In the aftermath of the terrorist attacks in the US on the 9th September 2001, the protection of ECIs was allocated to the North Atlantic Treaty Organisation (NATO) (Pursiainen, 2009: 723). However, Pursiainen (2009) argues that by 2005, there had been another shift in responsibility towards the EU (p. 724). Indeed, the European Commission (EC) published the Communication from the Commission on a European Programme for Critical Infrastructure Protection in 2006, in which plans are outlined for, as the name of the document suggests, a European Programme for Critical Infrastructure Protection (EPCIP). This followed a Communication from the EC a year earlier relating specifically to the security of European critical infrastructures from terrorism (see European Commission, 2004). Although acknowledgement of critical infrastructures’ importance began later in Europe than in the US (Pursiainen, 2009: 722), there has since been considerable debate over means of identifying and protecting them. On the identification of ECIs, the Communication states that they:
constitute those designated critical infrastructures which are of the highest importance for the Community and which if disrupted or destroyed would affect two or more MS, or a single Member State if the critical infrastructure is located in another Member State (European Commission, 2006a: 4).
This definition has been further refined in the ‘Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection’, which establishes that:
‘European critical infrastructure’ or ‘ECI’ means critical infrastructure located in Member States the disruption or destruction of which would have a significant impact on at least two Member States. The significance of the impact shall be assessed in terms of cross-cutting criteria. This includes effects resulting from cross-sector dependencies on other types of infrastructure (Council of the European Union, 2008a: L 345/77).
It would appear then that there are two levels of critical infrastructure within the EU; the first of which pertains to infrastructures deemed critical by national governments, and the second which includes infrastructures deemed critical by the EC. Crucially, the 2008 Directive clarifies that ECIs must now ‘significantly impact’ two separate Member States, implying that infrastructure may only be considered critical on the European level if more than one state is dependent upon it. The removal of the statement “or a single Member State if the critical infrastructure is located in another Member State” (European Commission, 2006a: 4) from the definition contained within the 2006 Communication from the Commission on a European Programme for Critical Infrastructure Protection suggests that a hypothetical situation, whereby a Member State is dependent on infrastructure located in another Member State, despite the second state not deeming said infrastructure ‘critical’, is no longer feasible.
Importantly, the identification and classification of infrastructures as ECIs takes place at state level. Member States wishing to designate particular infrastructures within their borders as ECIs are required by Article 4 of Council Directive 2008/114/EC to inform other Member States dependent upon those infrastructures about their intentions. Bilateral or multilateral negotiations will then take place between all “significantly affected” (Council of the European Union, 2008a: L 345/77) parties with the intention of agreeing to classify an infrastructure as an ECI, though the identity of any ECI shall remain confidential only to the Member States affected. In the case that a Member State feels an infrastructure located within the territory of another state should be designated an ECI, it should contact the EC, which will initiate bilateral or multilateral negotiations with all affected parties (Council of the European Union, 2008a: L 345/78).
The final point to be considered from the Council of the European Union’s definition of ECIs is the requirement that any candidate infrastructure must be “located in Member States” (Council of the European Union, 2008a: L 345/77). While this geographical requirement is relatively ambiguous, the argument can be made that it implies that the entirety of a critical infrastructure must be located within the territorial boundaries of Member States in order for it to be categorised as an ECI. This logically means that outer space infrastructures, the subject of this thesis and discussed in greater detail later in this chapter, are not eligible for the label ‘European Critical Infrastructure’. Not only are the space segments of such infrastructures based beyond the confines of the Earth’s atmosphere, but many of the ground segments (e.g. relay stations and launch sites) are located across the globe (Anonymous, 2012b). Although the Arianespace launch facility in Kourou, French Guiana, is located within an overseas department of France, the use of Russian launch sites and the spread of relay stations and ground control segments across EU and non-EU Member States is at odds with article 2(b) of Council Directive 2008/114/EC (see Council of the European Union, 2008a: L 345/77). Moreover, the European Geostationary Navigation Overlay System (EGNOS) and Galileo programmes are described by the European Parliament and the Council of the European Union (2013) as “infrastructures set up as trans-European networks of which the use extends well beyond the national boundaries of the Member States” (p. L 347/1). This is problematic as it means that European outer space infrastructures, which provide vital services supporting a host of terrestrial critical infrastructures, are not themselves identified as being considered ‘European’ critical infrastructures merely because of their multiple astro- and geographical locations.
It is possible that an exception to this geographical restriction has been made for outer space infrastructures; however, bearing in mind that the identity of ECIs must remain confidential, it is highly unlikely that a public acknowledgement of any such exception will materialise.
The relationship between the geographical location of critical infrastructures and their eligibility for ECI status is arguably problematic, not only for outer space infrastructures but for terrestrial ones as well. As discussed earlier in this chapter, infrastructures extend beyond the material assets and hardware which are often their most visible aspects. The connectivity within and between infrastructures is also extremely important and can exist physically, in the shape of pipelines for gas and oil, or virtually, through the flow of digital information across cyber networks. With regard to outer space infrastructures, this connectivity is largely virtual but plays a vital role in the functioning of the infrastructure and is arguably as important as the material assets it links. If the connection is lost between satellites, or between them and their ground control segments, then the assets themselves are rendered redundant, even though they may still be operational. Moreover, the connectivity is not impervious to astro- and geographical obstacles: the various radio-communications which enable extra-terrestrial operations require line of sight between receivers on satellites and terrestrial ground stations. In addition, launch facilities are also integral to the connectivity of an outer space infrastructure as they enable the deployment of material assets into orbit, which is of vital importance in the development of an infrastructure or the event of a satellite failure. As noted in chapter 2 of this thesis, ESA has one launch facility operated by Arianespace and located in Kourou, French Guiana. Meanwhile, Galileo’s ground segment includes control stations, survey stations, upload stations, and Search and Rescue (SAR) data collection stations spread across the globe (European Commission, 2012a: L 52/30-L 52/31). Therefore, tying down an infrastructure to a specific geographical location or container – such as the state – ignores the connectivity necessary for infrastructures to perform the tasks for which they are designed and presents a simplified perspective of the complex networks and vulnerabilities upon which they are founded.
The aforementioned issues pertaining to the narrow definition of ECIs have seemingly not gone unnoticed. In 2013, the EC published a Commission Staff Working Document exploring means of improving the EPCIP. The Working Document notes that “less [sic] than 20 European critical infrastructures have been designated” and that “[s]ome clear critical infrastructures of European dimension, such as main energy transmission networks, are not included” (European Commission, 2013b: 4). Indeed, the EC is of the opinion that “[d]espite having helped foster European cooperation in the CIP process, the [EPCIP] Directive has mainly encouraged bilateral engagement of Member States instead of a real European forum for cooperation” (p. 4). The need for increased cooperation between EU Member States and states outside the EU is also emphasised (pp. 5-6). The answer proposed in the Working Document is a shift away from the existing “sectoral approach, where each sector is treated separately with its own risk methodologies and risk ranking”, towards a “systems approach, where critical infrastructures are treated as an interconnected network” (p. 7). In addition to introducing new forms of risk associated with interdependency, this shift is arguably reflective of the arguments made by Aradau (2010a) on the need for awareness of the materialities of interconnectivity and intra-action, as well as Egan’s (2007) work on LTSs. The pilot programme for this new approach to the EPCIP involves four critical infrastructures: “Eurocontrol, Galileo, the electricity transmission grid and the gas transmission network” (p. 7). One of the reasons given for the selection of these four infrastructures for this pilot is the inherent interdependencies involved:
[t]hey are cross-border both physically (i.e. the infrastructures are located in the territory of more than one Member State) and at the level of the service provided (i.e. a disruption of service in one Member State can affect several other Member States – a domino effect) (p. 7).
It must be emphasised that this pilot programme is in its early stages, with a report on progress due to be made in late 2014 (European Commission, 2013b: 10). Nonetheless, the recognition of inter-state interdependences upon critical infrastructures can be seen as a positive step towards addressing some of the problems with the current ECI-designation process.
Returning to the security of ECIs, the EC maintains in the 2006 Communication from the Commission on a European Programme for Critical Infrastructure Protection that it:
will avoid duplicating existing efforts, whether at EU, national or regional level, where these have proven to be effective in protecting critical infrastructure. EPCIP will therefore complement and build on existing sectoral measures (European Commission, 2006a: 3).
No further information is given in that particular document, however, about how it will be decided whether existing protection efforts are ‘effective’ enough to be left in the hands of national governments, although paragraph 14 of Council Directive 2008/114/EC states that this process will rely upon cooperation between Member States and the EC:
Each Member State should collect information concerning ECIs located within its territory. The Commission should receive generic information from the Member States concerning risks, threats and vulnerabilities in sectors where ECIs were identified, including where relevant information on possible improvements in the ECIs and cross-sector dependencies, which could be the basis for the development of specific proposals by the Commission on improving the protection of ECIs, where necessary (Council of the European Union, 2008a: L 345/76).
Importantly, paragraph 6 of the Directive states that “[t]he primary and ultimate responsibility for protecting ECIs falls on the Member States and the owners/operators of such infrastructures” (Council of the European Union, 2008a: L 345/76), suggesting that despite the regional importance of ECIs, protection will still take place primarily at national level, with European ‘Community level’ action being employed to complement existing protection measures (p. 2). However, there appears to be little regulation of what measures should be implemented by Member States to address security issues (Necesal et al., 2011: 843).
While the aforementioned Council Directive is aimed specifically at the protection of ECIs within the energy and transportation sectors, it “constitutes a first step in a step-by-step approach to identify and designate ECIs and assess the need to improve their protection” (Council of the European Union, 2008a: L 345/77) and thus can be considered representative of the EU’s approach to the overall protection of ECIs.
As discussed earlier, while protection is a significant part of CIP, it represents only one particular aspect of CIR. Although resilience is not specifically mentioned in EU policy documents with regard to ECIs, it is alluded to in a manner suggesting that it is understood to be within the process of CIP; the 2006 Communication from the Commission on a European Programme for Critical Infrastructure Protection states that “[c]ontingency planning is a key element of the CIP process so as to minimize the potential effects of a disruption or destruction of a critical infrastructure” (European Commission, 2006a: 8). Given that contingency is a crucial aspect of resilience (see Scalingi, 2007), it can be concluded that some form of resilient strategy is at the forefront of European policy-making, albeit under the guise of CIP.
It appears, though, that the EU has not completely adopted the resilience-based approach to security. The 2008 Council Directive 2008/114/EC defines ‘protection’ as: “all activities aimed at ensuring the functionality, continuity and integrity of critical infrastructures in order to deter, mitigate and neutralise a threat, risk or vulnerability” (Council of the European Union, 2008a: L 345/77). On the one hand, the definition implies some form of resilience given the inclusion of the terms ‘continuity’, ‘risk’ and ‘vulnerability’; however, the desire to “deter, mitigate and neutralise a threat, risk or vulnerability” (p. L 345/77) arguably hints at emphasis upon a more traditional and reactive approach to CIP. As mentioned earlier, the intent to eradicate threats or vulnerabilities is commonly agreed within resilience literature to be impossible, hence the need for contingency in the event that prevention and protection efforts fail.
Notably, the introduction to a 2013 EC Staff Working Document states that “[b]y ensuring a high degree of protection of EU infrastructures and increasing their resilience (against all threats and hazards), we can minimise the consequences of loss of services to society as a whole” (European Commission, 2013b: 2, original emphasis). While protection remains prominent, the explicit reference to the need for resilience can be seen as an acknowledgement of the vulnerability of critical infrastructures and the impossibility of complete protection. Although the Staff Working Document is only a proposal describing a pilot programme, it is nonetheless indicative of a shift in EU policy-making with respect to the security of critical infrastructures upon which European societies depend, albeit one which has not been formalised at the time of writing.