Ensuring (and Insuring?) Critical Information Infrastructure Protection.

Protecting infrastructure from calamity has always been important for industry, government and society. Yet with more activities dependent on computer networks -- from banking and aviation to emergency services -- the reliability and security of information and communication systems against disasters, both natural and man-made, are in doubt. The question of protection is difficult because the majority of critical information infrastructure is privately-owned, interlinked with other firms, and crosses international borders. Evidence suggests there are currently insufficient incentives for protection to be adequately implemented. Companies internalize the costs and hope for the best; governments are loath to regulate lest they do it badly. Indeed, without really knowing the risk profile, it is not even clear what constitutes adequate protection in the first place. And, as always, it poses the question: who should pay? To understand the obstacles for protecting critical information infrastructure and to consider solutions, over 25 experts from industry, government and academia met for the fifth annual Conference on Information Law and Policy for the Information Economy, organized by Professors Lewis M. Branscomb and Viktor Mayer-Schönberger of Harvard University’s John F. Kennedy School of Government, with the support of Swiss Re, from June 16-18, 2005 at the Swiss Re Center for Global Dialogue in Rueschlikon, Switzerland. The report that is meant not only as an analytical summary of the discussion, but also as a roadmap for future work. It is comprised of five sections. The first explains the problems of protecting critical information infrastructure, and the second section considers the economics of it. The third section examines different models of network security, and the fourth identifies roles for business, government and the insurance industry. The fifth section takes a practical turn, and proposes a series of next steps that the private and public sectors can take. The report concludes that global economic development may be the force that best addresses the problem. As society increasingly depends on critical information infrastructure, it is important for new forms of partnerships to develop, involving numerous stakeholders. As a first step, information-sharing requires a permissible legal framework, regarding both antitrust and liability concerns. Moreover, the introduction of insurance could provide a foundation for market-based risk analysis, and cooperation among infrastructure operators. The participants of the Rueschlikon conference were largely optimistic that provided market forces could be brought to bear on the issue of critical information infrastructure protection, many of today’s challenges could be alleviated.