be described as complying with
International Financial Reporting Standards unless they comply with all the
requirements of International Financial Reporting Standards. The Interna-
tional Accounting Standards Board is currently in the process of discussing
an international version of Financial Reporting Standard for Smaller Entities
for small and nonpublicly accountable entities.
163
More information on IFRS available at http://business.timesonline.co.uk/section/0,16649,00.
html (Accessed: 7 January 2007) and at http://www.ifrs.co.uk (Accessed: 7 January 2007).
Any companies that meet the above definition will need to prepare consoli-
dated financial statements using International Financial Reporting Standard
for accounting periods commencing on or after 1 January 2005. The adoption
of International Financial Reporting Standard is a major cost to business. In
most cases this process of adopting International Financial Reporting Stand-
ard should already be underway. However, research suggests that many com-
panies have made little or no progress towards this goal.
Implications for Information Infrastructure Resilience and Recovery of
these regulatory changes can be summarized thus:
The adoption of the measures is likely to require:
• New software systems
• Review of hardware systems
• New means of communicating with/from customers
• New risk assessments and dependencies
A general checklist from a telecommunications and IT perspective would
include:
• Impact assessment
• Risk assessments and dependencies review
• Contract review including a liability review
• Systems and integration review
• Capacity and capability required
• Reporting/data retention
Such a checklist implies the need for strategically integrated systems, a
robust telecommunication infrastructure, a business continuity plan and a
disaster recovery plan. These measures are likely to add some measure of
resilience to business. Most risk management tools are inquisitive and pre-
scriptive, in other words they ask you lots of questions, and then tell you what
to go and do.
Dependency Modeling provides a way of capturing a model of an organi-
zation, whereby it uncovers all kinds of possibly unforeseen vulnerabilities,
measures the risks, and helps reduce the vulnerabilities to cut out the most
serious problems, thereby reducing the risk.
Stock Markets hate uncertainty, it always depresses prices. They prefer
hard news – even bad news – to uncertainty. Since earliest times, uncertainty
has been one of the greatest problems faced by mankind. Mankind achieves
by making decisions, and uncertainty paralyses the decision making proc-
ess. Uncertainty promotes paroxysms of discussion, argument, and some-
times conflict.
Some of the oldest writings known to historians are concerned with
man’s wrestle with uncertainty, and over thousands of years he has evolved
a number of ways to attempt to handle it, from sacrifices to influence the
harvest, to fortune telling such as astrology, to more scientific means such as
market research and economic modeling.
Risk management concerns itself with uncertainties about the future that
could bring down an organization. It is among the most important disci-
plines of modern management, yet it is poorly understood. It is concerned
with statistics and unpredictability, yet most managers – even many trained
scientists – do not grasp statistical behavior at the intuitive level.
Subconsciously we all confuse a very small probability of a major disaster,
with a small disaster.
The formal parts of an organization are those most often emphasized.
These are the parts about which we make decisions and over which we have
some control. We will sometimes refer to them as the controllable parts of the
organization, although we have at best only partial control over them. They
include our mission, our organizational structure, our recruitment policy, the
systems we use, the hardware we buy, the training we provide, the procedures
we enforce, and so on.
But a fuller picture includes factors over which we have virtually no control,
such as national strikes, equipment failures, outbreaks of fire, the weather, the
existence and intentions of hostile parties, human frailty, and so forth. These
uncontrollables, each of which affects many business functions, do not just
occur singly, but may arise in combination, and of course the number of com-
binations is enormous.
It is unfashionable to speak much of these uncontrollables since they make
us feel uncomfortable and helpless. Yet every organization on the planet is
susceptible to certain combinations of things all going wrong at the same
time. But as risk analysts we know that we all depend on things over which we
have little or no control. These things constitute the essential luck we need to
continue functioning. Our job is to arrange things so that we rely on as little
of this luck as possible. This leads us to the following definitions:
• Risk is sensitivity to those things we cannot control.
• Risk Management is the science of understanding and reducing our
sensitivity to those things we cannot control.
Understanding risk involves understanding why we depend on things we
cannot control, through an understanding of Dependency Relationships.
The formal part of the organization can be thought of as being under con-
stant attack by the uncontrollable part. Risk Management is about designing
the former to be maximally resilient to the latter. While we cannot control
the root causes, the uncontrollables, nevertheless the effects are more under
our control through management of the dependency relationships within the
organization.
Interdependency relationships are unique to the particular organization,
and only by coming to terms with the actual relationships in that organi-
zation can anything really valuable be done to understand, manage, and
reduce risks. Dependency Modeling was developed to capture these inter-
dependencies in a highly visual model so that the consequence of failures
could be uncovered in the safe, virtual environment of the computer.
Having created the model it is relatively easy to:

• Infer the risk to the organization implied by the model
• Illustrate the risk graphically in easy-to-understand terms
• Find which scenarios are the most dangerous to the organization
• Find variations of the organizational structure which carry less risk
• Evaluate the effectiveness of any countermeasures
• Determine which factors are important and which can be ignored
• Support management proposals with evidence
• Avoid spending money on measures which are likely to be ineffective
• Find ways of reducing risk without necessarily spending money”
Using the methodology above also allows us to create an Obstructive Mar-
keting Risk Model. The risk model, of course, would be different for each
company looking to deal with Obstructive Marketing threats. This modeling
is important because it has allowed the concept of Obstructive Marketing to
move from an idea, to a concept, through examples, to a scientific base, to
a plan to control it. Clearly, the model has developed from the who, when,
where, how, and why questions. This is not only a complete cycle, but com-
pletes the requirement concerning the ordering experience. Obstructive Mar-
keting is therefore sufficiently real for a plan to be constructed to deal with
the various aspects of it.164
In this Chapter a variety of political, economic, social, technical, environ-
mental, legal, regulatory, and risk issues have been looked at. Although there
is some optimism in the political, economic, technical, legal, and regulatory
areas from this and previous Chapters, it is the case that the “common list” of
Critical Infrastructures is affected adversely by many of these processes. For
the management of Critical Infrastructures to be successful they must remain
a priority in the development of each of these processes form a national per-
spective. Unfortunately, this is not, overall, the case. The primacy of Critical
Information Infrastructure is once again emphasized.
164
From Hyslop, MP (1999) op. cit. These comments also appeared in Hyslop, MP et al.
(1996) Advanced Inventory Management. Whessoe plc. Some parts of this latter descrip-
tion are accredited to Professor John Gordon and Chris Baker.
Chapter 7
Comments on Standards in Information
Security, Disaster Recovery, Business
Continuity, and Business Resilience
This Chapter looks at some aspects of the private sector approach to resilience.
There are a number of ways this can be approached by both business and as a
subject. However, over the last twenty years or so, there has been continuous
development of an approach related to firstly disaster recovery, then business
recovery, then business continuity, and, most recently, a move toward busi-
ness resilience; which will potentially obsolete all the former. This progression
has seen the development of some standards. These have been focused on the
regulated businesses. This Chapter charts this journey and ends by comparing
a significant number of the different standards now in use. As this book goes
to press the new Business Continuity Standard in the UK, BS25999, has been
published, which is really the next step in the business continuity industry’s
development. As with all Critical Infrastructures, the mission critical elements
of a business are almost always related to Information Infrastructures these
days. Hence the concentration on standards related to Information Infra-
structure. This Chapter reproduces text from articles by the author originally
published in Continuity Planning’s online newsletter.165
There have been, are, three developing themes in the business risk manage-
ment industry – business recovery, business continuity, and business resilience
– and all have a common driver: regulation. In the latter’s case, however, there
is also the business strategy driver to consider.
Regulation during the 1980s in the banking industry, especially in Europe
and the City of London, drove players to evolve procedures that could recover
financial data, in particular, from disrupted media in such a way that information
could be retrieved and businesses could continue to operate. At the same time,
companies, such as Kroll166 and Control Risks,167 were starting to look, again
in regulated businesses and/or high-profile businesses, at the risks to business
and began drawing up procedures to handle them. The personnel involved at
the time were often ex-forces or maverick IT-types.
165
All articles available at http://www.contingencyplanning.com (Accessed: 7 January 2007).
166
More information available at http://www.kroll.com (Accessed: 7 January 2007).
167
More information available at http://www.controlrisks.com (Accessed: 7 January 2007).
94
Chapter 7 Information Security, Disaster Recovery, Business Continuity 95
In the mid 1980s a number of London banks and their subsidiary “network”
management companies168 started to develop bespoke approaches for their
clients. Many of these approaches have stood the test of time in a number of
ways, or, at the very least, have provided a foundation for future developments.
The sort of advice they gave at the time, however, is almost unrecognizable
just 20 years later.
The following is the checklist given to Managing Directors, in the 1980s, to
control sensitive information of a company that excelled in electronic innovations:
• Is there a classification for company information?
• Does the procedure require certain controls?
• Are copies of the procedure issued to all employees?
• Is each employee provided with somewhere safe to lock things away?
• Is there a shredder beside each photocopier?
• Is all sensitive waste shredded?
• Are microfiche readers controlled and negatives disposed of securely?
• Are microfilms prepared by outside contractors securely handled?
• Is telephone equipment checked form time to time for eavesdroppers?
• Is data transfer, whether by computer or telefax, secured against intervention
from outsiders from a physical as opposed to a virtual sense?
• Are board and conference rooms checked on a frequent, random basis to
detect bugging?
• Is access closely controlled to rooms and stores where confidential
documents are kept?
Electronic data transfer at that time was limited to a few major international
centers. e-Mail existed via the company’s own satellite system, but only on a
limited basis. Even so, the controls in place then for managing data were more
relevant to the recovery of the business than to the preservation of the data.
In fact, the preservation of data and information was not a particularly big
issue. This was a private company and the owner pretty much decided what it
was or what it was not appropriate to keep. Today, even as a private company,
this organization could not be quite so independently minded as to the sort of
information it chose to keep – especially in Europe and the United States, and
even in a relatively lightly regulated industry. In the international field, the
company operated freely and carried little in the way of data or presentations,
except that which employees kept in their heads or on traveling overheads. (In
1989, one Managing Director had an early Amstrad laptop confiscated at six
airports during a two-week trip through Africa.) Decisions were made on the
spot and contracts were rarely more than two pages long.
In the banking industry, then as now the most regulated of services, things
were being looked at a little differently. Again, a number of London (and
New York) banks were involved. Their checklist for computer security still
has some resonance today.
168
E.g. Hambros Bank’s Network Security Management Limited.
96 Critical Information Infrastructures : Resilience and Protection
Computer Security:
• Are standards for system design, new applications, changes, etc., written
down in company manual and invariable followed?
• Are new systems and system changes looked at from a fraud vulnerability
point of view?
• Is ownership of all data and programs clearly assigned?
• Is a system manager designated for each installation, network, and PC?
• Is access to all computer resources restricted on a need-to-know basis?
• Is access established on the lowest privileged principle?
• Is access to sensitive files restricted, depending on the privilege level of users?
• Have standard file names been removed from all systems?
• Are “default” and other low-level accounts closely monitored?
• Are all computer installations and communications physically secured?
• Is access to all terminals physically controlled?
• Are dial port and other means of open access kept to the minimum, and
then on a secure basis?
• Are dial port numbers ex-directory and in a different telephone area from
the company’s voice lines?
• Have all remote users been warned about the dangers of decoy and virus
programs and of logging on after a suspected communications failure?
• Does the system’s console sound and print a warning when repeated failures
to log on are identified?
• Does network software enable the identity of the remote user to be traced?
• Must all passwords be more than seven characters long and alphanumeric?
• Are passwords changed at regular intervals and always after an employee’s
service has been terminated?
• Is there an automatic procedure for checking that a user does not repeat or
rotate passwords?
• Are all password files kept in an encrypted form?
• Is the use of all resources journalized onto tape and printer?
• Are all system failures logged and followed up?
• Are test and production facilities kept completely separate?
• Are restricted utilities catalogued and closely controlled?
• Are temporary files to programs and files audited?
• Are diagnostic and engineering programs kept off-line under secure
conditions?
• Is all line testing equipment kept under secure conditions?
• Are all IP addresses kept securely?
• Have all router passwords been changed from their default?
• Is all audit software kept off-line and loaded only when needed?
• Are copies of important programs and files retained under secure conditions
in remote stores?
• Is all printed output kept securely while awaiting collection by the owner?
• Is all unwanted output shredded prior to disposal?
• Have proper contingency plans been prepared for all important applications
and resources?
• Are all new programs and modifications reviewed by a “peer group” before
being accepted for production purposes?
• Are all program changes and new applications approved by audit before
being accepted for production purposes?
• Are all source programs kept off-line under secure conditions and loaded on
the authority of the owner of senior data processing manager?
• Are printed source listings kept secure and released against signature when
required?
• Are interrelated applications designed to automatically check control totals,
with the minimal of manual intervention?
These same requirements can be seen today underpinning, in particular,
FDA 21 CFR Part II, the Payment Card Industry (Data Security Standard),
as well as being part of the original basis for what has become ISO 17799.
The 1980s were dominated by procedures driven by regulation in the bank-
ing industry in London and New York. This was a time that saw the beginning
of a European approach to business recovery and continuity. By 2005, the
approach was to be driven heavily by the United States. Information security
and business continuity processes were being developed. As before this is
looked at very much from a European/USA perspective. It is the case that, so
far, even many other OECD countries are well behind both the USA and UK
in developing and implementing these sorts of techniques.
The UK’s greatest contribution to information security is probably what
was originally known as British Standard 7799. The development of this
standard, largely by Brian Doswell, spawned an array of consulting services:
Survive! and the Business Continuity Institute being the best known. Such
was the success of this approach that the original British Standard eventually
became the International Standard Organization’s Standard 17799. The key
elements of ISO 17799 are:
• Information Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems Development And Maintenance
• Business Continuity Management
• Compliance
(Now there is also BS 25999 dealing with Business Continuity too.)
The important issue here, if compared to the checklists at the head of the
Chapter, is that there is a shift of emphasis from Business Recovery to Busi-
ness Continuity. A number of the issues mentioned in the early checklists
of the first article are codified and structured with the aim of ensuring that
business continues in the event of a disaster rather than faces the need to just
to recover. Research by the major consultancy companies, Price Waterhouse
Cooper169 and Deloittes170 in particular, has demonstrated that there was an

increasing chance of business survival for those businesses that took Business
Continuity seriously.
The Information Security and Business Continuity “industry” was greatly
assisted during the 1990s by the great Y2K issue. Y2K led to a frenzy of infor-
mation technology investment and security in parallel to the expanding “bubble”
of information technology stocks. It is perhaps not long enough in the past to
have an unbiased view of this period. However, what can be said is that it did
identify, certainly from the year 2000, that man was as reliant on computers for
survival as he was on food, water, shelter, etc. In fact, many of these basics could
not be supplied unless computers worked. Computers were really important.
Business Continuity, but particularly Information Continuity, came of age.
The anticipation of difficulties concerning the Y2K problem led govern-
ments and regulatory bodies to require certain important industries to take
Business Continuity seriously. This assisted the development of the Business
Continuity industry. Using ISO 17799/25999 as a basis many organizations, par-
ticularly regulated bodies were required to produce Business Continuity Plan-
ning manuals. The overall methodology for this approach is a cycle of analysis,
solution design, implementation, testing and acceptance, and maintenance.
Analysis meant both impact analysis and threat analysis. Impact analysis
looked at the difference between critical and noncritical organizational structures.
The recovery/continuity requirements looked at the time frame, the business
requirements and the technical requirements for critical functions. Threats
analysis included disease, earthquakes, fire, flood, cyber attack, hurricane, utility
outage, and terrorism. Following analysis a recovery requirement document
was generally produced.
Solution design looked principally at what the base application and
application data requirements plus the time frame in which these were to be
available. The solution design phase also determines:
• The crisis management command structure
• The location of a secondary work site
• Telecommunications architecture
• Data replication methodology
• The application and software required at a secondary site
• The type of physical data requirements at the secondary work site
Implementation is the execution of the design. Testing and organizational
acceptance may cover:
• Crisis command team call-out testing
• Technical testing of move from primary to secondary locations
169
The State of Information Security 2006. Available at http://www.pwc.com/extweb/
pwcpublications.nsf/docid/3929AC0E90BDB001852571ED0071630B (Accessed:
7 January 2007).
170
The 2006 Technology, Media & Telecommunications Security Survey. Available at
http://www.deloitte.com/dtt/research/0%2C1015%2Ccid%25253D122104%2C00.html
• Technical testing of move from secondary to primary locations

• Application test
• Business process test
Maintenance is concerned with confirming the accuracy of the manual,
testing the technical solutions and testing the documented organization
recovery procedures. This is probably the most important part – not least
because a plan is worthless unless it is regularly tested and kept up to date.
Research by Hyslop (1999)171 through members of the Executive Club of
Chicago in 1999 demonstrated the importance of Business Continuity planning.
Most businesses that suffered some sort of information technology, or other for
that matter, disaster generally went out of business. Those that had some form
of Business Continuity plan tended to survive. In those days (8 years is a long
time in this industry) more than 66% of businesses would admit in an anon-
ymous poll to having had some form of competitive, criminal, or culturally
inspired interruption to their business. In the regulated businesses both the fear
of, and the actual, incident level was higher. Business Continuity, as Business
Recovery had been before it, was driven by the need of the engines of capitalism
to keep turning. More importantly the same research demonstrated a need for
a strategic business approach to handling business information. This more stra-
tegic approach is about building resilience into a business, as a form of DNA.
This is, actually, a radically different approach to business recovery and busi-
ness continuity, which are essentially tactical responses.
In Europe the key engines were in London and Frankfurt. Both these
financial centers were much further forward in planning for Business
Continuity than their European colleagues. In the Far East, another financial
center, Hong Kong, has led the way. Of course, in the USA it has been New
York and Chicago. The 1990s saw the expansion of both the Internet and the
World Wide Web, still based pretty much around data traffic between OECD
countries, and the rise of globalization. Both of these phenomena increased
the threats to both the regulated and nonregulated industries.
The World-Wide Web, Internet, and Globalization not only changed the
threats they also changed the rules of the game. All of a sudden there was a com-
pletely different universe. However, for those that operate within the electronic
economy there is a whole set of new requirements to be met. In an intercon-
nected world you need to be able to stay interconnected. To do so it is no longer
appropriate to recover or find a way of continuing operations, it is important
for those operations to “bounce-back” immediately. Business Resilience there-
fore became practically more important than recovery or continuity, although
it has not been particularly well articulated. In addition, there have been a
number of events that have further changed the threat pattern. These include 11
September 2001 and Enron. These, amongst other events, will hopefully lead a
greater need, and hopefully concentration, on strategic resilience rather than
tactical recovery and continuity programs.
171
There has been a progression from very simple measures to protect business data
and information to the creation of a whole industry dedicated to business continu-
ity. After 11 September 2001 and Enron the slight drop in attention paid to both
business recovery and business continuity prior to both these events was replaced
by rising attention driven primarily by regulation and, increasingly, compliance.
What had started as a very much financial market driven approach in the
UK, Europe, and the USA became an approach dominated by regulation
from federated authorities: the USA, the European Union, and the world’s
financial organizations in particular.
Business Resilience, however, is very different from both Business Recovery
and Business Continuity. In many ways it is a Holy Grail. Most research indicates
that over 75% of companies who fail to institute some form of Business Recov-
ery or Business Continuity process fail to recover from a disaster or attack.172
Resilience means the ability to bounce back from a setback in “original form,”
so there should be no need for either recovery or continuity, and businesses
should not fail. Clearly, in the case of companies hit by some form of disaster
or attack, such a definition means that the company will survive. As business
information becomes increasingly held within information technology systems,
and away from the heads and filing cabinets of managers, resilience becomes
increasingly important for business survival. This is not the only reason for
developing resilient companies. Internal and external auditors are increasingly
looking for more sophisticated record keeping in order to ensure compliance
with a range of regulations. These auditors want to see resilient companies,
because resilient companies will not lose track of, primarily, financial data.
Business Resilience is the ability, as noted, to bounce back in original form.
Regulation and compliance are important drivers. There are, however, at least
three more issues that will drive the move towards resilient companies. These
are asymmetric warfare, obstructive marketing, and the rise of an American
led and dominated electronic economy.
The following regulation and compliance issues have some form of
correspondence with what was known as Business Recovery and Continuity
and what is now required, in terms of formal compliance at today’s date, with
regard to early measure for Business Resilience.
Guidelines for publicly traded companies on stock exchanges:
• Turnbull Guidelines (UK) – Address business continuity, risk management,
and appropriate internal controls for companies listed on the London Stock
Exchange, which first mandated requirements of this type. Stock exchanges
around the globe are watching the impact this has when the compliance date
has been reached and what the domino effect will be.
• NYSE (proposed) Rule 446 – Addresses business continuity, risk management,
and appropriate internal controls for companies listed on the New York
172
Data available at http://www.prem.co.uk/DRStatistics.html (Accessed: 7 January
2007) amongst others.
Stock Exchange. NASD has required that all of its members implement risk
management and business continuity programs.
• Sarbanes-Oxley Act (2002) – Requires auditors (internal and external) to
provide a detailed report on a company’s internal controls to the SEC. This
will be published in the annual reports in its entirety.
Regulations related to privacy, security, risk management, and corporate
governance:
• HIPAA (US) – Includes seven specific business continuity management
points with 2003 compliance by large corporations. Includes federal civil
and criminal penalties.
• Expedited Funds Availability Act (US) – Demonstrated BC plans to ensure
prompt availability of funds (federally chartered financial institutions).
• Gramm-Leach-Bliley Act (US) – Wide range of organizations providing
financial services beyond banks (for example, auto dealers, retail stores,
financial planners, tax preparers, and insurance and real estate industries)
requiring appropriate controls in place for a strong focus on client pri-
vacy. An unusual addition to this act is that it also includes vendors and
suppliers to the institutions identified.
• Presidential Decision Directive (PDD) 63 (US, 1998 and later updates) –
Calls for an effort to ensure the security and continuous availability of criti-
cal infrastructures (physical, IT, and telecommunication) by 2003.
• Telecommunications Regulations 2000 (UK).
• Australian Commonwealth Criminal Code (December 2001 update)
– Establishes criminal penalties for officers and directors of organizations
that experience a major disaster and fail to have a proper business continuity
plan in place.
• Telecommunications Act of 1996 (US).
• Foreign Corrupt Practices Act (FCPA) – Addresses internal controls and
criminal penalties.
Additional regulations and guidelines:
• Computer Fraud and Abuse Act of 1986, revised 1996
• Computer Security Act of 1987, Public Law 100-235
• Federal Financial Institutions Examination Council (FFIEC): Information
Systems Examination Handbook
• Federal Reserve Commercial Bank Examination Manual, Section 4060
Computer Services
• Federal Deposit Insurance Corporation, BL-22-88: Contingency Planning
for Financial Institutions
• Federal Reserve Board, Policy Statement, SR89-16: Interagency Policy on
Contingency Planning for Financial Institutions SP-5
• Federal Reserve Board, Policy Statement, SR97-15 (SPE): Corporate Busi-
ness Resumption and Contingency Planning SP-5
• Federal Reserve Board, Policy Statement, SR98-9 (SUP): Assessment of IT

in the Risk-Focused Framework173
amongst others.
A number of recent surveys seem to indicate that whilst CEOs believe that
Business Resilience, and the Recovery and Continuity procedures that precede
and build it, is important most CSOs/CIOs are reporting budget restrictions.
(See Continuity Planning, March 2006 Newsletter.)174 This is a simple matter
of market economics: “If everyone else is taking the risk why should WE
protect ourselves and increase our costs” says the CEO, reasonably. The real
answer is that he or she is playing Russian roulette with the business. The
banks, oil, and utility companies have at least realized this (compliance may
have pushed them but they are looking for wider Resilience solutions for
sensible and pragmatic commercial reasons now).
Asymmetric Warfare and Obstructive Marketing are covered again in
a later Chapter. Suffice to say they are also important in the context of
Business Resilience.
In Europe there is a growing awareness that the USA could be developing
the means and legal framework to control the global electronic economy.
Such a move would make the rise of China and India potentially irrelevant.
If you are not part of the USA club, the argument goes, then you are out
of the new market! The pros and cons of such an approach are for a later
Chapter. However, consider the following: what would be required of companies
to participate in such an electronic market? Regulation and compliance, yes.
Asymmetric Warfare and Obstructive Marketing defenses, yes. In other words
Business Resilience is the passport to the new Electronic capitalism.
This is a very different environment to Business Recovery in the 1980s!
If your CEO is, as suggested, cutting back on the Information Security budget
then the following should help to refocus his or her mind. Previously the migration
from Business Recovery to Business Resilience has been discussed. No business is
really free from the need to act on Information Security Standards in some way
shape or form. As we know, Information Security is now the business.
The major standards covered here are:
• ISO 17799
• Sarbanes-Oxley
• Health Insurance Portability and Accountability Act (HIPAA) 1996
• Food and Drug Administration 21 Code of Federal Regulation Part ll
• Federal Energy Regulatory Commission/North American Electric Reli-
ability Council
173
More detail available at http://ftp.hp.com/pub/services/continuity/info/corp_gov_
bca_5983-1677EN.pdf (Accessed: 7 January 2007).
174
Available at http://www.contingencyplanning.com/archives/2006/mar (Accessed: 7
January 2007).
• Payment Card Industry Data Security Standard

• Federal Financial Institutions Examinations Council
• Gramm-Leach-Bliley Act
• Basel 11
• Control Objectives for Information and Related Technology (COBIT)
• ITIL
• EU Directive on Data Protection
• UK Data Protection Act
The bad news is that one or more of these enforceable or voluntary standards
are likely to be relevant to your business (and there are some not mentioned
here that are particularly relevant to specific industries). The good news is that
using, for example, ISO 17799 as a base some sense can be made of the overall
requirements – as many of these standards demand similar approaches.
ISO 17799 Section 3.1 Information Security Policy: Issue and Maintain
Information Security Policy. This is a requirement of all other standards.
ISO 17799 Section 4.1 Organizational Security: Management Framework.
This is a requirement of all other standards.
ISO 17799 Section 4.2 Organizational Security: Security of Third Party
Access. This is a requirement of all other standards though not explicitly of
the Payment Card Industry and Basel ll.
ISO 17799 Section 4.3 Organizational Security: Security of Outsourcing.
This is a requirement of all other standards though not explicitly of the Pay-
ment Card Industry and ITIL.
ISO 17799 Section 5.1 Asset Classification and Control: Accountability
for Assets. This is a requirement of all other standards though not explicitly
of the Payment Card Industry.
ISO 17799 Section 5.2 Asset Classifications and Control: Information
Classification. This is a requirement of all other standards though not
explicitly of the Payment card Industry.
ISO 17799 Section 6.1 Personnel Security: Security in Job definition and
resourcing. This is a requirement of all other standards.
ISO 17799 Section 6.2 Personnel Security: User Training. This is a require-
ment of all other standards – though not explicitly of the Payment Card Industry.
ISO 17799 Section 6.3 Personnel Security: Responding To Security Inci-
dents. This is a requirement of all other standards, though not explicitly of
the Payment Card Industry.
ISO 17799 Section 7.1 Physical and Environmental Security: Secure Areas.
This is a requirement of all standards.
ISO 17799 Section 7.2 Physical and Environmental Security: Equipment
Security. This is a requirement of all standards.
ISO 17799 Section 7.3 Physical and Environmental Security: General
Controls. This is a requirement of all Standards.
ISO 17799 Section 8.1 Communications and Operations Management:
Operational Procedures and Responsibilities. This is a requirement of all
standards but not explicitly of the Payment Card Industry.

System Planning and Acceptance. This is a requirement of all standards but
not explicitly of HIPAA, FERC/NERC, Payment Card Industry, FFIEC and
GLBA, and Basel ll.
Protection Against Malicious Software. This is a requirement of all standards.
Housekeeping Routine. This is a requirement of all standards but not explicitly
of the Payment Card Industry and ITIL.
Network Management. This is a requirement of all standards.
Media Handling and Security. This is a requirement of all standards.
Exchanges of Information and Software. This is a requirement of all standards.
ISO 17799 Section 9.1 Access Control: Business Requirement for Access
Control. This is a requirement of all standards.
ISO 17799 Section 9.2 Access Control: User Access Management. This is
a requirement of all standards.
ISO 17799 Section 9.3 Access Control: User Responsibilities. This is a
requirement of all standards.
ISO 17799 Section 9.4 Access Control: Network Access Control. This is a
requirement of all standards.
ISO 17799 Section 9.5 Access Control: Operating System Access Control.
This is a requirement of all standards.
ISO 17799 Section 9.6 Access Control: Application Access Control. This
is a requirement of all standards.
ISO 17799 Section 9.7 Access Control: Monitoring System Access and
Use. This is a requirement of all standards.
ISO 17799 Section 9.8 Access Control: Mobile Computing and Telework-
ing. This is a requirement of all standards, though not explicitly of ITIL.
ISO 17799 Section 10.1 Systems Development and Maintenance: Security
Requirements of Systems. This is a requirement of all standards though not
explicitly of HIPAA and FFIEC/GLBA.
in Application Systems. This is a requirement of all standards.
ISO 17799 Section 10.3 Systems Development and Maintenance: Crypto-
graphic Controls. This is a requirement of all standards though not explicitly
of COBIT.
of System Files. This is a requirement of all standards though not explicitly
of HIPAA and Payment Card Industry.
in Development and Support Processes. This is a requirement of all standards
though not explicitly of HIPAA, FERC/NERC, Payment Card Industry,
FFIEC/GLBA, and Basel ll.
ISO 17799 Section 11.1 Business Continuity Management: Aspects of

Business Continuity Management. This is a requirement of all standards
though not explicitly of Payment card Industry and the EU Directive.
ISO 17799 Section 12.1 Compliance: Compliance With Legal Requirements.
This is a requirement of all standards, though not explicitly of FERC/NERC,
Payment Card Industry, and Basel ll.
ISO 17799 Section 12.2 Compliance: Reviews of Security Policy and
Technical Compliance. This is a requirement of all standards.
ISO 17799 Section 12.3 Compliance: System Audit Considerations. This is
a requirement of all standards.
Health warning: Implicitly all standards expect much the same approach.
Get advice before acting on these comparisons!
It should be noted that ISO 17799 is also a good basis for compliance with
the Sarbanes-Oxley Act. In November 2007 the Markets in Financial Instru-
ments Derivatives will be another regulation, primarily for the Financial Sec-
tor, to take into consideration in Europe.175
In such a short description as this it is not possible to do full justice to each of
the standards. However, the general idea should be clear. It is no longer acceptable
to be reactive in handling Information Security. CSOs/CIOs have all got to be
proactive in managing Information Security. If that is a problem for your CEO
dig out the compliance issues that affect your industry in addition to the generic
ones quoted here and see how you get on with an accountability discussion.
However, these standards still really only address the tactical issues.
Alternatively think about this: The following tables and the above description
of the developments in the recovery and continuity business areas demonstrate
the immense amount of activity that has been devoted to this area. A contention
could be that this is looking through the wrong lens. This is very operationally
based activity with, frequently, very little visibility at C-suite level. Further it’s
not really about resilience in a true sense, and nor is this activity truly strategic.
At worst it can be described as a quick tactical response to an irritating problem.
However, this book should have identified by now that the issue is actually much
bigger than this. Any self-respecting CEO would expect his CFO to have a firm
handle on the finances of the business.
Yet, time and again, the matter of information management in a company
is dealt with 2–4 levels down from the C-suite. This is because the issue of
information management and security is looked at completely incorrectly.
A reasonable analogy is that of Brands. Brands at one stage were given no value
on balance sheets. Now they are. Information management is given no value on
a balance sheet. Is this truly appropriate? What does information management
deliver? Well it can be argued that it is the DNA of businesses. Businesses with
“good” DNA do well; those with “poor” DNA do badly. Another way of
175
Information on MiFID available at http://www.fsa.gov.uk/Pages/About/What/
International/EU/fsap/mifid/index.shtml (Accessed: 7 January 2007).
looking at it is that proper information management represents the difference

between the net book value of a company and the market capitalization.
The value difference between these two figures represents the “good” DNA,
the excellent direction, and the effective management’s contribution to the
business’ value. This should make the strategic importance of information
management and security, and the need to be involved, especially, in Critical
Information Infrastructure Protection of importance to C-suite members.
This implies an executive board member, the CIO. This is a concept that has
developed well in the USA, so far less well elsewhere. It is absolutely critical
to understand that a strategic approach to business information security and
resilience in Information Infrastructure is vital for the future success of any
business. This can be undertaken on a full-time basis, for large companies, or
a part-time basis for SMEs.176 The key responsibilities of the CIO would be:
• Develop a strategic corporate policy for Information Infrastructure
• Managing and mitigating the Information Infrastructure corporate risk
profile
• Institute corporate standards for Information Infrastructure
• Design, implement, and maintain an integrated corporate Information
Infrastructure
• Plan investment and finance with regard to Information Infrastructure
• Liaise with other Chief Officers with regard to their corporate and depart-
mental requirements
• Engineer appropriate business processes to use the Information Infrastruc-
ture appropriately
• Deliver an effective corporate knowledge base and information sharing pro-
tocols
• Monitor performance, strengths, and weaknesses in the Information Infra-
structure and correct as necessary
• Advocate a quality approach to Information Infrastructure
• Evaluate the potential of new technologies
• Establish appropriate user fora
• Adopt appropriate business recovery and continuity plans
• Act as the company’s Information Infrastructure spokesman
• Lead the corporate crisis management team
• Comply with business specific and generic requirements with regard to
Information Infrastructure
• Maintain an appropriate dialogue with other C-suite members
• Deliver a resilient organization based on an excellent Information Infrastructure
Note: The major standards discussed in this Chapter are compared, in a little
more detail, in the following tables:
176
Many SMEs use part time HR Directors. The same principle can be applied to
CIOs. Onyx Group, www.onyx-group.net, is a company that handles part-time CIOs,
business recovery, continuity, and resilience – and all associated services.
TABLE 3. Comparison of international information security standards
Payment card industry
ISO 17799 Sarbanes-Oxley COSO HIPAA FDA 21 CFR FERC/NERC data security standard
Section: 1
Section: 2
Section: 3.1 Internal Environment Security Standard: (c) Protection of records 1201. Cyber Security Maintain an Information
Commitment to 1. Sanction Policy (R) throughout the records Policy Security Policy:
Requirement: Competence (a) 2. Assigned Security retention period 1210. Information 12. Maintain a policy
Information Security Organizational Responsibility (R) Protection that addresses
Policy Structure information security
Objective: Human resource
Policies and practices
Issue and maintain an Objective Setting
information security Risk Appetite
policy across the Risk tolerance
organization Risk Assessment
Likelihood and Impact
Section: 4.1 Internal Environment Security Standard: (c) Protection of records 1201. Cyber Security Maintain an Information
Commitment to 2. Assigned Security throughout the records Policy Security Policy:
Requirement: Competence responsibility (R) retention period 1210. Information 12. Maintain a policy
Organizational Security Organizational (a) 1. Information System Protection that addresses
Structure Activity Review (R) information security
Objective: Human resource
Infrastructure: A manage- Policies and Practices
ment framework should
be established to initiate Control Activities
and control the imple- General Controls
mentation of informa-
tion security within the Information and
organization Communication
(continued)
Section: 4.2 Internal Environment Security Standard: (c) Protection of records 1207. personnel N/A
Requirement: Management’s Phi- (b) 1. Written contract or throughout the records 1210. Information
Organizational Security losophy and Operating other arrangement retention period Protection
Objectives: Style
Third-party access: To Human resource
maintain the security Policies and Practices
of information assets Risk Assessment
accessed by third parties Likelihood and Impact
Control Activities
General Controls
Section: 4.3 Internal Environment Security Standard: (c) Protection of records 1207. personnel N/A
Requirement: Commitment to (b) 1. Written contract or throughout the records 1210. Information
Organizational Security Competence other arrangement retention period Protection
Objectives: Human resource
Outsourcing: To Policies and Practices
maintain the security Risk Assessment
of information when Likelihood and Impact
information processing Control Activities
is outsourced to another General Controls
organization Information and
Communication
Monitoring
Section: 5.1 Control Activities Physical Standard: (c) Protection of records 1202. Critical Cyber N/A
Requirement: General Controls (d) 2. Device and media throughout the records Assets
Asset Classification and Controls – Account- retention period 1210. Information
Control ability (A) Protection
Objectives:
Accountability for assets:
All major informa-
tion assets should be
accounted for and have
a nominated owner
Section: 5.2 Risk Assessment Security Standard: (c) Protection of records 1202. Critical Cyber N/A
Likelihood and Impact 1. Risk Analysis (R) throughout the records Assets
Requirement: Event Identification (a) 1. Risk Manage- retention period 1210. Information
Asset Classification and Event Categories ment (R) Protection
Control
Objectives:
Information Classifica-
tion: Information
should be classified
to indicate the need,
priorities, and degree of
protection
(continued)
Section: 6.1 Internal Environment Security Standard: (c) Protection of records 1207. Personnel Implement Strong Access
Requirement: Human Resource (a) 1. Sanction Policy (R) throughout the records Control Measures:
Personnel Security Policies and Practices (a) 3. Authorization and/ retention period 8. Assign a unique ID
Objectives: Control Activities or Supervision (A) to each person with
Security in Job defini- General Control (a) 3. Workforce Clear- computer access
tion and resourcing: Information and ance procedure (A)
To reduce the risks of Communication (a) 3. Termination
human error, theft, Procedures
fraud, or misuse of
facilities
Section: 6.2 Internal Environment Security Standard: (c) Protection of records 1207. Personnel N/A
Human Resource Poli- (a) 5. Security throughout the records 1211. Training
Requirement: cies and Practices reminders (A) retention period
Personnel Security Control Activities (I) Users of electronic
General Control record/eelectronic
Objectives: Information and Com- signature systems have
User Training: To ensure munication appropriate education,
that users are aware of training and experience
information security
threats and concerns
and are equipped to
support security policy
in the course of their
normal work
Section: 6.3 Event Identification: Security Standard: Validation of systems and 1211. Training N/A
Requirement: Event Interdependencies 1. Sanction Policy the ability to discern 1214. Electronic
Personnel Security Risk Response: (a) 5. Protection from invalid or altered Incident Response
Objectives: Identify Risk Responses Malicious Software records Actions
Responding to Security Select Responses (a) 6. Response and (c) Protection of records 1215. Physical
Incidents and Malfunc- Control Activities reporting (R) throughout the records Incident response
tions: Incidents affect- General Controls (a) 7. Emergency Mode retention period Actions
ing security should be Information and Operation Plan (R)
reported through appro- Communication
priate management Monitoring
channels as quickly as
possible
Section: 7.1 Control Activities: Security Standard: (c) Protection of records 1205. Physical Secu- Implement Strong Access
Requirement: General Controls (a) 3. Authorization and/ throughout the records rity Perimeter Control Measures:
Physical and Information and or Supervision (A) retention period 1206. Physical Access 9. Restrict physical access
Environmental Security Communication 3. Workforce Clearance Controls to cardholder data
Objectives: Monitoring Procedure (A) 1208. Monitoring
Equipment Security: Physical Standard: Physical Access
Equipment should be (a) 1. Facility Access
physically protected Control
from security threats (a) 2. Facility Security
and environmental Plan
hazards (a) 2. Access Control
and validation Pro-
cedures
(continued)
Section: 7.2 Control Activities: Physical Standard: (c) Protection of records 1205. Physical Secu- Implement Strong Access
Requirement: General Controls Workstation Use (R) throughout the records rity Perimeter Control Measures:
Physical and Information and Workstation Security retention period 1206. Physical Access 9. Restrict physical access
Environmental Security Communication 1. Device and media Controls to cardholder data
Objectives: Controls – Disposal 1208. Monitoring
Equipment Security: (R) Physical Access
Equipment should be (d) 2. Media reuse (R) 1210. Information
physically protected Protection
from security threats
and environmental
hazards
Section: 7.3 Control Activities: Physical Standard: (c) Protection of records 1205. Physical Secu- Implement Strong Access
General Controls (a) 1. Facility Access throughout the records rity Perimeter Control Measures:
Requirement: Information and Control retention period 1206. Physical Access 9. Restrict physical
Physical and Communication (d) 2. device and media Controls access to cardholder
Environmental Security Controls – Account- 1208. Monitoring data
ability (A) Physical Access
Objectives: 1210. Information
General Controls: To Protection
prevent compromise or
theft of information
Section: 8.1 Internal Environment Security Standard: Validation of systems and 1214. Electronic N/A
Assignment of Authority 1. Information System the ability to discern Incident Response
Requirement: and Responsibility Activity review (R) invalid or altered Actions
Communications and Risk response: (a) 1. Sanction Policy records 1215. Physical
Operations Identify Risk Responses (R) (c) Protection of records Incident Response
Management Select Responses (a) 2. Assigned Security throughout the records Actions
Control Activities responsibility (R) retention period
Objectives: General Controls (b) 1. Written Contract (f) Use of operational
Operational Procedures Monitoring or Other Arrange- system checks to
and Acceptance: ment (R) enforce sequencing
Advanced planning and 6. Response and report- of steps and events as
preparation are required ing (R) appropriate
to ensure the availability Physical Standard (k) Use of appropriate
of adequate capacity (a) 2. Contingency controls over systems
and resources. Operations (R) documentation
Section: 8.2 Control Activities N/A Validation of systems and N/A N/A
General Controls the ability to discern
Requirement: Monitoring invalid or altered
Communications and records
Operations Manage- (c) Protection of records
ment throughout the records
retention period
Objectives:
System Planning and
Acceptance: Advanced
planning and prepara-
tion are required to
ensure the availability
of adequate capacity
and resources.
(continued)
Section: 8.3 Event identification: Security Standard: (c) Protection of records 1210. Information Build and Maintain a
Event interdependencies (a) 5. Protection from throughout the records Protection Secure Network:
Requirement: Risk Response: Malicious Software retention period 1212. Systems Man- Install and maintain a
Communications and Identify Risk Responses (A) agement firewall
Operations Manage- Select Responses 1214. Electronic Maintain a Vulnerability
ment. Control Activities Incident Response Management Program:
General Controls Actions 5. Use and regularly
Objectives: Information and Com- update antivirus
Protection Against Mali- munication software
cious Software. Precau- Monitoring
tions are required to
prevent and detect the
introduction of mali-
cious software
Section: 8.4 Event Identification: Security Standard: (c) Protection of records 1211. Training N/A
Event interdependencies (a) 7. Data backup Plan throughout the records 1216. recovery Plans
Requirement: Control Activities (a) 7. Disaster recovery retention period
Communications an d General Controls Plan (R)
Operations Manage- Monitoring (a) 7. Emergency Mode
ment Operation Plan (R)
7. Testing and Revision
Objectives: procedure (A)
House keeping: Routine Physical Standard:
procedures for imple- (a) 2. Contingency
menting the back-up Operations (R)
strategy (a) 2. Data Backup and
Storage (A)
Section: 8.5 Risk Assessment Technical Standard: (c) Protection of records 1203. Electronic Secu- Build and Maintain a
Control Activities (a) 2. Encryption and throughout the records rity Perimeter Secure Network:
Requirement: General Controls Decryption (A) retention period 1210. Information 1. Install and maintain a
Communications and Monitoring (e) 1. Transmission Protection firewall
Operations Manage- Secuirty 1212. Systems Man- Maintain a vulnerability
ment (e) 2. Integrity Controls agement Management Program:
Objectives: 5. Use and regularly
Network Management: update antivirus
Security management software
of networks spanning
organizational bounda-
ries and/or public
networks
Section: 8.6 Control Activities Physical Standard (c) Protection of records 1206. Physical Access Protect Cardholder Data:
General Controls (d) 1. device and media throughout the records Controls protect stored data
Requirement: Information and Com- Controls – Disposal retention period 1210. Information Implement Strong Access
Communications and munication (R) (e) Use of secure, Protection Control measures:
Operations Management (d) 2. media reuse (R) computer-generated 9. Restrict physical access
(d) 2. device and media audit trails, which are to cardholder data
Objectives: Controls – Account- retained for a certain
Media Handling and ability (A) period of time
Security: procedures for
protecting tapes, disks,
cassettes from damage,
theft, and unaccess
(continued)
Section: 8.7 Risk Assessment Security Standard (c) Protection of records 1210. Information Build and Maintain a
Risk Response: 1. Written contract or throughout the records Protection Secure Network:
Requirement: Select Responses other arrangement retention period 1. Install and maintain a
Communications and Control Activities Technical Standard firewall
Operations Management General Controls 2. Encryption and
Information and Com- Decryption (A)
Objectives: munication (d) Person or Entry
Exchanges of Information Monitoring Authentication (R)
and Software: Controls (e) 1. Transmission
for exchanges of Infor- Security
mation and software (e) 2. Integrity Controls
between organizations (A)
Section: 9.1 Internal Environment Security Standard (c) Protection of records 1203. Electronic Secu- Implement Strong Access
Human Resource Poli- 4. Access Authorization throughout the records rity Perimeter Control Measures:
Requirement: cies and Practices (A) retention period 1206. Physical Access 7. Restrict access to data
Access Control Control Activities: Controls by business-need-to-
General Controls 1207. Personnel know
Objectives: 1210. Information
Business requirements for Protection
Access Control: Access 1212. Systems
control policies and rules Management
Section: 9.2 Control Activities: Security Standard (c) Protection of records 1203. Electronic Secu- Implement Strong Access
General Controls 4. Access Authorization throughout the records rity Perimeter Control Measures:
Requirement: Monitoring (A) retention period 1206. Physical Access 7. Restrict access to data
Access control 4. Access Establishment (d) Limiting system access Controls by business-need-to-
and Modification (A) to individuals 1210. Information know
Objectives: (a) 5. Password Manage- (g) Use of authority Protection
User Access Management: ment (A) checks to ensure that 1212. Systems Man-
Formal procedures Technical Standard: only individuals can use agement
to control the alloca- (a) 2. Unique User Iden- the system
tion of access rights to tification (R)
information systems
and services.
Section: 9.3 Internal Environment Security Standard: (c) Protection of records 1203. Electronic Secu- Build and Maintain a
Human Resource Poli- (a) 5. Password manage- throughout the records rity Perimeter Secure Network:
Requirement: cies and Practices ment (A) retention period 1206. Physical Access 2. Do not use vendor-
Access Control Control Activities: Physical Standard: (d) Limiting system access Controls supplied defaults for
General Controls Workstation Use (R) to authorized individu- 1211. Training system passwords.
Objectives: Workstation Security als 1212. Systems Man- Implement Strong Access
User Responsibilities: Use of authority checks agement Control measures:
User awareness par- to ensure that only 8. Assign a unique ID
ticularly with the use authorized individuals to each person with
of passwords and the can use the system computer access
security of equipment (i) Users of electronic
record/electronic
signature system have
appropriate education,
training and experience
(continued)
Section: 9.4 Internal Environment: Security Standard (c) Protection of records 1203. Electronic Secu- Implement Strong Access
Human Resource Poli- 5. Password Management throughout the records rity Perimeter Control measures:
Requirement: cies and Practices (A) retention period 1207. Personnel 8. Assign a unique ID
Access Control Control Activities Technical Standard (d) Limiting system access to each person with
General Controls 2. Mechanism to Authen- to individuals computer access
Objectives: Monitoring ticate Electronic (g) Use of authority
Network Access Control: Protected Health checks to ensure that
Ensure that appropriate Information (A) only individuals can use
authentication mecha- (d) Person or Entity the system
nisms for users and Authentication (R)
equipment are in place
Section: 9.5 Internal Environment: Security Standard (c) Protection of records 1203. Electronic Secu- Build and Maintain a
Human Resource Poli- 4. Access Establishment throughout the records rity Perimeter Secure Network:
Requirement: cies and Practices and Modification (A) retention period 1207. Personnel 2. Do not use vendor-
Access Control Control Activities 5. Password management (d) Limiting system access 1209. Monitoring supplied defaults for
General Controls (A) to individuals Electronic Access system passwords.
Objectives: Monitoring Technical Standard: (g) Use of authority 1212. Systems Man- Implement Strong Access
Operating System Access (a) 2. Unique user identi- checks to ensure that agement Control measures:
Control: Security at fication (R) only individuals can use 8. Assign a unique ID
the operating system 2. Automatic Logoff (A) the system to each person with
level to control access. (d) Person or Entity computer access
Methods include ensure Authentication (R)
quality passwords, user
authentication, and the
recording of success-
ful and failed system
accesses
Section: 9.6 Control Activities: Security Standard: (c) Protection of records 1203. Electronic Secu- Build and Maintain a
* General Controls 4. Access Establishment throughout the records rity Perimeter Secure Network:
Requirement: and Modification (A) retention period 1207. Personnel 2. Do not use vendor-
Access Control 5. Password management (d) Limiting system access supplied defaults for
(A) to individuals system passwords
Objectives: Technical Standard: (g) Use of authority Implement Strong Access
Application Access Con- (a) 2. Unique user identi- checks to ensure that Control measures:
trol: Security to restrict fication (R) only individuals can use 8. Assign a unique ID
access within applica- (d) Person or Entity the system to each person with
tion systems Authentication (R) computer access
Section: 9.7 Control Activities: Security Standard: Validation of systems and 1203. Electronic Secu- Implement Strong Access
General Controls 5. Log-In Monitoring (A) the ability to discern rity Perimeter Control measures:
Requirement: Monitoring 1. Information System invalid or altered 1206. Physical Access 8. Assign a unique ID
Access Control Activity review (R) records Controls to each person with
8. Audit Controls (R) (c) Protection of records 1207. Personnel computer access
Objectives: throughout the records 1209. Monitoring Regularly Monitor and
Monitoring System Access retention period Electronic Access test Networks:
and Use: Systems should (d) Limiting system access 10. Track and monitor
be monitored to detect to authorized individuals all access to network
deviations from access (g) Use of authority resources and card-
control policy and pro- checks to ensure that holder data
vide evidence in case of only individuals can use
security incidents the system
(continued)
Section: 9.8 Internal Environment: Security Standard: (c) Protection of records 1203. Electronic Secu- Implement Strong Access
Human Resource Poli- (a) 4. Access Establish- throughout the records rity Perimeter Control measures:
Requirement:
cies and Practices ment and Modification retention period 1212. Systems Man- 8. Assign a unique ID
Access Control
Control Activities: (A) (d) Limiting system access agement to each person with
Objectives: General Controls to authorized individuals computer access
Mobile Computing and Monitoring (g) Use of authority checks
Teleworking: To ensure to ensure that only autho
information security rized individuals can use
when using mobile com- the system
puting and teleworking
facilities
Section: 10.1 Control Activities: N/A (c) Protection of records 1210. Information Maintain a Vulner-
General Controls throughout the records Protection ability Management
Requirement: Monitoring retention period Programme:
Systems development and (e) Use of secure, 6. Develop and maintain
Maintenance computer-generated secure systems and
audit trails, which are applications
Objectives: retained for certain
Security Requirements period of time
of Systems: To ensure (k) Use of appropriate
that security is built into controls over systems
information systems, documentation
including infrastructure,
business applications,
and user-developed
applications
Section: 10.2 Control Activities: Technical Standard: (c) Protection of records 1212. Systems Man- Maintain a Vulner-
General Controls 2. Transmission Security throughout the records agement ability Management
Requirement: – Integrity Controls (A) retention period Programme:
Systems development and (e) Use of secure, 6. Develop and maintain
Maintenance computer-generated secure systems and
audit trails, which are applications
Security in Applications period of time
Systems: To prevent (f) Use of operational
loss, modification, or system checks to enforce
misuse of user data in sequencing of steps and
application systems events as appropriate
(k) Use of appropriate
controls over systems
documentation
Section: 10.3 Control Activities: Technical Standard: (c) Protection of records 1203. Electronic Secu- Protect Cardholder Data:
General Controls (a) 2. Encryption and throughout the records rity Perimeter 4. Encrypt transmission
Requirement: Monitoring Decryption (A) retention period of cardholder data and
Systems development and (e) 2. Transmission (e) Use of secure, sensitive information
Maintenance Security computer-generated across public networks
– Encryption (A) audit trails, which are
Cryptographic Controls: period of time
Cryptographic systems (h) Use of device checks
and techniques should to determine validity
be used for information of source data input or
considered at risk operational instruction
documentation
(continued)
Section: 10.4 Control Activities: N/A (a) Validation of systems 1203. Electronic Secu- N/A
General Controls and the ability to dis- rity Perimeter
Requirement: Information and Com- cern invalid or altered 1210. Information
Systems Development and munication records Protection
Maintenance Monitoring (c) Protection of records 1212. Systems Man-
throughout the records agement
Objectives: retention period
Security of System Files: (e) Use of secure,
Access to system files computer-generated
should be controlled audit trails, which are
retained for certain
period of time
documentation
Section: 10.5 Control Activities: N/A (c) Protection of records N/A N/A
General Controls throughout the records
Requirement: Monitoring retention period
Systems Development and (k) Use of appropriate
Maintenance controls over systems
documentation
Objectives:
Security in Development
and Support Processes:
Project and support
environments should be
strictly controlled
Section: 11.1 Event Identification: Security Standard: (c) Protection of records 1211. Training N/A
Event Interdependencies 7. Disaster recovery Plan throughout the records 1214. Electronic
Requirement: Risk Response: (R) retention period Incident response
Business Continuity Man- Identify Risk Responses 7. Testing and Revision Actions
agement Select Responses Procedures (A) 1216. Recovery Plans
Control Activities: (a) 7. Applications
Objectives: General Controls and Data Criticality
Aspects of Business Con- Information and Com- Analysis
tinuity management: To munication
counteract interruptions Monitoring
to business activities
and to protect critical
business processes from
the effects of major
failures or disasters
Section: 12.1 Internal Environment: Security Standard: (c) Protection of records N/A N/A
Risk Appetite 1. Sanction Policy (R) throughout the records
Requirement: Commitment to Com- (a) 6. Response and retention period
Compliance petence reporting (R)
Event Identification: (b) 1. Written Contract
Objectives: Risks and Opportunities or Other Arrangement
Compliance With Legal Risk Assessment: (R)
Requirements: To Likelihood and Impact
avoid breaches of any Control Activities:
criminal and civil law, General Controls
statutory, regulatory, or Information and Com-
contractual munication
Monitoring
(continued)
Section: 12.2 Internal Environment: Security Standard: (a) Validation of systems 1212. Systems Man- Regularly Monitor and
Risk Appetite (a) 8. Technical Evalu- and the ability to dis- agement test Networks:
Requirement: Commitment to Com- ation that measures cern invalid or altered 1213. Test Procedures 10. Track and monitor
Compliance petence compliance with secu- records all access to network
Control Activities: rity requirements (R) (c) Protection of records resources and card-
Objectives: General Controls throughout the records holder data
Reviews of Security Monitoring retention period Regularly Monitor and
Policy and Technical (f) Use of operational sys- test Networks:
Compliance: Reviews tems checks to enforce 11. Regularly test
should be performed sequencing of steps and security systems and
against the appropriate events as appropriate processes
security policies and the
technical platforms and
information systems
should be audited
Section: 12.3 Monitoring Security Standard: (c) Protection of records 1213. Test Procedures Regularly Monitor and
(b) 8. Audit Controls (R) throughout the records test Networks:
Requirement: retention period 10. Track and monitor
Compliance all access to network
resources and card-
Objectives: holder data
System Audit Considera-
tions:
There should be controls
to safeguard opera-
tional systems and audit
tools during system
audits
ISO 17799 FFIEC & GLBA Basel II COBIT ® ITIL EU directive UK data protection
Section: 1
Section: 2
Section: 3.1 Security Process Risk Manage- Plan: 2.2.3 Responsibilities, Section 20: Measures to Seventh Principle
Roles and respon- ment Define a Strategic powers, and duties safeguard the security Technical and organi-
Requirement: sibilities Organizational IT Plan are clearly specified of communications zational measures
Information Management Define the IT by policy, processes, against un or unlawful
Security Policy Information Secu- Policy Manage- Organization procedures, and Article 4: Technical processing of personal
Objective: rity Strategy ment and relationships work instructions and organizational data
Issue and maintain an Communicate measures to safeguard
information security Management electronic communica-
policy across the Aims and Direc- tions services
organization tion
Manage Human
resources
Section: 4.1 Security Process Risk Manage- Deliver: 4.1.1 Establish a man- Section 20: Measures to First Principle:
Roles and respon- ment Ensure Systems agement framework safeguard the security Personal data shall be
Requirement: sibilities Organizational Security to initiate and man- of communications processed fairly and
Organizational Management age information lawfully
Security Information Secu- security Article 4: Technical
rity Strategy and organizational Second Principle:
Objective: measures to safeguard Personal data shall be
Infrastructure: Key Risk Assess- electronic communica- obtained only for one
A management ment Practices tions services or more specified and
framework should be lawful purposes
established to initi-
ate and control the Seventh Principle:
implementation of Technical and organi-
information security zational measures
within the organiza- against un or unlawful
tion processing of personal
data
Section: 4.2 Security Process N/A Deliver: 4.1.1 Identify the risks Section 20: Measures to Second Principle:
Roles and respon- Manage Third- arising from links safeguard the security Personal data shall be
Requirement: sibilities Party Services with third parties of communications obtained only for one
Organizational Ensure Systems or more specified and
Security Logical and Security Section 32: Subcontract- lawful purposes
Administrative ing and subsequent
Objectives: Access Control data processing should Seventh Principle:
Third-party access: To be in full compliance Technical and organi-
maintain the secu- regarding security of zational measures
rity of information personal data against un or unlawful
assets accessed by processing of personal
third parties Article 4: Technical data
and organizational
measures to safeguard Eighth Principle:
electronic communica- Personal data shall not
tions services be transferred to a
country or territory
outside the European
Economic Area, unless
adequate level of
protection for personal
data is ensured
(continued)
(continued)
Section: 4.3 Security Process Policy Manage- Plan: N/A Section 20: Measures to First Principle: Personal
Roles and respon- ment Manage Quality safeguard the security data shall be processed
Requirement: sibilities Outsourcing of communications fairly and lawfully
Organizational Policy Deliver:
Security Service Provider Manage Third- Section 32: Subcontract- Second Principle:
Oversight Party Services ing and subsequent Personal data shall be
Objectives: SAS 70 Reports Define and Man- data processing should obtained only for one
Outsourcing: To main- age Service be in full compliance or more specified and
tain the security of Security Testing Levels regarding security of lawful purposes
information when Outsourced personal data
information process- Systems Fifth Principle: Personal
ing is outsourced to Article 4: Technical data processed shall
another organization and organizational not be kept for longer
measures to safeguard than necessary
electronic communica-
tions services Seventh Principle:
Technical and organi-
zational measures
against un or unlawful
processing of personal
data
Section: 5.1 Security Process Risk Manage- Plan: 3.3.1 Configuration Section 20: Measures to Seventh Principle:
Roles and respon- ment Define the IT and Asset Manage- safeguard the security Technical and organi-
Requirement: sibilities Asset Manage- Organization ment process of communications zational measures
Asset Classification ment and relationships against un or unlawful
and Control Information 4.2.1 Ensure there is Article 4: Technical processing of personal
Security Risk an overview of the and organizational data
Objectives: Assessment most important measures to safeguard
Accountability for Information information sources electronic communica-
assets: All major Gathering and systems; allo- tions services
information assets Analyze Informa- cate responsibility
should be accounted tion for all information
for and have a and systems
nominated owner
Section: 5.2 Information Risk Manage- Plan: Assess risks 4.2.1 Rules for classi- Section 20: Measures to Seventh Principle:
Security Risk ment Define the fication are outside safeguard the security Technical and organi-
Requirement: Assessment Asset Manage- Information the sphere of ITIL of communications zational measures
Asset Classification Information ment Architecture against un or unlawful
and Control Gathering Article 4: Technical processing of personal
Analyze Informa- Deliver and organizational data
Objectives: tion Ensure Systems measures to safeguard
Information Classifi- Prioritize Security electronic communica- Eighth Principle: Per-
cation: Information responses tions services sonal data shall not
should be classified be transferred to a
to indicate the need, country or territory
priorities and degree outside the European
of protection Economic Area, unless
adequate level of
protection for personal
data is ensured
Section: 6.1 Personnel Secu- Policy Manage- Plan: 4.2.2 Includes job Section 20: Measures to Seventh Principle:
rity ment Manage Human descriptions, safeguard the security Technical and organi-
Requirement: Background Personnel resources applicant screen- of communications zational measures
Personnel Security Checks and Policy ing, confidentiality against un or unlawful
Screening Deliver: agreements Article 4: Technical processing of personal
Objectives: Agreements: Manage Facilities and organizational data
Security in Job defini- Confidentiality, measures to safeguard
tion and resourcing: Nondisclosure, electronic communica-
To reduce the risks and Authorized tions services
of human error, Use
theft, fraud, or mis- Job Descriptions
use of facilities
(continued)
(continued)
Section: 6.2 Personnel Secu- Policy Manage- Plan: 4.2.2 Includes training Section 20: Measures to Second Principle:
rity: ment Manage Human to make employees safeguard the security Personal data shall be
Requirement: Training Personnel Resources aware of security of communications obtained only for one
Personnel Security Policy threats and of or more specified and
Deliver: the importance Article 4: Technical lawful purposes
Objectives: of information and organizational
User Training: To Educate and Train security measures to safeguard Seventh Principle:
ensure that users are Users electronic communica- Technical and organi-
aware of informa- tions services zational measures
tion security threats against un or unlawful
and concerns and processing of personal
are equipped to sup- data
port security policy
in the course of
their normal work
Section: 6.3 Logging and Data Policy Manage- Deliver: 4.2.2 Includes Section 20: Measures to Seventh Principle:
Collection ment Manage Problems responding to safeguard the security Technical and organi-
Requirement: Personnel and Incidents security incidents as of communications zational measures
Personnel Security Intrusion Detec- Policy Manage Opera- quickly as possible against un or unlawful
tion and Virus Scanners tions through the right Article 4: Technical processing of personal
Objectives: response Incident channels and organizational data
Responding to Intrusion response Plan measures to safeguard
Security Incidents Response electronic communica-
and Malfunctions: tions services
Incidents affecting Business Continu-
security should be ity Considera-
reported through tions
appropriate man-
agement channels as
quickly as possible
Section: 7.1 Physical Security: Policy Manage- Deliver: ITIL Environmental Section 20: Measures to Seventh Principle:
Data centre ment Strategy Set safeguard the security Technical and organi-
Requirement: Security Physical Secu- Ensure Systems of communications zational measures
Physical and Environ- Cabinet and Vault rity Policy Security ITIL Environmental against un or unlawful
mental Security Security Manage Data Management Set Article 4: Technical processing of personal
Physical Security Manage Facilities and organizational data
Objectives: in Distributed measures to safeguard
Equipment Security: IS Environ- electronic communica-
Equipment should ments tions services
be physically pro-
tected from security
threats and environ-
mental hazards
Section: 7.2 Physical Security: Policy Manage- Deliver: Select locations for Section 20: Measures to Seventh Principle:
Data centre ment installing equip- safeguard the security Technical and organi-
Requirement: Security Physical Secu- Manage Facilities ment that involve of communications zational measures
Physical and Environ- Cabinet and Vault rity Policy the least risk from against un or unlawful
mental Security Security outside Article 4: Technical processing of personal
Physical Security and organizational data
Equipment Security: IS Environ- electronic communica-
Equipment should ments tions services
be physically pro-
tected from security
threats and environ-
mental hazards
(continued)
(continued)
Section: 7.3 Physical Security: Policy Manage- Deliver: Create an environ- Section 20: Measures to Seventh Principle:
Data centre ment ment that promotes safeguard the security Technical and organi-
Requirement: Security Physical Secu- Manage Data the safe handling of communications zational measures
Physical and Environ- Cabinet and Vault rity Policy Manage Facilities of information and against un or unlawful
mental Security Security systems Article 4: Technical processing of personal
Physical Security and organizational data
General Controls: To IS Environ- electronic communica-
prevent compromise ments tions services
or theft of informa-
tion
Section: 8.1 Security Process Intrusion Deliver: 4.2.3 Ensure there Section 20: Measures to Seventh Principle:
Roles and Respon- Detection are established safeguard the security Technical and organi-
Requirement: sibilities Incident Manage Problems responsibilities for of communications zational measures
Communications and Response and Incidents the management against un or unlawful
Operations Man- Logging and Data Plan Ensure Continuous of all IT resources Article 4: Technical processing of personal
agement Collection Systems Admin- Service and all parts of the and organizational data
istration Manage Opera- IT infrastructure measures to safeguard
Objectives: Intrusion Detec- tions including segrega- electronic communica-
Operational Proce- tion and tion of duties and tions services
dures and Accept- response security incident
ance: Advanced Intrusion Detec- handling
planning and tion
preparation are Intrusion
required to ensure Response
the availability of
adequate capacity Business Continu-
and resources ity Considera-
tions
Section: 8.2 N/A N/A Deliver: 3.3.4 Change Man- Section 20: Measures to Seventh Principle:
agement Process safeguard the security Technical and organi-
Requirement: Ensure Continuous of communications zational measures
Communications and Service 3.4.3 Improving against un or unlawful
Operations Manage Per- performance in Article 4: Technical processing of personal
Management formance and terms of through- and organizational data
Capacity put capacity and measures to safeguard
Objectives: response times; electronic communica-
System Planning other measures tions services
and Acceptance: include resource,
Advanced planning demand and work-
and preparation are load management,
required to ensure application sizing,
the availability of and modeling
adequate capacity
and resources
Section: 8.3 Malicious Code: Cyber Intel- Deliver: 3.3.2 Incident Con- Section 20: Measures to Seventh Principle:
Controls to ligence trol/Help Desk safeguard the security Technical and organi-
Requirement: Com- protect Against Patch Manage- Manage Problems of communications zational measures
munications and malicious Code ment and Incidents 4.2.4 Access Control, against un or unlawful
Operations Man- Firewalls Ensure Systems Antivirus control Article 4: Technical processing of personal
agement. Active Content Security policy and organizational data
Filtering Manage the Con- measures to safeguard
Objectives: Intrusion figuration electronic communica-
Protection Against Detection tions services
Malicious Software. Virus Scanners
Precautions are Incident
required to prevent response Plan
and detect the
introduction of
malicious software
(continued)
(continued)
Section: 8.4 Business Continu- Incident Deliver: ITIL does not Section 20: Measures to Seventh Principle:
ity Considera- Response normally go into safeguard the security Technical and organi-
Requirement: tions Plan Ensure Continuous details on house- of communications zational measures
Communications and Service keeping against un or unlawful
Operations Man- Manage Data Article 4: Technical processing of personal
agement and organizational data
measures to safeguard
Objectives: electronic communica-
House keeping: Rou- tions services
tine procedures for
implementing the
back-up strategy
Section: 8.5 Logical and Risk Manage- Deliver: 4.2.3 Communica- Section 20: Measures to Seventh Principle:
Administrative ment tions and Opera- safeguard the security Technical and organi-
Requirement: Access Control: Asset Manage- Ensure Systems tions Management: of communications zational measures
Communications and Network Access ment Security security measures against un or unlawful
Operations Man- Cyber Intel- for networks Article 4: Technical processing of personal
agement ligence and organizational data
Patch Manage- measures to safeguard
Objectives: ment electronic communica-
Network Manage- Firewalls tions services
ment: Security Active Content
management of Filtering
networks spanning Web Applica-
organizational tion Security
boundaries and or Intrusion
public networks Detection
Virus Scanners
Section: 8.6 Electronic and Physical Secu- Deliver: 3.4.2 Availability Section 20: Measures to Fifth Principle: Personal
Paper-Based rity Management safeguard the security data processed shall
Requirement: Media Han- Manage Data of communications not be kept for longer
Communications and dling: 3.4.4 Fallback Plan- than necessary
Operations Man- Handling and ning Section 22: During the
agement Storage period of storage, Seventh Principle:
Disposal 4.2.3 Communications confidentiality remains Technical and organi-
Objectives: Transit and Operations guaranteed zational measures
Media Handling and Management: han- against un or unlawful
Security: procedures dling and security Article 4: Technical processing of personal
for protecting tapes, of data carriers and organizational data
disks, cassettes from measures to safeguard
damage, theft, and electronic communica-
unaccess tions services
Section: 8.7 Logical and Active Content Deliver: 4.2.3 Communications Section 20: Measures to Seventh Principle:
Administrative Filtering and Operations safeguard the security Technical and organi-
Requirement: Access Control: Firewalls Ensure Systems Management: han- of communications zational measures
Communications and Access Rights Web Applica- Security dling and security against un or unlawful
Operations Man- Administration tion Security of data carriers and Article 4: Technical processing of personal
agement Network Access Virus Scanners network services and organizational data
Remote Access measures to safeguard
Objectives: Agreements should be electronic communica- Eighth Principle: Per-
Exchanges of included in the SLA tions services sonal data shall not
Information and be transferred to a
Software: Controls country or territory
for exchanges of outside the European
Information and Economic Area, unless
software between adequate level of
organizations protection for personal
data is ensured
(continued)
(continued)
Section: 9.1 Logical and Access Con- Deliver: Largely outside the Section 20: Measures to Seventh Principle:
Administrative trols/Authen- scope of ITIL safeguard the security Technical and organi-
Requirement: Access Control: tication Ensure Systems of communications zational measures
Access Control Access Rights Systems Security against un or unlawful
Administration Administra- Section 21: Prevent unac- processing of personal
Objectives: tion cess to communications data
Business requirements
for Access Control: Article 4: Technical
Access control poli- and organizational
cies and rules measures to safeguard
electronic communica-
tions services
Article 6: Processing of
traffic data restricted
to authorized persons
Section: 9.2 Logical and Access Con- Deliver: 4.2.4 Access Control: Section 20: Measures to Seventh Principle:
Administrative trols/Authen- network, computer safeguard the security Technical and organi-
Requirement: Access Control: tication Ensure Systems and application of communications zational measures
Access control Access Rights Active Content Security access control against un or unlawful
Administration Filtering Section 21: Prevent unac- processing of personal
Objectives: Network Access Web Applica- cess to communications data
User Access Manage- Authentication tion Security
ment: Formal proce- Operating Sys- Virus Scanners Article 4: Technical
dures to control the tems Access Systems and organizational
allocation of access Application Administra- measures to safeguard
rights to informa- Access tion electronic communica-
tion systems and Remote Access tions services
services
Section: 9.3 Personnel Secu- Access Con- Deliver: Outside the scope of Section 20: Measures to Seventh Principle:
rity: trols/Authen- ITIL, this is the safeguard the security Technical and organi-
Requirement: Training tication Ensure Systems responsibility of the of communications zational measures
Access Control Virus Scanners Security user organization against un or unlawful
Systems Section 21: Prevent unac- processing of personal
Objectives: Administra- cess to communications data
User Responsibilities: tion
User awareness Article 4: Technical
particularly with the and organizational
use of passwords measures to safeguard
and the security of electronic communica-
equipment tions services
Section: 9.4 Logical and Access Con- Deliver: 4.2.4 Access Control: Section 20: Measures to Seventh Principle:
Administrative trols/Authen- network, computer safeguard the security Technical and organi-
Requirement: Access Control: tication Ensure Systems access control of communications zational measures
Access Control Network Access Active Content Security against un or unlawful
Filtering Section 21: Prevent unac- processing of personal
Objectives: Web Applica- cess to communications data
Network Access Con- tion Security
trol: Ensure that Virus Scanners Article 4: Technical
appropriate authen- and organizational
tication mechanisms measures to safeguard
for users and equip- electronic communica-
ment are in place tions services
(continued)
(continued)
Section: 9.5 Logical and Access Con- Deliver: 4.2.4 Access Control, Section 20: Measures to Seventh Principle:
Administrative trols/Authen- computer access safeguard the security Technical and organi-
Requirement: Access Control: tication Ensure Systems control of communications zational measures
Access Control Operating System Active Content Security against un or unlawful
Access Filtering Section 21: Prevent unac- processing of personal
Operating System tion Security
Access Control: Intrusion detec- Article 4: Technical
Security at the tion and organizational
operating system Virus Scanners measures to safeguard
level to control Systems electronic communica-
access. Methods Administra- tions services
include ensure tion
quality passwords, Article 6: Processing of
user authentication, traffic data restricted
and the recording of to authorized persons
successful and failed
system accesses
Section: 9.6: Logical and Access Con- Deliver: 4.2.4 Access Control: Section 20: Measures to Seventh Principle:
Administrative trols/Authen- application access safeguard the security Technical and organi-
Requirement: Access Control: tication Ensure Systems control of communications zational measures
Access Control Application Active Content Security against un or unlawful
Access Filtering Section 21: Prevent unac- processing of personal
Application Access tion Security
Control: Security Virus Scanners Article 4: Technical
to restrict access and organizational
within application measures to safeguard
systems electronic communica-
tions services
Section: 9.7 Monitoring Access Con- Monitor: 4.2.4 Access Control: Section 20: Measures to Seventh Principle:
trols/Authen- Assess Inter- monitoring and safeguard the security Technical and organi-
Requirement: Logging and Data tication nal Control auditing informa- of communications zational measures
Access Control Collection Active Content Adequacy tion system access against un or unlawful
Filtering Section 21: Prevent unac- processing of personal
Monitoring System tion Security
Access and Use: Virus Scanners Article 4: Technical
Systems should and organizational
be monitored to measures to safeguard
detect deviations electronic communica-
from access control tions services
policy and provide
evidence in case of Article 6: Processing of
security incidents traffic data restricted
Section: 9.8 Logical and Policy Manage- Deliver: N/A Section 20: Measures to Seventh Principle:
Administrative ment safeguard the security Technical and organi-
Requirement: Access Control: Remote System Ensure Systems of communications zational measures
Access Control Authentication Access Con- Security against un or unlawful
Remote Access trols/Authen- Section 21: Prevent unac- processing of personal
Objectives: tication cess to communications data
Mobile Computing Active Content
and Teleworking: To Filtering Article 4: Technical
ensure information Web Applica- and organizational
security when using tion Security measures to safeguard
mobile computing electronic communica-
and teleworking tions services
facilities
(continued)
(continued)
Section: 10.1 N/A Systems Acquire: ITIL book software Section 20: Measures to Seventh Principle:
Administra- lifecycle support safeguard the security Technical and organi-
Requirement: tion Acquire and Main- and the business of communications zational measures
Systems development tain Application perspective set against un or unlawful
and Maintenance Software Article 4: Technical processing of personal
Acquire and Main- ITIL is not specifically and organizational data
Objectives: tain technology concerned with sys- measures to safeguard
Security Requirements Infrastructure tem development electronic communica-
of Systems: To tions services
ensure that security is
built into informa-
tion systems, includ-
ing infrastructure,
business applications,
and user-developed
applications
Section: 10.2 Logical and Cyber Intel- Acquire: ITIL book software Section 20: Measures to Seventh Principle:
Administrative ligence lifecycle support safeguard the security Technical and organi-
Requirement: Access Control: Patch Manage- Acquire and Main- and the business of communications zational measures
Systems development Application ment tain Application perspective set against un or unlawful
and Maintenance Access Systems Software Article 4: Technical processing of personal
Administra- ITIL is not specifically and organizational data
Objectives: tion concerned with sys- measures to safeguard
Security in Applica- tem development electronic communica-
tions Systems: To tions services
prevent loss, modifi-
cation or misuse of
user data in applica-
tion systems
Section: 10.3 Encryption Active Content N/A ITIL is not specifically Section 20: Measures to Seventh Principle:
Filtering concerned with sys- safeguard the security Technical and organi-
Requirement: Web Applica- tem development of communications zational measures
Systems development tion Security against un or unlawful
and Maintenance Virus Scanners Article 4: Technical processing of personal
Systems and organizational data
Objectives: Admini- measures to safeguard
Cryptographic Con- startion electronic communica-
trols: Cryptographic tions services
systems and tech-
niques should be
used for information
considered at risk
Section: 10.4 Logical and Systems Deliver: ITIL is not primarily Section 20: Measures to Seventh Principle:
Administrative Administra- concerned with safeguard the security Technical and organi-
Requirement: Access Control: tion Ensure Systems individual compo- of communications zational measures
Systems Development Operating System Security nents, such as files, against un or unlawful
and Maintenance Access Manage the Con- queues, data, or Article 4: Technical processing of personal
Application figuration messages and organizational data
Objectives: Access Manage Changes measures to safeguard
Security of System electronic communica-
Files: Access to tions services
system files should
be controlled
(continued)
(continued)
Section: 10.5 N/A N/A Deliver: ITIL is not specifically Section 20: Measures to Seventh Principle:
concerned with sys- safeguard the security Technical and organi-
Requirement: Ensure Systems tem development of communications zational measures
Systems Development Security against un or unlawful
and Maintenance Manage Changes Article 4: Technical processing of personal
and organizational data
Objectives: measures to safeguard
Security in Develop- electronic communica-
ment and Support tions services
Processes: Project
and support envi-
ronments should be
strictly controlled
Section: 11.1 Business Continu- Incident Deliver: 3.4.4 Business Conti- N/A Seventh Principle:
ity Considera- Response nuity Planning: an Technical and organi-
Requirement: tions Plan Ensure Continuous entire ITIL book zational measures
Business Continuity Service is dedicated to this against un or unlawful
Management Manage Problems topic processing of personal
and Incidents data
Objectives: Manage Data
Aspects of Business
Continuity manage-
ment: To counteract
interruptions to
business activi-
ties and to protect
critical business
processes from the
effects of major
failures or disasters
Section: 12.1 Regulatory N/A Plan: 4.3 Audit and Evalu- Section 20: Measures to Seventh Principle:
Guidance, Ensure Compliance ate: Security reviews safeguard the security Technical and organi-
Requirement: Resources, with External of IT systems of communications zational measures
Compliance and Standards requirements against un or unlawful
Informa- Article 4: Technical processing of personal
Objectives: tion Security Monitoring: and organizational data
Compliance With Strategy Monitor the Proc- measures to safeguard
Legal Require- esses electronic communica-
ments: To avoid Assess Inter- tions services
breaches of any nal Control
criminal and civil Adequacy
law, statutory, Obtain Independ-
regulatory, or con- ent Assurance
tractual
Section: 12.2 Security Testing: Risk Manage- Acquire: 4.3 Audit and Evalu- Section 20: Measures to Seventh Principle:
Testing Concepts ment ate: Security reviews safeguard the security Technical and organi-
Requirement: and Applica- Asset Manage- Install and of IT systems of communications zational measures
Compliance tion ment Accredit Systems against un or unlawful
Independent Intrusion Article 4: Technical processing of personal
Objectives: Diagnostic tests Detection Monitoring: and organizational data
Reviews of Security Key factors Vulnerability measures to safeguard
Policy and Techni- Outsourced and Penetra- Monitor the proc- electronic communica-
cal Compliance: Systems tion Testing esses tions services
Reviews should be Monitoring and Assess Inter-
performed against Updating nal Control
the appropriate Adequacy
security policies Obtain Independ-
and the techni- ent Assurance
cal platforms and
information systems
should be audited
(continued)
Section: 12.3 Security Testing: Intrusion N/A 4.3 Audit and Evalu- Section 20: Measures to Seventh Principle:
Testing Concepts Detection ate: Security reviews safeguard the security Technical and organi-
Requirement: and Applica- Vulnerability of IT systems of communications zational measures
Compliance tion and Penetra- against un or unlawful
tion Testing Article 4: Technical processing of personal
Objectives: and organizational data
System Audit Consid- measures to safeguard
erations: electronic communica-
There should be con- tions services
trols to safeguard
operational systems
and audit tools dur-
ing system audits
Chapter 8
A Tangential Threat to OECD
Resilience: The Twenty-First Century
East India Company177
This chapter sets out some very general and wide-ranging views, slightly
tongue in cheek, about a possible future trading bloc and consequences,
based on Critical Information Infrastructure and posing a potential threat
to European and OECD resilience in economic terms. This shows that the
existing Infrastructure is not just of use to potential asymmetric fighters. The
more detailed, and serious, work behind these views has been looked at in
the Universities of Northumbria and Nice, at the European Telecommunications
Resilience and Recovery Association and the Institut Pericles. The issue dealt
with here is about a different type of approach to resilience.
In the seventeenth century, one of the then major global powers, Britain,
took the step of establishing a monopoly of commerce between itself and the
Far East. The monopoly was given to the British East India Company. This
relationship culminated in the effective rule of India and control of much
of Britain’s import and export trade. The relationship lasted, in one form or
another, for over 250 years.
The company’s methods were based on a mixture of extraterritorial law
and the establishment of key trading relationships. The company annexed
territory on the grounds that the ruler was evil; it took over territory and
businesses in other ways; and became exempt from many taxes and duties.
Eventually the company became corrupt and was taken over by the State, and
became the basis of Britain’s Asian colonies. A shorter lived, but only by 50
years, enterprise by the Dutch led in turn to the Dutch Asian Colonies.
Essentially these enterprises were state-sponsored resource, globalization
and trading empires operating independently in an anarchic environment. The
wealth accumulated, directly and indirectly, to the sponsor states. They were
a cornerstone of modern-day capitalism, and changed trading practices for-
ever. They also enabled and financed further expansion elsewhere. Even today
177
This idea arose from a conversation between the author, then a Research Fellow
at Northumbria University, and Christian Tafani, Research Fellow, Institut Pericles,
University of Nice, at the ETR2A Conference in Sophia Antipolis in June 2005.
145
the major data highways in the Far East are based on the key trading sites
established by these companies and their allies over 200 years ago.
One view of Capitalism today might be that it has become the dominant
economic system across the world. At the same time as the system becomes
ubiquitous it also tends toward the lowest common denominator and
commoditization. All countries/economies cannot make money out of cars/
textiles/other consumer goods in such an environment. As a consequence
high-cost “advanced” economies start to move out of mass production/manu-
facturing and migrate towards “service” and “knowledge economies.”
The next decade will see both the continued rise of economies such as China
and India and the drift of manufacturing jobs from the advanced nations.
This may gather such momentum over the next five years that anyone who has
recently won an election may come to rue the day.
Some economies recognize that this is not going to be good enough to
sustain an ever-growing standard of living. They recognize that they will
still need to compete with China, and India, if, for no other reason, than to
maintain the cohesion, stability and tax take of their own societies. Some
advanced economies have sufficient critical mass to be in the position to
determine much more successfully than others their own fate. They have large
internal markets and relatively secure international trading patterns. It can be
assumed that Europe and the USA might be two such entities.
These two entities have very different social approaches. On the one hand
there is a purist, noninterventionist, capitalist approach modified by limited
Federal Government regulation, generating high-growth on the back of
Information Technology improvements in particular. On the other hand is
a much more socially motivated model that is constantly concerned that it
is not meeting its rival’s growth, jobs, and tax achievements. It has a looser
Federal structure, but a much more interventionist approach. This gives it
cause for concern about the long-term viability of the social model.
Both entities have historically been aggressive. Components of both are
more likely to settle their differences by war than other means. Both have
tried to take commercial advantage of the “anarchic” vacuum left by the end
of the Cold War. Europe has been the prime example of a Christian–Military
Complex for a millennium or more. The USA has been the prime example
of a Christian–Industrial–Military Complex for a century or more. As the
pace of change compresses the longevity of ascendancy the race is on for
dominance between a Christian–Military–Information Complex, as exemplified
by the USA, and the rest.
This scenario has led researchers at the Universities of Northumbria and
Nice to look closely at the implications for the future. The starting point is the
NU-UN Hypothesis, which states as follows:
That recent political, economic, social, technical, environmental and legal acts
in the United States, the EU and elsewhere will have the effect, coincidentally
or otherwise, of posing a security threat to EU political, economic, social and
technical progress particularly in regard to the Lisbon Agenda, growth and jobs.
Chapter 8 A Tangential Threat to OECD Resilience 147
Another way of interpreting this is to suggest that Europe’s future growth

is at risk from a USA-driven twenty-first century Information-based “East
India Company.”
Perceived and actual extraterritorial legislation from the United States is
impacting many businesses and economies. The legislation may not be directly
applicable outside the USA, but those involved in global supply chains
meeting USA OEM demands are already feeling the effects. An example is
the Sarbanes-Oxley Act – the governance and information technology
requirements of which impact throughout the supply chain. Another is
the Homeland Security Executive order, which also has extraterritorial
implications. Yet another is the Gramm-Leach-Bliley Act. Another is the
HIPPA Act. All of these have an impact not only on how USA companies
participate in the economy, but also how those who wish to interact with
the USA economy participate too. Additionally, as recent events in the
online gambling industry have shown, the USA is perfectly willing to take
protectionist steps to protect certain parts of the economy from online
competition – even when this falls foul of the World Trade Organization.178
At the same time as extraterritorial legislation is impacting business USA
political and social influence expands. From the former southern states of the
former USSR, through the Middle East and South America the influence of
the sole global superpower rises. Militarily the USA is more active than it,
arguably, has ever been in its history.
Despite the activities of Russia, India, and China the world’s resources in
the form of oil and other raw materials are still concentrated in the hands of
American companies and their allies. The development of competitors is limited,
even in places like Russia, because of the huge capital requirements of that
development. Those who hold within their national boundaries large natural
resources are destined to remain the poorer partners – as the oil- and diamond-rich
countries of the twentieth century, for example, have already found.
Any self-respecting USA multinational now seeks tax breaks before
committing to placing economically interesting projects in other countries.
Foreign Direct Investment from the USA is dominated by tax considerations.
Over and above all this the USA controls the new means of access and delivery,
the Internet. Any argument the contrary is simply wishful thinking – as any
map of data traffic and value traffic shows.
So it is contended that the USA, its businesses and its allies have constructed
a Twenty-first Century East India Company with remarkable similarities
to the British East India Company of the Seventeenth Century. It uses
extraterritorial law, the acquisition of resources, trading relationships, and
a new trading mechanism, eCommerce, to accumulate wealth to itself via a
range of commercial partners and military intervention.
178
Kirchgaessner, S and Pimlott, D (2006) US Could Face WTO Pressure Over Online
Protectionism. 4 October. Financial Times.
The good news about this is several fold. Europe is, in general, a good ally of
the USA for all sorts of sensible and pragmatic reasons. Staying that way
would mean, if not the creation of a modern day Dutch East India Company,
then at least participation in the “new” information-driven capitalist market
place. Recent cooperation on cyber crime has been strong.179 This could help
to ensure the preservation of manufacturing, service, and “knowledge” jobs
to the overall benefit of Europe. Further the split between a “new” capitalist
economy based on the USA and the “old” capitalist’ economy based on China
and India could mean benefit for everybody in terms of the overall global
standard of living increase.
On the other hand this could all turn out to be really bad news. The
inability of Europe to keep up and match an aggressive USA may lead to
further unemployment and recession, not more jobs and growth as the Lisbon
Agenda demands. Additionally, an effective global digital divide may cause
more trouble. China and India may wish to challenge the overall strategy;
Russia may feel marginalized, to yet unknown consequences; other groups
may feel even more victimized and marginalized and react with a variety of
cyber and traditional terrorist attacks – all aimed at the heart of the new
market. The on–off aim of Europe to try and create a new Internet is also
bad news –this will exacerbate differences rather than unite similarities for the
good of both.
The USA has a history of destabilizing those that do not entirely conform
to its wishes and is matched in Machiavellian intent, according to some, only
by China. It would be dangerous to be on the outside looking in, rather than
vice versa. The new European Commission has a strategy based on the Lisbon
Agenda. In order to deliver this strategy it has a number of severe challenges
to face. If it does not meet these challenges then the very idea of Europe is
under threat in a way that challenges the underlying tenets of the Union.
Of course, there’s no answer to this. However, there are some givens
in the equation. The first is that there is a need to progress in Europe and
so pragmatic developments and policies are required. A second is that the
Information Economy is not going to go away and so successful involvement
and participation is critical to future success. A third is that there is going to
be a hemorrhage of manufacturing and service jobs and so it will be necessary
to find a way of mitigating this to ensure social stability. A fourth, there will
be a shortage of resources in some of the competing regions and so ownership
of resources and infrastructures is critical for future success and negotiating.
Finally, war has changed; so it is important to understand that war is no
longer about tanks, aircraft, and battleships but about technical superiority,
asymmetries, and bugs. Given these a pragmatic approach to ensure the
delivery of the European social model is extremely important. Cooperation
179
EU Business (2006) US Joins European Cybercrime War. 30 August. EU Business.
Available at http://www.eubusiness.com/Internet/060929201838.df5jgr30 (Accessed:
7 January 2007).
Chapter 8 A Tangential Threat to OECD Resilience 149
between Europe and the USA under the aegis of the OECD could create a
sustainable electronic economic model of advantage to both.
A counter argument is that the supposed extraterritorial nature of USA
laws such as Sarbanes-Oxley are very counter intuitive and counter productive.
Sarbanes-Oxley has resulted in extreme costs, according to some, and has not
really addressed the Governance issues arising from Enron and WorldCom.
It has also resulted in a fall in the number of new business starts and a rise in
the number of Initial Public Offerings on the London markets as opposed to
the USA markets. This in turn has led to potential bids for the London Stock
Exchange from American Exchanges. Thus far from extending its hegemony,
the USA has actually “shot itself in the foot.” However, it remains the case
that this and other legislation can be perceived as being extraterritorial and
supportive of an alternative agenda.
The development of the social model for Europe is under challenge from
a perceived expansionist USA, which is acting in some ways as a latter day
East India Company. It is not clear that the European social model will be
able to sustain this challenge without modification, and such modification is
likely to require a much more aggressive pursuit of the Lisbon Agenda than
is currently evident. In the USA legislation of this nature is not always seen
in such a way.
Chapter 9
Resilience and Outsourcing Call
Centers Offshore: A Case Study
This Chapter seeks to demonstrate that holistic thinking is required when

outsourcing in business. Failure to think of the whole picture may lead to
Information Infrastructure, in particular, being corrupted. It emphasizes the
primacy of Information Infrastructures over other Infrastructures in the private
sector. Call centers are Information-Infrastructure-dependent businesses that
have been increasingly outsourced over recent years. This Chapter will be
an example of how to encourage a strategic approach to Information Infra-
structure, as opposed to a tactical approach to a business issue. This should
help the distinction between resilience, recovery, and continuity.
The future is not known for sure – so what sort of industries there will be is
not known for sure either. What is known is that it will be a bit like today, only
different. This has been the story of development so far. In telecommunications
the pace of change has been so fast that we know that this is likely to have an
impact on the “different” bit of this statement.
The technology exists today for us all in the “connected” world to regulate
our homes, order goods and services, transport ourselves, and communicate
with others by use of our mobile phone. In the “connected” world individual’s
hierarchy of needs has come down to the need to earn money to buy and
pay for a mobile phone – then everything is possible. This, of course, is the
case for the still privileged few. But the actual numbers of this privileged few
will shortly outnumber all persons living at the turn of the twentieth century.
This few is an enormous number of people – enormous numbers (however
relative), as Stalin said (qv), have a quality all of their own.
Call centers are pivotal to this “connected” world. They are the means by
which everything will work. They can be automated or “human” – either
way they have to be reliable and be, above all, user friendly. They must also
make money.
As English is the majority language for the privileged communicators (this
does not mean all users of mobile phones – but those who increasingly use
Information Infrastructure to run and organize their lives) it follows that call
centers must major in English. It will be some years yet before China, for
example, develops the tastes of the American, Japanese, or European middle
150
Chapter 9 Resilience and Outsourcing Call Centers Offshore 151
classes and this is where the money is: over 70% of the world’s GDP and more
of its disposable income.
A telecommunication infrastructure is also a requirement. This does not
just mean a satellite receiving station and/or a switching station. It means a
sophisticated fiber optic and wireless infrastructure supported by appropriate
disaster recovery and support services.
The biggest single risk factor in locating a call center is available personnel,
closely followed by disaster recovery. Such centers and infrastructure require
large capital investments. They cannot safely be located in areas of high
political or economic risk.
The support services required for such operations are varied. They run
from the computer service team on 24 hours standby to replace critical items
to the market research companies looking at forward buying trends in the
market place. Such a combination of skills can only be found in relatively
few sophisticated markets. The more call centers the more of these types of
services are required. These are not “unskilled” jobs – they demand high-tech
or high-marketing skills or a combination of both.
Few long-lived call centers have closed, and most have got bigger and added
further services.
In summary an international call center must:
• Have a market and a product
• Have a low cost base, but access to high quality services
• Have a reliable and user friendly environment
• Have English as the lead language
• Serve the major “disposable” income areas
• Have an infrastructure and disaster recovery services
• Have a labor pool
• Be located in areas of low political and economic risk
• Have high-tech and high-marketing skills to hand.
(N.B. Practical experience in places like Utah, Colorado, Leeds, Dublin,
Amsterdam demonstrates that, unfortunately perhaps, these requirements all
need to be met in the immediate geographical area and cannot be “telecom-
municated” in! (A paradox, but one worth remembering!)
Cost is critical not only to the development of call centers but also to
producing the new “embedded systems” and the marketing tools required
to ensure the continued development of the call center. House builders
and household goods makers are reluctant to take the risks of using such
technology because, although they are relatively slight, the costs involved
erode already tight margins on products. A further paradox therefore is that
the only areas to locate call centers and associated future products are in rela-
tively low labor cost areas, with access to high tech areas. These areas are to
be found in relatively few areas of the USA and Europe. If the other factors
required in location mentioned above are included, then the potential loca-
tions become even fewer.
It would be churlish to single out any particular region, but a potential list
would run as follows:
• Some regions of the USA
• Particular regions of the UK (The North and Scotland being prime – the
former in particular for user friendly voices!).
• The Republic of Ireland (Although there is a potential labor shortage now)
• The Netherlands and Belgium
• Potentially some emerging East European countries such as Romania,
Poland, and the Czech Republic, where English is becoming a relatively
common second language; the accents are pleasant and a high standard of
engineering, marketing, and infrastructure is present
This is a very short list, shorter, in fact, than those countries that could take
a major car plant, electronics plant, or engineering plant. The same list would,
more or less, fulfill most of the other requirements for the establishment of a
call center, but few others could compete, and where this has been tried it has
frequently met with embarrassing failure.
The sorts of support businesses that call centers attract can, as noted, only
attract labor from a high tech pool. These sorts of businesses are, however,
varied and not only demand high skill levels but also promote higher skill
levels in a region.
The System Integrators – the people who actually put the call center
together and then maintain it – need to maintain a pool of software and
hardware engineers skilled in wire and wireless communication. They,
in turn, attract the distributors for the major software and hardware
manufacturers. In their turn they attract the manufacturers of software
and hardware. Sales and marketing teams from these businesses peddle
their wares to associated applications: process control, finance houses, and
local government. This increases the level and sophistication of the use of
technology in an area and has a positive impact on productivity. This in
turn attracts new business and so the circle becomes an ever more virtuous
one. As long as a pool of relatively cheap labor remains then the call centers
usually stay put – as newly acquired local expertise drives improvements in
the industry.
Proper Disaster Recovery is not cheap. Fixed sites need to be prepared to
mirror existing operations in some cases. These need to be moved to by either
a flick of a switch, or physically in short order. The infrastructure required
to do either of these things successfully (and/or maintain the existing facility
with sufficient fail/safe attributes to make it virtually disaster proof) is simply
not available everywhere – not even in the G8 countries. The requirements
of disaster recovery therefore limit location further. The skills for Crisis
Management, Disaster Planning, are dependent on a pool of properly trained
people to be successful.
These, too, are not available everywhere. Where they exist they attract
additional management expertise – often dealing in food contamination
problems, environmental control, and critical infrastructures of all kinds.

This brings yet another level of expertise into play for the region.
Then comes the specialist support services: the data miners, the
forecasters, and the market research companies. These companies bring
research techniques that are at the very forefront of marketing practice.
These techniques have more than one market application – so they get
sold to the car manufacturer, the ice cream maker, and the international
engineering plant – all of whom become more efficient, raising further
the general efficiency of the region. Practical experience tells us that these
companies do move to call center loci.
English may be the lead language, but other languages are needed. The
general tendency is that international call centers improve the language
skills of an area in general. The Universities put on more courses; the adult
education centers change their syllabuses to match the demand for specific
labor. The region becomes more International in outlook – there is a bigger
pool of better-qualified labor. The effects of this can be staggering. The case
study is the Irish Development Agency’s approach. Some years ago they
went round all the schools, wrote to all the parents, spoke to all the children
(everyone) about the skills they would need in five years time because of the
businesses they intended to attract. The success of this program is absolutely
evident today in the high tech nature of the Republic of Ireland’s business
growth over the last ten years and the reduction in unemployment.
Training in other respects becomes important too and there are similar
knock on effects to those previously described from basic telephony training
to sophisticate programming courses at Universities.
Then there is the matter of cost. Few regions are in a position to offer
the incentives that can make call centers an attractive long-term economic
proposition. Even fewer can generate the support services required. Far
fewer can develop those into a forward thinking business. Those that can
need have no fear that the call centers they attract are mobile, unless other
factors such as risk profile changes come into play, and they can be confident
that by attracting them they are adding significantly to the overall skill and
competence base of their region.
A view that call centers enhance the technological and industrial environment
is not universally held. Many believe that they are merely temporary residents,
which milk the incentive round to best advantage. Practical experience would
seem to counter this – certainly historically and currently. What then of the
future?
This Chapter started with the premise that the future will be much the same
as the present but different: and that the “different” bit is likely to stem from
telecommunications and Information Infrastructure. It is certain that the
business of running our lives will be revolutionized. It is equally certain that
new industries will be created – not just to service the telecommunications
providers but also to generate new sorts of businesses currently unthought-of. The
receiving of calls will remain the critical part of the business, and requires an
infrastructure. Already leading telecommunication companies have advanced-

call center technology by connecting customers to a call center via a Web site.
The call centers have not physically moved to provide this service, but their
infrastructure has improved. Such innovations have a host of applications
from medicine through to catalogue shopping –this catalogue shopping will
be able to automatically restock the larder with your regular and favorite
foods, and suggest changes to your diet, which will already have been
prequalified to your taste and budget. The people driving these events
are not in Silicon Valley – they are frequently running call centers and
researchcenters in Troy (MI), Greeley (CO), Cork (Ireland), Sunderland
(UK), Noord-Brabant Netherlands, or Flanders (Belgium): not immediately
identifiable as centers of high tech excellence, but certainly becoming so.
The effects of the changes that will sweep the telecommunication industry
will be passed on to industry at large. Everything will become faster, and
companies will be able to react to all sorts of forces quicker. The ones that do
so first and will continue to do so are likely to be close to existing centers.
In the meantime we have seen 9/11, and much cost cutting in particular
service industries. There has been a consequent trend over the last few years
to outsource call centers from USA and European sites offshore to places
such as India and the Philippines. Typically a “seat” in a USA or European
call center will cost up to $100,000. Savings have been identified through
offshore outsourcing of $50,000 per “seat” and more. However, as with all
change, there are benefits and costs to offshore outsourcing.
Call centers are places customers call to seek satisfaction from suppliers on
such things as choice, orders, order tracking, service, complaints, and account
management of all descriptions. Call centers are typically “in-house” or “out-
sourced.” “In-house” call centers tend to be closely linked, both functionally
and in location, to their principals. “Outsourced” call centers tend to deliver a
similar function for a range of clients. Large, worldwide businesses have emerged
to handle this latter type of service. In-house call centers are rarely outsourced
offshore. However, recently some major companies have announced that they
will outsource the more minor functions of in-house call centers offshore. Out-
sourced call centers are increasingly being located offshore.
Many western financial, airline, and telecommunication companies, in
particular, have led the establishment of call centers to replace generic customer
services in High Street locations. Generic functions are concentrated in one
place and handled by telephone agents acting for a company contracted to
deliver a similar functional service to many principals. Fast moving consumer
goods and government services are also increasingly handled by call centers
– but these are unlikely to be outsourced offshore in quite the same way as
finance, airline, and telecommunication. Financial services, airlines, and
telecommunication companies have led the way in outsourcing. This trend is
unlikely to be followed by other sectors in quite the same way.
Call centre outsourcing has been a feature of western domestic markets
for many years. The trend to offshore outsourcing started some seven years
ago (2000) and has rapidly gathered pace over the last four years (since 2002).
This pace has been driven by cost as principally financial services; airlines and
large telecommunication companies seek to reduce overhead.180 It is difficult
to predict how long the current trend will last. Certainly, as long as there
is real or perceived benefit to offshore outsourcing then the trend is likely
to continue. However, there are some difficulties emerging. These are related
to over expansion of the sector and some anticipated consolidation, cultural
problems particularly in some financial sectors, quality issues at middle
management level, etc, and the emergence of an alternative.
Technology improvements have led to an alternative to offshore outsourcing
emerging. Ki work181 and home-working initiatives practices, particularly in
rural areas in both the USA and Europe, suggest that savings of more than
80% of those achieved in current offshore outsource locations can be achieved
in-country. This approach sees singleton agents working from home for
single or multiple principals. Recent studies also seem to demonstrate that
such savings are matched by retention rates, i.e., how many clients are kept
by the agent/call centre, some 3–5 times higher than those in offshore centers,
and lower “churn” rates, i.e., the agent staff stay longer. Concerns have also
emerged from customers and data protection commissioners over the location
of corporate individual data in “foreign” hands. The drive for offshore
outsourcing is frequently human resource cost driven (as the cost of agents is
often the single biggest cost) and often ignores the higher costs of data transfer
between principal and provider locations.
The pros and cons of outsourcing offshore can be summarized as follows:
Pros Cons/Risks
Lower operating/direct costs Getting the right partner
Fast implementation Quality (sometimes)
Change management by contract Culture
Quality (sometimes) Increased data transfer costs
Flexibility Technology
Political instability (see comments on
Asymmetric Warfare)
Breach of UK/European Data
Protection Legislation and possibly
USA Legislation.
Customer revolt
Ki work emerging
180
For more information on the advantages of outsourcing is available at: http://www.
outsource2india.com/why_outsource/articles/Call_center_outsourcing.asp (Accessed:
7 January 2007).
181
More information on Ki work is available at: http://www.ki-work.com (Accessed:
7 January 2007).
The following is a brief checklist of major areas for attention:

• Overall Internal Controls
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
• IT/Telecommunication
• Definition of relationships
• Risk assessments
• Management
• Performance and capacity
• Continuous Service
• Monitoring of processes
• Assurance
• International data transfer availability, cost, resilience, and recovery
Such a checklist again implies the need for strategically integrated systems,
a robust telecommunication infrastructure, and a tactical business continuity
and disaster recovery plan. In the case of call centers located offshore the
demands on resiliencies very high indeed, and not to be underestimated.
Approaches that deal with the issue from a tactical, human resource perspective,
and not from a strategic, business resilience, perspective are apt to miss the mark.
Ki work exploits the coming together of three forces, which change the way
in which contact/admin center work will be done:
• The recent trend toward offshoring creates a new focus on driving down
transaction costs, although operators are starting to be concerned about
quality trade-offs
• Broadband has become pervasive and the supporting network technology is
now ready for secure virtual call centers
• Increasing stress in the workplace is leading to changes in the way people
view work. Workers desire more flexibility and control over their work/life
balance. A new generation is less interested in the traditional command and
control approach to managing work relationships
In addition, organizations who have work that is suited to a contact/admin
center approach (which are referred to as process owners) are under relentless
pressure to reduce costs, improve quality, reduce staff turnover, and find the
right people.
The companies that manage those contact centers, commonly referred to as
outsource service providers, who account for 12.5% of all contact centers, face
the same problems. The only current solutions using command-and-control
structures are either to increase automation, to offshore to places like India,
or to focus more on customer value. Employees in command-and-control
organizations are subjected to increasing levels of stress and many are now
looking for ways to improve work/life balance. At the same time there is a
largely untapped and highly skilled workforce of independent home workers,
who are seeking more rewarding ways to work, and to have more flexibility
and control over their lives.
Ki workers work from home and are connected to one or more outsource
service providers over a secure broadband connection. Ki work manages the
network that gives them access to that work and supports them in their everyday
activities. It also provides some elements of the infrastructure that enable
process owners and outsource service providers to access the information they
need to manage that work. Ki work is a highly scalable and network-centric
solution that delivers real improvements in service, productivity, and cost and
that matches and integrates the needs of these three groups.
India, Philippines, and South Africa for English, and Mexico and South
America for Spanish are the most popular offshore destinations. In these
locations much money has been put into infrastructure, capitalizing companies
and lobbying. There is some doubt that the returns are there, even with current
growth rates being maintained. This will naturally lead to consolidation and
potential dangers for principals.
Chapter 10
Information Infrastructure:
Resilience, Recovery, and Security
This Chapter is concerned with bringing together much of the foregoing.

There is a little repetition here of earlier comments and statements. This is
supposed to be helpful by way of putting a number of ideas into a context.
It does this by exploring the strategic importance of the relationship between
Information Infrastructure, telecommunications resilience, recovery and
security and both Asymmetric Warfare and Obstructive Marketing. This
relationship is neither well documented nor well understood. However, it is
important to a philosophical and pragmatic approach for sustaining order,
development, and cohesion in Information Infrastructure. This is because it
is now clear that the success of the western/northern world economies, and
sustainability for other economies, is increasingly dependent on the reliable
operation of Information Infrastructure.
The year 2000 was an eventful year for Information Infrastructure and
associated industries. The world did not collapse as a result of the Year
2000 (Y2K) computer stability and calendar issue. Eos (2004)182 describes
how well things actually went. In the middle of the year mankind became
more dependent on computers for survival than anything else, this was
determined largely from Y2K related projects that identified the how and
why of the dependency. The dot.com bubble effectively burst. Bloor (2000)183
catalogues the end of the dot.com dreams. The following year, 2001, as the
first year of the millennium, was almost as important. 2001 was the year in
which the United States of America (USA) economy began to show signs
of massive productivity growth on the back of Business to Business (B2B)
productivity improvements enabled by telecommunications (as tracked by
The Economist, Bloomberg, Business Week, Europa (2004)184 and others); it
182
The Eos Life – Work Resource Centre Y2K Update. Available at http://www.eoslifework.
co.uk/Y2Kupdate.htm (Accessed: 3 January 2007).
183
Bloor, R (2000) The Destruction of Dot Com Dreams. Available at http://www.
it-analysis.com/article.php?articleid=1429 (Accessed: 3 January 2007).
184
Europa (2004) Available at http://www.europa.eu.int/abc/index2_en.htm (Accessed:
3 January 2007).
158
Chapter 10 Information Infrastructure: Resilience, Recovery, and Security 159
TABLE 4. Broadband access in OECD 2003. Proxy for telecommunications and data
usage (Source: OECD185)
Broadband access in OECD countries per 100 inhabitants, June 2003

Source: OECD
25
20
DSL Cable Modem Other

15
10
0
rla um
an a
o D
Sp U
ng al
en nd
Ic ada
O d
ch Ire ary
Tu and
n
m
xe str ly
ep d
lic
Fi tria
er ay
te or e
ew b ia
Po ico
er n
H land
M blic
ak re y
ep e
Sw Sw ds
N B ark
Au tes
a g
C ore
ni Ja nd
d an
an
N EC
E
ai
R lan
ni P anc
Ki g
an
ov G rke
itz ede
he lgi
Lu u Ita
R ec
do
Ze our
N m al
ub
D ela
G rw
u
n
ex
s
a
la
te p
m
nl
l
u
et e
t
m
K
un
St
F r
A
d
ze
U
Sl
U
saw a conservatism develop in the telecommunication players as a counter-point

to both Y2K and as a reaction to the dot.com bubble. This conservatism
was partly a result of reduced expenditure on computer and Information
Infrastructure related items post Y2K. This conservatism reduced the hype
of Business to Consumer (B2C) developments in favor of making B2B work.
At the same time developments in standards began to gather pace according
to the British Standards Institute and others. These changes were exacerbated
by the well-documented events of the 11 September 2001 at the World Trade
Center, New York, USA.
Telecommunications traffic remains massively skewed toward the biggest
world economies (OECD) and remains the driving force of the differential
growth rates between the OECD and others.
Information Infrastructure and associated systems are therefore clearly at
the heart of day-to-day life, economic development and globalization, and,
as a consequence, a key strategic resource. Information Infrastructure is a
Critical Infrastructure.
The elements of a telecommunication system are a transmitter, a medium
(line) and possibly a channel imposed upon the medium, and a receiver. The
transmitter is a device that transforms or encodes the message into a physical
185
Source available at http://www.oecd.org/document/16/0,2340,en_2649_34225_
35526608_1_1_1_1,00.html (Accessed: 7 January 2007).
phenomenon; the signal. The transmission medium, by its physical nature, is

likely to modify or degrade the signal on its path from the transmitter to the
receiver. The receiver has a decoding mechanism capable of recovering the
message within certain limits of signal degradation. In some cases, the final
“receiver” is the human eye and/or ear (or in some extreme cases other sense
organs) and the recovery of the message is done by the brain (see psychoacoustics.)
Free Dictionary.com (2004).186
Note that systems sit on Information Infrastructures and are therefore
both dependent upon them and part of them. Information Infrastructure
encompasses both the infrastructure and the systems.
From such a description it might be inferred that the term Information
Infrastructure resilience has the clear attributes of an oxymoron. Although
this is not true, what is true is that there are a series of dependencies involved
that ensure that the running of a secure Information Infrastructure network
is not a simple, or necessarily secure, task. These dependencies can be mapped
using appropriate software, an example would be the Dependency Modeling
Tool (Wong, 2003)187,188 and a probability of failure arrived at, as well as a
worst combination of events and single points of failure. In order to reduce
difficulties it is important that telecommunication infrastructures are as
resilient, and recoverable, as possible, and dependencies fully understood.
A review of available literature would suggest that Information Infrastruc-
ture resilience is one of the most underresearched and underdeveloped parts
of the telecommunications industry, little is written about it. It is certainly
important as is clear from the ease with which everything from hard wired
national telecommunication networks to the World Wide Web are brought,
frequently, to a crashing halt. The Hong Kong Monetary Authority’s (2002)189
lessons from 11 September 2001 summarize the main issues involved in such
events. General assumptions are also made about resilience, such as the more
open a physical network is the less resilient it is and the more recoverable a
system is the more resilient it is.
Arguments for and against open systems are well made by Anderson
(2002).190 These systems are part of the telecommunication network in that
186
Free Dictionary.com. Available at http://encyclopedia.thefreedictionary.com/Teleco
mmunications%20service (Accessed: 7 January 2007).
187
Wong, A (2003) Before and Beyond Systems: An Empirical Modeling Approach,
Ph.D. Thesis. Department of Computer Science, University of Warwick, UK, January.
Available at http://www.dcs.warwick.ac.uk/~allan (Accessed: 7 January 2007).
188
See also Professor John Gordon’s dependency modeling tool known now as VuRisk.
Available at http://www.johngordonsweb.co.uk/concept/about.html (Accessed:
7 January 2007).
189
Banking Development Department Hong Kong Monetary Authority (2002)
Business Continuity Planning After 9/11, Hong Kong Monetary Authority Quarterly
Bulletin, 11.
190
Anderson, R (2002) Security in Open Versus Closed Systems – The Dance of Boltzmann,
Coase and Moore. Available at http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.
pdf (Accessed: 7 January 2007).
they sit on top of the physical infrastructure. Anderson notes that the statistical
difference between the reliability of open and closed systems is negligible.
Although this is not necessarily the case for the physical networks, it is the
case that a view that closed networks are more secure than open networks is
one that is not statistically or commercially proven.
Reardon (2004)191 has commented on the dangers of allowing proprietary
and ostensibly secure systems, developed by commercial players such as
Microsoft to be deployed on a wide-scale basis. Anderson (2004)192 has
commented similarly, as has the Computer and Communications industry
Association.193 A counter argument is available.194
This Chapter is not going to argue for or against open networks; there is
merit in both open and closed systems. If the status quo is accepted it remains
the case that, open or closed, the resilience of the system needs to be improved
in order that the larger system of predominantly western and northern
society continues to operate successfully. Developing resilience in the existing
open systems raises a whole series of political, economic, social, technical,
environmental, and legal issues others have commented upon. If Anderson
(2002)195 is right then there is, in both systems and networks, an argument for
a greater “defense” role in maintaining networks. The United States House of
Representatives (1996 on)196 is looking ever more closely at this subject.
The “defense” issue is not just evident at a “control” level. It is also evident
at an operational level. Kendra et al. (2003)197 comment as follows in a defense
context in regard to the 11 September 2001 disaster:
Resilience thus requires:
• A high degree of organizational craftsmanship, composed in turn of individually
exercised craftsmanship
• The ability to respond to the singularities in the interactions of social,
technological and natural systems, which requires artistry; and
191
Reardon, M (2004) Microsoft and Cisco Clash on Security CNET.news.com.
17 September. Available at http://insight.zdnet.co.uk/internet/security/0,39020457,
39166968,00.htm (Accessed: 7 January 2004).
192
Anderson, R (2004) Trusted Computing. Available at http://www.cl.cam.ac.uk/
~rja14/tcpa-faq.html (Accessed: 7 January 2007).
193
Report on Cybernet Insecurity. Available at http://www.ccianet.org/papers/
cyberinsecurity.pdf (Accessed: 6 January 2007).
194
An argument that Microsoft is not a threat to US National Security is available
at http://news.netcraft.com/archives/2004/2005/28report_microsoft_not_a_threat_to_
us_national_security.html (Accessed: 6 January 2007).
195
Anderson, R (2004) op. cit.
196
United States. House of Representatives. (1996) The Cyber-Posture of the National
Information Infrastructure. Washington. Chairman: Willis H Ware. Available at http://
www.rand.org/publications/MR/MR976/mr976.html (Accessed: 7 January 2007).
197
Kendra, JM, et al. (2003) Elements of Resilience After the World Trade Centre
Disaster: Reconstituting New York City’s Emergency Operations Centre. Disasters,
27(1) pp. 37–53.
• A sense for what is the same and what is different from prior experience in
every new experience, so that responses are continually adjusted, anomalies
are sensed, and learning occurs and is incorporated into the next incremental
unit of response
This sort of resilience is demonstrated in High Reliability Organizations,
such as submarines and aircraft carriers. Rochlin et al. (1987)198 comment on
why these particular entities are so resilient.
Resilience is not robustness, which is withstanding stress; resilience is not
redundancy, which is about substitution; it is not resourcefulness, which is
about marshalling ingenuity; it is not rapidity, which is about timeliness; “but
these features may also be seen as having a telescoping relationship, wherein the
robustness, redundancy, resourcefulness and capacity for rapidity of elements
that constitute a socio-technical system contribute to the system’s overall
resilience.” Kendra et al. (2003).199
Resilience in children has been well documented. Grotberg (1998)200
identifies 15 elements of resilience – these can be compared to those that can
be seen in Rochlin et al.’s (1987)201 high reliability organization.
TABLE 5. Comparison of Resilience Qualities

Rochlin et al. (1987) – high
Grotberg (1998) – resilient children reliability organizations operator
characteristics characteristics
Trusted network Trust
Limits on behavior Discipline
Show how to do things right Teaching organization
Learn to be independent Learning organization
Assisted when sick Supportive
Am liked and loved Camaraderie
Am well behaved Behavioral norms
Am respectful Hierarchical empathic organization
Am responsible Clear responsibilities
Am confident Confident
Can communicate Formal and informal communication
Can solve problems Solve problems
Can control when things go wrong Adaptive
Opportunistic Opportunistic
Can get help when needed Can get help when needed
198
Rochlin, GI, et al. (1987) The Self-Designing High Reliability Organization: Aircraft
Carrier Flight Operations at Sea, Naval War College Review, Autumn.
199
Kendra, op. cit.
200
Grotberg, E (1998) The International Resilience Project, 55th Annual Convention,
International Council of Psychologists, Graz, Austria, July 14–18, 1997 (published
1998).
201
Rochlin, GI (1987) op. cit.
As Grotberg’s (1998)202 15 characteristics are also evident in the operator

characteristics of high reliability organizations, it would be reasonable to
suggest that such characteristics are those are to be expected in a resilient
telecommunication network. These characteristics need to be evident in both
the equipment, as both Rochlin et al. (1987)203 and Kendra et al. (2003)204
suggest, and the individuals who run it.
The characteristics required of a resilient Information Infrastructure
network would seem to be rare. They are clearly in defense-oriented situations.
They also seem to be evident in those organizations that have a defense
mentality. Individual observation would suggest that they are evident in
operations run by companies such as EDS205 and Qinetiq206; they are becoming
apparent in parts of the Financial Services industry, but seem to be absent
from much of elsewhere.
Information Infrastructure resilience is often confused with telecom-
munications disaster recovery and business continuity planning. It is of course
important to “bounce back” from difficulties, but it is also important that
such a return is to the “original” form. The current emphasis in the industry
with regard to disaster recovery and business continuity planning is akin to
planning “to close the stable door after the horse has bolted,” rather than
securing the door in the first place. The door does need to be more secured.
Information Infrastructure resilience is important. It is the strategic approach,
as opposed to the tactical approach.
Information Infrastructure recovery is an area of both applied and original
research that is much better covered than resilience – but that is because it
is a much less difficult area than resilience. British Standard (BS) 7799, the
Information Security Standard, and the British Standard Institute’s Business
Continuity Standard BS 25999 are both standards that deal with this subject
rather than true Information Infrastructure resilience. Recovery assumes that
something will go wrong, and puts plans in place to try and ensure recovery
from that wrong. At the simple level this is about replacing one router with
another, it is about building redundancy. Redundancy is very different
to resilience. Redundancy is a short-term fix; resilience is a long-term fix.
Long-term fixes tend to be more expensive than short-term fixes in the short
term, but cheaper in the long term. Recovery, and redundancy, is about what
to do when true resilience has failed. However, recovery, and redundancy, is
important and the better-prepared all are to recover from problems then the
better all round.
There is a lesser debate to be had regarding the disciplines of disaster recovery
and business continuity being part of resilience or recovery. This Chapter
202
Grotberg, E (1998) op.cit.
203
Rochlin, GI (1987) op.cit.
204
Kendra, JM (2003) op.cit.
205
More information available at http://www.eds.com (Accessed: 7 January 2007).
206
More information available at http://www.qinetiq.com (Accessed: 7 January 2007).
would argue that both these disciplines are part of the recovery process, once
resilience has failed.
Security is the state of being free from danger or injury; resilience is about
being able to return to original form after deformation.
Information Infrastructure security is again slightly different to resilience,
recovery, and redundancy. The four key things required to keep Information
Infrastructure secure are people, physical, systems, and electronic security.
This includes resilience, recovery, and redundancy. Secure communications
tend to be, currently, closed communications, confidential (security vetted
individuals), physically secure, system secure, and electronically secure. Most
of the time, most people are dealing with open systems that have few vetted
individuals and are both physically and electronically insecure. This is the
perception, and reality, despite open systems being statistically as likely to
be as secure, in certain circumstances, as closed software system according
to Anderson (2002).207 The more general trick will be to turn the statistically
secure open systems into those that are both accepted as such and operated
as such – then they will be both secure and resilient. This is another subject
completely that cannot be adequately covered here.
Information Infrastructure is now the critical infrastructure and all the
OECD economies are dependent upon it. Resilience, recovery, and redun-
dancy are not the same thing. Resilience is an underresearched but key area
of interest in the maintenance of Information Infrastructure and telecom-
munication systems. There are clear parallels between how children and high
reliability organizations become resilient and the qualities sought in a resilient
Information Infrastructure. Whether or not a system is open or closed is not
necessarily a security issue; but security is certainly dependent on resilience.
Security is about, as noted, being free from danger or injury. One of the
biggest current security threats to states at the moment is Asymmetric Warfare.
One of the biggest current security threats to business and commerce is
Obstructive Marketing. If Information Infrastructure is central to the OECD
countries’ economic performance then a link should exist between Informa-
tion Infrastructure, Asymmetric Warfare, and Obstructive Marketing.
Hyslop (2003)208 argued that Asymmetric War fighting methods are not new.
They were practiced during previous world wars, and almost all other wars.
They have characteristics of total war – where balance, timing, effort, and
resources are deployed in different measures to deny a strong military power
the full use of that power. This is, simplistically, where the world is today
with regard to the attacks on the USA, and their allies, and the responses
in Afghanistan and Iraq. However, this is likely to be just the start of a long
campaign and it is important to understand how it might develop and what
207
208
Hyslop, MP (2003) Asymmetric Warfare, Proceedings International Conference on
Politics and Information Systems: Technologies and Applications (PISTA’03), Orlando,
Florida, USA. 31 July 2003 – 2 August 2003.
the western and northern powers need to understand in order to fight this
asymmetric war well.
Consider an incomplete table of differences between two conflicting groups:
TABLE 6. Comparison of West v Al Qaeda
Western/Northern alliance An Al Qaeda type alliance
Believe they are right Believe they are right
Have lots to lose Have not much to lose
Have money Have less money
Have little faith Have lots of faith
Geographically concentrated Geographically dispersed
Perceived as strong, arrogant Perceived as weak
Not used to fighting Used to fighting
Hi-technology dependent Technology independent, parasitic
Family in decay Family strong
High crime Low crime
Weak group cohesion Strong group cohesion
Lowering education Rising education
“Own” resources, especially food and “Own” fewer resources, especially food
water and water
Use lots of resources Use fewer resources
Believe in capitalism Believe in god
Has massive conventional military Has limited conventional military
power power
Does not use terrorism Does use terrorism
Visible Not easily visible
Timing: operate to short term goals Timing: operate to long term goals driven by
driven by political considerations a sense of history
This table could be extended but it is clear it has little symmetry.

Asymmetric Warfare therefore brings all these sorts of pluses, minuses, and
inequalities into play in a contest between the two (or more) protagonists.
Clearly an Asymmetric War will involve many more factors than just a
conventional military contest. Asymmetric Warfare is generally conducted
in a covert planned military/technical, criminal, or cultural manner and less
frequently in a spontaneous manner.
Information Infrastructure is both a target and a conduit for Asymmetric
Warfare. It is a target in that it represents an infrastructure dominated by the
major powers and is therefore seen as a legitimate target by those who seek
to destabilize these powers. It is a conduit because the infrastructure and the
applications that sit on it, the Internet/World-Wide Web in particular, gives
an opportunity to those asymmetric combatants to plan, communicate, and
sometimes even execute asymmetric events. Steganographic techniques are
often used for communication.
Hyslop (1999)209 defined Obstructive Marketing as
Any process, legal or not, which prevents or restricts the distribution of a
product or service, temporarily or permanently, against the wishes of the product
manufacturer, service provider or customer.
209
The term “any process” reflects the global nature of the issue and accepts
that different mores will prevail in different parts of the world. The term
“legal or not” is used because what is legal and acceptable in one state is not
in another. Judgment must often be suspended in looking at global practices
from a purely western legal standpoint. (Otherwise, for example, it would be
impossible to discuss Islam in an unbiased fashion). The term “prevents or
restricts,” because the sale of goods and services can be stopped in an absolute
or relative manner depending on the subtlety of those who seek to obstruct
the marketing efforts of others. The term “distribution of product or service”
because distribution is central to the marketing effort. The term “temporarily
or permanently” because time always changes the picture in international
relations and this affects business as well as politics and international relations.
The term “product manufacturer, service provider, or customer” is used
because these are the players in Free Market Capitalism. The addition of the
words “or customer” to an original definition reflects the later thought that
customers, as well as providers, can be deprived as a result of the potential
techniques. This is both logical and common sense, particularly from a
marketing viewpoint, and particularly where the customer is key.
In the same way that a table can be drawn up to reflect the differences
between the main protagonists in an Asymmetric Warfare situation then
a similar table can be drawn up between those who seek to globalize their
business and those that may seek to prevent that globalization, an obstructive
marketing group.
TABLE 7. Comparison of Globalisation v Obstructive Marketing
Globalizing company Obstructive Marketing group
Believe they are right Believe they are right
Have lots to lose Have lots to lose
Have money Have some money
Have faith Have faith
Geographically concentrated Geographically dispersed (many, everywhere)
Perceived as strong, arrogant Perceived as weak
Used to dominating Used to serving
Hi-technology dependent Technology independent, parasitic
Independent of family Family dependent
Suffers from organized crime Suffer from casual crime
Tends to be independent of groups Tends to group cohesion
Lowering education – tasks carried out Rising education – multitasked and
independently e.g. checkouts in adaptable
supermarkets
“Own” resources “Own” fewer resources
Use lots of resources Use fewer resources
Believe in capitalism Believe in different things
Has massive economic power Has limited economic power
Visible Not easily visible
Operate to short-term goals driven by Operate to long term goals
quarterly results and shareholders
The table for Obstructive Marketing has some clear parallels with the table
for Asymmetric Warfare.
Obstructive Marketing is characterized by planned competitive, criminal,

and cultural attacks or, less frequently, casual attacks.
The consequences of these events on economic development as a whole can
be summarized in the following table. After Yip (1997)210 and Hyslop (1998)211
TABLE 8. Impact of Recent Events on Global Drivers

Key current global driver Likely impact of recent events
Common customer needs More differentiation
Global customers Regional markets reemerge
Global channels Regional channels
Transferable marketing More differentiation
Global scale economies Regional economies (except China)
Steep experience curves More measured approaches
Low transportation costs Higher transportation costs
Difference in in-country costs Continues – but slower
High product development costs Higher product development costs
Need for technology transfer Technology transfer less popular
Open trade policies Protectionism reemerges
Open technical standards Continues – but slower
Open marketing regulations Protectionism
High exports and imports Less imports
Interdependence More independence
Globalized competitors Regional competitors
Transferable competitive advantage Held competitive advantage
Asymmetric Warfare and Obstructive Marketing have striking similarities.

Both represent key threats to the political and economic fabric of western/
northern societies. These threats are strategic because they threaten the
political and economic stability of the western/northern societies.
The main parallels are:
• A contest between “big” and “small”
• A contest between “rich” and “less rich”
• A contest between “concentrated” and “dispersed” groups
• A contest between those perceived as “strong” and those perceived as
“weak”
• A contest between hierarchical and flat structure groups
• A contest between the hi-technology dependent and the not-technology
dependent
• A contest between those with relatively weak group cohesion and those with
strong group cohesion
210
Yip, G (1998) Global Strategy and the Role of Call Centers. Proceedings of the
International Call Center Summit. April, 20, 21, 22, 1998, Reston, Virginia, USA.
211
The main ideas on this were contained in Hyslop, MP (1998) The International Call
Centre, Elements for Survival. April. Telemarketing and Call Center Solutions. Avail-
able at http://findarticles.com/p/articles/mi_qa3700/is_199804/ai_n8806136 (Accessed:
7 January 2007).
• A contest between those that deal primarily with organized crime and those
that deal with casual crime
• A contest between the highly educated and the less/differently educated
• A contest between those that own massive resources and those who do not
• A contest between those that use lots of resources and those who do not
• A contest between those who basically believe in some form of Capitalism
and those who believe in something different
• A contest between those with massive economic power, and those with less
• A contest between highly visible entities, and the less visible
• A contest between those with short-term goals, and those with a very
different view of time.
It is clear from research (Hyslop, 1999)212 that the corporate world has
had, arguably, rather more success in dealing with Asymmetric/Obstructive
challenges than the political world. One reason for this is that both the cor-
porate world and its challengers share an attribute, faith, or a determined
belief (for example, delivering shareholder value concentrates the mind
wonderfully) in what they are doing, which is often missing from the political
world. Further it is clear that the corporate world has been dealing with the
problem, consistently rather than intermittently, for a considerable period of
time. This has lead to a whole industry growing up to deal with such threats.
In simple terms the Old World Order disappeared, and the Second World
War finally ended, with the collapse of the Berlin Wall and Communism
in the USSR at the end of the 1980s or early 1990s. This world order was
marked by relative certainty. There was the East, the West, and the Third
World where the other two competed, often by proxy, against each other.
The titanic struggle between two competing philosophies was governed by
mutually assured destruction and treaty.
The new world order that seemed to emerge after the early 1990s was greeted
with enthusiasm in the West, which saw an opportunity for both itself and its
new partners states in, particularly, the north of Europe to extend Capitalism
across the world. This was to be the era of globalization.
But not all saw it in such a way. China took the opportunity to develop
a different approach to wealth creation more akin to its own “permanent
revolution” ideology than the capitalism of the West. Others took exception
to the imposition of a foreign culture and there was a backlash, particularly
in those countries where faith predominates over capitalism. Further groups
took the opportunity to press their own special interests – these ranged
from corporately driven coups, through drug baron wars to fundamentalist
insurgency. There was no mutually assured destruction, just the opportunity
for more groups to destroy each other, and no treaties. The world became
212
unstable and writers such as Huntington (1993)213 predicted a clash between

ideologies that has more or less been vindicated. Others such as Fialka
(1997)214 saw parallels in the economic world and felt that war was now being
waged on an economic front.
In parallel to the change in world order was the Information Infrastructure
revolution. As with all true revolutions this changed the world too. This
revolution initially affected primarily the western and northern states
(primarily the OECD) – but held out great promise for the east and south as
a means of making up ground on the richer west and north.
Dramatic changes in the way capitalism operated followed as new and
more efficient means of handling, and making, money appeared. So much
so that by the end of the millennium the dependency of the western and
northern financial system on Information Infrastructure to operate was
total, hence part of the reason for targeting of the World Trade Centre on
the 11 September 2001. At the same time the telecommunication revolution
spread to most of the OECD population as digital technologies became
common, most particularly with the spread of the mobile telephone. Overlain
were the World Wide Web and the Internet – although this was not truly
world wide because most of the users paralleled the western and northern
associated states – and this allowed access to the new technology for many,
good, and bad.
This reliance and availability was not matched by a set of standards that
secured both the hardware and software. The dependency of the western/
northern political and economic systems on insecure hardware and software
led to a new environment in which the strategic dependency of the western/
northern societies on an insecure base became a “soft underbelly” that could
be attacked. Over the last ten years the political and economic infrastructure
of the west and north has been the subject of repeated attacks through the
Information Infrastructure, and its associated applications.
This has led to the comments of Anderson (2002)215 already noted and
more recently the following comment by Reardon (2004).216
The two companies (Microsoft and Cisco) have each proposed competing
“end to end” security architectures, marking the latest evolution in network
defense – an approach concerned not only with scanning for viruses but also
with policing networks to deny connections to machines that don’t conform
with security policies. For now at least, however, the twin offerings are not
interoperable. That means customers might be forced to choose between using
213
Huntington, SP (1993) The Clash of Civilizations, Foreign Affairs. Summer, v72,
n3, pp. 22(28).
214
Fialka, JJ (1997) War by Other Means, Norton, New York.
215
216
Reardon, M (2004) Microsoft and Cisco Clash on Security. CNET News.
17 September. Available at http://news.zdnet.co.uk/security/0,1000000189,39166968,00.
htm (Accessed: 7 January 2007).
technology from one company or the other, unless the two tech giants can strike
a deal to guarantee compatibility.
The current position is therefore that the world is a different place than it
was just 25 years ago in terms of Information Infrastructure. This world, it
may be argued, is characterized by a dependency, on behalf of the western/
northern political and economic system, on Information Infrastructure and
associated systems that are neither resilient nor secure, and that are under
attack through the use of both Asymmetric Warfare and Obstructive Marketing
techniques. In order that such a dependency and such attacks are minimized
it is important that the relationship between political, economic, social,
technological, environmental and legal, security, and Information Infrastructure
resilience and recovery is understood. In each of these areas steps need to be
taken to improve Information Infrastructure resilience and recovery in order
that Asymmetric Warfare or Obstructive Marketing, in particular, does not
compromise security. Before recommendations can be made on how to deal
with the issues in a systematic manner it is important to first understand the
threats to each of these areas.
Twenty-five years or more ago Governments, particularly in the aftermath
of the Second World War, had a view on what were and what were not strategic
political resources. An inventory of the time would see coal, steel, electricity,
gas, fuel, and food protected not just as industries under some political flavor but
also as true resources to be harbored in the case of national need. The 1980s
and later saw these strategic resources “privatized” or allowed to become
fallow. “Just –In- Time” became the order of the day. The shallowness of this
approach was revealed during the UK fuel crisis of 2000. This demonstrated
that national reserves were dependent on Information Infrastructure and just
in time deliveries – no strategic planning was in place to cover such eventualities.
Plans to repeat the protest in 2004 led to:
Secret plans have been agreed between the Home Office and the Food Chain
Emergency Group, set up after the 2000 fuel protests and incorporating Britain’s
biggest supermarkets and food manufacturers. Their plans to safeguard the
food and fuel chain from disruption go much further than tactics used by the
police to quash previous fuel protests, Townsend and Bright (2004).217 As noted
elsewhere it also led to the establishment of the Civil Contingencies Act.
Further investigation reveals that it is not just food and fuel that is dependent
on Information Infrastructure and just-in-time deliveries; complaints were
also received during the 2000 event from industrialists and the construction
industry amongst others. As the primary duty of a Government is to protect
its citizens, this left the national political machinery potentially in breach of
its main political duty.
217
Townsend, M and Bright, M, Army Guard on Food if Fuel Crisis Flares,
The Observer, 6 June 2004. Available at http://observer.guardian.co.uk/uk_news/
story/0,6903,1232432,00.html (Accessed: 7 January 2007).
The political machinery of any society depends on communication with its

constituents. For centuries the political machinery of democratic, and more
particularly, nondemocratic states has sought to exercise benign, or other-
wise, control over the messages received by the electorate. The anarchy of
the World-Wide Web enabled by the Information Infrastructure revolution
threatened the political communications strategies of all political entities
across the world. The ability of individuals to access information threatened
both stable and unstable regimes and required a different approach from
political entities in communicating with their constituents. The enemies of
some states are using insecure telecommunication infrastructure to launch
attacks.
In order to exercise some control over the telecommunication patterns
the USA introduced “Carnivore,” EPIC (2002).218 This is a development
of “sniffer” technology that allows security services to access and monitor
predominantly packet driven Information Infrastructure. In Europe
improvements in telecommunication and information security have become
one of main priorities of the European Union, according to Europa (2004).219
Dealing with Information Infrastructure security has got a profile; it has a
profile because the current state of affairs threatens the political status quo.
Ergo this is a strategic and not a tactical issue.
The British Government identifies civilian telecommunication and
information systems as targets according to the UK Ministry of Defense (2004).220
Zekos (1999)221 argues that the Internet alters the operating environment under
which a vast array of institutions including the State operates. He concludes
that there has been a shift of some components of the state’s sovereignty over
to other entities and that this carries the potential to limit sovereignty. This
may not be an elimination rather than a partial relocation to supranational
institutions, such as multinational companies. Hyslop (1999) has demon-
strated that 60% of USA companies have suffered from sort of telecommuni-
cation-related attack.
These issues have become so common that MI5 (2004),222 the UK’s domestic
intelligence service, comments as follows:
The theft, copying or destruction of information is a growing problem for many
organizations.
218
EPIC (2002) The Carnivore FOIA Litigation. Available at http://www.epic.org/
privacy/carnivore (Accessed: 7 January 2007).
219
Europa (2004) op. cit.
220
UK Ministry of Defense (2004) The Future Strategic Context for Defense.
Available at http://www.mod.uk/issues/strategic_context/military.htm (Accessed:
7 January 2007).
221
Zekos, G (1999) Internet or Electronic Technology: A Threat to State Sovereignty,
Commentary. The Journal of Information, Law and Technology (JILT (3) ). Available
at http://elj.warwick.ac.uk/jilt/99-3/zekos.html (Accessed: 7 January 2007).
222
MI5 (2004) Protecting Your Information. Available at http://www.mi5.gov.uk/
output/Page236.html (Accessed: 7 January 2007).
Criminals, foreign intelligence services, terrorists or business competitors may

attempt to access your information by breaking into your IT systems, obtaining
the data you have thrown away, or infiltrating your organization through a
disaffected member of staff.
Consider first the nature of the threat you might face, and where your
vulnerabilities lie. To what extent is your information at risk?
Threats to information may come from an “insider” in your organization.
The motivation of disaffected individuals may include personal gain, boredom,
revenge, or sympathy with some external cause. A vulnerable member of staff
could also be coerced or blackmailed. Follow the general advice under “Managing
staff securely – the “insider” threat”, and consider whether you should take
more detailed measures against espionage.
Your IT systems may be vulnerable. Make sure they are supplied and
maintained by reputable and reliable companies. For more detailed advice, see
the page on “Electronic attack”.
Look at how you dispose of waste documents and other forms of data.
Consider whether any of it might be of use to terrorists or others and read our
advice on “Confidential waste”.
Zekos (1999)223 also commented on the power of Information Infrastructure
to manipulate economic growth, security, and development. He and Hyslop
(1999)224 link both political and economic security.
In an interesting recent development the BBC Today programme (2004)225
announced that the changes in Britain’s gambling laws are a direct result of
Internet gambling and consequent loss of taxes.
The key social problem for most OECD societies is the Digital Divide.
Hammond (2001)226 explores this in more detail:
The United Kingdom is verging on the same type of “digital divide” that the U.S.
government discovered in America’s urban and rural communities last summer.
This gap in access to the Internet and technology between the “haves” and
“have nots” will only get worse, the consulting firm warns, unless the government
takes steps to intervene. The impact on the “have nots” would be severe, as the
ability to conduct everything from the most basic daily transactions to more
complicated business deals continues to shift into the online world.
The data shows that about four million new users, or eight percent of the
population, are getting online each year. “Far from evening out the emerging
223
Zekos, G (1999) Internet or Electronic Technology: A Threat to State Sovereignty.
Electronic Law Journal(3). Available at http://www2.warwick.ac.uk/fac/soc/law/elj/
jilt/1999_3/zekos (Accessed: 7 January 2007).
224
225
Today (2004) Will the Number of Casinos Rise After the Changes to the Gambling
Bill, BBC Radio 4, 19 October 2004, 07.32 hours.
226
Hammond, A (2001) Digitally Empowered Development, March/April. Foreign
Affairs. pp. 96–106.
inequalities, the wave of growth is likely to exacerbate them in relative terms,

leaving an unconnected or excluded group of over 20 million citizens,” the
company said.
Trendle (2002)227 identified a new social democracy damaging to companies.
She comments that companies are oblivious to the rising power of a new
social grouping called “advocacy networks.” Thereby combining the issues of
both economic and social security in a manner whereby social groups start to
exercise pressure, in a manner previously unknown, on businesses.
Technological security in the OECD is threatened in a number of ways.
It is threatened by espionage via Information Infrastructure. It is threatened
by the openness of international communication. It is threatened by the fact
that a transfer of technology research and development has occurred from
the military to the civilian market. These threats are summarized by Tolchin
and Tolchin (1992).228 However, Gompert (1998)229 argues that the size and
power of political, military, and information resources in the hands of the
USA merely reinforces technical superiority for the USA. This comment is,
however, in its own right, also a threat.
An Information Infrastructure threat to environmental security is not
necessarily immediately obvious. The impact of political, economic, and
technological development and uncertainty is well documented. The Trudeau
Centre for Peace and Conflict Studies at the University of Toronto has done
much work on environmental security. Underlying many of its papers is the
spread and influence of Information Infrastructure. Homer-Dixon (1991)230
describes the main interactions between different systems, many of which are
now controlled by Information Infrastructure.
Legal security has depended on a series of events to ensure that contracts
are safe and proven. Legal security is still dependent on boundaries: English
law, American law, Roman law, etc. applies in different geographical areas.
The telecommunication revolution has challenged many existing precepts of
law from signatures to the conveyance of contracts in this respect. There is a
view that the Internet is an extension of the USA, from a USA point of view,
just as most USA law has some supranational applicability, at least from a
USA perspective. In the UK the Tax Bureaucracy has suffered from a loss
of Value Added Tax following international purchases from the Internet that
have evaded boundary(ied) tax regimes. Information Infrastructure allows
227
Trendle, G (2002) The Next Threat to Business – Social Democracy. Internet Integrity
Annual Intelligence Briefing, Tuesday 21st May 2002, BDO Stoy Hayward. Available
at http://www.creativematch.co.uk/viewnews/?88210 (Accessed: 7 January 2007).
228
Tolchin, M and SJ (1992) Selling Our Security, Knopf, New York.
229
Gompert, DC (1998) Right Makes Might: Freedom and Power in the Information
Age, McNair paper 59, Chapter 3, May. Available at http://www.rand.org/publications/
MR/MR1016/MR1016.chap3.pdf (Accessed: 7 January 2007).
230
Homer-Dixon, TF (1991) On the Threshold: Environmental Changes as Causes of
Acute Conflict, Trudeau Centre for Peace and Conflict Studies, University of Toronto
International Security, Vol. 16, No. 2 (Fall). pp. 76–116.
multinational companies much more opportunity for “cross border tax

efficiency” than has previously been the case. Further detail on these threats
can be found at Faegre and Benson (2004).231
There is a strategically important relationship between Information
Infrastructure and systems resilience, recovery, and security and both
Asymmetric Warfare and Obstructive Marketing. It is clear that both
Asymmetric Warfare and Obstructive Marketing methods use Information
Infrastructure to both attack states and companies. It is also clear that there
is a general pervasiveness with regard to these actions. To counter such events
it is further clear that Information Infrastructure and systems resilience,
recovery, and security needs to be improved. This is no longer a tactical issue
for business recovery or continuity. These remain important but a strategic
view must also be taken.
Information Infrastructure and systems are key national resources, and
strategic in nature. At a recent conference (Resilience, 2004) the question
was asked: “How Can the Financial Sector Be Reassured That, In The
Event Of An Incident, Their Utilities Supplies Will Be Uninterrupted? Is
This A Viable And Feasible Request? Hyslop (2004)232 commented that
traditionally they have had to look after themselves. If the utilities went down
so did the Information Infrastructure. Today, however, capitalism has come
under threat from electronic attack; since 11 September 2001; since Basle II
and Sarbanes-Oxley; since some USA Department of Defense papers; it has
become clear that defending the utilities that service the financial sector, the
driver of capitalism, is not a purely academic question.
In the United States of America the House of Representatives (1996)233 and
others have commented as follows:
The United States increasingly relies on information networks for the conduct of
vital business. These networks are potentially subject to major disruptions from
a variety of external sources. To date, there has been no clear statement of the
magnitude of this threat or the ability of the various networks to withstand or
respond to such disruptions.
There is an argument for strategic intervention by major power governments
to protect their major strategic assets in the face of irresponsible use of
Information Infrastructure and associated systems. This may or may not
be a “good” idea. There is also a strategic opportunity for one or more
commercial organizations to gain control of wide sections of the international
231
Faegre and Benson. Available at http://www.faegreandbenson.com (Accessed:
7 January 2007).
232
Hyslop (2004) How Can the Financial Sector be Reassured That in the Event of an
Incident, Their Utilities Supplies Will be Uninterrupted? Is This a Viable and Feasible
Request? Comments to the Resilience (2004) Conference, Millennium Hotel, London.
22/23/24 September 2004.
233
United States. House of Representatives. (1996) The Cyber-Posture of the National
Information Infrastructure. Washington. Chairman: Willis H Ware. Available at http://
www.rand.org/publications/MR/MR976/mr976.html (Accessed: 7 January 2007).
telecommunication and associated systems traffic. This too may or may not
be a “good” idea.
What is a “good” idea is to take a dispassionate and detailed look at how
the strategic nature of Information Infrastructure can be both harnessed and
unleashed to continue the development it has heralded in the last decade and
a half. A critical area of research is Information Infrastructure resilience
independent of both commercial and single state control.
It is clear that Asymmetric Warfare and Obstructive Marketing techniques
affect a wide range of organizations. These organizations need to know
how to protect themselves. The expertise on protection actually lies in the
private sector, which has had more experience of dealing with these sorts
of techniques than anyone else. The private sector also has something the
public sector seems to lack and that is faith (even if only faith driven by the
need to satisfy shareholders). Thus commercial organizations should perhaps
be deploying their own experience in a very different way than today. Some
examples may be:
• Advising on or adopting the creation of appropriate open or closed systems
and virtual private networks
• Advising on or adopting the creation of information and knowledge man-
agement communities within, not across, networks
• Training of personnel by other people, not by electronic means, in security
procedures
• Using Operational Risk Procedures to identify weakest points
• Linking profitable and discrete communities to the Network, not necessarily
all customers to the Network
• Redefining Trust in the context of a mix of open and closed relationships
This is not to advocate the demise of the World Wide Web or the Internet
or Networks but it is to advocate the creation of a new look at resilience and
security and how it might be implemented. To do this new types of fora will
be needed. Examples are the USA and UK CERTS, and the UK’s WARPS.
A reasonable conclusion to this Chapter is that not enough is known about
the possible Asymmetric Warfare and Obstructive Marketing threats to the
resilience, in particular, as well as recovery and security, of Information
Infrastructure. There is no clear consensus as to what constitutes a secure
Information Infrastructure environment. Different drivers are apparent:
commercial, national, strategic, and tactical amongst them. The big threat to
states, Asymmetric Warfare, and corporations, Obstructive Marketing, will
not go away. It would be useful if a consensus could be bridged to bring a
common approach to a key strategic problem that will enable resilient and
secure Information Infrastructure to be deployed effectively. This will require
considerable cooperation from a wide range of parties.
Chapter 11
A Suggested Approach
to Individual, Corporate, National,
and International Resilience,
Critical Infrastructures, and Critical
Information Infrastructures
This Chapter seeks to make suggestions at individual, corporate, national,
and international level of ways in which to make Critical Infrastructures and
Critical Information Infrastructures more resilient.
Individual
In children we need to nurture the characteristics noted by Grotberg
(1998)234 of:
• Trusted network
• Limits on behavior
• Shown how to do things right
• Learn to be independent
• Assisted when sick
• Am liked and loved
• Am well behaved
• Am respectful
• Am confident
• Can communicate
• Can solve problems
• Can control when things go wrong
• Opportunistic
• Can get help when needed
These characteristics must assume an education that also delivers numeracy
and literacy. These are sixteen things for parents and teachers to deliver to
a child over the sixteen or so years to adulthood. In OECD countries this is
a problem, and should not be. These are life skills writ large. They are what
is needed for the future.
234
Grotberg, E (1998) op. cit.
176
Chapter 11 Individual, Corporate, National, and International Resilience 177
In the adult environment it is necessary to nurture the characteristics of

high reliability organizations noted by Rochlin et al. (1987):235
• Trust
• Discipline
• Teaching organizations
• Learning organizations
• Supportive
• Camaraderie
• Behavioral norms
• Hierarchical empathic organization
• Clear responsibilities
• Confident
• Formal and informal communication
• Solve problems
• Adaptive
• Opportunistic
• Can get help when needed
Additional individual resilience skills include knowing how to grow and
harvest food, exercise, use of alternative fuels at home, protecting oneself from
things like bird flu (by understanding key personal hygiene rules), and having
some sort of individual plan to survive food and other shortages. Above all
to do all of this within a society that has a clearly defined set of values, and,
by and large, lives them.
Corporate
In the corporate environment it is suggested that four key things are important:
• To understand common sense business strategy
• To understand how to manage complexity
• To understand the threats and counter-threats of Obstructive Marketing
and Asymmetric Warfare
• To help the defense of Critical Information Infrastructure
The first two of these are beyond the remit of this book, but are things all
businesses should be doing anyway. Help on both is available in concise form
from Pearson (1988)236 and Wood (2000),237 or from a myriad of MBA and
business courses.
On the third point it is evident from Hyslop (1999)238 that many major
corporations understand these threats. There is less of an understanding within
235
Rochlin, GI (1987) op. cit.
236
Pearson, B (1988) Common Sense Business Strategy. Mercury.
237
Wood, R (2000) Managing Complexity. The Economist.
238
supply chains and SMEs of how to deal with these threats. A similar issue
faces Sarbanes-Oxley, where the major corporations understand the reason
for it and have spent the money to conform, but the supply chain (particularly
the non-USA supply chain) seems unsure why they should conform. At the
SME level it has slowed the creation of businesses in the USA. The people in
touch with these businesses are the Chambers of Commerce and the Small
Business federations. They need, eventually, a more formal role in how to
help their membership survive both Asymmetric and Obstructive Marketing
threats. Smaller businesses need some online guidance about how to manage
their Information Infrastructure in particular, and manage other Asymmetric
and Obstructive marketing threats.
At the major corporate level businesses must be engaged with the defense
forces in order to both understand the threats and protect themselves and
their markets form Asymmetric and Obstructive Marketing threats. At the
Information Infrastructure level much more needs to be done to both coordinate
and inform the defenses required not just for Information Infrastructures
but also for all other Critical Infrastructures. This implies the creation of
proper associations, the development of standards and the development of
a rigorous approach to the management of Information Infrastructure that
is based, loosely, on the approaches that have worked in the past for both the
Petroleum and telephone industries. This is not so much to impose constraint
as to suggest responsibility. In terms of reliability and safety the Information
Infrastructure needs to be at the same level as the airline industry. Hopefully,
there will be much more cooperation between USA and European businesses
both in defense and in the creation of an electronic environment. Outsourcing
to developing countries based solely on human resource savings should be
discouraged. Strategic approaches on all fronts are to be encouraged.
National
The following statements summarize the major threats to OECD countries:
The USA’s global power rests on a triad of capabilities: space, sea, and cyber-
space.239 This statement is paraphrased from a relatively recent article on a new
defense model for space. The UK’s MI5 identifies International terrorism,
Northern Ireland, Weapons of Mass Destruction, and Espionage as the key
threats to the United Kingdom.240 The new threats to Europe are best defined
in the European Security Strategy as presented in December 2003:241
239
Cebrowski, AK and Raymond, JW (2005) Operationally Responsive Space: A New
Defense Business Model. Parameters, Summer.
240
http://www.mi5.gov.uk (Accessed: 7 January 2007).
241
Bailes, AJK (2005) European Security Strategy, an Evolutionary History, SIPRI
Policy Paper No. 10, Stockholm International Peace Research Institute, February.
Available at http://www.sipri.org/contents/editors/publications/ESS_PPrapport.pdf
• Terrorism
• Proliferation of weapons of mass destruction
• Regional conflicts
• State failure
• Organized crime
In Australia and New Zealand the threats are identified much as they are
in the UK.242
The threats are obviously related to each other and one can lead to
another. Thus regional conflict can lead to state failure where organized
crime flourishes. Organized crime can escalate into terrorism. The greatest
threat to the world community is now terrorists armed with weapons of
mass destruction.243
If these threats are looked at in the round then there is common under-
standing on:
• Terrorism
• Weapons of mass destruction
• Organized crime
• Espionage
These are all, largely, asymmetric threats. The specific threats to Critical
Infrastructure, Commerce and Critical Information Infrastructure from these
general threats should be understood. As much of these are in private hands
it must be the case that some sort of public–private partnership has to exist
to counter them, if not at national then at federated or international level.
Anyone with a working knowledge of the European Commission or any other
federated bureaucracy will understand the extreme difficulty of operating
effectively at such levels.
To counter these threats all federations and states currently use a combination
of Army, Navy, Air Force, Intelligence Services (including electronic
eavesdropping), and Police. These are the traditional tools for Symmetrical
or state vs. state warfare. Yet much of what this book has been about is the
resilience critical infrastructure and Critical Information Infrastructure to
asymmetric warfare – in both a political and economic context. The threats
confirm this approach. Much Critical Infrastructure has no protection at all.
Critical Information Infrastructure particularly outside the USA has little
protection, because much of it is in commercial hands. There is clear evidence
from a range of sources that terrorists of various kinds use Information
Infrastructures for communication, thinking, planning, and delivery.
242
Threats available at http://www.australia.or.jp/english/seifu/pressreleases/index.
html?pid=defense20030226b (Accessed: 7 January 2007).
243
Dorfer, I (2004) Old and New Security Threats to Europe. Available at http://www.
afes-press.de/pdf/Doerfer_Mont_9.pdf (Accessed: January 2007).
All this suggests a new type of defense model is required to meet the new
threats. It is axiomatic that because much of the Critical Infrastructure and
Critical Information Infrastructure is in commercial hands then a much closer
liaison is required between federation/state and commerce than is normally
understood to be the case. In this respect the USA may be much closer
to a modern working operational model, given the extent of the military/
industrial/electronic complex, than many give it credit for.
It is necessary for the western world, the OECD countries in particular, to
be clear about how they are going to defend themselves against some very
specific threats:
• Use of terrorism against critical infrastructure and Critical Information
Infrastructure
• Use of weapons of mass destruction against critical infrastructure and Critical
• Use of organized crime against critical infrastructure and Critical
• Use of espionage against critical infrastructure and Critical Information
Infrastructure
These require either new or modified defense organizations.
And the more general threats of
• State vs. state warfare
These require more traditional defense organizations.
The lines between all these tend to blur, as they have done in Afghanistan.
It follows that some sort of public/private defense partnership to protect both
Critical Infrastructure and Critical Information Infrastructure is required.
There are some clear candidates for inclusion in the different areas (and this
book shows that the private sector has as much experience in dealing with
asymmetric threats as the public sector). Two countries who might be imagined
to be close on these sorts of subjects, the USA and the UK, have recently
fallen out over the level of detail to be given to pilots operating the others’
planes on sorties into enemy territory in Afghanistan and Iraq. They have
also fallen out over the level of intelligence to be provided to each. This does
not auger well for the development of complementary defense models!
Democracies, and particularly the British form of democracy, are often
reluctant to impose restraints. Frequently, a series of checks and balances
are encouraged. This sort of approach epitomized in the UK by the rather
laissez-faire attitude of the Financial Services Agency as opposed to the
Department for Homeland Security in the USA over disaster recovery
advice for financial institutions. This will not work to protect the fabric of
our societies. There must a level of responsibility and accountability that is
more structured than today. (This does not necessarily mean it has to be less
democratic or involve the imposition of more laws). Indeed from the way
in which individuals are screened at airports to the way in which companies
are involved in the defense of critical infrastructures there is a need to be

more sophisticated not less.
The technology, profiling, screening, and understanding is available to
ensure that society keeps its values whilst fighting an enemy that rejoices
when those values are amended. (The security screening at airports is the
most obvious of these, and statistically and in any other way the most
useless deterrent.)
There is a potential model in the form of the UK Government’s fora for resil-
ience, based at regional level in the UK. These are based in each of the nine
English regions and three other countries of the UK, based on the requirements
of the Civil Contingencies Act. Actually, these bodies do not do very much about
resilience; they are about recovery and continuity more than they are about resil-
ience. This said they represent, at a regional level, an appropriate body where
these matters can be discussed.
In the USA William Pelgrin’s work in New York State is a model that also
could be extended. The New York Telecommunications Reliability Advisory
Council (NYTRAC) has the following role:
To consider and advise on how to maintain and improve the reliability of New
York State’s current and future communications networks for the benefit of
public and private users, and to further the economic security of the State of New
York, its municipalities and its citizens . . . NYTRAC is a panel of public and
private sector telecommunications experts who work to ensure an industry-wide
exchange of information on emerging technologies and strategies to strengthen
New York State’s telecommunications network.
Ideally of course, the population, commercial sector, and defense should
be woven in tightly to the political structure as it is in Switzerland, and to a
lesser extent in Sweden.
Using these two as examples then a suggested national model may look as
follows:
The Public–Private Partnership

However, in approaching an organization care must be taken not to repeat the
mistakes of the past. Mistakes of the past include the void left on the creation
of Serious Organized Crime Agency (SOCA) in the UK in the fight against
crime, and currently, again in the UK, the reintegration of NISCC with the
CNI in the UK, when it should be ascendant rather than subordinate. In the
United States it is the proliferation of bodies with some sort of responsibil-
ity for Homeland Defense. The key to resilience in the OECD countries is a
clear understanding of the threats, and how to counter those threats, a simple
defense organization and a strategic approach at the commercial level. It will
be obvious, by now, that this book is of the opinion that Critical Information
Infrastructure is under protected and that new forms of defense are needed.
A National Defense Model

The national defense organization to counter these threats must start
with a clear political statement of intent. This must concentrate as much
on the preservation of national values as it does on the preservation of
infrastructure. It would seem unnecessary to repeat structures that already
exist, and to a certain extent this is a problem that all nations who have
tried to deal with this problem have already faced. There is an unnecessary
proliferation of bodies designed to look at this problem already.244 These
do need to be streamlined.
The organization itself needs a political master. It is fairly obvious that the
defense of Critical Infrastructures should be the job of a Ministry of Defense.
Just because this is a revisited (in terms of Critical Infrastructure) or new area
(in terms of Critical Information Infrastructure) does not negate the threats
(which would normally be dealt with by a Ministry of Defense) or the fact
that this is a nationally important defense issue. Therefore the national model
should be under the equivalent of a Ministry of Defense.
The physical bodies such as the Army, Navy, Air Force, and Police need
to be responsible for the physical infrastructure and artifacts of critical
Infrastructures. At the moment no one, in any country with the possible
exceptions of Sweden and Switzerland, seem to have complete control of
their defense in terms of specific operational responsibility for defending
specified pieces of national critical infrastructure. This is something that
needs to be put right and should become, naturally, the responsibility of
the Army, Navy, Air Force, and Police.
There needs to be a continually understood approach to mapping boundaries
and ownership of both Critical Infrastructures and Critical Information
Infrastructures. This suggests some sort of mapping and intelligence
gathering body. This can be an adjunct to existing Signal Intelligence and
Human Intelligence gathering bodies plus those bodies that used to be
known as Photographic Reconnaissance and Interpretation Units.
A new defense force needs to be constructed for the purpose of Critical
Information Infrastructure defense. This is not a new idea, per se. Once
aircraft were established as both a threat and a weapon, during World War 1,
then Air Forces were quickly added to existing army and naval defense force
capability. This is very much a development in the same idiom. Note, it is
as entirely inappropriate to treat Critical Information Infrastructure as a
subset of critical infrastructures as it is to treat air forces as a subset of armies
and navies. The corollary of Army Air Corps and Naval Air Arms is equally
appropriate under certain circumstances.
Finally, there must be responsibility in the private sector for both Critical
Infrastructure and Critical Information Infrastructures. The formal responsibility
for this can rest in appropriately constituted bodies.
244
So a national model for the protection, and thereby the increased resilience,
of national infrastructures could look something like this:
Democratically
Elected Govt
‘Ministry’ of
Defense
Intelligence Public / Private

Partnership
Land Defense Sea Air Defense Information Infrastructure

Force Defense Force Defense Force
Energy
Finance
Health
With similar links
from all other
Infrastructures to Food Supply
these other Forces.
Government
Services
Law and
Order
National
Icons
Transport
Water
Waste Water
FIGURE 4. A National Defense Model

International
Critical Infrastructure and Critical Information Infrastructures are no longer
essentially national in nature. Critical Infrastructure remains more national,
but even here there are major issues. One anecdotal example is the desire of
the representative for Pas de Calais, France, to display her green credentials
by campaigning for the abandonment of the region’s nuclear power plant
at Gravelines. This was until it was realized that much was earned from the
export of nuclear generated electricity form the Pas de Calais plant to neigh-
boring Kent in the United Kingdom, some 40 kilometers away across the
Channel. Critical Infrastructure is also much more private than it was 50
years ago – with a great shift of resources out of public ownership into private
ownership. In terms of Critical Information Infrastructure it is difficult to see
how this, in any way, is national in nature. It is international in nature – but
dominated by USA owned Infrastructure and processes and concentrated, to
date, in the OECD nations.245
The multinational organizations that cover the majority of the international
aspects of both Critical Infrastructure and Critical Information Infrastructure,
and their international geography, are relatively few. They are the OECD,246
the European Union,247 the Group of Eight (G8),248 NATO,249 and the UN.250
Each of these do have an approach to both Critical Infrastructure and Critical
Information Infrastructure, but not all are in a position to do anything
concrete about building Resilience in either. All of these organizations are
political in nature. This is a positive attribute because it is necessary to
have buy-in from all parts of the relevant political bodies. Some are for
international discussion, cooperation and action. Only two have any real
defensive mandate, one is NATO and the other is the UN. NATO does not
cover all the geography; the UN covers the geography but, perhaps, with-
out the respect. Each organization has a slightly different approach to the
problem.
The European Union has a number of concerns about Critical Infrastructure
and Critical Information Infrastructure. These concerns are voiced both
formally, in terms of the Lisbon Agenda251 and related Policies and ePolicies,
and informally, within the Commission.
245
Proxy figures are available at http://www.websiteoptimization.com/bw/0510 (Accessed:
7 January 2007) and at http://www.oecd.org (Accessed: 7 January 2007).
246
Available at http://www.oecd.org (Accessed: 7 January 2007).
247
Available at http://www.europa.eu (Accessed: 7 January 2007).
248
Available at http://www.g7.utoronto.ca/what_isg8.html (Accessed: 7 January 2007).
249
Available at http://www.nato.int (Accessed: 7 January 2007).
250
Available at http://www.un.org (Accessed: 7 January 2007).
251
The Lisbon Agenda is available at http://www.euractiv.com/en/agenda2004/lisbon-
agenda/article_117510 (Accessed: 7 January 2007).
Informally there is great concern over a number of vulnerabilities,

evidenced by the slant given to various research projects, particularly on
Security and eSecurity within both the Framework 6 and Framework 7
programs. The issue of Critical Infrastructure protection is dealt with
under the various initiatives in the EU Budget to 2013.252 These are usefully
summarized by Masera.253 The substance of his presentation is that the
problems are recognized but have yet to be dealt with, although funds
have been allocated to flesh out solutions. The major European agency
established to deal with Critical Information Infrastructure protection is the
European Network and Information Security Agency (ENISA).254 Despite
the hope that was engendered by the establishment of ENISA, the reality
is somewhat disappointing. First, the Agency is not operational; it has a
coordinating, informative, and, sometimes, strategic brief. There was reluc-
tance in the European Commission to give it an operational role because
this would have interfered with a number of existing operational bodies at
national and international level. Examples would be existing intelligence
bodies and Europol. The second disappointment was the decision to estab-
lish it in Heraklion, Crete, Greece. This decision was driven by the need
to allocate agencies ahead of the last round of country integration, and
was a politically motivated decision rather than an operationally driven
decision. As a result the Agency is both in the wrong place and, arguably,
has the wrong brief. There is, overall, a lack of political will to deal with
problems that are not immediately obvious to the electorate. Thus there is
much concentration on the obvious requirements to combat the physical
effects of terrorism, and it is true that this helps the protection of Critical
Infrastructures in part, but there is little will to devote resources to the
coordination of the, arguably more important, Information Infrastructures
that now dominate the lives of all.
The Group of Eight (G8)255 has a good history of recognizing the issues
involved in the establishment of principles regarding both Critical Infrastructures
and Critical Information Infrastructures.
The G8 initially addressed the problem in 1995, developed ideas in 2000
with the Okinawa Charter on Global Information Society and, embodying
the OECD Guidelines for Security of Information Systems. Importantly, this
acknowledged the need for both public and private bodies to work together.
252
Information available at http://ec.europa.eu/enterprise/security/articles/article_
2006-09-25-kf_en.htm (Accessed: 7 January 2007).
253
Masera, M (2005) Critical Infrastructures and European Policies. IRGC Confer-
ence, European Commission, Beijing, China. 20 September http://www.irgc.org/irgc/
knowledge_centre/irgceventmaterial/_b/contentFiles/IRGC%202005%20Gen%20Conf_
Marcelo%20Masera.pdf (Accessed: 7 January 2007).
254
ENISA information available at http://www.enisa.eu.int (Accessed: 7 December 2007).
255
Group of Eight information available at http://www.g8.utoronto.ca/summit/
2003evian/press_statement_march24_2003.html (Accessed: 7 January 2007).
In 2003 eleven principles were adopted. The G8 Principles for Protecting

Critical Information Infrastructures256 are as follows:
• The establishment of warning networks
• Promoting partnerships
• Maintaining crisis communication networks
• Facilitating the tracing of attacks
• Training and exercising
• Having appropriate laws and trained personnel
• International cooperation
• Promoting appropriate research
These are fine principles, but the G8 can only advise. It has no real capability
to deliver.
At the OECD the Working Party on Information Security and Privacy
(WPISP) promotes a global approach. The resolutions and recommendations
help both governments and businesses; awareness is raised through the
publication of Information and statistics. In 2002 the OECD adopted
Guidelines for the Security of Information Systems and Networks: Toward
a Culture of Security. The guidelines are a result of consultation between
industry, business, and society. In October 2003 the OECD Global Forum
on Information Systems and Network Security257 met and had the following
key outcomes:
• Raising awareness of the importance of secure Information systems and
networks for safeguarding Critical Infrastructures, as well as business and
consumer Information
• Increasing knowledge of the OECD Security Guidelines
• Encouraging the development and the promotion of security architectures
for organizations that effectively protect Information systems
• Exploring the use of technology and security standards in safeguarding IT
Infrastructures.
The UN has not yet taken the same number of steps towards developing
Information and policy on either Critical Infrastructures or Critical Informa-
tion Infrastructures as other international bodies. It established a UN ICT
Task Force in November 2001. In September 2002 the task force published
a guide called “Information Security – A Survival Guide to the Uncharted
Territories of Cyber-Threats and Cyber-Security.”258 This publication made
7 recommendations:
256
G8 Principles for Protecting Critical Information Infrastructures, in NISCC Quarterly,
April–June 2003, p. 9, http://www.niscc.gov.uk/quarterly/NQ_April03_JUNE03.pdf
257
Information available at http://www.oecd.org.document/38/0,2340,en_21571361_
36139259_16193702_1 (Accessed: 7 January 2007).
258
Information available at http://www.unicttaskforce.org/perl/documents.pl?id=1152
• Recommendation No: 1 - Become aware of the problem

• Recommendation No: 2 – Devise an Information security strategy
• Recommendation No: 3 – Implement some simpler remedial procedures
immediately
• Recommendation No: 4 – Seek professional help without delay
• Recommendation No: 5 – Adopt international standards and other best
practices. International standards like ISO 17799, and other tried and tested
best practices can be of great help in securing your systems from external
threats
• Recommendation No: 6 – Identify the gaps in national legislation
• Recommendation No: 7 – Encourage the United Nations to embark urgently
on a Law of Cyber-Space. The almost complete absence of international law
on this subject has created a phenomenal vacuum
Finally it is worth having a close look at NATO. NATO is an interesting
body in the context of Critical Infrastructures and Critical Information Infra-
structures. This is because many OECD countries are members of NATO, and
most of those who are not have some form of treaty alignment with NATO. It
is because NATO has some teeth, in that it is a defense delivery organization
as well as an Information disseminating and strategic body. It is because it has
some remit to defend both Critical Infrastructures and Critical Information
Infrastructures in line with its charter. Critical Infrastructure protection is
partly covered in the Ministerial Guidance for NATO Civil Emergency
Planning. The Senior Civil Emergency Planning Committee has recognized
the need for more work on protecting Critical Infrastructures. The Civil
Communication Planning Committee has published a number of documents
on Critical Infrastructure Protection. The Civil Protection Committee, the
Industrial Planning Committee, the Food and Agriculture Planning Commit-
tee, the Civil Aviation Planning Committee, the Planning Board for Inland
Surface Transportation, and the Planning Board for Ocean Shipping are all
involved in aspects of Critical Infrastructure and Planning. In the area of
Critical Information Infrastructure things are less well developed.
The NATO Counter-Terrorism Development Program recognizes the need
for a technology response to current problems, and also recognizes the need for
private sector contributions, and also comments as follows259:
The global spread of technology that can be of use in the production of weapons
may result in the greater availability of sophisticated military capabilities,
permitting adversaries to acquire highly capable offensive and defensive air,
land, and sea-borne systems, cruise missiles, and other advanced weaponry. In
addition, state and non-state adversaries may try to exploit the Alliance’s
growing reliance on Information systems through Information operations
designed to disrupt such systems. They may attempt to use strategies of this kind
to counter NATO’s superiority in traditional weaponry.
259
Information available at http://nc3a.info/nctdp (Accessed: 7 January 2007).
At the NATO 2006 Riga Summit a number of general proposals were made:
The Political Guidance for the summit included the following:
the ability to protect Information systems of Critical importance to the Alliance
against cyber attacks.260
The formal release of the summit included the following;
work to develop a NATO Network Enabled Capability to share Information,
data and intelligence reliably, securely and without delay in Alliance operations,
while improving protection of our key Information systems against cyber attack.
(Article 24)261 and
the development of coherent and mutually reinforcing . . . civil emergency
planning. (Article 41)262
Notes to the summit were more explicit regarding the increasing need to
deter and defend against attacks on Critical Information Infrastructures. It is
important to remember that implicit to the role of NATO is the protection of
Physical Infrastructures.
Other international bodies such as Interpol, the International Chambers
of Commerce’s International Maritime Bureau and Cyber Crime Unit, etc.
have an interest in different parts of the Critical Infrastructures, but largely
focused on the criminal aspects of the use of these Infrastructures. This is
subtly different form building resilient Infrastructures.
For example Interpol’s chief initiatives in the area of financial and high-
tech crime focus on:
• Payment cards
• Money laundering
• Intellectual property crime
• Currency counterfeiting
• New technologies263
At the International Chamber of Commerce Crime Services the Cyber
Crime Unit set up in 1999 as a conduit for the exchange of information
between commerce and law enforcement supports the activities of all Com-
mercial Crime Bureaus.
Cyber Crime Unit staff use their knowledge of fraudulent behavior to
identify new scams and issue warnings to members. The Unit also provides
commerce with several essential services:
260
Information available at http://www.nato.int/docu/basictxt/b061129e.htm (Accessed:
7 January 2007).
261
Information available at http://www.nato.int/docu/pr/2006/p06-150e.htm (Accessed:
7 January 2007).
262
Ibid.
263
Available at http://www.interpol.int/Public/FinancialCrime/Default.asp (Accessed:
7 January 2007).
• Tracking and tracing bogus Web sites

• Alerting ISPs that their systems are being used for illegal purposes
• Alerting banks and businesses to the existence of copy-cat sites
• Identifying criminal interference in computer networks
• Providing advice on the security of Information systems
• Conducting audits or wireless networks264
International law regarding both Critical Infrastructures and Critical
Information Infrastructures is sparse. Indeed Dunn and Wigert (2004)265 go
so far as to comment:
Due to the inherently transnational character of Critical Infrastructure and
Critical Information Infrastructure there is a need to harmonize national legal
provisions and to enhance judicial and police co-operation. However, so far, the
international legal framework has remained rather confused and is actually an
obstacle to joint action by the actors involved.
In the European Union the European Commission has started to make
an effort to deal with the problem. The author has been both a Director for
the Commission’s eJustice project and a member of the eDemocracy focused
Politech Institute in Brussels. Both bodies have made substantive recommen-
dations on various approaches to solving the problem.
eJustice succeeded in its aims of:
1. Going beyond the state of the art in several Trust and Security technologies
2. Convincing key representatives of civil society that these technologies, and in
particular biometry, do not represent a threat to the privacy of citizens when
used within well-defined guidelines
3. Convincing major public authorities to adopt the results for their own use.266
But the project cannot, on its own, make these things happen.
The Politech Institute, amongst other things, seeks to consult the different
stakeholders in the development of electronic strategies and policies in the
converging domains of political technologies.267 This includes law. But nor
can it make things happen.
There is a huge vacuum in International Law in regard to Critical Infra-
structure and Critical Information Infrastructure protection.
Elsewhere thought leaders in the subject of Resilience in Critical Infra-
structure and Critical Information Infrastructures have been identified. In
the international context it is important to have structures that have reach,
respect, and resources. This gives a number of problems in regard to the USA
and Europe in particular. This is because both are regarded has having vested
interests, particularly in regard to Critical Information Infrastructures. It also
264
Available at http://www.icc-ccs.org/ccu/overview.php (Accessed: 7 January 2007).
265
266
Available at http://www.ejustice.eu.com (Accessed: 7 January 2007).
267
Information available at http://www.politech-institute.org/services.asp?dept=1 (Accessed:
7 January 2007).
gives a problem in regard to the so-called neutral countries of Sweden and

Switzerland. These countries may well be neutral in a political sense, and they
may be neutral in a Critical Infrastructure sense, but they are not neutral
in a Critical Information Infrastructure sense. This said there is no point in
claiming a neutrality of view on behalf of the author either.
The OECD plays a prominent role in fostering good governance in the
public service and in corporate activity. It helps governments to ensure
the responsiveness of key economic areas with sectoral monitoring. By deci-
phering emerging issues and identifying policies that work, it helps policy-
makers adopt strategic orientations. It is well known for its individual country
surveys and reviews. The OECD produces internationally agreed instruments,
decisions, and recommendations to promote rules of the game in areas where
multilateral agreement is necessary for individual countries to make progress
in a globalized economy. Sharing the benefits of growth is also crucial as
shown in activities such as emerging economies, sustainable development,
territorial economy, and aid. Dialogue, consensus, peer review, and pressure
are at the very heart of OECD. Its governing body, the Council, is made up
of representatives of member countries. It provides guidance on the work of
OECD committees and decides on the annual budget.
It is recommended that the OECD takes on the International Strategic
Responsibility for Resilience in Critical Infrastructures and Critical Information
Infrastructures. Its approach to Resilience should include direct liaison with
the international thought leaders – particularly those in the UK (National
Information Security Coordination Centre),268 Australia (Attorney General’s
Department),269 New Zealand (Centre for Critical Infrastructure Protection),270
and the United States (Department for Homeland Security).271
It would thus have the reach, respect, and resources to deliver. NATO is the
most experienced and effective body in the international defense arena. The
first five articles of the treaty are as follows.
The North Atlantic Treaty
Washington, DC – 4 April 1949

The Parties to this Treaty reaffirm their faith in the purposes and principles
of the Charter of the United Nations and their desire to live in peace with all
peoples and all governments. They are determined to safeguard the freedom,
common heritage, and civilization of their peoples, founded on the principles of
democracy, individual liberty, and the rule of law. They seek to promote stability
and well-being in the North Atlantic area.
268
Information available at http://www.niscc.gov.uk (Accessed: 7 January 2007).
269
Information available at http://www.ag.gov.au (Accessed: 7 January 2007).
270
Information available at http://www.ccip.govt.nz (Accessed: 7 January 2007).
271
Information available at http://www.dhs.gov (Accessed: 7 January 2007).
They are resolved to unite their efforts for collective defense and for the
preservation of peace and security. They therefore agree to this North Atlantic
Treaty:
Article 1
The Parties undertake, as set forth in the Charter of the United Nations, to settle
any international dispute in which they may be involved by peaceful means in such a
manner that international peace and security and justice are not endangered, and to
refrain in their international relations from the threat or use of force in any manner
inconsistent with the purposes of the United Nations.
Article 2
The Parties will contribute toward the further development of peaceful and
friendly international relations by strengthening their free institutions, by
bringing about a better understanding of the principles upon which these
institutions are founded, and by promoting conditions of stability and well-
being. They will seek to eliminate conflict in their international economic
policies and will encourage economic collaboration between any or all of
them.
Article 3
In order more effectively to achieve the objectives of this Treaty, the Parties,
separately and jointly, by means of continuous and effective self-help and mutual
aid, will maintain and develop their individual and collective capacity to resist
armed attack.
Article 4
The Parties will consult together whenever, in the opinion of any of them, the
territorial integrity, political independence, or security of any of the Parties
is threatened.
Article 5
The Parties agree that an armed attack against one or more of them in Europe
or North America shall be considered an attack against them all and conse-
quently they agree that, if such an armed attack occurs, each of them, in exercise
of the right of individual or collective self-defense recognized by Article 51 of
the Charter of the United Nations, will assist the Party or Parties so attacked by
taking forthwith, individually and in concert with the other Parties, such action
as it deems necessary, including the use of armed force, to restore and maintain
the security of the North Atlantic area.
These first five articles can be used as a basis for the protection of interna-
tional Critical Infrastructures and Critical Information Infrastructures. In
the case of Critical Information Infrastructure the majority of international
Infrastructure is already in the hands of existing NATO members. Various
attempts have been made, both at the Riga summit and previously, to
include reference to cyber-attacks. The basis of NATO is defense against
armed attack. Armed attack is an increasingly dated term in the context of
international and asymmetric warfare.
It is recommended that NATO should become the operational arm for

international Resilience in Critical Infrastructure and Critical Information
Infrastructure Protection. It has the reach, respect, and resources to deliver.
In terms of delivering on the ground then a number of agencies need to
be coopted to work with the strategic and operational arms. In terms of
coordinating different aspects of the task it could be suggested that:
• Research can be undertaken by bodies such as ETH272 or I3P273
• International Law can be developed and amended under the auspices of the
International Law Commission274
• The Politech Institute275 coordinates public sector views (because it already
has an Infrastructure to do this)
• The ICC Cyber Crime276 unit coordinates the private sector (because it
already has an Infrastructure to do this)
• ENISA277 coordinates the Critical Information Infrastructure input (because
it already has an Infrastructure to do this)
Strategic Body
(Based at OECD)
Research Law
ETH, Zurich Internation law
13P, Dartmouth, NH Commission
Operational Body
(Based at NATO)
National Ministries
of Defense
Public Sector Private Sector National Bodies National Bodies

(Politech Institute (ICC Cyber Crime Critical Information Critical
Brussels) Unit) Infrastructures Infrastructures
FIGURE 5. An International Defense Model
272
Information available at http://www.eth.cz (Accessed: 7 January 2007).
273
Information available at http://www.thei3p.org (Accessed: 7 January 2007).
274
Information available at http://www.un.org/law/ilc (Accessed: 7 January 2007).
275
Information available at http://www.politech-institute.org (Accessed: 7 January 2007).
276
Information available at http://www.icc-ccs.org (Accessed: 7 January 2007).
277
Information available at http://www.enisa.europa.eu (Accessed: 7 January 2007).
• NATO278 coordinates Critical Infrastructure input (because it already has an

Infrastructure to do this)
• The overall international Resilience in Critical Infrastructure and Critical
Information Infrastructure could thus look something like the diagram
above
This is not to say that any international infrastructure management organi-
zation should look like this, but it is to say that it could look like this. There
is no naiveté or impracticality in such suggestions – the political difficulties
are well understood. It is necessary to have an international organization to
look at this subject; it is necessary to construct one; it is recognized that this
will cost money; it is recognized that some bodies will be better than others;
it is recognized that some Infrastructures already exist that could help. Those
mentioned are some that could help. Each has limitations, but so will any
other suggestions.
To conclude it is important to recognize that an international approach
to Resilience in Critical Infrastructures and Critical Information Infra-
structures is required. There is no current, coherent, structure that could
do the job on its own. It is recommended that an international approach to
Resilience in Critical Infrastructure and Critical Information Infrastructures
be developed, based on existing Infrastructures at the OECD, NATO, the
International Law Commission, existing research bodies at ETH and I3P,
the Politech Institute, the ICC Cyber Crime Unit, and ENISA – or any other
bodies that might willingly take on the task with the required reach, respect,
and resources. There is a need for such an organization; what is required is
the will to create it.
278
Information available at http://www.nato.int (Accessed: 7 January 2007).
Chapter 12
General Summary and Conclusions
Chapter 1
• Critical Infrastructure Protection is about Defense
• Critical Infrastructures need to be Resilient
Chapter 2
• Resilience is about the ability to “bounce back”
• Critical Infrastructure Protection is not the same as Critical Information
Infrastructure Protection
• Critical Infrastructure Protection is essentially national; Critical Information
Infrastructure is both national and “borderless.”
• Both Critical Infrastructure Protection and Critical Information Infrastruc-
ture are inseparable from society’s core values in a political, social, eco-
nomic, and technological sense.
• There has been a migration of Critical Infrastructure from Government to
Private hands over the last 50 years.
• Fewer resources are devoted to the Defense of Critical infrastructure than
50 years ago.
Chapter 3
• There is clear stated political support for Critical Infrastructure and Critical
Information Infrastructure across all countries.
• There is less clear definition of actual operational support for the protection
of Critical Infrastructures and Critical Information Infrastructures across
most countries.
• A common set of Critical Infrastructures can be defined.
• Risk management is important.
• There are concerns with regard to the dominance of Information Technology
in all Critical Infrastructures.
• There are legal gaps at international and national level regarding both Critical
Infrastructure and Critical Information Infrastructure.
• Thought leadership in this subject area is not related to size of country or
Infrastructures.
194
Chapter 12 General Summary and Conclusions 195
Chapter 4
• Every single Critical Infrastructure in the common list is under threat; none
of them really display the characteristics of resilience.
• Governments are clearly not paying enough attention to Critical Infrastruc-
tures, and they are not properly prioritized neither in any national sense, not
of themselves.
Chapter 5
• The Connectivity, Hosting, Security, Hardware, and Software industries
combined, and in general, pay little heed to Critical Information Infrastruc-
ture protection.
• There are no major international, European or national bodies addressing
the subject operationally in an effective manner, although some of the
telecommunication bodies are trying.
• There are many Public–Private Partnership and Information Sharing
Initiatives, but they tend to lack teeth.
• Some Information Sharing initiatives are effective, e.g., CERTS and WARPs,
and work well from the bottom up, as in the New York State example.
Chapter 6
• The export of democracy has increased the threat to Critical Infrastructures,
and led to the increased likelihood of Asymmetric and traditional war.
• There is demonstrable resilience in the Economic field, but this is balanced
by a lack of Obstructive Marketing techniques outside of friendly western
style cultures.
• Inequality and religion are the main social threats to Critical Infrastructures.
• Technical Developments are both positive and negative for Critical Infra-
structures, with a view that the future balance may be negative.
• Global warming will have, at least in the short term, an almost universal
negative effect on Critical Infrastructures.
• Legal and regulatory controls are on the increase for Critical Infrastructures.
• Risk management and the understanding of dependencies are increasingly
important.
• Critical Information Infrastructure’s primacy is confirmed.
Chapter 7
• In less than 20 years the use of Critical Information Infrastructure in busi-
ness has advanced beyond recognition.
• Critical Information Infrastructure protection is now a key issue for business,
led by the banks.
• Many standards across the regulated and nonregulated business have been
introduced.
• These standards, including Sarbanes-Oxley, can be approached from a common
base ISO 17999
• Over time there has been a shift from the tactical issues of recovery and
continuity towards the strategic idea of Resilience.
• Regulation/Compliance/Asymmetric Warfare/Obstructive Marketing is
driving Information Infrastructure Resilience in business.
• Critical Information Infrastructure protection and Resilience is key to Busi-
ness Information Security and hence Business Security.
• A Chief Information Officer, a C-suite member, should be strategically
responsible for Information Infrastructure in a corporate environment.
• Common standards are reviewed against each other in a table.
Chapter 8
• USA and Europe still have the ability to determine their own economic
future.
• Europe’s future growth is potentially at risk from a USA-driven twenty-first
century information-based “East India Company,” dominating the world’s
electronic economy.
• Europe is concerned about this potential.
• Working together the USA and Europe could fashion a sustainable elec-
tronic economy.
• There are counter-arguments. For example, Sarbanes-Oxley has had some
negative effects on business creation and growth as well as on regulation,
compliance, and extraterritorial reach.
• The idea underlines the importance of Critical Information Infrastructure,
because without it the idea will not work.
Chapter 9
• Call Centers are Information-Infrastructure-dependent businesses that have
been increasingly outsourced over recent years.
• Outsourcing without thinking through all the consequences in an holistic
manner is dangerous.
• Call Centers should not be located in areas of high political and economic
risk.
• Call Centers must have access to Information Infrastructure and Disaster
Recovery and Business Continuity.
• There can be international and national legal difficulties when outsourcing.
• The difference between now and the future is increasingly Information
Infrastructure.
• Outsourcing demands Critical Information Infrastructure and Resilience.
Chapter 10
• 2000 was a definitive year for Information Infrastructure, it was the year it
was understood how vital it was.
• Information Infrastructure is massively skewed to the OECD.
• Dependencies need to be understood, as do the tools to find them.
Chapter 12 General Summary and Conclusions 197
• There is a continuing argument in favor of a greater defense role in

managing Information Infrastructure at both a control and operational level.
• Resilience is found in High Reliability Organizations such as submarines
and aircraft carriers.
• The features of resilience found both in High Reliability Organizations and
resilient children needs to be replicated in Information Infrastructure and
information people.
• Security is the state of being free from danger or injury; resilience is about
being able to return to an original form after deformation.
• Information Infrastructure is now the Critical Infrastructure and all OECD
economies are dependent upon it.
• Asymmetric Warfare targets and uses the Critical Information Infra-
structure.
• Obstructive Marketing targets and uses the Critical Information Infrastruc-
ture.
• The Corporate World has more success in dealing with Asymmetric and
Obstructive Marketing challenges than the Political World.
• The post Cold War vacuum was to be filled with democracy and globaliza-
tion. It has not turned out quite like that.
• The expansion of the financial system based on Information Infrastructure
has not been absolutely matched by standards.
• Commercial Information Infrastructure manufacturing companies are not
helping resilience.
• Information Infrastructure is now the bedrock of society and governments
are not doing enough to protect it.
• Political, economic, social, environmental, technological, and legal security
all now depends on Information Infrastructure.
• Cooperation is needed to build the required international, national, and cor-
porate resilience.
Chapter 11
• Resilience in children needs to be encouraged.
• Resilience in adults needs to be encouraged.
• Business needs to understand strategy, complexity, Obstructive Marketing,
and Asymmetric Warfare – and specifically needs to assist in the defense of
Critical Infrastructure
• Threats are understood, and common.
• Current armed forces are out of date.
• Regional fora with a Public/Private partnership required.
• National armed forces need a new “arm” to defend Critical Information
Infrastructure in particular.
• Internationally the OECD and NATO could potentially cooperate to defend
the west/north (OECD) against attacks on both Critical Infrastructure and
Critical Information Infrastructure.
Chapter 13
A Manifesto for Change
Resilience in Critical Infrastructure and Critical Information Infrastructure

Protection has implications at international, national, local, corporate,
individual, and political level.
At an international level it must be recognized that some form of
protection and defense strategy is required to both increase the resilience
of international information infrastructure and deter its use for asymmetric
warfare, obstructive marketing, and other unhelpful activities. There is a huge
role for international law to be developed in this area. This should be seen as
a priority. It has been recommended by this book that the OECD, NATO,
the UN’s International Law Commission, and research bodies such as I3P
and ETH are the sorts of bodies that should be involved in doing this. It does
not matter too much who the bodies are, but the principal of international
involvement in developing resilience is crucial. Without any doubt the defense
of information infrastructure, and the development of the required resilience,
must be treated as a new defense force. In the international context it is also
important to recognize that the overall defense of infrastructures includes a
need for negotiation between state and nonstate bodies; the latter becoming
a more important part of the world’s communities than formerly. Eventually
this may also include the need to negotiate with virtual communities. Much
more attention needs to be given to solving and developing this issue than has
been done to date.
Nationally it is important to recognize the primacy of Critical Information Infra-
structure. This primacy is based on the dependency of all Critical Infrastructures
on Critical Information Infrastructure. This means that Government depart-
ments related to Critical Infrastructures should be led by those responsible for
Critical Information Infrastructure. There is also a clear case for the creation
of a new defense force, along the lines of an Army, Navy or Air Force, to cater
for this new threat of attack through the Critical Information Infrastructure.
Such a development would give both the emphasis and profile to a threat,
which arguably is more of a threat to any nation state than physical terrorism.
At a national level the priorities need to be understood. It is more important to
protect the infrastructures than it is to deliver effective social services, because
198
Chapter 13 A Manifesto for Change 199
without the former there is no hope for the latter. Sight of these priorities
should not be lost. It is only towards the end of this work that any mention of
France has been made. However, it is clear that France has quietly maintained
these priorities (with the possible exception of the protection of Information
Infrastructure and Finance). Perhaps a lesson can be learned on national pri-
orities from France. It is important that any national effort is a coordination
of public and private sector.
Locally the same principles apply as at a national level. The local perspective
must mirror the national perspective in an appropriate manner. This may
mean a rethink of the type of local/regional structures. The 43 UK Police
Forces, for example, do not match the English regions, which themselves do
not properly coordinate with the shire counties. This, over the long term,
is a recipe for disaster. As more and more attacks on national and locals
infrastructures are studied, more and more often it is the lack of coordi-
nation at such a level that allows events to happen, or makes them worse.
Despite the bravery of the emergency services at both 9/11 and 7/07 it
remains a recommendation of the reports into both incidents that there
needs to be more coordination to handle attacks on infrastructures by local
and regional bodies. This emphasizes the need for a different approach for
both resilience and defense at local and regional level.
In the Corporate environment there is almost a universal need to understand
that information is the life-blood, more appropriately the DNA, of a business.
Lack of proper management in this area will eventually kill the business – as
any disease or neglect might do to the human body. The corollary of
asymmetric warfare in the corporate environment, Obstructive Marketing,
is on the increase. It is no longer really rational to hold people responsible
at 2–4 levels away from the C-suite for the integrity of the business. The job
needs to be done at a strategic level by recognized C-suite additions: the Chief
Information Officers (CIO)s. That this has not happened so far is a potential
reason why so many different approaches to governance, regulation, and
compliance have been needed. If there was clear strategic responsibility for
these issues, then maybe the range of controls would not have been needed
or introduced. In almost every case that has demanded some sort of action
by federal or national authorities the root cause of the problem has been
some manipulation, interference, or lack or control of business information.
Business information both sits on and is part of Information Infrastructure.
At an individual level there must be a much wider understanding of what
resilience means. At a practical level it means the ability to grow one’s own
food through to the ability to manage a personal information infrastructure.
Most of all, in an OECD society it means the personal responsibility
to be educated and grow up with a set of values that make the individual
resilient. This is therefore also a parental and political responsibility. As
many of today’s parents have lost all understanding of how to be resilient
themselves this comes back to the political agenda. The political context
of this book is analogous to “Emperor’s New Clothes.” It is absolutely clear
that international, national, local, and individual resilience is dependent on

particular approaches to the common list of infrastructures and, in particular,
Critical Information Infrastructure. However, the focus and priority of
political activity is almost always on something that is not related to Critical
Infrastructure –if it is it is the wrong priority.
Although it will be said that the war on terror epitomizes the defense of
infrastructures, it does not. It compromises most of the values of society
in one way shape or form and has not allocated any real resources to the
defense of Infrastructures, particularly Information Infrastructure. This book
is littered with the paucity of political thought on Infrastructures. It does
remain important to look after these other things, but not at the expense of
exposing Infrastructures to potential damage. The preference for pandering
to tabloid demands as opposed to addressing the real needs of a resilient
society is to be deplored. This is not a left or right issue; it is the matter of
a democratic government undertaking its primary duty, protecting citizens.
There may be some party political differences in how to approach individual
resilience. However, the fact of the matter is that no government has outlined
the key attributes of resilient children; then, as matter of national priority,
gone out to produce such attributes in children. The key priorities of the
current political context must be to develop and maintain a resilient energy
policy; to develop and maintain a sound financial infrastructure; to develop
and maintain resilient food security in the short-, medium-, and long-term; to
develop and maintain the nation’s health resilience; to develop and maintain
effective and resilient government services; to maintain a resilient law and
order structure; to develop and maintain a resilient manufacturing base; to
develop and maintain national icons; to develop and maintain a resilient
transport infrastructure; to develop and maintain resilient fresh water
supplies; to develop and maintain effective waste water treatment (and waste
disposal in general); to develop and maintain resilient people; and to develop
and maintain a resilient education and intellectual property infrastructure.
This is a challenge for our political masters. It is a particular challenge for
the USA and the European Union. The former because of its international
leadership position, the latter because it has now so much legislative responsibility
that it must show the lead to European nations, and both because they are
effectively the greater part of the OECD.
Appendix
An Introductory Information
Infrastructure Resilience, Recovery
and Security Bibliography
Introduction
This book promotes Resilience in Critical Infrastructure Protection. Primarily,
Critical Information Infrastructure Protection (CIIP), combining computer
and communication systems infrastructure, focusing on key issues as facilita-
tors of CIIP efforts including:
● Information sharing
● Data and network security
● IT governance
● Risk management
● Cyber terrorism
Information Infrastructure is a critical cross cutting factor, which other
Critical Infrastructures depend upon. CIIP is as vital as power.
This bibliography is designed to assist those who wish to understand the range
of material published on subjects related to Information Infrastructure
Resilience, Recovery, and Security. It does not claim to be comprehensive.
Indeed the review of literature identifies a number of gaps. As will be seen
reliance is placed on a wide range of associated areas of interest to bring
together potentially relevant material.
For those already involved with this subject as an academic, or a practi-
tioner, then this bibliography may be basic. There may be other sources not
included here. Please be kind enough to inform of any glaring omission or
commission errors – [email protected].
Most references before 1998 are excluded. This is a rapidly moving area
where things quickly become out of date. However, where certain texts before
1998 are viewed as important they have been included.
An effort has been made to include some tacit as well as explicit sources.
Clearly, key text authors are important tacit resources. All Eric Goetz’s and
Sujeet Shenoi’s colleagues and teams at 13P are, for example, good sources of
tacit knowledge.
Annotations are made where it is thought appropriate.
201
202 Appendix
The list of Internet links is a long one, and there is an emphasis on links
in general. The subject is both relatively immature and very much concerned
with online activity; therefore much of the information available is naturally
online.
The discerning will notice that the balance of content is very much in reverse
order: security, recovery, and resilience. It is clear that much less effort has gone
into making Information Infrastructure, systems, utilities, etc. resilient than
there has into working out how to recover from disaster or plug the holes. This
is a reflection of the way Information Infrastructure has developed over the last
decade. It is also a reflection of the balance of risk equation, which is in favor
of the recovery rather than the resilience. This is broadly as it should be in a
market economy, if the risks have been well thought through. However, there is
increasing evidence that this is not so, the risks have not been thought through.
Privatization has led to a loss of linkage between Government and strategic
resources. This trend has meant even those businesses previously considered
quasinational, for example BT in the UK have lost their place in the national
strategic order. This in turn means that not enough thought has gone into pro-
tecting vital national assets. This may be appropriate in an increasingly federal
world, but not in an increasingly asymmetric world. So some redress of the bal-
ance on national strategic assets and their protection/resilience is required. This
is the main lesson from this literature review.
Bibliographies/Lists/Directories/Surveys/
Search Engines
Ares
http://www.aresacademia.com/sistemas/pads/pads7.htm (Accessed:
3 January 2007)
Spanish site, but bibliography in English.
Asymmetric Warfare
http://www.au.af.mil/au/aul/bibs/asm/asw.htm (Accessed: 3 January 2007).
Asymmetric Warfare
http://www.comw.org/rma/fulltext/asymmetric.html (Accessed:
3 January 2007).
Air War College
http://www.au.af.mil/au/awc/awcgate/awc-thry.htm#bibs (Accessed:
3 January 2007).
Amazon
http://www.amazon.com (Accessed: 3 January 2007)
Amazon has lists of lists, which can add to the books listed in this document.
Appendix 203
British Computer Society Publications

http://www.bcs.org/bcs/products/publications (Accessed: 3 January 2007).
Business Continuity, etc.
http://www.survive.com/Resources (Accessed: 3 January 2007).
Cambridge Scientific Abstracts, Computers
http://uk1.csa.com/csa/factsheets/computer.shtml (Accessed: 3 January 2007).
Computer Emergency Response Team (CERT) Information Security
Research Papers
http://www.cert.org/research/papers.html.
CESG (2004) Directory of INFOSEC Assured Products. UK, CESG.
http://www.cesg.gov.uk (Accessed: 3 January 2007).
Listings of security products that meet with UK Government approval.
CESG ‘Cloud Cover’ Public Key Infrastructure Project Bibliography
http://www.cesg.gov.uk/site/ast/index.cfm?menuSelected=1&displayPage=11
Computer Security Books
http://www.epic.org/bookstore/security.html (Accessed: 3 January 2007).
Usability of Computer Security
http://www.sims.berkeley.edu/%7Erachna/security_usability.html (Accessed:
3 January 2007).
Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection.
Zurich, Switzerland. The Swiss Federal Institute of Technology, available at
http://www.isn.ethz.ch/crn (Accessed: 3 January 2007).
This has a wide ranging bibliography on Critical Information Infrastructure
Protection for Australia, Austria, Canada, Finland, France, Germany, Italy,
The Netherlands, New Zealand, Norway, Sweden, Switzerland, United
Kingdom, United States, Critical Information Infrastructure Methods and
Models, and a number of links.
Cryptography and Security
http://theory.lcs.mit.edu/~rivest/crypto-security.html
Defense Information Access Network http://www.dianepublishingcentral.
com/CustomerService.asp (Accessed: 3 January 2007).
Department of Energy Information Security
http://doe-is.llnl.gov (Accessed: 3 January 2007).
Disaster Recovery, Emergency Planning Books
http://www.binomial.com/bookstore/cg040001.htm (Accessed:
3 January 2007).
204 Appendix
Ernst and Young (2004) IT Security Solutions Directory. London, UK.

Showtime Media Services.
This is an annual publication by Showtime Media Services, sponsored in
2004 by Ernst and Young, which lists and tables vendor solutions to security
problems.
Google
http://www.google.co.uk (Accessed: 3 January 2007)
And other search engines.
Google Scholar
http://www.scholar.google.com (Accessed: 3 January 2007)
And other search engines.
The Information Security Policies/Computer Security Policies Directory
http://www.information-security-policies-and-standards.com/
Information Warfare and Information Security on the Web
http://www.fas.org/irp/wwwinfo.html (Accessed: 3 January 2007).
Institute of Directors Publications
http://www.iod.com/is-bin/INTERSHOP.enfinity/eCS/Store/en/-/GBP/IOD-
Start (Accessed: 3 January 2007). Mainly books, articles, etc. on Corporate
Governance and the security issues associated with Corporate Governance.
http://www.iso17799software.com/ (Accessed: 3 January 2007)
ISO17799 Directory of Software & Security Risk Analysis.
Lancaster Index, The
http://www.mpr.co.uk/scripts/sweb.dll/li_home (Accessed:
20 December2004)
A listing/bibliography of defense and international security
literature.
Microsoft
http://www.microsoft.com/resources/documentation/Windows/2000/server/
reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/
server/reskit/en-us/iisbook/c09_additional_resources.asp (Accessed: 3
January 2007)
A Microsoft Security Resources List.
National Transportation Library
http://ntl.bts.gov/faq/sept11.html (Accessed: 3 January 2007).
Network Security Reading
http://www.spinics.net/linux/netsec.php (Accessed: 3 January 2007).
Network Security Library
http://secinf.net/ (Accessed: 3 January 2007).
Appendix 205
Perpetuity Press
http://www.perpetuitypress.com (Accessed: 3 January 2007)
Specialises in books, journals, and manuals in the fields of crime, risk, andsecurity.
Qinetiq White Papers
http://www.qinetiq.com/home/markets/security/securing_your_business/
information_and_network_security/white_paper_index.html (Accessed: 3
January 2007) A series of very relevant White Papers. The Qinetiq site is also
a good source of tacit knowledge.
Questia. An Online Library.
http://www.questia.com (Accessed: 3 January 2007).
Price Waterhouse Coopers (2004) Information Security Breaches Survey,
London, UK. Department of Trade and Industry. An annual survey on
Information Security breaches. Available at http://www.security-survey.gov.uk
Rand Organization
http://www.rand.org/publications (Accessed: 3 January 2007).
Reliability Books and Related Subjects
http://www.enre.umd.edu/rbooks.htm (Accessed: 3 January 2007).
Reliability Engineering and Risk Management. Cranfield University’s Papers.
http://www.cranfield.ac.uk/sims/reliability/rermcresearchcapability03.pdf
Revolution in Military Affairs
http://www.comw.org/rma/index.html (Accessed: 3 January 2007).
RFID (Radio Frequency identification) Security and Privacy
http://lasecwww.epfl.ch/~gavoine/rfid/ (Accessed: 3 January 2007).
Risk Software and Computer Risks
http://www.riskworld.com/BOOKS/topics/risksoft.htm
The Rothstein Catalogue on Disaster Recovery
http://www.rothstein.com/ (Accessed: 3 January 2007).
Security Issues (Neil Johnson’s Bibliographies)
http://www.jjtc.com/Security/bib (Accessed: 3 January 2007).
Security and Cryptology http://liinwww.ira.uka.de/bibliography/Misc/
security.2.html (Accessed: 3 January 2007).
SEMPER
http://www.semper.org/sirene/collections/booklist.html (Accessed:
3 January 2007). This is a European R&D project on eCommerce. It has a
substantial booklist. Terminated in 2002, so some book references are old.
206 Appendix
Books – Arranged Alphabetically by Subject

All books on this subject tend to be, by nature, specialist and thus published by
specialist companies or specialist subdivisions of major publishers. Therefore
the book listings of these publishers are a further rich source of additional
material and information. The books listed here are those that form the foun-
dation of the resilience, recovery, and security press. Most can be found at the
bookstores at the major conferences.
Apache
Apache is open software. http://www.apache.org (Accessed: 3 January 2007).
Coar, K and Bowen, R (2003) Apache Cookbook. Farnham, UK. O’Reilly.
Mobily, T, et al. (2003) Professional Apache Security. Indianapolis, Indiana,
USA. Wrox Press Ltd.
Wainwright, P (2004) Professional Apache. Berkeley, CA, USA. Apress.
Auditing and Security
Musaji, YF (2001) Auditing and Security: AS/400, NT, Unix, Networks and
Disaster Recovery Plans. New York, USA. Wiley.
Backup (In Terms of Backing Up Data on Computers)
Desai, A (2000) SQL Server 2000 Backup and Recovery (Database
Professional’s Library). Emeryville, CA, USA. Osborne McGraw-Hill.
Freeman, R and Hart, M (2002) Oracle9i RMAN Backup and Recovery
(Oracle Press S.). USA. Osborne McGraw-Hill.
Hobbs, L, et al. (2000) OCP: Oracle8i DBA Architecture and Administration
and Backup and Recovery Study Guide. CA, USA. Sybex International.
Little, DB (2003) Implementing Backup and Recovery: The Readiness Guide
for the Enterprise (VERITAS S.). New York, USA. Wiley.
Stringfellow S, Klivansky M, and Barto, M (2000) Backup and Restore
Practices for Sun Enterprise Servers (Sun Blueprints S.) Indianapolis,
Indiana, USA. Prentice-Hall.
Velpuri, R, et al. (2000) Oracle8i Backup and Recovery (Oracle Press S.).
Emeryville, CA, USA. Osborne McGraw-Hill.
Carnivore
Carnivore is a FBI computer software program looking for malpractice on
the Internet.
Hatch, OG (2000) Carnivore Controversy: Electronic Surveillance and Privacy
in the Digital Age: Hearing Before the Committee on the Judiciary, U.S. Senate.
Collingdale, PA, USA. Diane Pub Co.
Appendix 207
Canady, CT (2000) Fourth Amendment Issues Raised by the FBI’s Carnivore

Program: Hearing Before the Committee on the Judiciary, U.S. House of
Representatives. Collingdale, PA, USA. Diane Pub Co.
Certification for Security Professionals
Note that material relevant to the Certificate of Information Security
Management is contained in the links section.
Behtash, B (2004) CCSP Self-Study: CISCO Secure PIX Firewall Advanced
(CSPFA). USA. Cisco Press.
Bragg, R (2002) MCSE Training Guide: (70-220) Designing Security.
Indianapolis, Indiana, USA. Que.
Bragg, R (2004) MCSE Windows Server 2003 (Exam 70-98): Designing
Security for a Windows Server 2003 Network: Training Kit. USA.
Microsoft Press International.
Bragg, R and Tittel, E (2004) Designing Security for a Windows
Server 2003 Network: Exam 70-298 (Exam Cram 2 S.). Indianapolis,
Indiana, USA. Que.
Carter, E (2004) CCSP Self-study: CISCO Secure Intrusion Detection
System. USA. Cisco Press.
Cockroft, L (2003) CCSP SECUR Exam Cram 2 (642-501). Indianapolis,
Indiana, USA. Que.
Dubrawski I and Grey P (2003) CCSP CSI Exam Certification Guide: CCSP
Self-Study. USA. Cisco Press.
Edwards, W, et al. (2003) CCSP Secure Pix and Secure VPN Study Guide
(642-521 and 642-511): Secure PIX and Secure VPN Study Guide
(642-521 and 642-511). CA, USA. Sybex International.
Edwards, W, et al. (2004) CCSP Study Guide Kit (642-501, 642-511, 642-
521, 642-531, 642-541). CA, USA. Sybex International.
Golubski, C and Heldman, W (2001) MCSE: ISA Server 2000
Administration Study Guide. USA. Cybex International.
Hansche, S (2003) Official (ISC) 2 Guide To The CSSP Exam. USA.
Auerbach Publishers Inc.
Harris, S (2003) CISSP Certification All-In-One Guide, 2nd Edition.
Hausman, KK (2003) Security+ (Exam Cram SYO-101) (Exam Cram 2 S.).
Hussain, Y (2004) CCIE Security Practice Labs (CCIE Self-study). USA.
Cisco Press.
208 Appendix
Information Systems Audit and Control Association Staff (2001) CISA

Review Manual 2002. Rolling Meadows, IL, USA. Information Systems
Audit and Control Association.
Kramer, J (2003) The CISA Prep Guide: mastering the Certified
Information Systems Auditor Exam.
Krutz, R and Vines, RD (2001) The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security. New York, USA. Wiley.
Krutz, RL and Vines, RD (2003) Advanced CISSP Prep Guide: Exam Q
and A. New York, USA. Wiley.
Krutz, RL (2004) The CISSP Prep Guide: Mastering CISSP and ISSEP.
New York, USA. Wiley.
Menga, J (2003) CCSA NG Check Point Certified Security Administrator
Study Guide (Certification Press). CA, USA. Sybex International.
Microsoft Press (2003) MCSA/MCSE Self Paced Training Kit:
Implementing and Maintaining Security in a Windows 2000 Network
Infrastructure. USA, Microsoft Press International.
Miller, LC and Gregory, PH (2002) CISSP for Dummies.
Molta, D and Akin, D (2003) CWSP Certified Wireless Security
Professional: Official Study Guide (Exam PWO-200). Emeryville, CA, USA.
Osborne McGraw-Hill.
Newman, DP, et al. (2004) CSIDS Exam Cram 2: Exam 642-53.
Newcomb, MJ (2004) CCSP SECUR Exam Certification Guide. USA.
Cisco Press.
Northrup, T (2004) MCSA/MCSE Self Paced Training Kit: Implementing and
Administering Security in a Windows Server 2003 Network. USA. Microsoft
Press International.
Reisman, B and Ruebush, M (2004) MCSE: Windows Server 2003
Network Security Design Study Guide (70-298). CA, USA. Sybex
International.
Roland, J (2004) CCSP Self-study: Securing Cisco IOS Networks (SECUR).
USA. Cisco Press.
Schmied, W and Shimonski, RJ (2003) Mcsa/Mcse Managing and
Maintaining a Windows Server 2003 Environment for an Mcsa Certified on
Windows 2000 (Exam 70-292): Study Guide and DVD Training
System. Rockland, MA, USA. Syngress Media.
Shimonski, RJ and Shinder, DJ (2003) Security+ and Study Guide and DVD
Training System. Rockland, MA, USA. Syngress Media.
Appendix 209
Skoudis, E (2002) The Network Security Training Course Desktop.

Indianapolis, Indiana, USA. Prentice-Hall.
Tittel, E, et al. (2004) CISSP: Certified Information Systems Security
Professional Study Guide. CA, USA. Sybex International.
CISCO
CISCO along with a number of other key vendors, such as Microsoft, Intel,
and Oracle have a wide range of resources dedicated to their products. This
is because of the high market share each has in particular product areas, and
their obvious desire to keep it that way.
Sedayo, J (2001) Cisco IOS Access Lists. Farnham, UK. O’Reilly.
Code (As In Computer Code)

Sebastian Xambo-Descamps (2003) Block Error-correcting Codes:
A Computational Primer (Universitext S.). Berlin, Germany. Springer.
Hatton, L (1994) Safer C: Developing Software in High-integrity and
Safety-critical Systems (McGraw-Hill International Series in Software
Engineering). Emeryville, CA, USA. McGraw-Hill Publishing Co.
Rubin, AD, et al. (2004). Exploiting Software: How to Break Code.
Boston, MA, USA. Addison Wesley.
Computer Security
Amoroso, E (1994) Fundamentals of Computer Security Technology, New
Jersey, USA. AT&T.
Bishop, M (2002) Computer Security: Art and Science. Boston, MA, USA.
Addison Wesley.
Gollmann, D (1999) Computer Security. New York, USA. Wiley.
Greene, TC (2004) Computer Security for the Home and Small Office.
USA. Apress.
Leveson, N (1995) Safeware: System Safety and Computers. Boston, MA,
USA. Addison Wesley.
Luber, A (2002) PC Fear Factor. Indianapolis, Indiana, USA. Que.
Penfold, RRC (1998) Computer Security : Businesses at Risk. London, UK.
Robert Hale Limited.
Pieprzyk, J, et al. (2003) Fundamentals of Computer Security. Berlin,
Germany. Springer.
Zelkowitz, MV (ed.) (2004) Advances in Computers, Vols. 40–62.
New York, USA. Elsevier.
Corporate Security
Alagna, T, et al. (2005) Larstan’s Black Book on Corporate Security.
Potomac, Maryland, USA. Larstan.
210 Appendix
Crime/Forensics/Malice/Malware
Akdeniz, Y (2003) Sex on the Net: The Dilemma of Policing Cyberspace
(Behind the Headlines S.). USA. South Street Press.
Benson, R (1996) Acquiring New ID: How to Easily Use the Latest
Technology to Drop Out, Start Over and Get on with Your Life. Boulder, CO,
USA. Paladin Press.
Casey, E (2004) Digital Evidence and Computer Crime. USA. Academic
Press.
Casey, E (2001) Handbook of Computer Crime Investigation: Forensic Tools
and Technology. USA. Academic Press.
Endorf, C, et al. (2003) Intrusion, Detection and Prevention: The
Authoritative Guide to Detecting Malicious Activity (Security). Emeryville,
CA, USA. Osborne McGraw-Hill.
Jewkes, Y (2003) Dot.cons: Crime, Deviance and Identity on the Internet.
Cullompton, Devon, UK. Willan Publishing.
Kruse II, WG and Heiser, J (2001) Computer Forensics Essentials.
Levy, S (2002) Heroes of the Computer Revolution. UK. Penguin Books.
Mintz, A and Mintz, AP (2002) Web of Deception: Misinformation on the
Internet. Toronto, ON, Canada. Cyberage Books.
Mitnick, KD and Simon, WL (2003) The Art of Deception: Controlling the
Human Element of Security. New York, USA. Wiley.
Parker, D (1998) Fighting Computer Crime: A New Framework for
Protecting Information. New York, USA. Wiley.
Negus, C (2004) Fedora Troubleshooting Bible. New York, USA. Wiley.
Peikari, C and Chuvakin, A (2004) Security Warrior. Farnham, UK. O’Reilly.
Prosise, C and Mandia, K (2003) Incident Response and Computer
Forensics. Emeryville, CA, USA. Osborne McGraw-Hill.
Russell R, and Beale, J (2004) Stealing the Network: How to Own a
Continent. Rockland, MA, USA. Syngress Media.
Russell, R (2003) Stealing the Network: How to Own the Box. Rockland,
MA, USA. Syngress Media.
Phillips, A, et al. (2004) Computer Forensics and Investigations. Boston, MA,
USA. Course Technology.
Sammes, AJ and Jenkinson, B (2000) Forensic Computing: A Practitioner’s
Guide (Practitioner S.). Godalming, UK. Springer.
Appendix 211
Schneier, B (2004) Secrets and Lies: Digital Security in a Networked World.

Skoudi, E (2003) Malware: Fighting Malicious Code. Indianapolis, Indiana,
USA. Prentice-Hall.
Slatalla, M (1996) Masters of Deception: The Gang That Ruled Cyberspace.
London, UK. HarperCollins.
Stoll, C (2000) The Cuckoo’s Egg: Tracking a Spy Through the Maze of
Computer Espionage. USA. New York, USA. Simon and Schuster Inc.
Syngress (2004) Snort 2.1 Intrusion Detection. USA, Rockland, MA, USA.
Syngress Media.
The Honeynet Project (2004) Know Your Enemy: Revealing the Security
Tools, Tactics, and Motives of the Blackhat Community. Boston, MA, USA.
Addison Wesley.
Thomas, D and Loader, BD (2000) Cybercrime: Law Enforcement, Security and
Surveillance in the Information Age. London, UK. Routledge, an imprint of
Taylor and Francis Books.
Wang, W (2000) Steal This Computer Book 2: What They Won’t Tell You
About the Internet. San Francisco, CA, USA. No Starch Press.
Whittaker, J and Thompson, H (2003) How to Break Software Security.
Dacey, RF (2003) Critical Infrastructure Protection: Commercial Satellite
Security Should Be More Fully Addressed. Collingdale, PA, USA. Diane
Pub Co.
Dunn, M and Wigert, I (2004) Critical Information Infrastructure Protection,
The International CIIP Handbook 2004. Zurich, Switzerland. Centre for
Security Studies.
Available at http://www.isn.ethz.ch/crn/publications/publications_crn.
cfm?pubid=224 (Accessed: 20 December 2004).
Ware, WH (1998) The Cyber-Posture of the National Information Infrastructure.
Santa Monica, CA, USA. Rand Corporation.
Cryptography
Cryptography is the process of encoding information in such a way that only
the person (or computer) with the appropriate key can decode it.
Delfs, H and Knebl, H (2001) Introduction to Cryptography: Principles and
Applications (Information Security and Cryptography). Berlin,
Germany. Springer.
212 Appendix
Ferguson, N and Schneier, B (2003) Practical Cryptography. New York,

USA. Wiley.
Hershey, J (2002) Cryptography demystified. Emeryville, CA, USA.
McGraw-Hill Education.
Mao, W (2003) Modern Cryptography: Theory and Practice. Indianapolis, Indiana,

USA. Prentice-Hall.
Mel, HX, et al. (2000) Cryptography Decrypted. Boston, MA, USA.
Addison Wesley.
Menezes, AJ, et al. (1996) Handbook of Applied Cryptography. Boca Raton,
FL, USA.CRC Press.
Rhee, MY (2003) Internet Security: Cryptographic Principles, Algorithms and
Protocols. London. Wiley.
Rhee, MY (1994) Cryptography and Secure Communications
(The McGraw-Hill Series on Computer Communications). Emeryville, CA,
USA. McGraw-Hill Education (ISE Editions).
Schneier, B (1995) Applied Cryptography: Protocols, Algorithms and Source
Code in C. New York, USA. Wiley.
Trappe, W and Washington, LC (2002) Introduction to Cryptography with
Coding Theory. Indianapolis, Indiana, USA. Prentice-Hall.
Van Der Lubbe, JCA and Gee, S (1998) Basic Methods of Cryptograph.
Cambridge, UK. Cambridge University Press.
Weiss, J (2004) Java Cryptography Extensions: Practical Guide for
Programmers. San Francisco, CA, USA. Morgan Kaufmann.
Young, A and Yung, M (2004) Malicious Cryptography: Exposing
Cryptovirology. New York, USA. Wiley.
Data/Databases and Related Issues
Gary, J (2000) Database: Principles, Programming, Performance.
San Francisco, CA, USA. Morgan Kaufmann.
Gill, T, et al. (1998) Introduction to Metadata. Los Angeles, CA, USA. Getty
Education Institute for the Arts.
King, D and Newson, D (1999) Data Network Engineering (BT
Telecommunications S.). Berlin, Germany. Kluwer (Springer-Verlag)
Academic Publishers.
Klosek, J (2000) Data Privacy in the Information Age. Westport, USA.
Quorum Press.
Knox, D (2004) Effective Oracle Databases 10g Security by Design
(Oracle Press S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Appendix 213
Sayood, K (2000) Introduction to Data Compression (The Morgan Kaufmann

Series in Multimedia Information and Systems).
San Francisco, CA, USA. Morgan Kaufmann.
Shani, S (2004) Data Structures, Algorithms, and Applications in C++.
Summit, NJ, USA. Silicon Press.
Wang, RY, et al. (2000) Data Quality (The Kluwer International Series on
Advances in Database Systems). Berlin, Germany. Kluwer (Springer-
Verlag) Academic Publishers.
White, G (2001) Data and Voice Security. Indianapolis,
Indiana, USA. Sams.
Data Mining (The Process of Searching Data for Specific Information)

Berry, MJA (2004) Data Mining Techniques, Second Edition: for Marketing,
Sales, and Customer Relationship Management. New York, USA. Wiley.
Mohammadian, M (2004) Intelligent Agents for Data Mining and
Information Retrieval. Hershey, PA, USA. Idea Group Inc.
Witten, IH and Eibe, F (1999) Tools for Data Mining, Practical Machine
Learning Tools and Techniques (The Morgan Kaufmann Series in Data
Management Systems). San Francisco, CA, USA. Morgan Kaufman.
Disaster Recovery and Contingency Planning (Relevant To Technology)

Arnell, A and Davis, D (1989) Handbook of Disaster Recovery Planning.
Emeryville, CA, USA. McGraw-Hill Education.
Bernan Associates (2003) Planning for Post-disaster Recovery and
Reconstruction. Lanham, MD, USA. Bernan Associates.
Broby, L (2002) Disaster Recovery and Corporate Survival Strategies:
Pre-Emptive Procedures and Countermeasures (Financial Times Executive
Briefings). London, UK. Financial Times/Prentice-Hall.
Brooks, C and IBM (2002) Disaster Recovery Strategies with Tivoli Storage
Management (IBM Redbooks). USA. Vervante.
Buchanan, RW (2002) Network Disaster Recovery: Planning for Business
Continuity and System Performance (Professional Telecommunications S.).
Chase, K (2002) PC Disaster and Recovery. CA, USA. Sybex
International.
Childs, DR and Dietrich, S (2002) Contingency Planning and Disaster
Recovery: A Small Business Guide. New York, USA. Wiley.
Christensen, B (1999) From Management to Leadership: A History of
Recovery from Disaster and Learning from the Experience. Boca Raton, FL,
USA. uPublish.com.
214 Appendix
Christopher, J (2004) Full recovery: Protect Your Small Business from

Disasters and Unforeseen Events. Berkeley, CA, USA. Peachpit Press.
Cougias, DJ, et al. (2003) Backup Book, The. USA. Schaser-Varten Books.
CTRC (1997) Contingency Planning and Disaster Recovery:
Protecting Your Organization’s Resource. UK. CTRC Computer
Technology Research Corporation.
Erbschloe, M and Vacca, JR (2003) Guide to Disaster Recovery. Boston,
MA, USA. Course Technology.
Evan, W and Manion, M (2002) Minding the Machines: Preventing
Technological Disasters. Indianapolis, Indiana, USA. Prentice-Hall.
Grigonis, R (2002) Disaster Survival Guide for Business Communications
Networks Emeryville, CA, USA. Osborne McGraw-Hill.
Gustin, J (2002) Disaster Recovery Planning: A Guide for Facility
Managers. Indianapolis, Indiana, USA. Prentice-Hall.
Hiatt, C (2000) A Primer for Disaster Recovery Planning in an IT
Environment. Hershey, PA, USA. Idea Group Inc.
IBM (1999) Sap R/3 on DB2 for Os/390: Disaster Recovery.
USA. Vervante.
IBM (2000) Disaster Recovery Using Hageo and Georm. USA. Vervante.
Lewis, S (2004) Disaster Recovery Yellow Pages. Newton, MA, USA.
Systems Audit Group Inc.
Lang, A and Larkin, R (2001) Disaster Preparedness and Recovery: A Guide
for Nonprofit Board Members and Executives. Washington, DC, USA. Board
Source.
Mahdy, GE (2001) Disaster Management in Telecommunications,
Broadcasting and Computer Systems. London, UK. Wiley.
Maiwald E, and Sieglein, W (2002) Security Planning and Disaster
Recovery. Emeryville, CA, USA. Osborne McGraw-Hill.
Miora, M (2000) NCSA Guide to Enterprise Disaster Recovery Planning.
Mellish, B and IBM (2002) IBM Total Solutions for Disaster Recovery (IBM
Redbooks). USA. Vervante.
Mellish, B and IBM (2002) IBM Total Storage. USA. Vervante.
Neaga, G (1997) Fire in the Computer Room, What Now ? Disaster
Recovery Handbook (IBM Books). Indianapolis, Indiana, USA. Pearson
Education.
Appendix 215
NIIT (2002) Disaster Recovery. Portland, OR, USA. Premier Press.

Pedersen, A (1998) NAFCU’s Contingency Planning, Disaster Recovery, and
Record Retention for Credit Unions. Arlington, VA, USA. AS Pratt.
Preston, WC (1999) UNIX Backup and Recovery. Farnham, UK. O’Reilly.
QED (1995) Disaster Recovery: Contingency Planning and Programme
Analysis. Boston, MA, USA. QED Technical Publishing Group.
Robinson, MK (2003) Disaster Recovery for Nonprofits. Lanham, MD,
USA. University Press of America.
TechRepublic (2003) Administrator’s Guide to Disaster Planning and
Recovery, Vol. 2. USA. TechRepublic.
Toigo, J (2002) Disaster Recovery Planning: Preparing for the Unthinkable.
Vacca, J (2004) The Business Case for Network Disaster Recovery Planning.
USA. CISCO Press.
Wallace, M and Webber, L (2004). The Disaster Recovery Handbook.
London, UK. Amacom.
Warrick, C and IBM (2004) IBM Totalstorage Solutions for Disaster
Recovery. Palos Verdes, CA, USA. Vervante.
Wold, RL (1989) Disaster Recovery for Banks. Emeryville, CA, USA.
William C Brown.
Zaenglein, N (1998) Disk Detective: Secrets You Must Know to Recover
Information from a Computer. Boulder, Co, USA. Paladin Press.
eBusiness
Ghosh, AK (2001) Security and Privacy for e-Business. New York, USA. Wiley.
Matsura, JH (2001) Security, Rights and Liabilities in E-Commerce
(Telecommunications Library) Norwood, MA, USA. Artech House Books.
Firewalls
Firewalls are electronic barriers designed to keep destructive forces from
compromising computers in particular.
Callisma (2002) Cisco Security Specialists Guide to Pix Firewall. Rockland,
Deal, R (2002) Cisco PIX Firewalls. Emeryville, CA, USA. Osborne
McGraw-Hill.
Komar, B, et al. (2003) Firewalls For Dummies. New York, USA. Wiley.
Kopparpu, C (2002) Load Balancing Servers, Fire Walls and Caches. New
York, USA. Wiley.
216 Appendix
Mason, A, et al. (2003) Check Point NG FireWall-1/VPN-1

Administration (Network Professional’s Library). Emeryville, CA, USA.
McCarty, B (2002) Red Hat Linux Firewalls. New York, USA. Wiley.
Northcutt, S (2002) Inside Network Perimeter Security: The Definitive Guide
to Firewalls, Virtual Private Networks, Routers and Network
Intrusion Detection. USA. New Riders.
Strassberg, K, et al. (2002) Firewalls: The Complete Reference (Complete
Reference S.). Emeryville, CA, USA. Osborne McGraw-Hill.
Welch–Abernathy, D (2004) Essential Check Point Firewall 1 NG: An
Installation, Configuration and Troubleshooting Guide. Boston, MA, USA.
Addison Wesley.
Ziegler, R and Constantine, C (2001) Linux Firewalls. USA. New Riders.
Zwicky, ED, et al. (2000) Building Internet Firewalls. Farnham, UK.
O’Reilly.
Hacking
The pejorative sense of hacker is becoming more prominent largely because
the popular press has coopted the term to refer to individuals who gain
unaccess to computer systems for the purpose of stealing and corrupting
data. Hackers, themselves, maintain that the proper term for such individuals
is cracker (Webopedia).
Beaver, K (2004) Hacking for Dummies. New York, USA. Wiley.
Dr-K. (2002) A Complete Hacker’s Handbook. UK, Carlton Books.
Dr-K. (2004) Hackers’ Tales: Stories from the Electronic Front Line.
London, UK. Carlton Books.
EC-Council (2004) Ethical Hacking. Chicago, IL, USA. Independent
Publishers Group. OSB Publisher Pte Ltd.
Erickson, J (2003) Hacking the Art of Exploitation. San Francisco, CA,
USA. No Starch Press.
Flickenger, R (2003) Linux Server Hacks. Farnham, UK. O’Reilly.
Graham, P (2004) Hackers and Painters: Essays on the Art of Programming.
Farnham, UK. O’Reilly.
Gunkel, DJ (2001) Hacking Cyberspace. Boulder, CO, USA. Westview Press.
Hatch, B, et al. (2002) Hacking Exposed Linux: Linux Security Secrets and
Solutions. Emeryville, CA, USA. Osborne McGraw-Hill.
Hemenway, K and Calishain, T (2003) Spidering Hacks. Farnham, UK. O’Reilly.
Appendix 217
Huang, A (2003) Hacking the Xbox: An Introduction to Reverse Engineering.

San Francisco, CA, USA. No Starch Press.
Jones, K, et al. (2003) Anti-Hacker Tool Kit (Anti-Hacker Tool Kit).
Kaspersky, K (2003) Hacker Disassembling Uncovered. UK. Computer
Bookshops.
Klevinsky, TJ, et al. (2004) Hack I.T.: Security Through Penetration
Testing. Boston, MA, USA. Addison Wesley.
Lockhart, A. (2004) Network Security Hacks. Farnham, UK. O’Reilly.
Mclure, S, et al. (2003) Hacking Exposed: Network Security Secrets and
Solutions, 4th edition. Emeryville, CA, USA. Osborne McGraw-Hill.
Mutton, P (2004) IRC Hacks. Farnham, UK. O’Reilly.
Parker, T, et al. (2004) Cyber Adversary Characterization: Auditing the
Hacker Mind. Rockland, MA, USA. Syngress Media.
Scambray, J and McClure, S (2003) Hacking Exposed Windows Server 2003
(Hacking Exposed). Emeryville, CA, USA. Osborne McGraw-Hill.
Scambray, J, et al. (2002) Hacking Exposed: Web Applications (Hacking
Exposed). Emeryville, CA, USA. Osborne McGraw Hill.
Schiffman, M. (2001) Hacker’s Challenge: Test Your Incident Response Skills
Using 20 Scenarios. Emeryville, CA, USA. Osborne McGraw-Hill.
Schiffman, M, et al. (2003) Hacker’s Challenge 2: Test Your Network
Security and Forensic Skills (Hacking Exposed S.). Emeryville, CA, USA.
Skoudis, E (2001) Counter Hack: A Step-by-Step Guide to Computer Attacks
and Effective Defense. Indianapolis, Indiana, USA. Prentice-Hall.
Syngress (2004). Hardware Hacking: Have Fun While Voiding Your
Warranty. Rockland, MA, USA. Syngress Media.
Tulloch, M (2004) Windows Server Hacks. Farnham, UK. O’Reilly.
Vladimirov, A (2004) WI-FOO: The Secrets of Wireless Hacking. Boston,
MA, USA. Addison Wesley.
Warren, HS (2002) Hacker’s Delight. Boston, MA, USA. Addison Wesley.
Hardening
Hardening is the process of making hardware and software more resilient
and resistant to damage, intrusion, and attack. Initially used in the sense of
preventing electromagnetic bursts from nuclear bombs destroying computer
systems. The term’s use has now widened to deal with more prosaic issues.
218 Appendix
Akin, T (2002) Hardening Cisco Routers. Farnham, UK. O’Reilly.

Bragg, R (2004) Hardening Windows System. Emeryville, CA, USA.
Gharajedaghi, J (1999) Systems Thinking: Managing Chaos and
Complexity. Woburn, MA, USA. Butterworth-Heinemann.
Hallows, JE (2004) Information Systems Project Management: How to
Deliver Function and Value in Information Technology Projects.
Hassell, J (2004) Hardening Windows. Berkeley, CA, USA. Apress.
Mobily, T (2004) Hardening Apache. Berkeley, CA, USA. Apress.
Noona, W (2004) Hardening Network Infrastructure. Emeryville, CA, USA.
Terpstra, JH, et al. (2004) Hardening Linux. Emeryville, CA, USA. Osborne
McGraw-Hill.
Turnbull, J (2004) Hardening Linux. Berkeley, CA, USA. Apress.
Incident Response.
Schultz, EE and Shumway, R (2001) Incident Response. USA. New Riders.
Mandia K, et al. (2003) Incident Response. Emeryville, CA, USA. Osborne-
McGraw Hill.
Information/Information Technology Security and Assurance
Barman, S (2001) Writing Information Security Policies. USA. New Riders.
Bhargava, VK, et al. (2003) Communications, Information and Network
Security. Berlin, Germany. Kluwer (Springer-Verlag) Academic Publishers.
British Chambers of Commerce (2003) The British Chambers of
Commerce Guide to IT Security. UK. Microsoft Corporation.
Calder, A and Watkins, S (2003) IT Governance: A Managers Guide to Data
Security and BS 7799/ISO 17799. London, UK. Kogan Page.
CSIA (2004) Protecting Our Information Systems. London, UK. Cabinet
Office, UK Government.
Desman, MB (2001) Building and Information Security Awareness
Program. Boca Raton. Auerbach Publishing.
Doswell, B (2000) A Guide to Information Security Management. UK.
Perpetuity Press.
Doswell, B (2000) A Guide to Business Continuity Management. UK.
Perpetuity Press.
Herrmann, DS (2001) A Practical Guide to Security Engineering and
Information Assurance. Boca Raton, FL, USA. Auerbach Publishers.
Appendix 219
Hughes, L (1995) Actually Useful Internet Security Techniques.

Indianapolis. Indiana, USA. New Riders.
Hunter, JMD (2001) An Information Security Handbook. Berlin,
Germany. Springer.
IEEE (2001) 2001 Information Survivability Exposition 11(DI: Discex’01:
Proceedings, 12–14 June 2001, Anaheim, California), V.1-2. Piscataway, NJ,
USA. IEEE Computer Society Press.
Institute of Directors (2004) IT Security. UK. Institute of Directors/McAfee.
Kovacich, GL (1998) The Information Systems Security Officer’s Guide:
Establishing and Managing an Information Protection Program, 2nd
Edition. Woburn, MA, USA. Butterworth-Heinemann.
Krause, M and Tipton, HF (2000) Information Security Management
Handbook. Boca Raton, Fl, USA. Auerbach Publishers.
Peltier, TR (2001) Information Security Policies, Procedures and Standards:
Guidelines for Effective Information Security Management. Boca Raton, FL,
USA. Auerbach Publishers.
Pipkin, D (2000) Information Security. Indianapolis, Indiana, USA.
Prentice-Hall.
Proctor, PE and Byrnes, FC (2002) The Secured Enterprise: Protecting Your
Information Assets. Upper Saddle River, NJ, USA. Prentice-Hall.
Tudor, JK (2004) Information Security Architecture. Boca Raton, FL, USA.
Auerbach Publishers.
Tudor, JK (2000) Information Security Architecture: An Integrated Approach
to Security in the Organization. Boca Raton, FL, USA.
Auerbach Publishers.
Java
A high-level programming language developed by Sun Microsystems. Java
was originally called OAK, and was designed for handheld devices and set-top
boxes. OAK was unsuccessful so in 1995 Sun changed the name to Java and
modified the language to take advantage of the burgeoning World Wide Web.
Java is an object-oriented language similar to C++, but simplified to eliminate
language features that cause common programming errors (Webopedia).
Oaks, S (2001) Java Security. Farnham, UK. O’Reilly.
Berg, C (2003) Designing Secure J2EE Applications and Web Services (Sun
Microsystems Press Java S.). Indianapolis, Indiana, USA. Prentice-Hall.
Taylor, A, et al. (2002) J2EE and Java: Developing Secure Web Applications with
Java Technology (Hacking Exposed). Emeryville, CA, USA. Osborne
McGraw-Hill.
220 Appendix
Kerberos
An authentication system developed at the Massachusetts Institute of
Technology (MIT). Kerberos is designed to enable two parties to exchange
private information across an otherwise open network. (Webopedia).
Garman, J (2003) Kerberos: The Definitive Guide. Farnham, UK. O’Reilly.
Linux
Pronounced lee-nucks or lih-nucks. A freely distributable open source
operating system that runs on a number of hardware platforms. The Linux
kernel was developed mainly by Linus Torvalds. Because it’s free, and because
it runs on many platforms, including PCs and Macintoshes, Linux has
become an extremely popular alternative to proprietary operating systems
(Webopedia).
Bauer, MD (2002) Building Secure Servers with Linux. Farnham, UK.
O’Reilly.
Collings, T and Wall, K (2004) Red Hat Linux Networking and System
Administration. New York, USA. Wiley.
Purdy, GN (2004) Linux IPTables Pocket Reference. Farnham, UK. O’Reilly.
Microsoft and Microsoft Windows General

Alexander, Z (2001) Microsoft ISA Server 2000. Indianapolis, Indiana,
USA. Sams.
Bott, E (2002) Windows XP/2000 Security Inside Out. USA. Microsoft Press
International.
Brown, K (2000) Programming Windows Security. New Jersey, USA.
Pearson.
Brown, T (2001) Windows 2000 Network Disaster Recovery. Indianapolis,
Indiana, USA. Sams.
Craft, M (2002) Configuring Citrix MetaFrame XP for Windows. Rockland,
Daily, SK (2001) Admin 911 Windows 2000 Disaster Recovery. Emeryville, CA,
USA. McGraw-Hill Osborne Media.
De Clerq, J (2003) Windows Server 2003 Security Infrastructures: Core
Security Features of Windows.Net. Woburn, MA, USA. Butterworth
Heinemann.
Komar, B (2004) Windows Server 2003 PKI and Certificate Security. USA.
Microsoft Press (2001) Internet Security and Acceleration Server 2000
(MCSE Training Kit). USA. Microsoft Press International.
Appendix 221
Swiderski, F (2004) Threat Modeling. USA. Microsoft Press

International.
Robinson, G (2003) Real World Microsoft Access Database Protection and
Security. Berkeley, CA, USA. Apress.
Walther, H and Santry, P (2004) CYA Securing Exchange Server 2003 and
Outlook Web Access. Rockland, MA, USA. Syngress Media.
Mobile Communications/Mobility
Al-Mualla, M, et al. (2002) Video Coding for Mobile Communications:
Efficiency, Complexity and Resilience (Signal Processing and Its
Applications). New Jersey, USA. Academic Press.
Davies, I (2002) Security Interests in Mobile Equipment. Aldershot, UK.
Dartmouth.
Grimes, RA (2001) Malicious Mobile Code: Virus Protection for Windows.
McGraw G, and Felten, EW (1998) Getting Down to Business with Mobile
Code: A Guide to Creating and Managing Secure Mobile Code. New York,
USA. Wiley.
Mitchell, C (2003) Security for Mobility (Telecommunications S.).
London, IEE.
Vigna, G (1998) Mobile Agents and Security (Lecture Notes in Computer
Science S.). Berlin, Germany. Springer.
.NET
.NET is a widely used networking software product.
Brown, K (2004) The .NET Developer’s Guide to Windows Security.
Freeman, A and Jones, A (2003) Programming .NET Security. Farnham,
UK. O’Reilly.
Gaster, B, et al. (2002) ASP.NET Security. Indianapolis, Indiana, USA.
Wrox Press Ltd.
Microsoft Press (2003) Building Secure ASP.NET Applications. USA.
Network Security
Allen, JH (2001) The CERT Guide to System and Network Security
Practices. Boston, MA, USA. Addison Wesley.
Brenton, C and Hunt, C (1999) Active Defense, A Comprehensive Guide To
Network Security. CA, USA. Sybex International.
222 Appendix
Buchanan, RW (2002) Network Disaster Recovery: Planning for Business

Continuity and System Performance (Professional Telecommunications S.)
Emeryville, CA, USA McGraw-Hill Education.
Canavan, JE (2001) Fundamentals of Network Security (Telecommunications
Library). Norwood, MA, USA. Artech House Books.
Chey, C (2002) Network Security for Dummies (For Dummies S.). New York,
USA. Wiley.
Cisco Systems Inc., Cisco Networking Academy Program. (2003) Cisco
Networking Academy Program Fundamentals of Network Security:
Companion Guide. USA, Cisco Press.
Harris, J (2002) Cisco Network Security Little Black Book. Phoenix, AZ,
USA. Paraglyph Press.
Hendry, M (1995) Practical Computer Network Security. Norwood, MA,
USA. Artech.
House
Kaeo, M (2004) Designing Network Security. New Zealand. Penguin Books (NZ).
Liotine, M (2003) Mission Critical Network Planning (Telecommunications
Library) Norwood, MA, USA. Artech House Books.
Maiwald, E (2001) Network Security: A Beginner’s Guide. Emeryville, CA,
USA. McGraw-Hill.
Maxwell, D and Amon, C (2002) Nokia Network Security Solutions
Handbook. Rockland, MA, USA. Syngress Media.
MCI (2002) Business Continuity Guide. UK. MCI Available at http://
www.mci.com/uk/bcinterest (Accessed: 3 December 2004).
Mikalsen, A and Borgesen, P (2002) Local Area Network Management,
Design and Security: A Practical Approach. London, UK. Wiley.
McNab, C (2004) Network Security Assessment. Farnham, UK. O’Reilly.
Panko, R (2003) Corporate Computer and Network Security. Indianapolis,
Powell, G and Bejtlich, R (2004) The Tao of Network Security Monitoring:
Beyond Intrusion Detection. Boston, MA, USA. Addison Wesley.
Rozenblit, M (2000) Security for Telecommunications Network Management.
Sonnenreich, W and Albanese, J (2003). Network Security Illustrated.
Stallings, W (2002) Network Security Essentials:(United States Edition).
Appendix 223
Thomas, T (2004) Network Security First-Step (First Step S.). Cisco Press.
Viega, J, et al. (2002) Network Security with OpenSSL. Farnham, UK.
O’Reilly.
Wilson, J, et al. (1998) Telecom and Network Security: Telecommunications
Reports Toll Fraud and Telabuse Update. New York, USA.
Telecommunications Reports.
Operational Risk
Frost, C, et al.(2001). Operational Risk and Resilience. USA.
Butterworth-Heinemann.
Public Key Infrastructure (PKI).
A system of digital certificates, Certificate Authorities, and other registration
authorities that verify and authenticate the validity of each party involved in
an Internet transaction (Webopedia).
Austin, T (2001) PKI. New York, USA. Wiley.
Adans, C and Lloyd, S (2002) Understanding PKI: Concepts, Standards, and
Deployment Consideration. Indianapolis, Indiana, USA. Sams.
Positive Messages
Purba, S (2003) High-Value IT Consulting: 12 Keys to a Thriving Practice.
Reeher, G, et al. (2002) Click on Democracy: The Internet’s Power to Change
Political Apathy into Civic Action. Boulder, CO, USA. Westview Press.
Reliability
Kececioglu, D (1995) Reliability Engineering Handbook. Indianapolis,
Radio Frequency Identification (RFID)
Finkenzeller, K (2003) RFID Handbook. New York, USA.Wiley.
Securing and Security
Ahuja, V (1996) Secure Commerce on the Internet. Orlando, FL, USA.
AP Professional.
Amon, C (2004) Check Point Next Generation with Application Intelligence
Security Administration. Rockland, MA, USA. Syngress Media.
Amoroso, E (1999) Intrusion Detection. New Jersey, USA. AT&T.
Anderson, R (2001) Security Engineering: A Guide to Building Dependable
Distributed Systems. New York, USA. Wiley. A key text.
Bace, R and Melnick, D (2003) PDA Security: Incorporating Handhelds into
Your Enterprise. Emeryville, CA, USA. McGraw-Hill Education.
Ballard, J (2002) Internet Security and Acceleration Server 2000 Technical
Reference. USA. Microsoft Press International.
224 Appendix
Barratt, DJ, et al. (2003) Linux Security Cookbook. Farnham, UK. O’Reilly.
Barrett, DJ, et al. (2001) SSH, the Secure Shell: The Definitive Guide.
Birkholz, EP, et al. (2004) Security Sage’s Guide to Hardening the Network
Infrastructure. Rockland, MA, USA. Syngress Media.
Carter, J (2004) The Expert Guide to PeopleSoft Security. Lincoln, NE,
USA. iUniverse Inc.
Carroll, B (2004) Cisco Access Control Security: AAA Administration
Services. Indiana, USA. Cisco Press.
Cheah, CH, et al. (2004) CYA Securing IIS 6.0. Rockland, MA, USA.
Syngress Media.
Cox, KJ and Gerg, C (2004) Managing Security with SNORT and IDS
Tools. Farnham, UK. O’Reilly.
Delp, EJ and Wong, PW (2003) Security and Watermarking of Multimedia
Contents: V (Proceedings of SPIE). Bellingham, WA, USA. Society of
Photo-Optical Instrumentation Engineers (SPIE).
Dournaee, B. (2004) XML Security. Emeryville, CA, USA. McGraw-Hill.
Drew, G, et al. (1998) Using SET for Secure Electronic Transactions.
Dwivedi, H (2003) Implementing SSH: Strategies for Optimizing the Secure
Shell. New York, USA. Wiley.
France, P (2003) Local Access Network Technologies (Telecommunications S.).
Stevenage, UK. IEE.
Graff, MG and Van Wyk, KR (2003) Secure Coding: Principles and

Practices. Farnham, UK. O’Reilly.
Gehrmann, C, et al. (2004) Bluetooth Security. Norwood, MA, USA. Artech
House Books.
Gritzalis, D, et al. (2003) Security and Privacy in the Age of Uncertainty
(IFIP International Federation for Information Processing S.). Berlin,
Germany. Kluwer (Springer-Verlag) Academic Publishers.
Gupta, A and Laliberte, S (2004) Defend I.T.: Security by Example. Boston,
MA, USA. Addison Wesley.
Hendry, M (2001) Smart Card Security and Applications (Telecommunications
Library). Norwood, MA, USA. Artech House Books.
Hope, P (2004) Freebsd and Openbsd Security Solutions. Indianapolis,
Indiana, USA. Sams.
Appendix 225
Howard, M (2002) Writing Secure Code. USA, Microsoft Press International.

Howlett, T (2004) Open Source Security Tools: Securing Your Unix or
Windows Systems. Boston, MA, USA. Addison Wesley.
IEEE Computer Society Staff. (2003) 16th Computer Security Foundations
Workshop (Csfw 16–2003). Piscataway, NJ, USA. IEEE Press.
Jancezewski, L (2000) Internet and Intranet Security, Management, Risks and
Solutions. Hershey, PA, USA. Idea Group Inc.
Kabatiansky, G (2004) Error Correcting Coding and Security for Data
Networks: Analysis of the Superchannel Concept. London, UK. Wiley.
Koziol, J (2004) The Shellcoder’s Handbook: Discovering and Exploiting
Security Holes. New York, USA. Wiley.
Kuhn, RD (2003) PBX Vulnerability: Finding Holes In Your PBX Before
Someone Else Does. Collingdale, PA, USA. Diane Pub Co.
Kuhn, DR (2003) Role-Based Access Control (Artech House Computer
Security Series) Norwood, MA, USA. Artech House Books.
Kuhn, RD, et al. (2003) Security for Telecommuting and Broadband
Communications: Recommendations of the National Institute of Standards and
Technology. Collingdale, PA, USA. Diane Pub Co.
Lail, BM (2002) Broadband Network and Device Security (RSA Press S.).
Lippert, E (2002) Visual Basic.NET Code Security Handbook. Indinapolis,
Indiana, USA. Wrox Press Ltd.
Nazario, J and Palmer, B (2004) Secure Architectures: With OpenBSD.
Niemi, V and Nyberg, K (2003) UMTS Security. London, UK. Wiley.
Oppliger, R (2000) Secure Messaging with PGP and S/MIME (Artech House
Computer Security Series). Norwood, MA, USA. Artech
House Books.
Pansini, AJ (2004) Transmission Line Reliability and Security. New York,
USA. Marcel Dekker.
Phaltankar, KM (2000) Implementing Secure Intranets and Extranets
(Telecommunications Library). Norwood, MA, USA. Artech House Books.
Polk, WT (2000) Anti Virus Tools and Techniques for Computer Systems
(Advanced Computing and Telecommunications Series). Norwich, New York,
USA. Noyes Publications.
Ranum, MJ (2003) Myth of Homeland Security. New York, USA. Wiley.
226 Appendix
Rescorla, E (2000) SSL and TLS: Building and Designing Secure Systems.
Rockley, A, et al. (2002) Managing Enterprise Content: A Unified Content
Strategy. USA. New Riders.
Rosenberg, J and Remy, D (2004) Securing Web Services with WS-Security:
Demystifying WS-Security, WS-Policy, SAML, XML Signature and XML
Encryption. Indianapolis, Indiana, USA. Que.
Shinder, TW and Shimonski, RJ (2003) Building DMZs for Enterprise
Networks. Rockland, MA, USA. Syngress Media.
Sutton, R (2001) Secure Communications: Applications and Management
(Wiley Series in Communications Networking). London, UK. Wiley.
Thomas, S (2000) SSL and TLS Essentials: Securing the Web. New York,
USA. Wiley.
Tolchin, M and SJ (1992) Selling Our Security. New York, USA. Knopf.
Trudel, R and Convery, S (2004) Designing Secure Enterprise NE. USA.
Cisco Press.
Viega, J and McGraw, G (2001) Building Secure Software: How to Avoid
Security Problems the Right Way. Boston, MA, USA. Addison Wesley.
Sniffing
A sniffer analyzes networks and protocols and ‘smells’ what’s coming in and
out of the network, good, and bad.
Orebaugh, AD, et al. (2004) Ethereal Packet Sniffing. Rockland, MA, USA.
Syngress Media.
Shimonski, R (2002) Sniffer Network Optimization and Troubleshooting
Handbook. Rockland, MA, USA. Syngress Media.
Spam
Electronic junk mail or junk newsgroup postings. Some people define spam
even more generally as any unsolicited e-mail (Webopedia).
Feinstein, K and McAneny, M (2004) How to Do Everything to Fight Spam,
Viruses, Pop-ups and Spyware (How to Do Everything S.). Emeryville, CA,
USA. Osborne McGraw-Hill.
Schwartz, A (2004) SpamAssassin. Farnham, UK. O’Reilly.
Scott, C, et al. (2004) Anti-Spam Tool Kit. Emeryville, CA, USA. Osborne
McGraw-Hill.
Steganography
The process of hiding messages or files in other messages or files. For
example hiding a document in a photograph.
Appendix 227
Petitcolas, F, et al. (1999) Information Hiding Techniques for Steganography

and Digital Watermarking (Computing S.). Norwood, MA, USA. Artech
House Books.
Virtual Private Networks (VPNs)

Davis, C (2001) IPSec: Securing VPNs (RSA Press S.). Emeryville, CA,
USA. Osborne McGraw-Hill.
Mairs, J (2001) VPNs: A Beginner’s Guide (Network Professional’s Library)
Tan, NK (2003) Building VPNs: With IPSec and MPLS (Pro Tel S.)
Warfare and Politics

Berkowitz, B (2003) The New Face of War: How War Will Be Fought in the
21st Century. New York, USA. Simon and Schuster International.
Cheswick, WR and Brabigan, S (2004) High-Tech Crimes Revealed:
Cyberwar Stories from the Digital Front. Boston, MA, USA. Addison
Wesley.
Fialka, JJ (1997) War By Other Means. New York, USA. Norton.
Golden, JR (1994) Economics and National Strategy in the Information Age:
Global Networks, Technology Policy and Cooperative Competition. Oxford,
UK. Praeger Publishers.
Gongora, T and Von Riekhoff, H (2000) Toward a Revolution in Military
Affairs? Defense and Security at the Dawn of the Twenty-First Century.
Oxford, UK. Greenwood Press.
Nichols, R, et al. (2002) Infowar: Protecting Telecom and Information
Systems (ProTel). Emeryville, CA, USA. McGraw-Hill.
Petrakis, GJ (1998) Are You Ready for Information Warfare?: Security for
Personal Computers, Networks and Telecommunications Systems. Toronto,
ONT, Canada. Productive Publications.
Poisel, RA (2002) Introduction to Communication Electronic Warfare
Systems (Artech House Information Warfare Library). Norwood, MA, USA.
Artech House Books.
Stacy, JR (2001) Inside 911. Philadelphia, PA, USA. Xlibris Corporation.
Wilkin, P (2001) The Political Economy of Global Communication: An
Introduction (Human Security in the Global Economy S.). Sydney, Australia.
Pluto Press Limited.
Yourdon, E (2002) Byte Wars: The Impact of September 11 on Information
Technology. Indianapolis, Indiana, USA. Prentice-Hall.
228 Appendix
Wireless
Barken, L (2003) How Secure is Your Wireless Network?: Safeguarding Your
WI-Fi LAN. Indianapolis, Indiana, USA. PrenticeHall.
Carter, B and Shumway, R (2002) Wireless Security End to End
(End to End). New York, USA. Wiley.
Edney, J and Arbaugh, B (2003) Real 802.11 Security: Wi-Fi Protected
Access and 802.11i. Boston, MA, USA. Addison Wesley.
Held, G (2003) Securing Wireless LANs: A Practical Guide for Network Managers,
LAN Administrators and the Home Office User. London, UK. Wiley.
Hurley, C, et al. (2004) Wardriving - Drive, Detect, Defend: A Guide to
Wireless Security. Rockland, MA, USA. Syngress Media.
Maxim, M and Pollino, D (2002) Wireless Security. Emeryville, CA, USA.
McGraw-Hill.
Miller, S (2003) WiFi Security. Emeryville, CA, USA. McGraw-Hill Education.
Nichols, RK, et al. (2004) Wireless Security: Models, Threats, and Solutions.
Emeryville, CA, USA. McGraw-Hill.
Nichols, R and Lekkas, P (2001) Wireless Security: Models, Threats and Solutions
(McGraw-Hill Telecom Professional S.). Emeryville, CA, USA. McGraw-Hill.
Perrig, A and Tygar, JD (2002) Secure Broadcast Communication: In Wired
and Wireless Networks ? Berlin, Germany. Kluwer
(Springer-Verlag) Academic Publishers.
Potter, B and Fleck, B (2003) 802.11 Security. Farnham, UK. O’Reilly.
Schaefer, G (2004) Security in Fixed and Wireless Networks: An
Introduction to Securing Data Communications. London, UK. Wiley.
Swaminatha, T and Elden, C (2002) Wireless Security and Privacy: Best
Practices and Design Techniques. Boston, MA, USA. Addison Wesley.
Temple, R and Regnault, J (2002) Internet and Wireless Security (BTexact
Communications Technology S.). Stevenage, UK. IEE.
WordPerfect
Acklen, L (2004) Absolute Beginner’s Guide to WordPerfect 12. Indianapolis,
Indiana, USA. Que.
Articles – Arranged Alphabetically By Subject

This is by no means a definitive list of articles. However, these articles give
an insight into different aspects of the subject, sometimes quite obtuse. They
can be used as a starting to point to explore for different authors and articles
on similar subjects.
Appendix 229
Asymmetric Warfare
Allen, RH (1997) Asymmetric Warfare: Is the Army ready? Available at
http://www.amsc.belvoir.army.mil/asymmetric_warfare.htm (Accessed: 14
November 2004).
Corbin, M (2001) Reshaping the Military for Asymmetric Warfare’ Center
for Defense Information 5 October. Available at http://www.cdi.org/terrorism/
asymmetric.cfm (Accessed: 14 November 2004).
Goulding, JG (2000) Back to the Future with Asymmetric Warfare,
Parameters, Winter. Available at http://carlisle-www.army.mil/usawc/
Parameters/00Winter/goulding.htm (Accessed: 3 January 2007).
Staten, CL (1999) Asymmetric Warfare, the Evolution and devolution of Terrorism:
The Coming Challenge for Emergency and National Security Forces. Journal of
Counterterrorism and Security International, Winter. Available at
http://www.emergency.com/asymetrc.htm (Accessed: 3 January 2007).
Hyslop, MP (2003) Asymmetric Warfare, Proceedings International
Conference on Politics and Information Systems: Technologies and Applications
(PISTA ’03), Orlando, Florida, USA. 31 July 2003 – 2 August 2003.
Banking
Banking Development Department Hong Kong Monetary Authority (2002)
Business Continuity Planning After 9/11, Hong Kong Monetary Authority
Quarterly Bulletin, 11.
BS7799
ISO/IEC 17799: Code of Practice for Information Security Management is a
generic set of best practices for the security of information systems. Considered
the foremost security specification document in the world, the code of practice
includes guidelines for all organizations, no matter what their size or purpose.
17799 was originally published in the United Kingdom as a Department of
Trade and Industry Code of Practice, and then later as BS 7799.
There are many available articles on BS 7799.
eEye Digital Security and ECSC Limited (2004) Attaining BS7799
Compliance with Retina Vulnerability Assessment Technology, ECSC
Limited Whitepaper. ECSC.
Robinson, PC, et al. (1998) Critical Infrastructure. Issues in Science and
Technology, Vol. 15, Fall.
Cryptography
The art of protecting information by transforming it (encrypting it)
into an unreadable format, called cipher text. Only those who possess
a secret key can decipher (or decrypt) the message into plain text
(Webopedia).
230 Appendix
Dam, KW (1997) The Role of Private Groups in Public Policy:

Cryptography and the National Research Council. University of Chicago
Law School Occasional Paper No.38.
Stansfield, EV and Walker, M (1995) Coding and Cryptography for Speech
and Vision, Proc. 5th Cryptography and Coding IMA Conference, pp.
213–236.
Computer Crime and Security
Cadoree, M (1994) Computer Crime and Security. Resource Materials,
Library of Congress, Library of Congress.
Cyberwar and Netwar
Arquilla, JJ and Ronfeldt, DF (1995) Cyberwar and Netwar: New Modes,
Old Concepts, of Conflict Rand Research Review, Fall.
Clash of Civilizations
Huntington, SP (1993) The Clash of Civilizations, Foreign Affairs. Summer,
v72, n3, p22(28).
Data Related
Ware, WH (1994) Policy Considerations for Data Networks. Computing
Systems, 7(1), Winter, pp. 1–44
Yeung, PC (1986) The environment and the implementation of data
security in the world of telecommunications. Technical Report, University of
Kansas, Computer Science.
Defense
UK Ministry of Defense (2004) The Future Strategic Context for Defense.
Available at http://www.mod.uk/issues/strategic_context/military.htm
Digital Development
Hammond, A (2001) Digitally Empowered Development, Foreign Affairs pp.
96–106.
Dot Com Dreams
Bloor, R (2000) The Destruction of Dot Com Dreams. Available at http://
www.it-analysis.com/article.php?articleid=1429 (Accessed: 3 January 2007).
Elections
Cramer, R, et al. (1997) A Secure and Optimally Efficient Multi-Authority
Election Scheme. European Transactions on Telecommunications, 8(5),
September.
Electronic Intrusion
Frizzell, J, Phillips, T, and Groover, T (1994) The Electronic Intrusion
Threat to National Security and Emergency Preparedness Telecommu-
nications: An Awareness Document. Proc. 17th NIST-NCSC National
Computer Security Conference, pp. 378–399.
Appendix 231
Electronic Mail
Jones, RL (1995) Client Confidentiality: A Lawyer’s Duties with Regard to
Internet E-Mail. Computer Law Section of the State Bar of Georgia, August
16, 1995.
United States. Congress. House. Committee on Commerce. Subcommittee
on Telecommunications, Trade, and Consumer Protection (1997)
The Security and Freedom through Encryption (SAFE) Act: Hearing before
the Subcommittee on Telecommunications, Trade, and Consumer Protection
of the Committee on Commerce, House of Representatives, One Hundred
Fifth Congress, first session, on H.R. 695, September 4, 1997. Technical
Report, United States Government Printing Office, Number
Serial no. 105–39 (United States. Congress. House. Committee on Commerce),
p. iii + 121, United States Government Printing Office, 1997.
Electronic Signature
European Telecommunications Standards Institute. Electronic Signature
Standardization for Business Transactions, August 1999. Available at
http://webapp.etsi.org/workprogram/Report_WorkItem.asp?WKI_ID=13387
Erlang
A unit of measurement of traffic density in a telecommunications system.
The erlang describes the total traffic volume of one hour, or 3600 seconds.
Castro, M (2000) Design Issues for a High Reliability Environment for
Erlang,
12 November. Available at
http://www.erlang-projects.org/Public/documentation/serc/?pp=1
Environment
Homer-Dixon, TF (1991) On the Threshold: Environmental Changes as
Causes of Acute Conflict, Trudeau Centre for Peace and Conflict Studies,
University of Toronto International Security, Vol. 16, No. 2 (Fall)
pp. 76–116.
Freedom of Information
Aftergood, S. Making Sense of Government Information restrictions: Panic
After September 11 Led to Bad Policy. Issues in Science and
Technology, Vol. 18, Summer.
Gompert, DC (1998) Right Makes Might: Freedom and Power in the
Information Age, McNair paper 59, Chap. 3, May. Available at http://
www.rand.org/publications/MR/MR1016/MR1016.chap3.pdf
Lewis, C (2002) Freedom of Information under Attack.
Nieman Reports, Vol. 56.
232 Appendix
Fuel Crisis
Townsend, M and Bright, M. Army Guard on Food if Fuel Crisis Flares,
The Observer, 6 June 2004.
Information Security and Warfare, etc.
Lohmeyer, DF, et al. (2002) Managing Information Security. The McKinsey
Quarterly, Summer.
Nearon, BH (2000) Information Technology Security Engagements: An
Evolving Specialty. The CPA Journal, Vol. 70.
Small, DW (1997) Information Security Awareness for Small to Medium
Sized Telecommunications Organizations. Technical Report, Saint Mary’s
University of Minnesota.
United States. Congress. House. Committee on Energy and Commerce.
Subcommittee on Telecommunications and Finance. Computer security:
virus highlights need for improved Internet management: report to
the chairman, Subcommittee on Telecommunications and Finance,
Committee on Energy and Commerce, House of Representatives.
Technical Report, U.S. General Accounting Office, p. 48, U.S. General
Accounting Office, 1989.
Fogleman, RR, et al. (2003) Cornerstones of Information Warfare.
Available at http://www.af.mil/lib/corner.html (Accessed: 3 January 2007).
MI5 (2004) Protecting Your Information.
Available at http://www.mi5.gov.uk/output/Page236.html
Whitaker, R (1998) Information Warfare. Available at http://www.informatik.
umu.se/~rwhit/IW.html (Accessed: 3 January 2007).
WIPRO. Information Security Challenges in the Energy industry. WIPRO
White Paper. USA/India. Available at http://www.wipro.com/insights/
infosecuritychallenges.htm (Accessed: 3 January 2007).
Zekos, G (1999), Internet or Electronic Technology: A Threat to State
Sovereignty, Commentary, The Journal of Information, Law and
Technology (JILT (3) ).
Available at http://elj.warwick.ac.uk/jilt/99-3/zekos.html (Accessed:
3 January 2007).
Java
A definition of Java is in the book section.
Garthwaite, A and Nettles, S (1998) Transactions for Java. Proceedings of
the 1998 International Conference on Computer Languages. IEEE
Computer Society Press. pp. 16–27.
Appendix 233
Microsoft and Cisco

Reardon, M (2004) Microsoft and Cisco Clash on Security. CNET.news.com,
17 September. Available at http://insight.zdnet.co.uk/internet/
security/0,39020457,39166968,00.htm (Accessed: 3 January 2007).
National Information Infrastructure
United States. House of Representatives (1996) The Cyber-Posture of the
National Information Infrastructure. Washington. Chairman: Wlillis H Ware.
Available at http://www.rand.org/publications/MR/MR976/mr976.html.
Network Security
Cirrincione, G, Cirrincione, M, and Piglione, F. (1996) A neural network
architecture for static security mapping in power systems. MELECON ’96.
8th Mediterranean Electrotechnical Conference. Industrial Applications in Power
Systems, Computer Science and Telecommunications. Proceedings,
Vol. 3, IEEE. pp. 1611–14.
Shenoy, DR and Medhi, D (1999) A network management framework for
multiple layer survivable networks: Protocol development and
implementation. Technical Report, Computer Science Telecommunications
Program. University of Missouri, Kansas City, 1999.
SafeNet (2004) Delivering Government Approved Security. Safenet White
Paper. USA. SafeNet. Available at http://www.safenet-inc.com
Optimistic Message Logging
Wang, YM and Huang, Y. (1995) Why Optimistic Message Logging Has
Not Been Used in Telecommunications Systems. Institute of Electrical
and Electronics Engineers, Inc., June.
Open Systems
Anderson, R (2002) Security In Open versus Closed Systems – The Dance
of Boltzmann, Coase and Moore. Available at http://www.ftp.cl.cam.ac.uk/
ftp/users/rja14/toulouse.pdf
An important paper, as is his recent work on economics as the basis of security.
Obstructive Marketing
Hyslop, MP (1999) Obstructive Marketing: Challenges to Globalizing
Companies, M.Sc. Thesis, Huddersfield University Business School/
Chartered Institute of Marketing.
Resilience, Robustness, Reliability
Grotberg, E (1998) The International Resilience Project, 55th Annual
Convention, International Council of Psychologists, Graz Austria, July 14–18,
1997 (published 1998).
234 Appendix
Kendra, JM, et al. (2003) Elements of Resilience After the World Trade
Centre Disaster: Reconstituting New York City’s Emergency Operations
Centre. Disasters, 27(1) pp 37–53.
Little, RG (2002) Toward More Robust Infrastructure: Observations on
Improving the Resilience and Reliability of Critical Systems. Proceedings
of the 36th Hawaii International Conference on Systems Access, Hawaii,
January 06–09, 2003.
Rochlin, GI, et al. (1987) The Self-Designing High reliability Organization:
Aircraft Carrier Flight Operations at Sea, Naval War College Review,
Autumn.
Saffre, F and Ghanea Hercock, R (2000) Increasing Robustness Of Future
Telecommunications Networks. Available at http://discuss.santafe.edu/
robustness/stories (Accessed: 3 January 2007), also a site with similar articles.
Radio Frequency Identification (RFID)
Claburn, T and Hulme, GV (2004) RFID Security Information Week, 15
November. Available at http://www.informationweek.com/story/showArticle.
jhtml?articleID=52601030&tid=13690 (Accessed: 3 January 2007).
Security, etc.
Arbaugh, WA, Davin, JR, Farber, DJ, Smith JM (1998) Security for Virtual
Private Intranets. Computer, 31(9), pp. 48–54.
Dasgupta, P, et al. (2000) The Security Architecture for MAgNET: A
Mobile Agent E-commerce System. Third International Conference on
Telecommunications and E-commerce.
Donnelly, C (2003) Security in the 21st Century – New Challenges and
Responses. 1st ETR2A Conference, Newcastle-upon-Tyne, UK, 23 June
2003. Available at http://www.etr2a.org (Accessed: 3 January 2007).
Hendry, M (2001) Smart Card Security and Applications.
The Artech House Telecommunications Library, p. xviii + 305, Artech House Inc.
Hill, P (2002) Bankrupt Worldcom Called a Security Risk. The Washington
Times, July 3.
Lacoste, G, Steiner, M (1999) SEMPER: A Security Framework for the
Global Electronic Marketplace. COMTEC – the magazine for telecom-
munications technology, 77(9), pp. 56–63, September 1999.
Murray, WH (1984) Security Considerations for Personal Computers. IBM
Systems Journal, 23(3), pp. 297–304.
Today (2004) Will the Number of Casinos Rise After the Changes to the
Gambling Bill, BBC Radio 4, 19 October 2004, 07.32 hours. Available at
http://www.bbc.co.uk (Accessed: 3 January 2007).
Appendix 235
Popp, R, Froehlich, M, Jefferies, N (1995) Security Services for

Telecommunications Users. Lecture Notes in Computer Science, Vol. 998, pp.
28ff.
Wong, A (2003) Before and Beyond Systems: An Empirical Modeling
Approach, Ph.D. Thesis. Department of Computer Science, University of
Warwick, UK, January. Available at http://www.dcs.warwick.ac.uk/~allan
Strategic Information Warfare
The Futurist (1997) Strategic Information Warfare. Vol. 31, September.
Telecommunications Networks
Ahn, I (1994) Database Issues in Telecommunications Network
Management
SIGMOD Record (ACM Special Interest Group on Management of
Data), 23(2), pp. 37–43, June 1994.
Chuah, MC, et al. Performance of two TCP implementations in
mobile computing environments. Conference Record/IEEE Global
Telecommunications Conference, Vol. 1, pp. 339–344, 1996.
Fowler, J, Seate, RC (1997) Threats and Vulnerabilities for C4I in Commercial
Telecommunications: A Paradigm for Mitigation. Proc. 20th NIST-NCSC
National Information Systems Security Conference, pp. 612–618.
Varadharajan, V (1994) Security Requirements for Customer Network
Management in Telecommunications. Proc. 17th NIST-NCSC National
Computer Security Conference, pp. 327–338.
Sinclair, MC (1992) Single-moment analysis of unreliable trunk networks
employing $K$-shortest-path routing. Proc. IEE Colloq. Resilience in
Optical Networks, p. 3/1–6, Oct 1992.
Trusted Computing
Anderson, R (2004) Trusted Computing. Available at http://www.cl.cam.
ac.uk/~rja14/tcpa-faq.html
URL (Uniform or Universal Resource Locator – Web Address) Security
Wernick, P (1995) British Telecom URL Security: Project Outline, BT,
November
Utilities
Hyslop (2004) How Can the Financial Sector Be Reassured That in the
Event of an Incident, Their Utilities Supplies Will Be Uninterrupted? Is
This a Viable and Feasible Request? Comments to the Resilience (2004)
Conference, Millennium Hotel, London. 22/23/24,
September 2004
236 Appendix
Video Coding
Faerber, N, et al. (1999) Analysis of Error Propagation in Hybrid Video
Coding with Application to Error Resilience, Proceedings of the 1999
International Conference on Image Processing (ICIP-99, pp. 550–554, IEEE,
Oct 24–28, 1999.
Wire Pirates
Wallich, P (1994) Wire Pirates, Scientific American, 270(3), pp. 90ff (Intl. ed.
pp72ff), March 1994.
Year 2000 Issues (Y2K)
The Eos Life – Work Resource Centre Y2K Update. Available at http://www.
eoslifework.co.uk/Y2Kupdate.htm (Accessed: 3 January 2007).
Regular Publications – Arranged

Alphabetically By Title
Business Facilities and associated titles
http://www.busfac.com (Accessed: 3 January 2007).
Online Advice for Economic Development
http://www.facilitycity.com (Accessed: 3 January 2007).
Call Center Magazine
http://www.callcentermagazine.com (Accessed: 3 January 2007).
CIO (Chief Information Officer) Magazine
http://www.cio.com (Accessed: 3 January 2007).
Communication News Magazine
http://www.comnews.com (Accessed: 3 January 2007).
Computer World
http://www.computerworld.com (Accessed: 3 January 2007).
Consulting Specifying Engineering Magazine
http://www.csemag.com (Accessed: 3 January 2007).
CPA (Certified Public Accountant) Journal, The
http://www.capamag.com (Accessed: 3 January 2007).
Crime Prevention
http://www.perpetuitypress.com/acatalog/Crime_Prevention_and_
Community_Safety.html (Accessed: 3 January 2007).
Continuity and Risk Magazine
http://www.cirmagazine.com (Accessed: 3 January 2007).
CSO (Chief Security Officer) Magazine
http://www.csoonline.com (Accessed: 3 January 2007).
Appendix 237
Economist, The
http://www.economist.com (Accessed: 3 January 2007).
EDPACS (Electronic Data Processing Audit, Control and Security
Newsletter)
http://www.info-edge.com/product_detail.asp?sku1=418& (Accessed:
3 January 2007).
Financial Times, The Online IT pages.
http://news.ft.com/reports/ftit (Accessed: 3 January 2007).
Financial Times, FT Corporate Security.
http://www.ft.com/corporatesecurity2004 and related items at
http://www.ft.com/specialreports (Accessed: 3 January 2007).
Futurist, The
http://www.wfs.org/futurist.htm (Accessed: 3 January 2007).
Government Technology
http://www.govtech.net (Accessed: 3 January 2007).
Harvard Business Online
http://harvardbusinessonline.com (Accessed: 3 January 2007).
HotWire
http://www.weibull.com/hotwire (Accessed: 3 January 2007).
Government Security News
http://www.gsnmagazine.com (Accessed: 3 January 2007).
Information and Communications Technology Law
http://journalsonline.tandf.co.uk (Accessed: 3 January 2007).
Information, Communication and Society
Information Security
http://infosecuritymag.techtarget.com (Accessed: 3 January 2007).
Information Technology
Information Storage and Security Journal
http://www.issjournal.com (Accessed: 3 January 2007).
Information Systems Management
http://www.auerbach-publications.com/home.asp (Accessed:
3 January 2007).
Information Systems Security
http://www.auerbach-publications.com/home.asp (Accessed:
3 January 2007).
238 Appendix
International Review of Law, Computers and Technology

http://journalsonline.tandf.co.uk (Accessed: Accessed: 20
December 2004).
Internet Works
http://www.iwks.com (Accessed: 3 January 2007).
Intersec
http://www.intersec.co.uk/ns/ddjune.html (Accessed: 3 January 2007).
Journal of Technology Law and Policy, University of Florida
http://journal.law.ufl.edu/~techlaw/ (Accessed: 3 January 2007).
Linux Magazine
http://www.linux-mag.com (Accessed: 3 January 2007).
McKinsey Quarterly
http://www.mckinseyquarterly.com (Accessed: 3 January 2007).
.NET
http://www.netmag.co.uk (Accessed: 3 January 2007).
New Scientist
http://www.newscientist.com (Accessed: 3 January 2007).
Operational Risk
http://www.operationalriskonline.com (Accessed: 3 January 2007).
PC (Personal Computer) magazine
http://www.pcmag.com (Accessed: 3 January 2007).
PC (Personal Computer) World
http://www.pcworld.com (Accessed: 3 January 2007).
Public CIO (Chief Information Officer)
http://www.public-cio.com (Accessed: 3 January 2007).
Review of Business
http://www.questia.com (Accessed: 3 January 2007).
Risk Management
http://www.perpetuitypress.com/acatalog/Risk_Management_An_
International_Journal.html (Accessed: 3 January 2007).
SC magazine
http://www.infosecnews.com/home/index.cfm (Accessed:
3 January 2007).
Security Magazine
http://www.securitymagazine.com (Accessed: 3 January 2007).
Security Journal
http://www.perpetuitypress.com/acatalog/Security_Journal_Volume_17_
number_3_Abstracts.html (Accessed: 3 January 2007).
Appendix 239
Security Studies
Sys Admin
http://www.samag.com (Accessed: 3 January 2007).
Telecommunications Magazine
http://www.telecommagazine.com (Accessed: 3 January 2007).
The Information Society
The Information Week
http://www.informationweek.securitypipeline.com (Accessed:
3 January 2007).
Wireless Business and Technology
http://www.sys-con.com (Accessed: 3 January 2007).
Links – Arranged Alphabetically

by Subject and Site Name
Academia
http://www.cerias.purdue.edu/ (Accessed: 3 January 2007).
CERIAS/Purdue University Information Security Site.
http://www.cerias.purdue.edu/about/history/coast/ (Accessed: 3 January
2007). Centre of Education and Research on Information Assurance and
Security at the University of Purdue.
http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/
Definitive guide to Firewalls.
http://ftp.cerias.purdue.edu/pub/papers/taimur-aslam/aslam-krsul-
spaf-taxonomy.pdf (Accessed: 3 January 2007).
A taxonomy of Security Faults.
http://www.cs.columbia.edu.ids (Accessed: 3 January 2007).
University of Columbia in New York.
http://www.ee.columbia.edu/~liebenau/E6901.html (Accessed:
3 January 2007).
Topics in EE: Resilient Communication Networks.
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/guidelines.txt (Accessed:
3 January 2007).
Clinical System Security.
http://www.cl.cam.ac.uk/users/rja14 (Accessed: 3 January 2007).
The Web site of Ross Anderson – A leading Computer Security Academic.
240 Appendix
http://www.cl.cam.ac.uk/users/rja14/ Med (Accessed: 3 January 2007).

Security of Medical Information Systems and other Notes from
Ross Anderson at University of Cambridge Computer Laboratory
(EU/UK).
http://www.coventry.ac.uk/cms/jsp/polopoly.jsp?d=957&a=7974 (Accessed: 3
January 2007).
Coventry University’s Disaster Management Site.
http://dit.unitn.it/research/seminario?id=02-016 (Accessed:
3 January 2007).
A 2002 Seminar on ‘Theoretical questions in practical network reliability
analysis’ given by Dr. Laszlo Jereb of Budapest University at the University
of Trento.
http://www.rmcs.cranfield.ac.uk/ddmsa/index_html/view (Accessed:
3 January 2007).
Cranfield University’s Relevant Site.
http://iip.ist.psu.edu/faculties/vs.htm (Accessed: 3 January 2007).
Website of Dr Bin Zhang – Chinese Visiting Scholar to Penn State
University Institute for Information Policy – a leading Chinese
Scholar. Also an access point for other Penn State Information Policy
information.
http://www.isg.rhul.ac.uk/ (Accessed: 3 January 2007).
Information Security group at Royal Holloway College,
University of London.
http://www.ja.net/CERT/JANET-CERT/incidents/coping-with-
intrusions.html
JANET’s (UK Joint Academic Network) Computer Emergency
Response Team.
http://www.ja.net/documents/gn-ddos.pdf (Accessed: 3 January 2007).
JANET’s (UK Joint Academic Network) guide to denial of service attacks.
http://online.northumbria.ac.uk/geography_research/ddc (Accessed:
3 January 2007).
Disaster and Development Centre at Northumbria University.
http://law.richmond.edu/jolt/index.asp (Accessed: 3 January 2007).
Richmond Online Law Review – Contains Some Articles on Security (USA).
http://www.som.cranfield.ac.uk/som/scr (Accessed: 3 January 2007).
Concerns have surfaced in recent years that an eagerness to reduce waste,
and thereby the risks associated with suboptimal supply chain performance, has
meant that other less obvious risks to supply chains have been
overlooked. This Web site deals with the issue.
Appendix 241
http://theory.lcs.mit.edu/~cis/ (Accessed: 3 January 2007).

Massachusetts Institute of Technology, Cryptography and
Information Security Group.
http://www.yale.edu/its/security/disaster.htm
Disaster Recovery Tips for New PC Owners.
Associations/Institutes/Societies/Organizations, etc.
http://www.antiphishing.org (Accessed: 3 January 2007).
Anti-Phishing Working Group.
http://www.bsi-global.com (Accessed: 3 January 2007).
British Standards Institute.
http://www.business-continuity-online.com/ (Accessed: 3 January 2007).
Online business continuity exhibition.
http://www.disasterrecoveryworld.com (Accessed: 3 January 2007).
The Business Continuity Planning and Disaster Recovery Planning
Directory.
http://www.ddsi.org (Accessed: 3 January 2007).
Dependability Development Support Initiative.
http://www.ewis.jrc.it (Accessed: 3 January 2007).
European Warning and Information System Forum.
http://www.fas.org/irp/nsa/rainbow.htm (Accessed: 3 January 2007).
Federation of American Scientists access point to the ‘Rainbow’ Series,
which is defined as the following: The Rainbow Series is six-foot tall stack of
books on evaluating ‘Trusted Computer Systems’ according to the National
Security Agency. The term ‘Rainbow Series’ comes from the fact that each
book is a different colour. The main book (upon which all other expand) is
the Orange Book.
http://www.gbde.org (Accessed: 3 January 2007).
Global Business Dialogue on Electronic Commerce.
http://www.hipaa.org (Accessed: 3 January 2007).
The Health Insurance Portability and Accountability Act of 1996.
www.iaac.org.uk/initiatives/BT_IAAC.pdf (Accessed: 3 January 2007).
Information Assurance Guidelines for Boards and Senior Managers.
http://www.idra.com (Accessed: 3 January 2007).
International Disaster Recovery Association (IDRA) is a group originally
comprised of those having a special interest in the voice, data, image, and
sensory telecommunications aspects of Disaster Recovery Planning (DRP),
Contingency Planning and Business Continuation.
242 Appendix
http://www.insme.info/documenti/
040707%20Draft%20Program%20GF%202004.pdf
Global IT Forum 2004 – The Broad Convergence.
http://www.isaca.org (Accessed: 3 January 2007).
The home site of the Information Systems Audit and Control
Association (ISACA).
http://www.isaca.org/Template.cfm?Section=CISM_Certification (Accessed:
3 January 2007).
Certified Information Security Manager, ISACA’s next generation
qualification for Information Security now gaining widespread
acceptance, information site.
http://www.isc2.org (Accessed: 3 January 2007).
Training and education. Promoting 2005 as the year of the Information
Security Professional.
http://www.iwf.org.uk (Accessed: 3 January 2007).
Internet Watch Foundation.
http://nerc.com/~oc/twg.html (Accessed: 3 January 2007).
North American Electric Reliability Council Telecommunications
Working Group.
http://www.rusi.org (Accessed: 3 January 2007).
The Royal United Services Institute’s purpose is to study, promote debate,
report and provide options on all issues relating to national and
international defense and security.
http://www.sans.org/rr/ (Accessed: 3 January 2007).
SANS (SysAdmin, Audit, Network, Security) Information Security
Reading Room.
http://www.seattlewireless.net/index.cgi/LinksysWrt54g (Accessed:
3 January 2007).
Wireless Community Support Site including Security.
http://www.securityforum.org/html/frameset.htm (Accessed: 3 January 2007).
Information Security Forum.
http://www.securitypark.co.uk (Accessed: 3 January 2007).
Security Park – Online news for security professionals.
http://www.survive.com (Accessed: 3 January 2007).
A Business Continuity Association.
http://www.thebci.org/ (Accessed: 3 January 2007).
The Business Continuity Institute.
http://www.theirm.org/ (Accessed: 3 January 2007).
The Institute of Risk Management.
Appendix 243
http://www.thebci.org/PAS56.html (Accessed: 3 January 2007).

The NEW Guide to Business Continuity Management from the British
Standards Institute.
http://www.the-eps.org/ (Accessed: 3 January 2007).
The Emergency Planning Society.
http://www.terena.nl/ (Accessed: 3 January 2007).
Trans European Research and Education Networking Association.
TERENA carries out technical activities and provides a platform for
discussion to encourage the development of a high-quality computer-
networking infrastructure for the European research community.
http://www.w3.org/(Accessed: 3 January 2007).
The World Wide Web Consortium.
Asymmetric and Information Warfare
http://www.amsc.belvoir.army.mil/asymmetric_warfare.htm (Accessed:
3 January 2007).
US Army Management Staff College – Asymmetric Warfare.
http://www.au.af.mil/au/aul/bibs/asw/asw.htm (Accessed: 3 January 2007).
Asymmetric Warfare.
http://www.comw.org/rma/fulltext/asymmetric.html (Accessed:
3 January 2007).
Revolution in Military Affairs – Asymmetric Warfare.
http://www.ctrasymwarfare.org (Accessed: 3 January 2007).
A Centre for Asymmetric Warfare.
http://carlisle-www.army.mil/ (Accessed: 3 January 2007).
Asymmetric Warfare.
http://emergency.com (Accessed: 3 January 2007).
Asymmetric warfare. Emergency Response and Research Institute. Crisis,
Conflict, and Emergency Service News, Analysis and Reference.
http://europa.eu.int/scadplus/leg/en/lvb/l33193.htm (Accessed:
3 January 2007).
Attacks Against Information Systems: To strengthen criminal judicial
cooperation on attacks against information systems by developing
effective tools and procedures.
http://www.fas.org/irp/wwwinfo.html (Accessed: 3 January 2007).
Information Warfare, Information Security Resource.
http://www.iwar.org.uk/comsec (Accessed: 3 January 2007).
Information Warfare Site.
http://nationalstrategy.com (Accessed: 3 January 2007).
Asymmetric Warfare.
244 Appendix
http://www.psycom.net/iwar.1.html (Accessed: 3 January 2007).

Institute for the Advanced Study of Information Warfare.
http://www.theestimate.com/public/110300.html
Asymmetric Warfare.
Australia
http://www.ag.gov.au (Accessed: 3 January 2007).
Australian Attorney General’s site.
http://www.isn.ethz.ch/dossiers/ciip/index.cfm (Accessed: 3 January 2007).
Defining Critical Information Infrastructure Protection.
http://www.auscert.org.au (Accessed: 3 January 2007).
Australian Computer Emergency Response Team.
http://www.asio.gov.au (Accessed: 3 January 2007).
Australian Security Intelligence Organization.
http://www.ahtcc.gov.au (Accessed: 3 January 2007).
Australian High Tech Crime Centre.
http://www.dsto.defense.gov.au (Accessed: 3 January 2007).
Australian Defense Science and Technology Organization.
http://noie.gov.au (Accessed: 3 January 2007).
Australian National Office for the Information Economy.
http://www.defense.gov.au/predict (Accessed: 3 January 2007).
Australian Infrastructure Core Requirements Tool.
http://www7.health.gov.au/hsdd/gp/phim.htm (Accessed: 3 January 2007).
Australian Personal Health Information Management in General Practice.
http://www.pm.gov.au (Accessed: 3 January 2007).
Australia’s Prime Minister Site.
http://www.stratwise.com (Accessed: 3 January 2007).
Australian Strategic Intelligence Site.
http://www.cript.gov.au (Accessed: 3 January 2007).
Trusted Information Sharing Network for Critical Infrastructure
Protection.
Austria
Austria is an important reference country for this subject because it leads
Europe, and the world, in terms of placing legislation online.
http://www.cio.gv.at (Accessed: 3 January 2007).
Austrian Chief Information Office.
Appendix 245
http://www.bmi.gv.at (Accessed: 3 January 2007).

Austrian Internal Ministry.
http://www.circa.at/index.html (Accessed: 3 January 2007).
Austrian Computer Incident Response Co-ordination.
http://www.bka.gv.at (Accessed: 3 January 2007).
Austrian Chancellery.
http://www.a-sit.at (Accessed: 3 January 2007).
Austrian Centre for Information Technology.
Canada
Canada has been at the forefront of the information technology revolution.
http://www.cancert.ca (Accessed: 3 January 2007).
Canada’s National Computer Emergency Response Team.
http://www.nrc.ca (Accessed: 3 January 2007).
Canadian National research Council.
http://www.crc.ca (Accessed: 3 January 2007).
Canada’s Communication Research Centre.
http://www.dnd.ca (Accessed: 3 January 2007).
Canada Defense Net.
http://www.faso-afrs.ca (Accessed: 3 January 2007).
Canadian federal Association of Security Officials.
http://www.gol-ged.gc.ca (Accessed: 3 January 2007).
Canadian Government Online.
http://www.iit.nrc.ca (Accessed: 3 January 2007).
Canadian Institute for Information Technology.
http://www.nce.gc.ca (Accessed: 3 January 2007).
Canadian Networks of centers of Excellence.
http://www.ocipep-bgiepc.gc.ca (Accessed: 3 January 2007).
Canada’s Office of Critical Infrastructure Protection and Emergency
Preparedness.
http://www.tbs-sct.gc.ca (Accessed: 3 January 2007).
Canada’s Treasury Board Secretariat.
European Union
The European Union places the subject of information security amongst its
highest priorities.
http://www.cert.dfn.de/eng/csir/europe/certs.html (Accessed: 3 January 2007).
List of some European Computer Emergency Response Teams (CERTs).
246 Appendix
http://www.etsi.com (Accessed: 3 January 2007).

European Telecommunications Standards Institute (EU).
http://www.etr2a.org (Accessed: 3 January 2007).
The Web site of the European Telecommunications Resilience and
Recovery Network (EU).
http://www.europa.eu.int/abc/index2_en.htm (Accessed: 3 January 2007).
The Europa Web site re European Commission.
http://europa.eu.int/egovernment-research (Accessed: 3 January 2007).
eGovernment Website.
http://www.europol.eu.int (Accessed: 3 January 2007).
The Europol Site – With Information on Crime (EU).
http://www.eurosmart.com (Accessed: 3 January 2007).
The Voice of the European Smart Card Industry (EU).
http://www.ejustice.eu.com/index.html (Accessed: 3 January 2007).
An EC Framework 6 project looking at different, justice related, approaches
to information and computer security.
3 January 2007).
Organised crime: Council of Europe Convention on Cyber Crime: To
combat misuse of new technologies (EU).
3 January 2007).
Establishment of a European Network and Information Security Agency
(ENISA). Communication networks and information systems have
become ubiquitous utilities and their security is of increasing concern to
society. In order to guarantee users the best possible
security, the European Union has decided to establish a European
Network and Information Security Agency (ENISA) to advise
Member States and coordinate measures they are taking to secure their
networks and information systems. Its objective will also be to enhance
cooperation between different actors operating in this field, and
particularly between the Commission and the Member States, in order
to prevent, address and respond to network and information security
problems (EU).
http://www.eurim.org/ (Accessed: 3 January 2007).
The European Information Society Group (EU).
Finland
Finland has completely reinvented itself as a consequence of pursuing the
information and telecommunications revolution.
Appendix 247
http://www.nesa.fi (Accessed: 3 January 2007).

Finland’s National Emergency Supply Agency.
http://www.ficora.fi (Accessed: 3 January 2007).
Finnish Communications Regulatory Authority.
http://www.ficora.fi/englanti/tietoturva/certfi.htm (Accessed: 3 January 2007).
Finland’s Computer Emergency Response Team.
http://www.tieke.fi (Accessed: 3 January 2007).
Finland’s Information Society development Centre.
http://www.tietoyhteiskuntaohjelma.fi (Accessed: 3 January 2007).
Finland’s information society site.
http://www.valtioneuvosto.fi/vn/liston/base.lsp?k=en (Accessed:
3 January 2007).
Finland’s Government Site.
http://www.e.finland.fi/ (Accessed: 3 January 2007).
eFinland.
http://www.defmin.fi (Accessed: 3 January 2007).
Finland’s Ministry of Defense.
France
France is developing very sophisticated information security tools.
http://www.clusif.asso.fr/en/clusif/present/ (Accessed: 3 January 2007).
French Association for Information Security Systems.
http://www.certa.ssi.gouv.fr/ (Accessed: 3 January 2007).
French Computer Emergency Response Team.
http://www.cert-ist.com (Accessed: 3 January 2007).
French Computer Emergency response team: Industry, Services and Trade.
http://www.internet.gouv.fr/ (Accessed: 3 January 2007).
France’s information society site.
http://www.renater.fr/ (Accessed: 3 January 2007).
French National Network of Telecommunications for Technology,
Education and Research.
http://www.ssi.gouv.fr/fr/index.html (Accessed: 3 January 2007).
French Site on Security of Information Systems.
http://csti.pm.gouv.fr (Accessed: 3 January 2007).
French Strategic Advisory Board on Information Technologies.
Germany
Germany is a leader in the academic field of information security.
248 Appendix
http://www.aksis.de (Accessed: 3 January 2007).

German Infrastructure Protection Group.
http://www.bka.de (Accessed: 3 January 2007).
German Federal Law Enforcement Agency.
http://www.bsi.de (Accessed: 3 January 2007).
German Information Security Site.
http://www.bitkom.org (Accessed: 3 January 2007).
BITKOM.
http://www.bsi.bund.de/certbund/index.htm (Accessed: 3 January 2007).
German Computer Emergency Response Team.
http://www.econbiz.de/fach/FS_VWL0190300.shtml?step=20&l0=0
Germany’s Risk Management Site.
http://www.bundestag.de (Accessed: 3 January 2007).
Deutscher Bundestag.
http://www.cert.dfn.de (Accessed: 3 January 2007).
DFN-CERT.
http://www.eurubits.de (Accessed: 3 January 2007).
European Institute for Information Security.
http://www.denis.bund.de (Accessed: 3 January 2007).
German Emergency Preparedness Information System.
http://www.bmi.bund.de (Accessed: 3 January 2007).
German Ministry of the Interior.
http://www.iid.de/iukdg/ (Accessed: 3 January 2007).
German Information and Communication Site.
http://www.initiatived21.de (Accessed: 3 January 2007).
Initiative D21.
http://www.iid.de (Accessed: 3 January 2007).
German Information Initiative.
http://www.juris.de (Accessed: 3 January 2007).
Juris Gmbh.
http://rayserv.upb.de/FIFF/Veroeffentlichungen/Extern/
Fortress_Europe_36.html
Fortress Europe No. 36: Germany curtails unobserved
telecommunications.
http://www.regtp.de/en/index.html (Accessed: 3 January 2007).
German Regulatory Agency for Telecommunications and Posts.
Appendix 249
http://www.secunet.de (Accessed: 3 January 2007).

Secunet Security Networks.
http://www.sicherheit-im-internet.de (Accessed: 3 January 2007).
Internet Security.
http://www.s-cert.de (Accessed: 3 January 2007).
Financial services CERT.
http://www.telekom.de (Accessed: 3 January 2007).
Deutsche Telekom AG.
http://www.thw.de/english/ (Accessed: 3 January 2007).
An informative site in English.
International Organizations
http://www.cosin.org/ (Accessed: 3 January 2007).
Coevolution and Self-Organization in Dynamical Networks.
http://www.ctose.org (Accessed: 3 January 2007).
Cyber Tools On-Line Search for Evidence.
http://www.e-europestandards.org (Accessed: 3 January 2007).
eEurope Standards.
http://cybercrime-forum.jrc.it/default/ (Accessed: 3 January 2007).
EU Forum on Cybercrime.
http://coras.sourceforge.net/ (Accessed: 3 January 2007).
EU-funded CORAS project.
http://www.iabg.de/acip.index.html (Accessed: 3 January 2007).
Analysis and Assessment for critical infrastructure Protection.
http://www.itu.int (Accessed: 3 January 2007).
International Telecommunications Union.
http://www.oecd.org/document/42/0,2340,en_2649_33703_15582250_1_1_1_
1,00.html (Accessed: 3 January 2007).
OECD Guidelines for the Security of Information Systems and Networks:
Towards a Culture of Security (adopted as a recommendation by the OECD
Council at its 1037th Session 25 July 2002).
http://info.worldbandk.org.ict/ICT_ssp.html (Accessed: 3 January 2007).
Information and Communication Technologies – A World Bank Group
Strategy.
http://www.worldbank.org/mdf/mdf1/modern.htm (Accessed: 3 January 2007).
Modernising telecommunications through public–private partnerships.
http://rru.worldbank.org/toolkits/telecomsregulation/details.aspx (Accessed:
3 January 2007).
Privatisation toolkit telecommunications regulation.
250 Appendix
Italy
Italy leads a number of the European Union’s network and security policies.
http://www.dico.unimi.it (Accessed: 3 January 2007).
Italian department of Informatics and Communications.
http://www.iritaly.org (Accessed: 3 January 2007).
Italian Incident Response.
http://www.clusit.it/indexe.htm (Accessed: 3 January 2007).
Italian Association for Security in Informatics.
http://www.innovazione.gov.it/ (Accessed: 3 January 2007).
Italy’s information society site.
http://www.innovazione.gov.it/eng/ (Accessed: 3 January 2007).
Italian Ministry for Innovation and Technologies.
http://www.communicazioni.it/en (Accessed: 3 January 2007).
Italian Ministry of Communication.
http://www.cnipa.gov.it (Accessed: 3 January 2007).
National centre for Informatics in the Public Administration.
http://www.poliziadistato.it/pds/english/ (Accessed: 3 January 2007).
Italian State Security System.
Lawyers
It’s a little invidious to single out particular law practices. Most large,
international firms, have strong telecommunication practices. Here are a few
others that have provided some very innovative approaches to difficult problems.
http://www.dickinson-dees.co.uk (Accessed: 3 January 2007).
Law Firm with top security specialist.
http://www.eversheds.com (Accessed: 3 January 2007).
Leading International Electronic Law Firm.
http://www.faegreandbenson.com (Accessed: 3 January 2007).
Leading USA Electronic Law Firm.
http://www.robertmuckle.co.uk (Accessed: 3 January 2007).
Leading Uk Electronic/Technology Law Firm.
http://www.wardhadaway.com (Accessed: 3 January 2007).
Leading UK Electronic Law Firm.
Police
http://www.europol.net (Accessed: 3 January 2007).
Access to all European National Police Sites – And Information
on Crime.
http://www.interpol.int (Accessed: 3 January 2007).
International Crime Intelligence Site.
Appendix 251
http://www.nhtcu.org/ (Accessed: 3 January 2007).

National Hi-Tech Crime Unit.
http://www.police.uk (Accessed: 3 January 2007).
UK Police Site.
http://www.pito.org.uk/ (Accessed: 3 January 2007).
UK Police Information Technology Organization.
The Netherlands
During its presidency of the European Union in 2004, the Netherlands
launched a number of significant information security initiatives.
http://www.fas.org/irp/world/netherlands/bvd.htm (Accessed:
3 January 2007).
Netherlands National Intelligence and Security Agency.
http://www.www.nlip.nl (Accessed: 3 January 2007).
Dutch Internet Providers Consortium.
http://www.minvenw.nl/dgtp/home/ (Accessed: 3 January 2007).
Dutch Directorate General of Post and Telecommunications.
http://www.Govcert.nl (Accessed: 3 January 2007).
Dutch Government Computer Emergency Response Team.
http://www.infodrome.nl (Accessed: 3 January 2007).
INFODROME.
http://www.kwint.org (Accessed: 3 January 2007).
KWINT.
http://www.minvenw.nl (Accessed: 3 January 2007).
Dutch Ministry of Water and Sewage.
http://www.minbzk.nl (Accessed: 3 January 2007).
Dutch Ministry of the Interior.
http://www.Nlip.nl (Accessed: 3 January 2007).
Dutch Internet providers.
http://cert-nl.surnet.nl/home-eng.html (Accessed: 3 January 2007).
SURFnet Computer Security Incident Response Team.
http://www.aivd.nl (Accessed: 3 January 2007).
Dutch General Intelligence and Security Service.
http://www.ecp.nl/ENGLISH/index.html (Accessed: 3 January 2007).
Dutch Electronic Business Site.
http://www.tno.nl (Accessed: 3 January 2007).
TNO.
http://www.waarschuwingsdienst.nl (Accessed: 3 January 2007).
Waarschuwingsdienst – A Computer Emergency Response Team.
252 Appendix
New Zealand
New Zealand, with Australia, has led much information security
development.
http://www.security.govt.nz (Accessed: 3 January 2007).
New Zealand Security Policy and Guidance.
http://www.standards.co.nz (Accessed: 3 January 2007).
Standards New Zealand.
http://www.ccip.govt.nz (Accessed: 3 January 2007).
New Zealand Centre for Critical Infrastructure Protection.
http://www.defense.govt.nz (Accessed: 3 January 2007).
New Zealand Ministry of Defense.
http://www.executive.govt.nz (Accessed: 3 January 2007).
New Zealand Cabinet.
http://www.gcsb.govt.nz (Accessed: 3 January 2007).
New Zealand Government Communications Security Bureau.
http://www.dpmc.govt.nz (Accessed: 3 January 2007).
Department of the Prime Minister and Cabinet.
http://www.ssc.govt (Accessed: 3 January 2007).
State Services Commission.
http://www.nzcs.org.nz (Accessed: 3 January 2007).
New Zealand Computer Society.
http://www.auscert.org.au (Accessed: 3 January 2007).
Australian Computer Emergency response Team (JV with New Zealand).
http://www.cologic.co.nz (Accessed: 3 January 2007).
New Zealand E-Secure-IT ALERT and Early Warning Service.
Norway
Norway leads on a number of critical infrastructure processes.
http://www.norsis.no/indexe.php (Accessed: 3 January 2007).
Norwegian Centre for Information Security.
http://www.dsb.no (Accessed: 3 January 2007).
Norwegian Directorate for Civil Protection and Emergency Planning.
http://odin.dep.no/nhd/engeslsk/ (Accessed: 3 January 2007).
Norwegian Ministry of Trade and Industry.
http://www.ntia.doc.gov (Accessed: 3 January 2007).
Norwegian telecommunications and Information Administration.
http://www.nsm.stat.no/index.html (Accessed: 3 January 2007).
Norwegian National Security.
Appendix 253
http://www.okokrim.no (Accessed: 3 January 2007).

The Norwegian National Authority for Investigation and Prosecution of
Economic and Environmental Crime.
http://cert.uninett.no (Accessed: 3 January 2007).
The Norwegian Network for Research and Education.
Russia
http://president.kremlin.ru/eng/articles/institut04.shtml (Accessed:
3 January 2007). Responsibility for Information Security in Russia.
Sweden
Sweden has one of the most active information security sectors.
http://forsvar.regeringen.se (Accessed: 3 January 2007).
Swedish Ministry of Defense.
http://kth.se/eng (Accessed: 3 January 2007).
Swedish Royal Institute of Technology.
http://www.ocb.se (Accessed: 3 January 2007).
Part of the warning system of the Swedish Emergency Management Agency.
http://www.gea.nu (Accessed: 3 January 2007).
Swedish Alliance for Electronic Commerce.
http://www.fmv.se (Accessed: 3 January 2007).
Swedish Defense Material Administration.
http://www.foi.se/english/ (Accessed: 3 January 2007).
Swedish Defense Research Agency.
http://www.krisberedskapsmyndigheten.se/english/index.jsp (Accessed:
3 January 2007).
Swedish Emergency Management Agency.
http://www.sitic.se (Accessed: 3 January 2007).
Swedish IT Incident Centre.
http://www.fhs.se (Accessed: 3 January 2007).
Swedish national Defense College.
http://www.fra.se/english.shtml (Accessed: 3 January 2007).
Swedish National Defense Radio Establishment.
http://www.psycdef.se/english/ (Accessed: 3 January 2007).
The National Board of Psychological Defense.
Switzerland
Switzerland the academic home of the Critical Information Infrastructure
Handbook.
http://www.bbt.admin.ch (Accessed: 3 January 2007).
Swiss Federal Office for Professional Education and Technology.
254 Appendix
http://www.empa.ch/plugin/template/empa/*/4523/—/1=2 (Accessed:
3 January 2007).
Reliability of Telecommunications Networks (Switzerland).
http://www.switch.ch/cert/ (Accessed: 3 January 2007).
Swiss Computer Emergency Response Team SWITCH.
http://www.fsk.ehtz.ch (Accessed: 3 January 2007).
Swiss centre for Security Studies.
http://www.snhta.ch/www-support/institutions/cti-fopet.htm (Accessed:
3 January 2007).
Swiss Commission for Technology and Innovation.
http://www.isn.ethz.ch/crn/ (Accessed: 3 January 2007).
Swiss Comprehensive Risk Analysis and Management Network.
http://www.vbs.admin.ch/internet/GST/AIOS/e/index.htm (Accessed:
3 January 2007).
Swiss Division for Information Security and Facility Protection.
http://www.bakom.ch/en/index.html (Accessed: 3 January 2007).
Swiss Federal Office for Communication.
http://www.bwl.admin.ch/ (Accessed: 3 January 2007).
Swiss Federal Office for National Economic Supply.
http://internet.bap.admin.ch (Accessed: 3 January 2007).
Swiss Federal Office for Police.
http://www.informatik.admin.ch/ (Accessed: 3 January 2007).
Swiss Federal Office of Information Technology, Systems and
Telecommunications.
http://www.isb.admin.ch/ (Accessed: 3 January 2007).
Swiss Federal Strategy Unit for Information Technology.
http://www.infosurance.org (Accessed: 3 January 2007).
Swiss Infosurance Foundation.
http://www.zurich.ibm.com (Accessed: 3 January 2007).
IBM Zurich Research Laboratory.
http://www.ifi.unizh.ch/ikm/research.html (Accessed: 3 January 2007).
Swiss Information and Communication Management Research Group.
http://www.isps.ch (Accessed: 3 January 2007).
Swiss Information Society Co-ordination group.
http://www.isn.ethz.ch (Accessed: 3 January 2007).
Swiss International Relations and Security Network.
http://www.naz.ch (Accessed: 3 January 2007).
Swiss National Emergency Operations Centre.
Appendix 255
http://www.lasecwww.epfl.ch (Accessed: 3 January 2007).

Swiss Security and Cryptography Laboratory.
http://www.softnet.ch (Accessed: 3 January 2007).
Softnet – Related Swiss Federal Project.
http://www.sfa.admin.ch (Accessed: 3 January 2007).
Strategic Leadership Training.
http://www.cybercrime.admin.ch (Accessed: 3 January 2007).
Swiss Co-ordination Unit for Cybercrime.
http://www.privacy-security.ch (Accessed: 3 January 2007).
Symposium on Privacy and Security.
United Kingdom
The United Kingdom has one of the most developed environments for
information and critical infrastructure protection.
http://www.cabinet-office.gov.uk/CSIA (Accessed: 3 January 2007).
The Web site of the Central Sponsor for Information Assurance.
http://www.cesg.gov.uk (Accessed: 3 January 2007).
UK National Technical Authority for Information Assurance.
http://www.dti.gov.uk/bestpractice/technology/index.htm (Accessed:
3 January 2007).
The Department of Trade and Industry (EU/UK) IT and Security best
practice site – includes information previously contained on the UK online
for business site.
http://www.dti.gov.uk/industries/information_security (Accessed: 3 January
2007). Information Security overview.
http://www.epcollege.gov.uk (Accessed: 3 January 2007).
Emergency Planning College (EU).
http://www.financialsectorcontinuity.gov.uk (Accessed: 3 January 2007).
This Web site has been established by the UK’s tripartite financial
authorities (HM Treasury, the Bank of England and the Financial Services
Authority) to provide a central point of information about work on
continuity planning that is relevant to the UK’s financial sector (EU/UK).
http://www.go-ne.gov.uk/resilience/resilience_business_continuity.htm
Each regional government office in the UK has a resilience page like this one.
http://homeoffice.gov.uk (Accessed: 3 January 2007).
Information on a range of relevant subjects in the publications section.
http://www.londonprepared.gov.uk/ (Accessed: 3 January 2007).
Information and advice on London’s resilience and preparations for, and
responses to, major incidents and emergencies.
256 Appendix
http://www.niscc.gov.uk/ (Accessed: 3 January 2007).

National Infrastructure Security Coordination Centre – includes a
business good practice guide for telecommunications resilience.
http://www.security-survey.gov.uk (Accessed: 3 January 2007).
DTI Information Security Breaches Survey.
http://www.uniras.gov.uk (Accessed: 3 January 2007).
Unified Incident Reporting and Alert Scheme.
http://www.ukonlineforbusiness.gov.uk has been superseded by
http://www.dti.gov.uk/bestpractice (Accessed: 3 January 2007).
http://www.ukresilience.info/ (Accessed: 3 January 2007).
UK Resilience, Civil Contingencies Secretariat. Information on the Civil
Contingencies Bill is at http://www.ukresilience.info/ccbill/index.htm
http://www.warp.gov.uk (Accessed: 3 January 2007)
UK Government Warning Advice and Reporting Point site for co-ordinating
reaction to information security breaches, etc.
United States
It’s a cliché but since 11 September 2001 the USA has paid much more
attention to some of the very original research in its Government
departments and Industrial Sectors regarding information and critical
infrastructure protection.
http://www.alw.nih.gov/Security/Docs/passwd.html (Accessed: 3 January 2007).
Selecting good passwords.
http://www.alw.nih.gov/Security/Docs/admin-guide-to-cracking.101.html
Improving the Security of Your Site by Breaking into It.
http://www.cdt.org (Accessed: 3 January 2007).
USA Centre for Democracy and Technology.
http://www.cert.org (Accessed: 3 January 2007).
USA Computer Emergency Response Team.
http://www.cia.gov/cia/publications/factbook (Accessed: 3 January 2007).
For number of Internet users by country.
http://www.ciao.org (Accessed: 3 January 2007).
USA Critical Infrastructure Assurance Office.
http://www.cybercrime.gov (Accessed: 3 January 2007).
Government Cybercrime Site.
http://shield.dmpsi.dc.gov (Accessed: 3 January 2007).
http://www.ftc.gov/privacy/glbact/ (Accessed: 3 January 2007).
Financial Modernisation Act of 1999.
Appendix 257
http://www.ftc.gov/privacy/index.html (Accessed: 3 January 2007).

USA Federal Trade Commission.
http://csrc.ncsl.nist.gov/secpubs/ (Accessed: 3 January 2007).
Listing of Publications on Computer Security from National Institute of
Standards and Technology Sources.
http://csrc.ncsl.nist.gov/secpubs/rainbow/ (Accessed: 3 January 2007).
National Institute of Standards and Technology (NIST) listing of the
‘Rainbow Series.’
The Rainbow Series is six-foot tall stack of books on evaluating
‘Trusted Computer Systems’ according to the National Security Agency.
The term ‘Rainbow Series’ comes from the fact that each book is a
different color. The main book (upon which all other expound) is the
Orange Book.
http://www.whitehouse.gov/deptofhomeland (Accessed: 3 January 2007).
USA Department of Homeland Security.
http://www.eia.doe.gov/emeu/security/ (Accessed: 3 January 2007).
Energy Information Agency – all types of security attacks on worldwide
energy resources.
http://www.energyisac.com (Accessed: 3 January 2007).
USA Energy Information Sharing and Analysis Centre.
http://www.ey.com/security (Accessed: 3 January 2007).
Ernst and Young Security Site.
http://www.fbi.gov (Accessed: 3 January 2007).
USA Federal Bureau of Investigation.
http://www.fedcirc.gov (Accessed: 3 January 2007).
USA Federal Computer Incident Response Centre.
http://www.fas.org (Accessed: 3 January 2007).
USA Federation of American Scientists.
http://www.fsisac.co (Accessed: 3 January 2007).
USA Financial Services Information Sharing and Analysis Centre.
http://www.ftc.gov/infosecurity/ (Accessed: 3 January 2007).
The Federal Trade Commission has created this Web site for consumers
and businesses as a source of information about computer security and
safeguarding personal information.
http://www.hhs.gov/ocr/hipaa/ (Accessed: 3 January 2007).
Medical Privacy – National Standards to Protect the Privacy of Personal
Health Information.
http://www.it-isac.org (Accessed: 3 January 2007).
USA Information Technology Sharing and Analysis Centre.
258 Appendix
http://www.ncs.gov/ncc/ (Accessed: 3 January 2007).

USA National Co-ordinating Centre for Telecommunications.
http://www.nipc.org (Accessed: 3 January 2007).
USA National Infrastructure Protection Centre.
http://www.nerc.com (Accessed: 3 January 2007).
North American Electric Reliability Council.
http://www.oag.state.ny.us/ (Accessed: 3 January 2007).
Eliot Spitzer – New York State Attorney General Site re Governance.
http://www.ostp.gov/ (Accessed: 3 January 2007).
USA Office of Science and Technology Policy.
http://www.cert.otg/octave/ (Accessed: 3 January 2007).
USA Operationally Critical Threat, Asset and Vulnerability Evaluation.
http://www.pcis.org (Accessed: 3 January 2007).
USA Partnership for Critical Infrastructure Protection.
http://www.staysafeonline.info (Accessed: 3 January 2007).
USA Stay Safe Online.
http://www.sec.gov/news/testimony/021203tsrc.htm (Accessed: 3 January 2007).
Protecting Capital Markets Against Terrorism.
http://www.surfacetransportationisac.org (Accessed: 3 January 2007).
USA Surface Transportation Information Sharing and Analysis Centre.
http://www.dhs.gov (Accessed: 3 January 2007).
USA Department of Homeland Security.
http://www.us-cert.gov/federal/ (Accessed: 3 January 2007).
United States Computer Emergency Readiness Team.
http://www.whitehouse.gov (Accessed: 3 January 2007).
USA White House.
Vendor Sites
There are of course many more vendors than are listed here. There has been
no selection process. These links are those known to be of interest to this
subject area.
http://www.almaden.ibm.com (Accessed: 3 January 2007).
IBM Research Establishment.
http://www.availability.sungard.com/ (Accessed: 3 January 2007).
Sungard Data Recovery/Disaster Recovery.
http://www.business-systems.bt.com/ (Accessed: 3 January 2007).
BT Solutions.
Appendix 259
http://www.bt.com/business/broadband (Accessed: 3 January 2007).

BT Data Recovery/Disaster Recovery.
http://www.bt.com/commsure (Accessed: 3 January 2007).
BT CommSure – Total Business Continuity.
http://www.buysunonline.com/ (Accessed: 3 January 2007).
Sun Microsystems Data Recovery.
http://www.crg.com (Accessed: 3 January 2007).
Control Risk Group – international business risk consultants.
http://www.datamobilitygroup.com (Accessed: 3 January 2007).
Data and Storage second opinions.
http://www.disklabs.com/ (Accessed: 3 January 2007).
DiskLabs Data recovery.
http://www.drsolomon.com/ (Accessed: 3 January 2007).
Dr Solomon, a McAfee Company Anti Virus Centre.
http://www.datafellows.com/ (Accessed: 3 January 2007).
F-PROT Virus Protector.
http://www.easynet.com/ (Accessed: 3 January 2007).
Easynet Data Recovery.
http://www.etsec.com (Accessed: 3 January 2007).
ETSEC Staying ahead of the Security Curve.
http://www.foundstone.com (Accessed: 3 January 2007).
Security Products.
http://www.hp.com (Accessed: 3 January 2007).
Hewlett Packard’s Site – HP Trust and Security.
http://www.intel.com (Accessed: 3 January 2007).
Intel includes security advice.
http://www.intersolve-tech.com (Accessed: 3 January 2007).
Advanced Security with FINREAD CSP.
http://www.jjtc.com (Accessed: 3 January 2007).
Johnson and Johnson (Consultants) Computer Security.
http://www.kavado.com (Accessed: 3 January 2007).
ScanDo from Kavado.
http://www.mcafee.com/uk/ (Accessed: 3 January 2007).
McAfee Computer Security Products.
http://www.mci.com/uk/bcinterest (Accessed: 3 January 2007).
Business Continuity the MCI way.
260 Appendix
http://research.microsoft.com/security/ (Accessed: 3 January 2007).

Microsoft Research.
http://www.microsoft.com/security/default.mspx (Accessed:
3 January 2007).
Microsoft Security Site.
http://www.microsoft.com/technet/security/sourcead.asp (Accessed:
3 January 2007).
Microsoft TechNet, Source Address Spoofing.
http://www.microsoft.com/technet/security/topics/hardsys/default.mspx
Hardening.
http://www.pinkertons.com (Accessed: 3 January 2007).
Pinkertons.
http://www.qinetiq.com/home/markets/security.html (Accessed:
3 January 2007).
Qinetiq’s Introduction to Security.
http://www.qinetiq.com/home/markets/security/securing_your
_business/information_and_network_security.html
Qinetiq Information Security.
http://www.rsasecurity.com/ (Accessed: 3 January 2007).
RSA Security USA Security Consultants.
http://www.sanctum.com (Accessed: 3 January 2007).
Appscan from Sanctum/Watchfire – Vendor.
http://www.safenet-inc.com/ (Accessed: 3 January 2007).
The ‘Foundation’ of Information Security.
http://www.sapphire.net/(Accessed: 3 January 2007).
Information technology security company.
http://securityresponse.symantec.com (Accessed: 3 January 2007).
Symantec Computer Security Site.
http://www.spiresecurity.com (Accessed: 3 January 2007).
Spire Security.
http://www.srm-solutions.com (Accessed: 3 January 2007).
Security Risk Management Limited.
http://www.spidynamics.com (Accessed: 3 January 2007).
WebInspect from SPI Dynamics.
http://www.stiller.com/ (Accessed: 3 January 2007).
Stiller Research, Computer Security.
Appendix 261
http://www.symantec.com/avcenter/ (Accessed: 3 January 2007).

Symantec Anti Virus Centre.
http://community.whitehatsec.com (Accessed: 3 January 2007).
Sentinel from White Hat Security.
http://www.xerxes.com/security.html (Accessed: 3 January 2007).
Xerxes Security Site.
http://www.zonelabs.com (Accessed: 3 January 2007).
ZoneAlarm, Computer Security Protection.
General Information – Alphabetically by Site

http://www.as400security.net/
AS/400 (an IBM mid-range product) Security Portal.
http://www.bofh.sh/CodeRed/index.html (Accessed: 3 January 2007).
Re: the CodeRed Worm.
http://www.cert.org (Accessed: 3 January 2007).
CERT (Computer Emergency Response Teams) Coordination Centre.
http://www.continuitycentral.com (Accessed: 3 January 2007).
Portal Publishing Limited’s excellent site on business continuity and
security matters of all kinds.
http://www.cigital.com/javasecurity/links.html (Accessed: 3 January 2007).
Java Security Hotlist.
http://cgi.nessus.org/plugins/dump.php3?family=Backdoors (Accessed:
3 January 2007).
A current list of ‘backdoors’ recognized by Nessus. The ‘Nessus’ Project
aims to provide to the Internet community a free, powerful, up-to-date and
easy to use remote security scanner.
http://www.continuitycentral.com/ (Accessed: 3 January 2007).
Online Site about all things Business Continuity.
http://www.computer-security.qck.com/(Accessed: 3 January 2007).
Computer Security reference site.
http://www.crisis.solutions.com (Accessed: 3 January 2007).
http://www.crm-strategy.net/ (Accessed: 3 January 2007).
Customer Relationship Management Resources.
http://www.denialinfo.com/ (Accessed: 3 January 2007).
Links and links and links on Denial of Service attacks.
http://encyclopedia.thefreedictionary.com/Telecommunications%20service
Free Dictionary with wide ranging definitions.
262 Appendix
http://www.enteract.com/~lspitz/linux.html (Accessed: 3 January 2007).

Armoring Linux.
http://www.eon-commerce.com/riskanalysis/index.htm (Accessed:
3 January 2007).
Alternative Risk Analysis Site.
http://www.epic.org/privacy/carnivore (Accessed: 3 January 2007)
EPIC 2002, The Carnivore FOIA Litigation.
http://www.e-securityworld.com/ (Accessed: 3 January 2007).
Unix, Linux, iSeries, NT and OS/390 Security Specialists.
http://www.freecpd.co.uk/learning_materials/information_technology/
identifying_and_assessing_risk_in_it_systems__1 (Accessed: 3 January 2007).
Identifying and Assessing Risk in IT Systems.
http://www.globalcontinuity.com (Accessed: 3 January 2007).
This site is a Web-portal focused exclusively on business continuity issues.
http://www.globalsecurity.org/org/staff/pike.htm (Accessed:3 January 2007).
John Pike, one of the world’s leading experts on defense, space and
intelligence policy.
http://www.gocsi.com (Accessed: 3 January 2007).
Computer Security Institute.
http://grc.com/dos/grcdos.htm (Accessed: 3 January 2007).
The story of a Denial of Service Attack.
http://www.ukhomecomputing.co.uk (Accessed: 3 January 2007).
Home Computing Initiatives.
http://icm-computer.co.uk/risks (Accessed: 3 January 2007).
http://www.idc.com (Accessed: 3 January 2007).
IT and telecommunications global market intelligence and advice.
http://www.identityrestore.com (Accessed: 3 January 2007).
Getting your stolen electronic identity back.
http://www.infosec.co.uk (Accessed: 3 January 2007).
Infosecurity Europe (annual security event).
http://www.it-analysis.com/column.php?section=24 (Accessed:
3 January 2007).
Robin Bloor’s Home Page – for a different view on Security.
http://www.internetsecuritynews.com/ (Accessed: 3 January 2007).
Computer security related news, analysis and assessments.
http://www.internetworldstats.com/stats.htm(Accessed: 3 January 2007).
Internet World Statistics.
Appendix 263
http://www.jjtc.com/Steganography/ (Accessed: 3 January 2007).

Johnson and Johnson’s (Consultants) introduction to Steganography.
http://web.mit.edu/kerberos/www/#what_is (Accessed: 3 January 2007).
Kerberos is a network authentication protocol, this site explains it.
http://library.ahima.org/xpedio/groups/public/documents/ahima/
pub_bok1_021875.html (Accessed: 3 January 2007).
Medical Practice Brief: Information Security-An Overview.
http://www.lockdown.co.uk/ (Accessed: 3 January 2007).
Lockdown – The Home Computer Security Centre.
http://www.nessus.org/index2.html (Accessed: 3 January 2007).
The ‘Nessus’ Project aims to provide to the Internet community a free,
powerful, up-to-date and easy to use remote security scanner.
http://www.netsurf.com/nsf/ (Accessed: 3 January 2007).
Netsurfer Focus. A chronicle on Internet Players.
http://networkintrusion.co.uk (Accessed: 3 January 2007).
Talisker Security Wizardry Portal – Excellent Summary of the global state
of network intrusion attacks.
http://www.newsfactor.com (Accessed: 3 January 2007).
Technical News Site.
http://www.nscwip.info/ (Accessed: 3 January 2007).
National Steering Committee for Warning and Informing the Public (EU).
http://www.nym-infragard.us/ (Accessed: 3 January 2007).
InfraGard is an FBI program dedicated to promoting ongoing dialogue and
timely communication between the private sector and the FBI
concerning critical infrastructure protection issues.
http://www.openenterprise.ca (Accessed: 3 January 2007).
Open Enterprise Solutions including security.
http://owasp.org (Accessed: 3 January 2007).
Open Web Application Security Project.
http://research.lumeta.com/ches/map/index.html (Accessed: 3 January 2007).
Internet mapping project.
http://retailindustry.about.com/cs/security/ (Accessed: 3 January 2007).
The rather limited approach of the retail industry.
http://www.riskserver.co.uk/bs7799/ (Accessed: 3 January 2007).
The BS7799 Launch Pad.
http://www.securityfocus.com (Accessed: 3 January 2007).
Security site dealing comprehensively with Computer
Security threats.
264 Appendix
http://www.securitypolicy.co.uk/bs-7799/index.htm (Accessed: 3 January 2007).

Another Alternative for compliance with BS 7799.
http://www.schneier.com (Accessed: 3 January 2007).
Leading Cryptography Author, Bruce Schneier (USA).
http://www.sgrm.com/Resources.htm (Accessed: 3 January 2007).
A collection of computer crime and security references that is particularly
strong regarding white-collar computer-related crime (Canada).
http://www.snort.org (Accessed: 3 January 2007).
Snort – the Lightweight Network Intrusion Detection System.
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content7 (Accessed:
3 January 2007).
Sunsolve: The Solaris Fingerprint Database.
http://techrepublic.com.com/ (Accessed: 3 January 2007).
Part of CDnet and a good site for current threats.
http://www.theregister.co.uk/2004/04/30/spam_biz/ (Accessed: 3 January 2007).
The Register is an alternative security site carrying much useful information.
http://www.searchsecurity.techtarget.com (Accessed: 3 January 2007).
Information technology and related definitions/explanations.
http://www.securityauditor.net/ (Accessed: 3 January 2007).
Resources for Security Policies, Security Audit & Security Risk Analysis.
http://www.security.kirion.net/securitypolicy/ (Accessed: 3 January 2007).
Compliance with Internal Security Policies.
http://www.sysd.com (Accessed: 3 January 2007).
System Threat Detection.
http://tms.symantec.com/documents/040617-Analysis-
FinancialInstitutionCompromise.pdf (Accessed: 3 January 2007).
Analysis of a Compromised Laptop.
http://ue.eu.int/uedocs/cmsUpload/79635.pdf (Accessed: 3 January 2007).
The View of the EU on Combating Terrorism.
http://www.vmyths.com/ (Accessed: 3 January 2007).
Computer Virus Myths (USA).
http://www.vnunet.com/security (Accessed: 3 January 2007).
VNUnet – Computer/Security Publisher’s security support site.
http://www.webopedia.com (Accessed: 3 January 2007).
Information technology and related definitions.
http://www.weibull.com/hotwire/issue3/hottopics3.htm (Accessed:
3 January 2007).
Determining Reliability for Complex Systems.
Appendix 265
http://www.whitehats.com (Accessed: 3 January 2007).

Whitehats.com is an online community resource to provide support for
those who are interested in network security, including network and security
administrators.
Whitehats Network Security Resource: online community resource to
provide support for those who are interested in network security.
http://www.wired.com (Accessed: 3 January 2007).
A Lycos technology news site.
http://world.std.com/~franl/crypto/cryptography.html (Accessed:
3 January 2007).
Introduction to Cryptography.
http://www.ynet.co.il (Accessed: 3 January 2007).
Israeli news-site (A knowledge of Hebrew helps).
http://www.y2k.com (Accessed: 3 January 2007).
Some issues, including alternative, on the Y2K problem.
http://www.year2000.com (Accessed: 3 January 2007).
Information about the Y2K issues, includes some links to White Papers on
security and recovery.
http://www.zdnet.com (Accessed: 3 January 2007).
A premier technology and security News Site.
Index
11 September 2001, 20, 99, 100, 159, 160, Assets, 3, 6, 20–24, 26, 27, 31, 36, 64, 67,
161, 169, 174, 256 69, 88, 108, 109, 127, 128, 174, 202
7/07, 199 Asymmetric warfare, 2–6, 51, 79, 100,
9/11, 19, 154, 160, 199, 229 102, 155, 158, 164–167, 170, 174,
175, 177, 179, 191, 196–199, 202,
A 229, 243, 244
Administration, 31, 35, 78 Atlantic ocean, 46
Advice Brokering Service, 74 Attack, 3, 31, 37–39, 41, 50, 54, 60, 69,
Afghanistan, 4, 54, 77, 80, 164, 180 70, 72, 73, 75, 79, 80, 87, 92, 98,
Africa, 48, 95, 157 100, 170–172, 174, 188, 191, 217
Agents, 37, 38, 154, 155 Attitude, 5, 50, 81, 180
AIDS, 49, 59 Australia, 1, 8, 19, 33, 34, 40, 48, 179,
Air Force(s), 3, 17, 179, 182, 198 190, 203, 227, 244, 252
Aircraft carriers, 2, 162, 197 Authentication, 39, 42, 118, 137, 138,
Airport, 5 220, 263
Al Qaeda, 165 Automation, 40, 156
Alarms, 3 Automotive, 53
Algeria, 53 Avalon project, 55
Ambulance, 16 Avian flu, 49
Amsterdam, 151
Anderson, R., 64, 160, 161, 164, 169, B
223, 233, 235, 239, 240 B2B, 158
Antarctic, 54 Balance, 4, 44, 57, 83, 105, 156, 164,
Anti-spam service, 72 195, 202
Anti-terror legislation, 5 Bank(s), 16, 20, 41, 49, 63, 86, 88–90, 95,
APEC, 42 102, 189, 195
Arab- Israeli, 56 Bank of England, 16, 88, 255
Armed conflict, 2 Banking, 19, 27, 28, 35, 41, 62, 79, 94,
Armed forces, 6, 43 95, 97
Armed might, 1 Barcelona, 54
Armies, 3, 42, 182 Barley, 48
Arms, 14, 192 Basel II, 126–144
Army, ix, 10, 11, 17, 170, 179, 182, 198, Basle, 88–90, 174
229, 232, 243 Battle, 2, 3
Asia-Pacific Economic Co-Operation, 42 Battleground, 3
267
268 Index
Behavior, 9, 12, 32, 81, 92, 188 China, 46–48, 52–54, 58, 59, 63, 81, 82,
Belgium, 1, 152, 154 88, 102, 146–148, 150, 167, 168, 185
Berlin wall, 1, 54, 168 Chips, 40, 64
Bloomberg, 158 Christian, 15, 84, 145, 146
Bloor, 158, 230, 262 CIA, 44
Border controls, 5 CIP, 5, 11, 12, 33, 34
Botnets, 42 Cisco, 39, 64, 161, 169, 207–209, 215,
BP, 16 218, 222–224, 226, 233
Bridges, 19 Citizens, 14, 18, 32, 52, 56, 64, 75, 170,
Britain, 3, 15, 54, 145, 170, 172 173, 181, 189
British, 3, 49, 97, 145, 147, 159, 163, Civil Contingencies Act, 52, 77, 86, 87,
171, 180, 203, 218, 235, 241, 243 170, 181
British Standard, 77, 97, 99 Civil service, 17
Broadband, 42, 156, 157, 259 Clausewitz, Karl von, 18, 79, 80
Brussels, 189 Climate change, 7, 46
BS 25999, 94, 97, 163 Coal, 45, 170
BT, 16, 63, 202, 212, 235, 241, 258, 259 COBIT, 103, 104, 126
Buddhist, 54 Cold war, 1, 81, 87, 146, 197
Bulgaria, 52 Colorado, 151
Bureaucrats, 6 Communications, 4, 12, 16, 23, 25,
Burtles, J., 86 27, 30–34, 63, 73, 97, 103, 104,
Bush, G.W., 77 113–116, 132–135, 152, 165, 171,
Business, 4, 9, 15, 18, 20–22, 33–35, 39, 173, 179, 186, 201, 212, 214, 218,
47, 53, 55, 60, 62, 63, 65, 74, 81, 82, 221, 225, 226, 228, 237, 247, 250,
84, 88–92, 94, 95, 97–103, 105, 106, 252, 263
116, 117, 120, 123, 140, 142, 147, Community , 6, 23, 25, 28, 31, 56, 74, 75,
149, 150, 152, 153, 156, 163, 164, 172, 175, 211, 236, 242
166, 172, 174, 177, 186, 195, 196, Companies, 2, 16, 41, 52, 53, 58, 63,
205, 241, 255, 256, 258–262 65, 66, 70, 81–83, 89–91, 94, 95,
Business continuity, 9, 94, 97–100, 97, 100, 102, 106, 146, 147, 151,
105, 123, 130, 132, 134, 142, 160, 153–157, 163, 169, 171–174, 180,
163, 196, 203, 213, 218, 222, 229, 197, 206
241–243, 259, 261 Complexity, 40, 177, 197
Business effectiveness, 3 Compliance, 87, 89, 90, 97, 100, 102,
Business week, 158 105, 123–125, 127, 128, 143, 144,
Buyer, 83 156, 196, 199, 229, 264
Computer, 12, 18, 26, 32, 35, 39–41,
C 71, 72, 79, 83, 92, 95, 96, 110, 115,
Cadmium, 59 117–122, 136–138, 151, 158, 189,
Call centers, 150, 154 201, 203, 206, 211, 216, 217, 243,
Campaign, 3, 4, 72, 164 246, 257, 261, 262, 264
Canterbury cathedral, 54 Computer Emergency Response
Capitalism, 4, 13, 15, 16, 77, 81, 99, 102, Team (s), 71, 72, 203, 240, 244, 245,
145, 146, 165, 166, 168, 169, 174 247, 248, 251, 254, 256, 261
Catastrophe, 9, 18 Conduit, 4, 165, 188
CERTS, 71, 73, 175, 195 Conflict, 2, 56, 79, 91, 179, 191
Checkpoint, 63 Connectivity, 11, 12, 62, 63, 76
Chicago, 99, 216, 230 Constitution, 14, 15, 20
Index 269
Consultants, 40, 64, 259 Defense, 1–4, 6, 7, 10, 14, 15, 20, 21,
Contingency planning, 46 31–34, 42–44, 51, 52, 83, 161, 163,
Contractors, 37, 40, 95 169, 177, 178, 180–182, 187, 190,
Control risks, 94 191, 197–200, 204, 242, 244, 252, 262
Cooperation, 21, 24, 27, 29, 33, 34, Defense of the Realm, 2
67, 148, 175, 178, 243, 246 Dell, 64
Copenhagen, 84 Deloitte, 64
Cork, 154 Democracy, 1, 13, 77–79, 83, 173, 180,
Corn, 48 190, 195, 197
Corporate governance, 88–90 Denial of service, 38, 41, 42, 240
CorpTracker, 53 Department, 21, 22, 28, 31–34, 42, 43,
Cost, 27, 39, 52, 53, 74, 83, 89, 91, 146, 49, 51, 59, 84, 250
151, 153–157, 193 Department of Homeland Security, 31,
Crete, 185 66, 257, 258
Crime prevention, 33 Detroit, 83
Criminal law, 40 Deutsche Bank, 48
Critical Information Infrastructure, 1, 7, Digital technology, 1, 39
8, 10–13, 15, 18, 20, 31, 32, 42, 43, Digital world, 1
61–64, 66, 69–71, 76, 77, 93, 106, Disaster, 34, 91, 92, 94, 97, 99, 100, 151,
145, 177, 179–182, 184, 185, 187, 152, 156, 161, 163, 180, 202, 213, 241
189–198, 200–203, 211, 244, 253 Disaster recovery, 9, 94, 152, 196, 203,
Critical Information Infrastructure 205, 206, 213–215, 220, 222, 241,
Protection, 198 258, 259
Critical Infrastructure(s), 1–10, 12, 13, Diseases, 2, 49, 50, 59
16–23, 25, 30–34, 36, 37, 41–45, Disposable income, 151
50–52, 59–62, 64, 70, 76, 77, 79, 80, Distribution, 4, 35, 47, 56, 57, 67, 72,
83–88, 93, 94, 159, 176, 178–180, 81, 165, 166
182, 184–198, 200, 201, 211, 229, Disturbance, 8, 9
244, 245, 252, 256, 258 DNA, 99, 105, 199
Critical mass, 146 Doswell, B., 97
Critical National Infrastructure, 13, 31, Dublin, 151
69, 73, 86 Dunn, M., 10–12, 20, 43, 76, 182, 189
Customer(s), 4, 35, 41, 62, 64, 66, 91,
154–156, 165, 166, 169, 175 E
Cybercrime, 40, 249, 255, 256 Ecology, 9
Cyber-threats, 11, 12 ecommerce, 147, 205
Czech Republic, 1, 52, 152 Economic, 2, 4–6, 10, 11, 15, 16, 20, 26,
31, 34, 42, 52, 55, 57, 58, 60, 77,
D 80, 81, 84, 88, 91, 93, 145, 146, 149,
Dams, 20 151, 153, 159, 161, 164, 167–170,
Dartmouth, 69, 221 172, 173, 179, 181, 190, 191, 194,
Data, 8, 16, 30, 43, 63, 68, 72, 85, 91, 196, 197
94–100, 111, 112, 115–117, 121, Economist, The, 158, 177
124–144, 146, 147, 153, 155, 156, EDS, 163
172, 188, 216, 230, 241 Education, 3, 10, 59–61, 73, 84, 85, 110,
Debt, 47, 80 117, 153, 165, 166, 176, 212–214,
Declaration of Independence, 13, 15 222, 223, 227, 228, 239, 242, 243,
Decoys, 3 247, 253
270 Index
Education/intellectual Property, 10 105, 126, 146, 148, 171, 184, 185,

Effort, 4, 11, 31, 32, 70, 164, 166, 189, 189, 240, 245, 246, 249–251, 255,
201, 202 263, 264
eGovernment, 50, 246 Europol, 185, 246
Egypt, 53, 57, 58 Evaluation, 32, 124, 258
Electricity, 3, 33, 35, 38, 46, 85, 170, 184 Evolution, 12, 169
Electricity pylons, 3 Executive Club of Chicago, 99
Electronic, 1, 2, 31, 40, 42, 62, 67, 69, Executive order, 20, 24, 27, 28, 30,
73, 75, 80, 95, 99, 100, 102, 110, 31, 65, 66
117, 126–144, 149, 164, 174, 175, Exercise, 14, 49, 50, 87, 171, 173,
178–180, 189, 196, 215, 262 177, 191
Electronic environment, 2, 178
Email, 95 F
Emergency services, 16, 31 Faegre and Benson, 174
Enemies, 2, 54, 171 Far east, 52, 53, 99, 145, 146
Energy, 9, 16, 18, 19, 21, 23, 25, 27, 28, FCC, 66
31, 45–47, 56, 61, 62, 85, 102, 203, FDA 21 CFR, 97, 107
232, 257 Fences, 3
English, 150–153, 157, 173, 181, 202, 249 FERC/NERC, 104, 105, 107
ENISA, 69, 185, 192, 193, 246 FFIEC & GLBA, 126
Enron, 89, 99, 100, 149 Fialka, 169, 227
Entrepreneurs, 6 Fiber, 11, 63
Environment, 2, 40, 42, 43, 58, 59, 74, Fiber optic, 11, 151
81, 87, 92, 102, 132, 145, 146, 151, Filtered Warning Service, 74
153, 169, 171, 175, 177, 196, 230 Finance, 10, 16, 31, 52, 61, 62, 83,
Environment Agency, 58 85, 232
Environmental, 31, 77, 93, 111, 112, 131, Financial Services Authority, 88, 255
146, 153, 161, 170, 173, 197 Fire, 16, 63, 214, 215
Equipment, 39, 62, 63, 83, 92, 95, 96, Fire stations, 20
117, 118, 131, 137, 163 Fish and Chips, 3, 54
Ernst & Young, 52, 83, 204 Fish stocks, 59
ETH, 192, 193, 198 Flanders, 154
Euphrates, 57 Flood, 2, 98
Europa, 158, 171, 246 Food, ix, 2, 5, 6, 10, 16, 31, 45, 47–49,
Europe, 8, 19, 33, 40, 46, 48, 50, 52–55, 57–59, 61, 62, 83, 85, 98, 102, 152,
58, 69, 71, 82, 89, 90, 94, 95, 99, 165, 170, 177, 187, 199, 200, 232
100, 102, 146–149, 151, 155, 168, Food supply, 10, 61, 85
171, 178, 179, 189, 191, 196, 244, Foreign exchange, 57
246, 248, 262 Formula, 1, 3
European Commission, 32, 33, 56, 88, Framework, 32, 33, 80, 87, 88, 102, 107,
90, 148, 179, 185, 189, 246 126, 189, 233
European Investment Monitor, 52 France, 1, 51, 184, 199, 203,
European Network and Information 224, 247
SecurityAgency, 185, 246 Frankfurt, 99
European Telecommunications Free trade, 55
Resilience and Recovery Freedom of speech, 14
Association, 145 Friedman, T.L., 15, 82
European Union (EU), 32, 33, 40, 46, Fuel, 5, 46, 48, 56, 85, 87, 170, 232
48, 51, 52, 55, 56, 88, 90, 100, 103, Funding, 17, 32, 58
Index 271
G Home workers, 156

G8, 152, 184–186 Homeland, 10, 20, 66, 67
Gas, 19, 33, 45, 46, 56, 58, 83, 170 Homer-Dixon, 173, 231
GDP, 80, 82, 151 Hong Kong, 99, 160, 229
Germans, 2 Horses, 2, 6, 38
Glasnost, 54 Hospitals, 19, 35
Global Crossing, 63 Hosting, 62
Global warming, 45, 50, 84 House of Representatives, 161, 174, 207,
Globalization, 1, 2, 12, 53, 81, 82, 231–233
99, 145, 159, 166, 168, 197 Humanitarian, 7, 46
Goetz, Eric, 201 Hungary, 1, 52
Gompert, 173, 231 Huntington, 169, 230
Goods, 4, 16, 52, 55, 63, 83, 146, 150, Hussein, S., 54
151, 154, 166 Hyslop, M., 2, 4, 56, 81, 99, 164, 165, 167,
Governance, 3, 6, 82, 88–90, 147, 149, 168, 171, 172, 174, 177, 229, 233, 235
190, 199, 201, 204, 218, 258
Government, 2, 3, 6, 10, 13, 14, 16, 17, I
19, 21–29, 31–36, 40–42, 50, 51, 53, I3P, xi, 69, 192, 193, 198
60, 61, 65–70, 73, 75, 77, 79, 85–87, ICC Cyber Crime, 192, 193
146, 152, 154, 170–172, 181, 194, Icons, 10, 54, 61, 85
202, 203, 218, 231, 233, 237, 245, Identity theft, 42
247, 251, 252, 255, 256 Ideological, 15
Government Department, 3, 17 IDM, 42
Graduates, 54, 59, 60 Illness, 2
Grain, 13, 48 IMF, 86
Gravelines, 184 Impact assessment, 91
Greece, 1, 185 India, 47, 48, 52–54, 58, 59, 82, 88, 102,
Greeley, 154 145–149, 154, 156, 157, 196, 232
Grotberg, 162, 163, 176, 233 Industry associations, 33, 34
Group of Eight, 184, 185 Inequality, 84
Information, 1, 5, 10–12, 16, 18–24,
H 26–30, 33, 34, 39, 41, 42, 44, 48, 49,
Hackers, 37 55, 62–75, 77, 79, 80, 85, 86, 88–90,
Hacking, 32, 38, 40 94, 95, 97–100, 105–110, 112, 117,
Hague Convention, 54 120, 121, 124, 126–128, 130, 132,
Hammond, A., 172, 230 136, 139–141, 143, 147, 148, 155,
Happiness, 14, 78 157, 163, 171–175, 181, 185, 196,
Hardware, 62, 64, 76, 91, 92, 152, 169, 197, 202, 204–206, 211, 220, 229,
217, 220 240, 242, 243, 245–247, 250–253,
Hayek, 15 255–257, 260, 262, 264
Hazards, 34, 111, 112, 131 Information Infrastructure, 1, 11–13,
Health, 2, 10, 17, 19, 21, 23, 25, 31, 34, 15, 18, 24, 27, 29, 43, 44, 50, 61–64,
47, 49, 50, 59, 61, 84, 85, 89, 102, 69, 76, 88, 91, 94, 106, 150, 153,
118, 241, 244, 257 158–161, 163–165, 169–175, 178,
Heathrow, 55 179, 182, 184, 196, 197, 201–203,
Heraklion, 185 211, 233
Hewlett Packard, 63, 259 Infrastructure, 4, 6, 11, 12, 18–24, 26–29,
HIPAA, 102, 104, 107 32–41, 45, 50–52, 56, 66–68, 70, 76,
Home Office, 170, 228 79, 91, 120, 132, 140, 151, 152, 154,
272 Index
Infrastructure (continued) K
156, 157, 160, 161, 164, 165, 169, Kennedy, J., 19
171, 179, 180, 182, 194, 201, 243, Kendra, J.M., 161–163, 234
249, 252, 255, 256, 263 Kent, 184
In-house, 154 Ki work, 155–157
Institut Pericles, 145 Knowledge, 38, 40, 49, 64, 75, 106, 146,
Institutions, 2, 20, 80, 86, 88, 171, 180, 148, 175, 179, 185, 186, 188, 205,
191, 254 265
Insurance, 23, 46, 47, 63 Knowledge Economy, 52
Intel, 64, 209, 259 Korea, 1, 53
Intellectual property, 2, 59, 60 Kroll, 94
Intelligence, 5, 30, 60, 65–69, 171, 172,
180, 182, 185, 188, 262 L
Interconnectors, 56 Langchao, 63
International, 4–6, 12, 16, 18, 24, 27, 34, Law and order, 10, 51, 61, 85
40, 41, 43, 45–48, 50, 51, 53–59, 62, Law enforcement, 19, 24, 33, 41, 66–70,
66, 70, 76, 81, 84, 88–90, 95, 146, 86, 188
151, 153, 166, 173, 174, 176, 179, Lebanon, 57
184–197, 204, 242, 250, 259 Leeds, 151
International Financial Reporting Lefever, Ernest W., 77
Standard, 90, 91 Legal, 4, 23, 41, 77, 81, 93, 102,
International Law Commission, 192 146, 161, 165, 166, 170, 189, 194,
International relations, 4, 58, 166, 191 196, 197
Internet, 4, 6, 11, 12, 15, 33, 38, 39, 41, 42, Lenin, 54
62, 63, 72, 75, 83, 99, 147, 148, 165, Liberalization, 33
169, 171–173, 175, 202, 206, 210–212, Liberty, 14, 77, 78, 190
216, 219, 220, 223, 225, 228, 231, 232, Libya, 57
238, 242, 251, 256, 261–263 Life, 5, 8, 14, 16, 31, 50, 52, 56, 57, 87,
Iran, 78 156, 159, 176
Iraq, 4, 51, 52, 54, 57, 77, 80, 164, 180 Lincoln, A., 78
Ireland, 1, 152–154, 178 Linux, 73, 216, 218, 220, 224, 238,
Islam, 84, 166 262
ISO 17799, 97, 98, 102–105, 107, 126, Lisbon, 146, 148, 149, 184
187, 218 Literacy, 176
Israel, 57 London, 33, 47, 60, 75, 85, 94, 95,
Issue groups, 38 97, 99, 149, 174, 204, 205, 209,
IT, 12, 35, 37–41, 71, 72, 91, 94, 126, 211–216, 218, 221, 222, 225, 226,
128, 132, 143, 144, 156, 172, 186, 228, 235, 240, 255
201, 204, 214, 218, 219, 223, 237, London Stock Exchange, 149
242, 252, 253, 255, 262 Lucent, 19
ITIL, 103, 104, 126, 129, 131, 134, 136,
137, 140–142 M
ITU, 62 Madrid, 33
Magna Carta, 3, 51, 54
J Malthusian, 59
JANET-CERT, 71, 240 Malware, 38, 42, 65
Japan, 1, 53, 78 MAN-CERT, 71, 72
Jordan, 57 Manchester, 63, 73
Judiciary, 51, 206, 207 Manchester University, 71
Just in Time, 5, 6 Manufacturer, 4, 63, 81, 153, 165, 166
Index 273
Manufacturing, 10, 21, 28, 52–54, 61, Network (s), 11, 12, 21, 23, 26, 30,
62, 83, 85, 146, 148, 197 33–35, 38, 39, 43, 63, 64, 73, 95, 96,
Market forces, 12 115, 119, 121, 124, 125, 134–137,
Market research, 91, 151, 153 156, 157, 160, 161, 163, 169,
Marketing, 4, 53, 81, 82, 100, 102, 173–175, 181, 186, 189, 205, 220,
151–153, 158, 166, 178 226, 233, 235, 240, 246, 249, 250,
Marsh, 63 260, 263, 265
Marx, K., 15 New World, 1, 83
Marxism, 16 New York, 69, 82, 95, 97, 99, 159, 161,
Masera, M., 185 169, 173, 181, 195, 206, 208–213,
Mass migrations, 55 215, 216, 220–228, 234, 239, 258
Materials science, 9 New Zealand, 1, 8, 19, 35, 36, 38, 39–42,
Mecca, 54 179, 190, 203, 222, 252
Media, 12, 80, 94, 109, 112, 115 Newcastle-upon-Tyne, 54, 234
Medical, 53 Nice, 145, 146
Mexico, 1, 157 Niebuhr, R., 79
MI5, 31, 171, 178, 232 Nigeria, 49
Microsoft, 39, 40, 64, 65, 82, 161, 169, Nile, 56, 57
204, 207–209, 218, 220, 221, 223, NISCC, 69, 70, 73–75, 181, 186
225, 233, 260 Noord-Brabant, 154
Middle East, 56–58, 147 North, 46, 53, 102, 152, 190, 191, 242, 258
Militia, 14 North Sea, 46
Ministry of Defense, 2, 171, 182, 230, Northumberland, 51
247, 252, 253 Northumbria, 145, 146, 240
Mobile, 43, 120, 139, 150, 153, 169, Nottinghamshire, 51
235 Nuclear energy, 45
Model, 15, 36, 83, 91–93, 146, 148, 149, Numeracy, 176
178, 180–183
Monarchy, 3 O
Money, 15, 16, 47, 58, 86, 88, 93, Obesity, 49
146, 150, 151, 157, 166, 169, 178, Obstructive marketing, 2–6, 81, 82, 84,
193 93, 102, 164–167, 170, 174, 175,
Monitoring, 32, 88, 139, 190 177, 178, 195–199, 233
Moore’s Law, 83 OECD, 1, 8, 9, 13, 15, 16, 18, 42–44,
Morocco, 53 46–50, 52, 54, 61, 70, 71, 77, 84,
MRSA, 49 97, 99, 145, 149, 159, 164, 169, 172,
173, 176, 178, 180, 181, 184–187,
N 190, 193, 196–200, 249
Nation states, 1, 13, 55 OFCOM, 70
National Guard, 10 Oil, 16, 19, 45, 46, 50, 56, 57, 102, 147
National Information Security Operating systems, 39, 71, 220
Co-ordination Centre, 12, 190 Organization, 9, 18, 51, 74, 82, 91–93,
National interest, 6 95, 99, 106–108, 126, 128, 137,
NATO, 6, 50, 184, 187, 188, 190–193, 162, 172, 177, 181, 182, 184, 187,
197, 198 193
Navies, 3, 182 Organized crime, 38, 166, 168, 179,
Navy, 17, 179, 182, 198 180
Nelson’s Column, 3, 54 Outsource service providers, 156, 157
Netherlands, 1, 15, 55, 152, 154, 203, Outsourced, 35, 108, 128, 150, 154, 196
251 Outsourcing, 6, 150, 154, 155, 196
274 Index
Ownership, 16, 17, 35 Power plants, 19

Oxford Intelligence, 52, 53 President, 19–22, 24–26, 28–30, 56, 77, 78
PriceWaterhouseCoopers, 64
P Private, 5, 12, 14–18, 21–23, 26, 28, 29,
Parliament, 3, 87 35, 41, 42, 44, 56, 58, 62, 66–71,
Partnership, 3, 5, 6, 21, 29, 34, 179, 80, 82, 87, 88, 94, 95, 150, 175,
180, 197 179–182, 184, 185, 187, 192, 220,
Pas de Calais, 184 249, 263
Passport, 55, 102 Private property, 14
Password(s), 38, 71, 96, 117–119, 137, Private sector, 3, 5, 22, 26, 73
138, 256 Privatization, 5, 56
Patriot Act, 77, 86 Privatized, 3, 170
PC, 64, 73, 83, 96, 209, 213, 229, 230, Processes, 3, 5, 9, 53, 62, 81, 88, 93,
238, 241 97, 106, 123, 124, 126, 142, 143,
Pearson, B., 177 156, 184, 252
Pearson, T., 214 Professional bodies, 33, 34
Pelgrin, W., 69 Protected, 2, 3, 5, 31, 34, 35, 68, 111,
People, 10, 13, 14, 60, 61, 73, 85 112, 131, 170, 181
Perturbation, 9 Protection, v, 2, 3, 5–7, 10–12, 14, 15,
Peter Le Magnen, 52 18, 20–26, 28, 30, 32–34, 37, 42, 43,
Petrochemical(s), 59, 62 63–65, 69, 70, 76, 86, 87, 103, 104,
Petroleum industry, 62 106–129, 133, 135, 155, 175, 179, 183,
Petroleum institute, 62 185, 187–192, 194–196, 201–203, 211,
Philippines, 154, 157 219, 231, 244, 245, 248, 249, 252, 254,
Phishing, 42, 63 255, 256, 258, 261, 263
Pipelines, 20, 56 Psychology, 9
Pipes, 3 Public, 5, 14, 16–19, 21, 29, 31, 33, 34,
Planes, 5, 180 41, 42, 44, 56, 58, 62, 65, 67, 69,
Poland, 1, 52, 152 71, 80, 82, 87, 115, 121, 134, 175,
Poles, 2, 6 179–181, 184, 185, 189, 190, 192,
Police, 16, 17, 35, 41, 179, 182, 250, 238, 244, 249, 263
251, 254 Public safety, 17, 31
Police forces, 3 Public sector, 41, 180
Policy, 19–21, 32, 33, 41, 42, 79, 87, 92, Public service, 17, 31
106, 107, 110, 119, 126, 130, 133, Public transit operators, 20
139, 186, 190, 262 Public-private partnership, 3, 5, 181, 195
Polio, 49
Politech institute, 189, 192, 193 Q
Political, 1, 2, 12, 13, 16, 18, 31, 47, 55, Qinetiq, 163, 205, 260
57, 58, 60, 77–79, 84, 87, 93, 146, Quangos, 17
147, 151, 161, 167–173, 179, 181,
182, 184, 185, 189, 190, 191, 193, R
194, 196 Rail, 55, 56
Political will, 1, 47, 185 Rand, A., 15
Politics, 4, 18, 79, 166 Reagan, R., 78
Ports, 20 Reardon, M., 161, 169, 233
Post Office, 16 Recovery, 5, 23, 24, 33, 91, 94, 95,
Power distribution, 5 97–100, 105, 106, 114, 123,
Index 275
150–152, 156, 158, 160, 163, 164, S

170, 174, 175, 180, 181, 196, 202, Sadat, A., 56
206, 214, 241, 259, 265 Safety, 2, 34, 85, 89, 178
Redundancy, 5, 162–164 Sarbanes-Oxley, 82, 88, 89, 107
Regulation, 34, 88, 94, 97, 100, 146, Satellites, 11, 67
196, 199, 249 Saudi, 57
Regulator(s), 33, 34, 70, 88 Schipol, 55
Religion, 14, 54, 195 Scotland, 152
Research and development, 24, 53, 54, Sect, 57
64, 173 Sector, 11, 12, 17, 21–23, 26, 28, 29, 32,
Resilience, 1, 5, 7–9, 13, 14, 16, 18, 20, 35, 41, 53, 66–70, 74, 88, 94, 150, 155,
31, 32, 33, 34, 42, 43, 44, 46, 47, 49, 174, 175, 180–182, 187, 192, 255, 263
50, 51, 54, 55, 58, 59, 60, 63, 66, 69, Secunia, 71
76, 77, 86, 91, 94, 99, 100, 102, 105, Security, 3, 5, 10, 12, 14, 19–28, 30–34,
106, 145, 150, 156, 158, 160, 161, 36, 38–43, , 62–65, 67, 68, 71–74, 76,
162, 163, 164, 170, 174, 175, 176, 79, 88, 90, 94–98, 102–105, 107–144,
177, 179, 181, 183, 184, 189, 190, 146, 147, 158, 160, 161, 163, 164,
192–202, 206, 221, 223, 233, 234, 169, 171–175, 178–181, 185–187,
235, 236, 246, 255, 256 189– 191, 195–197, 200–265
Resiliency, 9 Self-sufficiency, 46
Resilient, 2, 5, 7, 18, 55, 60, 80, 92, 100, Seller, 83
106, 160, 162–164, 170, 175, 176, Service provider, 4, 81, 165, 166
188, 197, 202, 217 Services, 2, 4, 9, 11, 12, 19, 21, 23, 28,
Resources, 2, 4, 28, 34, 38, 46, 57, 58, 66, 30, 31, 34, 36, 50–53, 55, 62, 69, 71,
67, 70, 72, 79, 80, 87, 96, 113, 119, 74, 75, 83, 87, 88, 95, 97, 106, 117,
124–126, 129, 132, 133, 147, 148, 126–144, 150–155, 166, 171, 172,
164, 168, 170, 173, 174, 184, 185, 188, 189, 249
189, 190, 192–194, 201, 202, 204, Sewage, 2, 58, 251
209, 239, 257, 261 Shakespeare, 79
Revolution, 18, 21, 58, 83, 168, 169, 171, Shareholder, 41, 168
173, 245, 246 Shaw, G.B., 6
RFID, 43, 205, 223, 234 Shell, 46, 224
Riccardo, D., 15 Shenoi, Sujeet, 201
Rice, C., 78 Shock, 8
Riga, 188, 191 Siberia, 46
Risk, 5, 29, 32–34, 36–38, 40, 41, 43, Silicon Valley, 154
46, 65, 66, 69, 74, 75, 77, 88, Smith, A., 15
90–94, 102, 106, 121, 131, 141, 147, Sniffers, 5
151, 153, 172, 196, 202, 205, Social, 6, 10, 16, 20, 31, 51, 58, 60, 77,
259, 262 84, 93, 146–149, 161, 170, 172, 173,
Risk management, 6, 92, 194, 195 194, 195, 197
Rivers, 57–59 Society, 2, 3, 5, 8, 13, 15, 18, 23, 45, 50,
Road, 55, 56, 64, 65 51, 54, 56, 59, 60, 69, 84, 161, 171,
Rochlin, 162, 163, 177, 234 177, 181, 186, 189, 194, 197, 246,
Romania, 52 247, 250
RSA, 63, 225, 227, 260 Software, 11, 42, 62, 64–66, 74, 76, 91,
Russia, 46, 47, 52, 58, 82, 147, 96, 98, 114–116, 133, 135, 140, 152,
148, 253 160, 164, 169, 206, 217, 221
276 Index
South America, 48, 58, 147, 157 230–232, 234, 241, 246, 248, 249,
Soviet Union, 54 252, 256, 262
Spain, 1, 54 Telephone, 19, 83, 95, 96, 154, 169, 178
Spanish, 157, 202 Telephony, 39
Staff, 26, 30, 37, 38, 40, 155, 156, 172, Telstra Saturn, 35
188, 262 Ten Commandments, 15
Stakeholders, 31, 33, 87, 189 Territorial Army, 10
Stalin, 59, 150 Terrorism, 5, 20, 32–34, 42, 66, 68, 77,
Standard of living, 2, 146, 148 79, 98, 165, 178–180, 185, 187,
Steel, 79, 170 198, 201, 229, 258, 264
Steganographic, 4 Terrorist groups, 2
Stockpiles, 3, 5, 48 Theft, 37, 38, 40, 42, 110, 112, 115, 129,
Strategic National Asset, 3 132, 135, 171
Stress, 9, 18, 156, 162 Tigris, 57
Sudan, 58 Timing, 4, 164
Sun Microsystems, 63, 219, 259 Tolchin, M., 173
Sunderland, 154 Tolchin, S.J., 173
SunGard, 63 Tompkins, J., 86
Supermarkets, 48, 170 Townsend, 170, 232
Supply chain(s), 34, 62, 83, 147, 178, 240 Trains, 5
Survival, 1, 3, 56, 98, 100, 158 Transport, 10, 17, 31, 56, 61, 62, 85
Sweden, 1, 11, 43, 181, 182, 190, 203, 253 Transportation, 2, 19, 21, 23, 28, 55, 56
Swiss, 12, 43, 203, 253–255 Trendle, 173
Switzerland, 1, 10, 43, 181, 182, 190, Trial, 14, 15
203, 211, 253, 254 Troy, 154
Syria, 57 Trudeau centre, 173, 231
Trusted Sharing Service, 74
T Tunisia, 53
Tags, 43 Turkey, 1, 57
Taliban, 54 Tyco, 89
Tanks, 2, 148
Target, 4, 77, 165, 264 U
Tea, 3 UN’s International Law Commission,
Technological, 5, 11–13, 40, 42, 46, 51, 198
52, 57, 67, 77, 153, 161, 170, 173, Uncertainty, 82, 83, 91, 173
194, 197 United Kingdom (UK), 1, 2, 5, 6, 8, 11,
Technology, 1, 8, 12, 16, 18, 21, 23–25, 12, 16–19, 31, 32, 46–51, 53–56,
30, 39, 40, 43, 51, 53, 64, 65, 67, 68, 58–60, 62, 63, 69–73, 77, 82, 86–90,
74, 83, 85, 90, 98–100, 103, 140, 146, 94, 97, 100, 103, 126, 152, 154, 155,
147, 150–152, 154–156, 165–167, 160, 170–173, 175, 178–181, 184,
169–173, 181, 186, 187, 194, 203, 190, 202–206, 209–230, 234, 235,
209, 210, 213, 214, 218–220, 225, 240, 250, 251, 255, 256
227–229, 231, 232, 234, 237–239, United Nations(UN), 78, 84, 146, 184,
241, 244, 245, 247, 250, 251, 186, 187, 190, 191
253–258, 260, 262, 264, 265 United States of America (USA), 2–5,
Telecom, 35, 223, 227, 228, 235 8, 10, 13–15, 19, 20, 47, 51, 52, 63,
Telecommunications, 1, 5, 8, 11, 16, 18, 65, 70, 76, 77, 79, 80–83, 86, 88,
21, 23, 29, 35, 38, 62, 67, 69, 70, 76, 89, 97, 99, 100, 102, 106, 146–149,
90, 91, 150, 153, 158, 160, 163, 181, 151, 152, 154, 155, 158, 164, 167,
Index 277
171, 173–175, 178–181, 184, 189, Windows, 39, 40, 204, 207, 208, 217,
196, 206–229, 232, 233, 240, 250, 218, 220, 221, 225
256–258, 260, 264 Wireless, 12, 43, 151, 152, 189
Universities, 3, 145, 146, 153 Wong, A., 160, 235
University of Toronto, 173, 231 Wong, P.W., 224
Unix, 39, 73, 206, 225, 262 Wood, 177
Utah, 151 Wilson, W., 78
Utilities, 5, 96, 174, 202, 246 The World, 2, 4, 6–9, 46–48, 55, 64, 65,
70, 77, 80, 82, 84, 90, 100, 146, 147,
V 151, 164, 166, 168–171, 179, 196,
Vatican, 54 229, 230, 244, 262
Verizon, 63 Work, 3, 8, 23, 24, 26–29, 42, 43, 51, 56,
Viruses, 38, 50, 169 69, 70, 73, 74, 76, 80, 83, 86, 87, 98,
110, 126, 130, 145, 150, 155, 156,
W 159, 173, 180, 181, 185, 187, 188,
Walls, 3 190, 192, 195, 196, 233, 255
War, 2, 4, 14, 18, 45, 46, 49, 51, 54–56, Workstations, 73
78–80, 146, 148, 162, 164, 168–170, World heritage sites, 54
182, 195, 202, 227, 234 World Trade Centre, 3, 54, 159, 161,
War Office, 2 169, 234
Warning Action and Reporting Points, World Trade Organization, 147
73 World Wide Web, 12, 99, 160, 169, 175,
WARPs, 71, 73–76, 195 219, 243
Washington Times, 77, 234 WorldCom, 89, 149
Water, ix, 2, 19, 21, 23, 45, 47, 56–59, 79, Worms, 38
85, 98, 200
Water, 10, 17, 32, 56–59, 61, 85, 165, 251 Y
Way of life, 2, 3, 5, 13, 15, 51 Y2K, 1, 98, 158, 236, 265
Weapons, 19, 81, 179, 180, 187 Yale, 55
Weapons of Mass Destruction, 178, 179
Wembley, 3, 54 Z
Wenger and Metzger, 76 Zambia, 59
Wheat, 47, 48 Zekos, 171, 172, 232
Wigert, I., 10–12, 20, 43, 76, 182, 189 Zurich, 10–12, 203, 211, 254

Maitland Hyslop - Critical Information Infrastructures - Resilience and Protection (2007)

Uploaded by

Copyright:

Available Formats

Maitland Hyslop - Critical Information Infrastructures - Resilience and Protection (2007)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Maitland Hyslop - Critical Information Infrastructures - Resilience and Protection (2007)

Uploaded by

Copyright:

Available Formats

Critical Information Infrastructures

Library of Congress Control Number: 2007924497

Critical Information Infrastructures: Resilience and Protection

ISBN 978-0-387-71861-3 eISBN 978-0-387-71862-0

Printed on acid-free paper.

© 2007 Springer Science+Business Media, LLC

Chapter 1. Introduction ..................................................................... 1

Chapter 2. Definitions and Assumptions ........................................... 8

Chapter 3. Critical Infrastructures and Critical Information

Chapter 4. Critical Infrastructures and Critical Information

Chapter 5. Critical Information Infrastructure................................... 61

Chapter 6. Some Political, Economic, Social, Technological,

Chapter 7. Comments on Standards in Information Security,

Chapter 8. A Tangential Threat To OECD Resilience:

Chapter 9. Resilience and Outsourcing Call Centers Offshore:

Chapter 10. Information Infrastructure: Resilience,

Chapter 11. A Suggested Approach to Individual, Corporate,

Chapter 12. General Summary and Conclusions ................................. 194

Chapter 13. A Manifesto for Change ................................................... 198

1. Introduction ..................................................................................... 201

2. Bibliographies/Lists/Directories/Surveys/Search Engines ................. 202

3. Books – Arranged Alphabetically by Subject ................................... 206

Radio Frequency Identification (RFID) ........................................... 223

4. Articles – Arranged Alphabetically By Subject ................................ 228

Telecommunications Networks......................................................... 235

5. Regular Publications – Arranged Alphabetically By Title ................ 236

6. Links – Arranged Alphabetically by Subject and Site Name............ 239

Resilience is an increasingly important concept and quality in today’s world.

In 2007, traditional armed conflict is only one of a number of ways of

that protection will differ from any traditional understanding of defense.

is key. It is necessary to understand Obstructive Marketing and the lessons it

George Bernard Shaw famously commented that an unreasonable man

issue, the sorts of changes required need to be defined further. Finally, an

Resilience General Definition

Resilience in Materials Science

Resilience in this Book

A consistent approach is required to definitions in terms of both Critical

to be subsumed into a Critical National Infrastructure body in 2007 – thus

At least in theory the Government of the USA (and other Governments)

Marxism. In practice, many modern western economies developed under heavy

TABLE 1. UK Infrastructure Ownership

The ability to defend Critical Infrastructures has changed too.

TABLE 2. UK Defense of Infrastructures

Arguably, the UK is defending a more complex international and national

This review of Critical Infrastructures and Critical Information Infrastructures

– 2 million miles of pipelines

Executive Order on Critical Infrastructure Protection

that own, operate, develop, and equip information, telecommunications,

(iii) National Security Systems. The National Security Telecommunications

Government programs for international cooperation covering international

(x) Financial and Banking Information Infrastructure, chaired by a

more than 30 members appointed by the President. The members of the

(v) To the extent permitted by law, and subject to the availability of

The Executive Order represents a clear political statement about the

• Protective security (physical, personnel and procedural)

Banking / Finance Transport

Electric Power Telecommunications

Emergency Services Oil and Gas Government Services

FIGURE 1. New Zealand Critical Infrastructure Dependencies (Source: New Zealand