On trust and critical infrastructure protection

I started this blog to explore a topic that I'm both fascinated with, and one that gets way too little attention. That topic is trust and infrastructure protection and its many facets, in both the physical and digital dimensions. What exactly do I mean when I say this topic gets too little attention? Well, just now I googled 'Advertising', and 826 million hits came back. 'Justin Bieber' got 329 million hits. 'Wrestling'? 64.5 million hits. 'Critical infrastructure'? A mind-bending 857 thousand (my italics). Guess it's just not that sexy. But, dear readers, protecting critical infrastructure is a matter of life and death to more people than Justin Bieber is. Only they don't know it yet. And if you stay with me here, I'll do my best to explain.

The term 'critical infrastructure' covers a wide range of industries, but all of them have something very important in common: a requirement to maintain high trust in the products and services that they provide. In other words, the product or service has to be: (a) delivered as advertised, (b) safe and secure, and (c) available when needed.

If a provider fails to consistently meet all three of these criteria, trust in its brand will invariably erode. In many industries, that doesn't matter a whole bunch except to the company that dropped the ball and its immediate stakeholders: owners, employees, suppliers and customers. If you're a provider of advertising campaigns, video games or brainless and narcissistic pop music, your business will no doubt suffer if you fail to maintain trust in your brand. But society at large won't suffer very much. People may lament, complain, or file lawsuits. The slip-up may get covered on Fox News or the Daily Mirror. But soon enough, people will get over it, and life will go on.

Not so if you're a critical infrastructure provider. For you, maintaining trust is ... critical, not only to you and your immediate stakeholders, but to all of society. To test this, think about what would happen if key players in any of the following industry sectors failed to maintain trust as I've defined it:

  • Food
  • Water
  • Energy
  • Transportation
  • Delivery services
  • Manufacturing
  • Government services
  • Defense
  • Emergency services
  • Health care
  • IT and telecommunications
  • Financial services

Things would fall apart, fast. Contamination of the water supply, air traffic grounded, failure of the banking system to clear payments, an extended Internet outage ... any one of these things would bring our days of comfort and happiness to a swift close, no matter what stage of economic development our country happened to be at. And a domino effect would very likely ensue, where failure of one sector brought failure of the others. No electrical power ... no data centers. No data centers, no Internet. No Internet, no Facebook supply chain management. And on it goes.

Now, a few things to note, the first two of which I find worrisome:

  • Governments and critical infrastructure suppliers know all this. They've known it forever. BUT the extent to which they've acted to effectively manage their risks varies wildly from country to country, industry to industry, and company to company. And the extent to which they understand the risks at all, now that we've moved beyond the point of no return into a hypernetworked world where the distinction between physical and digital objects is ever more blurred - that also varies wildly. Generally, though, the level of understanding here tends to be very low.
  • Terrorists, organized criminals, malicious nation states, and other undesirables know this as well. And I believe that, in aggregate, they have a better grasp of the situation than the "good guys" do. That is, the vast majority of industrialists and bureaucrats who control our critical infrastructure. (Yes, I know they're not all good guys ... that's why I put them in quotes.)
  • The common need to maintain high trust in providing critical infrastructure products and services means that the different industry segments noted here, and their many sub segments, can surely benefit from talking to each other more and sharing strategies and best practices when it comes to, for example, cyber security.

It has long struck me that critical infrastructure protection is a hugely important area - even more important than advertising and Justin Bieber - and a field that could use a lot more insight, cross-fertilization, standards, and product innovation than it has right now. I hope this blog can be the beginnings of a catalyst for that to happen, and respectfully invite you to join the conversation.