Critical Information-Dependent Systems and International Security

Giuseppe Sacco


“Every millennium has its own apocalypsis” has been written with regard to the so-called “Millennium Bug Problem”. The issue has been discussed with varying degrees of seriousness in different countries, but has too frequently been treated as a one-time problem. Many people with important collective responsibilities, even within the minority that has not downplayed the related risks, seem to believe that after the critical night of December 31 there will be no further danger to systems whose functioning depends heavily on Information Technologies.

The much talked-about decision of the Chinese authorities to oblige the very persons in charge of security to be on a plane at that moment is a sign of a basic misconception.

Fragility is indeed a permanent feature of large systems and infrastructures that work on the principle of interconnection and on the basis of the exchange of data. The most fragile among them are the so-called “legacy systems”, built up by interconnecting older infrastructures in successive waves of “modernisation”, with the inevitable bugs and frequently unexplored problems arising from the interfacing of different technologies and/or different generations of software.

Apart from fiction indulging in “disaster scenarios”, assessments of this type of risk have already been attempted by two different types of subjects. On one side, by the military and intelligence community, partly in response to continuous hacker intrusions, which are frequently a form of politically-oriented provocation. On the other side, by corporations interested in protecting their systems from costly interference and disruption.

These two subjects, however, frequently see themselves as rivals. Government officials and experts are convinced that software companies spread exaggerated rumours in order to sell the latest security software, exploiting the fears of an uninformed and technically incompetent public. Corporations, in their turn, suspect that governments are afraid of losing control of large sections of societal activity (the most classical example being the downfall of broadcasting monopolies in Europe, and the most recent the emergence of an international public opinion via the Internet, with which governments such as those of Peking and Singapore don't know how to deal), and they tend to resist outside interference in the management of security problems.

The self-evident fact that public and private roles and interests converge in the protection of critical information-dependent infrastructures is, however, admitted in the case of privately owned and operated systems that could be attacked in order to cripple the functioning of an entire country, or of a group of closely interrelated countries such as the EU. With info-war being the future (and possibly present) way of waging “total war”, little distinction is possible between the societal and the political interest in protection and defence.

But disagreement persists over the sharing of the (as yet largely unknown) cost that would have to be borne in order to create reliable protection against cyber warfare, through which a minor power could wage computer-based aggression against other countries and win by crippling the functioning of their most critical infrastructures.

Companies see their duty as that of providing a service. Governments tend to say that they have to guarantee it. Behind these differing approaches lies not only the question of how the cost of defence against an info-attack is to be shared, but also the much more serious and politically delicate question of managing and controlling security in an information-based society.

These issues, and a critical analysis of the various responses to them that are being proposed in the discussions presently underway, will be presented in the proposed paper.