The IT Law Wiki
There is no avoiding the security implications emerging at the intersection of cyberspace and critical infrastructure.[1]



Critical infrastructure is

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact on the social or economic wellbeing of the nation or affect Australia's ability to conduct national defence and ensure national security.[2]


Critical infrastructure is

the installations, services or assets that if destroyed, disrupted or incapacitated will have a debilitating impact on security, the national economy, national public health and safety.[3]

European Union[]

Critical infrastructure (CI) is

an asset, system or part thereof located in Member States which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a Member State as a result of the failure to maintain those functions.[4]


Critical infrastructure (CI) is

the basis of people's social lives and economic activities formed by businesses that provide services which are extremely difficult to be substituted by others if its function is suspended, deteriorated or become unavailable, it could have significant impacts on people's social lives and economic activities.[5]

United States[]

Critical infrastructures (CI) are

systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.[6]
[s]ystems and assets, whether physical or virtual, so vital that their incapacitation or destruction may have a debilitating impact on the security, economy, public health or environment of a nation. Examples include infrastructure that supports banking and finance, communications, energy and transportation.[7]


Critical infrastructures (CI) (also referred to as critical national infrastructures or CNI) are physical or virtual systems and assets so vital to the nation that their incapacitation or destruction would:

  • cause catastrophic health effects or mass casualties comparable to those from the use of weapons of mass destruction,
  • impair Federal departments and agencies' abilities to perform essential missions or ensure the public's health and safety,
  • undermine State and local government capacities to maintain order and deliver minimum essential public services,
  • damage the private sector's capability to ensure the orderly functioning of the economy . . . .
  • have a negative effect on the economy through the cascading disruption of other critical infrastructure,
  • or undermine the public's morale and confidence in our national economic and political institutions.[8]

Critical infrastructures underpin the security of the U.S.'s national wealth, defense capability, economic prosperity of its people, and, above all, the maintenance of the system of human rights and individual freedoms for which the United States was founded. The threat of infrastructure attacks therefore has the potential for strategic damage to the United States.

Critical infrastructures increasingly integrate information using hardware and software that interoperate over the Internet and depend on the IT infrastructure. Vast amounts of information are collected and shared within government and throughout the private sector using interdependent physical and IT infrastructure. Critical distributed information resources and Web services that support operations must be protected against inappropriate access and malicious attack.

In May 1998, Presidential Decision Directive 63 (PDD-63) established critical infrastructure protection as a national goal and presented a strategy for cooperative efforts by the government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. Among other things, this directive encouraged the development of information sharing and analysis centers (ISAC) to serve as mechanisms for gathering, analyzing, and disseminating information on cyber infrastructure threats and vulnerabilities to and from owners and operators of the sectors and the federal government.

Critical infrastructure sectors[]

There are 18 critical infrastructure sectors: agriculture and food, banking and finance, chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, government facilities, information technology, national monuments and icons, nuclear reactors, materials and waste, postal and shipping, public health and health care, transportation systems, and water. These systems and assets are essential to the operations of the economy and the government.

Cyberspace is their nervous system — the control system of our country. Cyberspace is composed of hundreds of thousands of interconnected computers, servers, routers, switches, and fiber optic cables that allow the critical infrastructures to work. The healthy functioning of cyberspace is essential to the U.S. economy and national security.


Disruptions can be caused by any number of factors: poor design, operator error, physical destruction due to natural causes, (earthquakes, lightning strikes, etc.) or physical destruction due to intentional human actions (theft, arson, terrorist attack, etc.). Disruption of any infrastructure is always inconvenient and can be costly and even life-threatening. Major disruptions could lead to major losses and affect national security, the economy, and the public good.

Over the years, operators of these critical infrastructures have taken measures to guard against, and to quickly respond to, many of these threats, primarily to improve reliability and safety. However, the terrorist attacks of September 11, and the subsequent anthrax attacks, demonstrated the need to reexamine protections in light of the terrorist threat, as part of an overall critical infrastructure protection policy.[9]


[T]his reliance of all of the nation’s critical infrastructures on IT makes any of them vulnerable to a terrorist attack on their computer or telecommunications systems.[10]

The U.S. government has identified multiple sources of threats to our nation’s critical infrastructure, including foreign nation states engaged in information warfare, domestic criminals, hackers, virus writers, and disgruntled employees working within an organization. In addition, there is concern about the growing vulnerabilities to our nation as the design, manufacture, and service of information technology have moved overseas.[11] For example, according to media reports, technology has been shipped to the United States from foreign countries with viruses on the storage devices.[12]

All critical infrastructures are increasingly dependent on information and communications. The most important impact and vulnerability for this sector is the increasing interdependency of the Public Telephone Network (PTN) and the Internet. The Internet depends heavily on the PTN. The PTN, in turn, depends on electrical power for operations and on telephone lines and fiber optic cables that often run along transportation routes. The PTN is increasingly software driven, and remotely managed and maintained through computer networks. Deregulation of the telecommunications industry has had a markedly increase the number of access points, increasing opportunities for attacks.

U.S. authorities are concerned about the prospect of combined physical and cyber attacks, which could have devastating consequences. For example, a cyber attack could disable a security system in order to facilitate a physical attack.

"Of growing concern is the cyber threat to critical infrastructure. This infrastructure provides essential services such as energy, telecommunications, water, transportation, and financial services and is increasingly subject to sophisticated cyber intrusions that pose new risks. As information technology becomes increasingly integrated with physical infrastructure operations, there is increased risk for wide scale or high-consequence events that could cause harm or disrupt services upon which our economy and the daily lives of millions of Americans depend."[13]


  1. Cyber Security and Global Interdependence: What Is Critical?, at 7.
  2. Australian Government's Critical Infrastructure Resilience Strategy, at 8.
  3. Emilio Tissato Nakamura, Jadir Antonio da Silva, José Manuel Martin Rios et al., Mobile Telecommunications Networks for the 2014 World Cup 23 (GSM Association) (Feb. 1, 2011) (full-text(.
  4. EU Council Directive 2008/114/EC of 8 December 2008 on the identification and designation of European critical infrastructures and the assessment of the need to improve their protection, Off. J. of the European Union, at 77 (full-text).
  5. Information Security Policy Council, The Second Action Plan on Information Security Measures for Critical Infrastructures, Japan National Security Information Center, at 10 (Feb. 3 2009) (full-text).
  6. 42 U.S.C. §5195c(e).
  7. Joint Terminology for Cyberspace Operations.
  8. White House, Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection (Dec. 17, 2003). A more general definition is given in statute (Pub. L. No. 107-71, §1016): ". . . systems and assets, physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters."
  9. Besides loss of life, the terrorist attacks of September 11 disrupted the services of a number of critical infrastructures (including telecommunications, the Internet, financial markets, and air transportation). In some cases, protections already in place (like off-site storage of data, mirror capacity, etc.) allowed for relatively quick reconstitution of services. In other cases, service was disrupted for much longer periods of time.
  10. Information Technology for Counterterrorism: Immediate Actions and Future Possibilities, at 2.
  11. Statement of the Director of National Intelligence before the Senate Select Committee on Intelligence, Annual Threat Assessment of the Director of National Intelligence for the Senate Select Committee on Intelligence (Feb. 5, 2008).
  12. Robert McMillan, “Seagate Ships Virus-Laden Hard Drives,” InfoWorld (Nov. 12, 2007).[1]
  13. Department of Homeland Security, The 2014 Quadrennial Homeland Security Review, at 40 (June 18, 2014) (full-text).

See also[]