Critical Infrastructure Protection Advances in Critical Infrastructure Protection Information Infrastructure Models Analysis and Defense 1st Edition by Javier Lopez, Roberto Setola, Stephen Wolthusen 3642289207 9783642289200

The document provides information on various ebooks related to critical infrastructure protection, including titles and download links. It emphasizes the importance of understanding the interplay between information and physical infrastructures, as well as the economic and policy implications of security measures. The volume aims to serve as an introduction to the state of the art in critical infrastructure protection, highlighting key issues and research areas.


Lecture Notes in Computer Science 7130
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Alfred Kobsa
University of California, Irvine, CA, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz
University of Bern, Switzerland
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Madhu Sudan
Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Javier Lopez Roberto Setola
Stephen D. Wolthusen (Eds.)

Critical
Infrastructure
Protection
Information Infrastructure Models,
Analysis, and Defense

Volume Editors

Javier Lopez
University of Malaga
Computer Science Department
29071 Malaga, Spain
E-mail: jlm@lcc.uma.es

Roberto Setola
University CAMPUS Bio-Medico di Roma
Complex Systems and Security Lab
Via Alvaro del Portillo, 21
00128 Roma, Italy
E-mail: r.setola@unicampus.it

Stephen D. Wolthusen
University of London
Information Security Group
Department of Mathematics
Egham, Surrey TW20 0EX, UK
and
Gjøvik University College
Norwegian Information Security Laboratory
Faculty of Computer Science
2802 Gjøvik, Norway
E-mail: stephen.wolthusen@rhul.ac.uk

ISSN 0302-9743 e-ISSN 1611-3349


ISBN 978-3-642-28919-4 e-ISBN 978-3-642-28920-0
DOI 10.1007/978-3-642-28920-0
Springer Heidelberg Dordrecht London New York

Library of Congress Control Number: 2012933456


CR Subject Classification (1998): D.4.6, K.6.5, E.3, C.2, H.4, H.3, I.6, J.1

LNCS Sublibrary: SL 4 – Security and Cryptology

© Springer-Verlag Berlin Heidelberg 2012


This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965,
in its current version, and permission for use must always be obtained from Springer. Violations are liable
to prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply,
even in the absence of a specific statement, that such names are exempt from the relevant protective laws
and regulations and therefore free for general use.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface

Information and communication technology (ICT) systems form an integral part of critical infrastructure globally, whether in their own right or as a supporting or controlling mechanism for other sectors. Although there are large bodies of work on the safety and reliability of the underlying systems and components and on many security aspects affecting the critical infrastructure’s ICT elements, there are a significant number of issues that are unique and both deserve and demand to be considered in their own right.

Although not the main focus of the present volume, it begins with an understanding of the effects and impacts of failures in the critical infrastructure including any cascading effects that may also occur in different locations or at later points in time, but also must take into account the conflict between more conventional security considerations and the often overriding imperative to ensure availability that implies a much greater reliance on a system’s resilience to failure and compromise than is typically given consideration, e.g., in the development of cryptographic security mechanisms.

Moreover, the properties of critical information infrastructures make it inevitable that the inter-relationships with the physical infrastructure be considered, which can arise in many different forms from the need to satisfy hard real-time constraints to having to understand the way that a physical system state influences ICT components and vice versa.

Beyond such largely academic and technical considerations, however, the field also has a necessarily strong link to economic and policy considerations, which directly and indirectly influence any approach to the safety, security, and resilience of the critical (information) infrastructure. Recent developments have shown the need to regularly assess the validity of many explicit and tacit assumptions, including whether attacks on critical infrastructure by non-state (e.g., terrorist) or state actors (“cyber warfare”) represent a genuine threat.

The present volume cannot begin to cover all of these issues in a satisfactory manner. However, in combining elementary concepts and models with policy-related issues and placing an emphasis on the timely area of control systems, the book aims to highlight some of the key issues facing the research community. The sector studies included provide further insights into selected issues encountered both in infrastructure sectors that have been studied extensively such as the electric grid, but also ones that have not seen similar attention despite their obvious significance, namely, the financial services sector, but also the oil and gas elements of the energy and the transportation sector with their reliance on ICT systems to ensure levels of efficiency and safety that would otherwise not be possible to achieve.

We hope that this book can serve as a timely introduction to the state of the art in critical infrastructure protection, particularly for the information infrastructure, and as such may aid both researchers to gain an overview of a field that is still largely dominated by conference publications and a disparate body of literature, but also lecturers wishing to prepare postgraduate-level courses in this rapidly moving and multifaceted field.

October 2011

Javier Lopez
Roberto Setola
Stephen D. Wolthusen

List of Contributors

Andreas Aas
Norwegian University of Science and Technology, Norway
E-mail: aasand@jbv.no
Cristina Alcaraz
Computer Science Department, University of Malaga, Spain
E-mail: alcaraz@lcc.uma.es
Ettore Bompard
Department of Electrical Engineering, Politecnico di Torino, Italy
E-mail: ettore.bompard@polito.it
Fernando Carvajal
INDRA, Spain
E-mail: jfcarvajal@indra.es
Paolo Cuccia
Department of Dispatching and Grid Operation, Terna S.p.A, Italy
E-mail: paolo.cuccia@terna.it
Jordi Cucurull
Department of Computer and Information Science,
Linköping University, Sweden
E-mail: g-jorcu@ida.liu.se
Myriam Dunn Cavelty
Center for Security Studies, ETH Zurich, Switzerland
E-mail: dunn@sipo.gess.ethz.ch
Gerardo Fernandez
Computer Science Department, University of Malaga, Spain
E-mail: gerardo@lcc.uma.es
Igor Nai Fovino
Institute for the Protection and Security of the Citizen, Joint Research Center,
European Commission
E-mail: igor.nai@jrc.ec.europa.eu
Andrea Glorioso
European Commission DG Information Society and Media, Unit A3 - Internet,
Network and Information Security
E-mail: Andrea.Glorioso@ec.europa.eu

Daniel Germanus
Computer Science Department, Technische Universität Darmstadt, Germany
E-mail: germanus@cs.tu-darmstadt.de
Rajni Goel
Department of Information Systems and Decision Sciences,
Howard University, USA
E-mail: rgoel@howard.edu
Stuart Goldman
USA
E-mail: familygoldman@gmail.com
Bernhard Hämmerli
Department of Computer Science, Norwegian Information Security Laboratory,
Gjøvik University College, Norway
E-mail: bmhaemmerli@acris.ch; E-mail: Bernhard.Hammerli@hig.no
Mark Hartong
Federal Railroad Administration, U.S. Department of Transportation, USA
E-mail: mark.hartong@dot.gov
Stig O. Johnsen
Norwegian University of Science and Technology, Norway
E-mail: Stig.O.Johnsen@gmail.com
Abdelmajid Khelil
Computer Science Department, Technische Universität Darmstadt, Germany
E-mail: khelil@cs.tu-darmstadt.de
Javier Lopez
Computer Science Department, University of Malaga, Spain
E-mail: jlm@lcc.uma.es
Eric Luiijf
Netherlands Organisation for Applied Scientific Research - TNO,
The Netherlands
E-mail: eric.luiijf@tno.nl
Marcelo Masera
Institute for Energy, Joint Research Center, European Commission
E-mail: marcelo.masera@jrc.it
Simin Nadjm-Tehrani
Department of Computer and Information Science, Linköping University,
Sweden
E-mail: simin@ida.liu.se
Ying Qian
Shanghai University, Shanghai
E-mail: iris qian@hotmail.com

Massimiliano Raciti
Department of Computer and Information Science,
Linköping University, Sweden
E-mail: masra@ida.liu.se
Julian L. Rrushi
Faculty of Computer Science, University of New Brunswick, Canada
E-mail: jrrushi@unb.ca
Andrea Servida
European Commission DG Information Society and Media, Unit A3 - Internet,
Network and Information Security
E-mail: Andrea.Servida@ec.europa.eu
Roberto Setola
Faculty of Engineering, Universitá Campus Bio-Medico di Roma, Italy
E-mail: r.setola@unicampus.it
Neeraj Suri
Computer Science Department, Technische Universität Darmstadt, Germany
E-mail: suri@cs.tu-darmstadt.de
Manuel Suter
Center for Security Studies, ETH Zurich, Switzerland
E-mail: suter@sipo.gess.ethz.ch
Nils Kalstad Svendsen
Norwegian Information Security Laboratory, Faculty of Computer Science,
Gjøvik University College, Norway
E-mail: nils.svendsen@hig.no
Huseyin Uzunalioglu
Alcatel-Lucent, USA
E-mail: huseyin.uzunalioglu@alcatel-lucent.com
Duminda Wijesekera
Department of Computer Science, George Mason University, USA
E-mail: dwijesek@gmu.edu
Stephen D. Wolthusen
Norwegian Information Security Laboratory, Faculty of Computer Science,
Gjøvik University College, Norway
E-mail: stephen.wolthusen@hig.no and
Information Security Group, Department of Mathematics, Royal Holloway,
University of London, UK
E-mail: stephen.wolthusen@hig.no
Part I
Introduction to Critical Information
Infrastructure Protection

The chapters in this part provide an overview of the concepts and terminology used throughout this volume and also serve as a high-level outlook on current developments in critical information infrastructure research. As these are inevitably interlinked, the following chapters also provide a perspective on the larger critical infrastructure area, its interactions with the policy domain, and the risks and vulnerabilities that the critical information infrastructure is exposed to.

Part II
Models and Defensive Mechanisms

In this part, the current state of research on modeling critical infrastructures is elaborated with an emphasis on information infrastructures and the associated problems of early warning and attack detection mechanisms; the latter are critical as the critical information infrastructure is typically required to operate continuously and may not easily be shut down or degraded for defensive or recovery purposes. An example of the type of models involving physical as well as ICT elements is provided in the second chapter of this part, while further aspects of this problem area will be discussed in the following Parts III and IV as well.

Part III
Control Systems and Protocols

A key part of the critical information infrastructure is in fact not immediately visible as it is embedded in automation and control systems, which are the focus of Part III. Following an introduction to the problems of supervisory control and data acquisition (SCADA) and distributed control (DCS) systems, research on vulnerability of control systems with particular emphasis on areas where differences to standard network and information systems arise is discussed, followed by a review of the security threats and possible countermeasures resulting from ongoing developments away from proprietary protocols and towards open standards, along with the increased risks of inadvertent and inadvisable interconnections.

Part IV
Infrastructure Sector Studies

The final part of this volume is devoted to a selection of sector studies. These deal with two sub-sectors of the energy sector, namely the electric grid with an emphasis on the conventional, large-scale grid and its robust operation, and also the oil, gas, and petrochemical industries. In addition, a chapter on telecommunications highlights some of the concerns raised by convergent next-generation telecommunications infrastructures that have been or are being deployed by many advanced telecommunications carriers. The chapter on the financial services industry focuses largely on the back-end infrastructure of banks and institutions in the sector, but also highlights some of the problems facing the sector from new technology being deployed before a review of the transportation sector with an emphasis on a case study for the rail transportation sector.

Table of Contents

Part I: Introduction to Critical Information Infrastructure Protection

Overview of Critical Information Infrastructure Protection
Javier Lopez, Roberto Setola, and Stephen D. Wolthusen

The Art of CIIP Strategy: Tacking Stock of Content and Processes
Myriam Dunn Cavelty and Manuel Suter

Infrastructure Sectors and the Information Infrastructure
Andrea Glorioso and Andrea Servida

Understanding Cyber Threats and Vulnerabilities
Eric Luiijf

Part II: Models and Defensive Mechanisms

Modelling Approaches
Nils Kalstad Svendsen and Stephen D. Wolthusen

Anomaly Detection in Water Management Systems
Massimiliano Raciti, Jordi Cucurull, and Simin Nadjm-Tehrani

Part III: Control Systems and Protocols

Security Aspects of SCADA and DCS Environments
Cristina Alcaraz, Gerardo Fernandez, and Fernando Carvajal

SCADA Protocol Vulnerabilities
Julian L. Rrushi

Protection of SCADA Communication Channels
Abdelmajid Khelil, Daniel Germanus, and Neeraj Suri

Part IV: Infrastructure Sector Studies

Cyber Vulnerability in Power Systems Operation and Control
Ettore Bompard, Paolo Cuccia, Marcelo Masera, and Igor Nai Fovino

Sector-Specific Information Infrastructure Issues in the Oil, Gas, and Petrochemical Sector
Stig O. Johnsen, Andreas Aas, and Ying Qian

Telecommunications
Stuart Goldman and Huseyin Uzunalioglu

Financial Services Industry
Bernhard Hämmerli

Transportation
Mark Hartong, Rajni Goel, and Duminda Wijesekera

Author Index



Overview of Critical Information
Infrastructure Protection

Javier Lopez¹, Roberto Setola², and Stephen D. Wolthusen³

¹ Computer Science Department, E.T.S. Ingenieria Informatica, Campus de Teatinos, University of Malaga, Malaga, Spain
jlm@lcc.uma.es
² Faculty of Engineering, Universitá Campus Bio-Medico di Roma, Rome, Italy
r.setola@unicampus.it
³ Department of Mathematics, Royal Holloway, University of London, Egham, United Kingdom and Norwegian Information Security Laboratory, Gjøvik University College, Gjøvik, Norway
stephen.wolthusen@rhul.ac.uk

Abstract. The present volume aims to provide an overview of the current understanding of the so-called Critical Infrastructure (CI), and particularly the Critical Information Infrastructure (CII), which not only forms one of the constituent sectors of the overall CI, but also is unique in providing an element of interconnection between sectors as well as often also intra-sectoral control mechanisms. One problem faced by research on C(I)I is the extreme range of scales at which security problems may arise. This is true for the time dimension where policy-level decisions such as the deployment of physical infrastructure like roads and high-tension transmission lines have impacts measured in decades whilst industrial control systems must provide guaranteed and secure real-time responses in the millisecond range. It is, moreover, also the case for the physical extent of infrastructures where single physical facilities such as vaccine plants may be a vital element of national or supra-national infrastructures, but where the trans-national electrical power or natural gas transmission networks span entire continents.

The book hence surveys not only key high-level concepts and selected technical research areas with an emphasis on control systems as a highly active research area, but also seeks to include policy aspects as well as a discussion on models for validation and verification. This is rounded off by several studies of specific issues and challenges faced by individual CI sectors including the telecommunications, electricity, transportation, and financial services sectors.

1 Introduction

Modern societies depend on the continuous and reliable availability of a number of services and are at risk of severe economic impacts or loss of life and limb if such products and services are disrupted or unavailable in a larger region for a significant length of time. These services are those provided by the so-called critical infrastructures (CI). These infrastructures are not merely crucial in their own right but also exhibit interdependencies which in some cases result in tight coupling between components.

J. Lopez et al. (Eds.): Critical Information Infrastructure Protection, LNCS 7130, pp. 1–14, 2012.
© Springer-Verlag Berlin Heidelberg 2012

Risks related to critical infrastructures arise from a number of quarters, beginning with simple wear and tear of individual components leading to failures, natural disasters, but also including sabotage and acts of terrorism or war. In many cases individual incidents are “normal” and expected and can be dealt with accordingly in the course of regular operations for many such critical infrastructures. As an example, part of any electric power grid will, regardless of whether referring to the transmission or generation side, be inoperational for maintenance or because of malfunctions and other unforeseen events at any given point in time. In such cases long-standing experience as well as sector-specific practices and regulatory oversight ensure that sufficient redundancy exists to meet the service quality and reliability requirements unless exceptional circumstances arise. This limitation arises simply from the fact that any safety margin will, by necessity, be finite and one cannot anticipate any and all contingencies that may either be wholly unanticipated or have a very low probability of occurrence. As is discussed throughout this book, however, research on the protection of critical infrastructures is not concerned primarily with such well-understood approaches to reliability theory and fault tolerance but rather with areas that are less well understood by these communities.

One such area is the need to consider cases in which faults and malfunctions are induced deliberately and hence cannot be described as easily by statistical means and ultimately as probability density functions. For such deliberate attacks and sabotage, it is therefore necessary to study different mechanisms for the design and analysis of infrastructure components which allow the efficient enhancement of their robustness and, moreover, the early detection and mitigation of such actions. The second area of research that is underpinning much of the work also documented in the present book is a need to understand interconnections between elements of the critical infrastructure that can lead to larger-scale and often unanticipated failures, particularly where interdependencies mean that infrastructures are mutually dependent on each other and can hence both propagate failures from one sector to another but also make recovery from such events difficult as assumptions on the availability of other sectors’ services may not be valid.

The critical infrastructure is commonly considered to be divided into sectors, and while the precise composition varies in granularity and scope between analyses [6,3,8], the energy and particularly the information and communication (ICT) sector are typically singled out owing to their immediate impact on other infrastructure elements. This is particularly the case for the ICT sector, which has to be considered at the same time a critical infrastructure by itself, but also an increasingly fundamental component to the operation of any other critical infrastructure for almost all other sectors from financial services to transportation. To stress the peculiar nature of ICT, the term Critical Information Infrastructure (CII) was coined, which has been identified as an area of particular concern.

Following pioneering efforts of the PCCCI in the U.S., considerable attention has been devoted to enhancing the robustness of the ICT infrastructures. This was driven in part by a recognition that this area has the potential to be the focus of an attack by asymmetrical adversaries without a need for geographical proximity, but also because it is still not well-understood where the limitations of attacks on the ICT infrastructures are relative to other threats. Moreover, unlike for attacks on physical entities, it is not necessarily possible to determine the origin of an attack reliably, making attribution one of the most difficult problems with any such attacks. As a result, however, the well-understood mechanisms and theories underlying reactions to and deterrence of malicious activity are not immediately applicable. This has led to ongoing efforts worldwide to increase protective measures, generally referred to as Critical Information Infrastructure Protection (CIIP). However, despite the identification of the need to have CII protection strategies, no clear consensus has emerged yet as to its exact scope and distinction from general computer, network, and information security and research in these fields on one hand and policy-related activities on the other. At the same time it is also increasingly clear from a number of incidents that targeted attacks on critical infrastructure have moved from the subject of largely academic inquiry [2,4,1] to a focal area of defence and intelligence establishments worldwide [5,7]. Moreover, although deliberate, coordinated attacks clearly are the more challenging problem, even relatively simple faults and human error must be better understood as unlike for physical events, there exists very little historical data or constraints imposed by underlying physical properties for the ICT sector that are relevant in other domains in constructing risk and vulnerability assessments.

This book hence aims to address this issue by providing a faceted view of core results and ongoing research in the area centered around the ICT domain, but also touching upon other sectors that are affected by the specific issues surrounding the ICT sector. The focus of the book will therefore be on aspects unique to critical information infrastructures and infrastructure sectors immediately affected by CII. Moreover, it will also emphasise issues arising from different aspects of interconnection specific to the critical information infrastructure and cover not just the immediate operational concerns but also the prevention, detection, and mitigation of threats and attacks through a number of approaches ranging from policies and procedures to early warning and detection mechanisms.

Given this remit, the contributions to this book cover not only the scientific and technical aspects of CII protection and security; instead, they are deliberately structured in such a way as to commence with a review of the policy level and the understanding of individual sectors and their interconnections as well as current understanding on existing and evolving threats and vulnerabilities. Given the ubiquitous nature of ICT systems, a comprehensive review of the impact on CII would require a much more extensive format. By focusing on an area which is both the subject of intensive scrutiny by the CII research community and with the potential for a disproportionate impact owing to the direct coupling between information and physical systems in the form of selected aspects of control systems security, the book seeks to highlight key problems that are not wholly addressed by general information security research.

1.1 Active Research Areas


Although research on critical infrastructures and particularly critical information infrastructures
as identified in this book has been the subject of investigation for well over
a decade at the time of writing, it is nevertheless still defining its precise boundaries.
This is in part owing to developments in the infrastructure itself, often involving novel
and unanticipated use of information and communication technology, but also to the
identification of novel or re-assessment of existing hazards and threats. A further characteristic
of C(I)IP research is that it is drawing on a number of disciplines to aid in
understanding and enhancing the robustness, resilience, and security of critical infrastructure
components and particularly interconnected components. Whilst this research
is typically not inter-disciplinary in nature, it has been the case that similar questions
particularly in the modelling and simulation domain have been approached by using
significantly different techniques ranging from employing graph theory to autonomous
agents approaches and statistical physics. This creates difficulties not only in assessing
work based on differing sets of assumptions, but also because of the very different methods
used in such investigations, and consequently the difficulty of identifying the “C(I)IP
community” and the relevant sources of information.
Any collection must cope with such a multiplicity of perspectives, although in this
case it is clearly inevitable that the range is necessarily broader than would be the case
otherwise.
Except for cases where both data and results are qualitative in nature and hence
unlikely to allow the derivation of actionable conclusions, most research in the C(I)IP
domain is faced with the problem that its results can be either misused if obtained by
unauthorised entities or that the very data on which it may be based is also sensitive in
its own right as it may identify vulnerabilities or ways in which threats can be realised.
This problem also arises in case of other research, particularly in the information security
domain where a vulnerability may be widespread and difficult to mitigate. Here,
systematic vulnerabilities such as protocol weaknesses may require extended time periods
for changes to affected systems or mitigation efforts during which the release of
information on the vulnerability can still cause widespread damage.
For critical infrastructures, particularly where physical and cyber systems are interconnected,
the potential for adverse effects may be substantially larger and involve
larger-scale economic disruptions or loss of life and limb. This often also imposes an
ethical onus on researchers in addition to legal requirements, and it is imperative that
any such work is undertaken in full awareness of its potential ramifications.

2 Overview
The following section provides a brief overview of the structure and contents of the
book. As the volume is intended to serve the dual purpose of a collection of active
research whilst being suitable for use as a graduate-level text, it has been divided into
four parts:

2.1 Part I: Introduction


The first part of the book consists of three chapters in addition to the present one and
is intended primarily to set the scene and contextualise the problems and research
discussed in the remaining three parts. This is necessary in no small part owing to
the cross-connections between the technical and policy domains, but — as is made
evident throughout the book — also illustrates that even within these two large domains,
significant differences exist in terminology and usage, resulting in inevitable
mis-communication at the necessary points of interaction. Such interaction is of course
inevitable given the interconnections and interdependencies found throughout the critical
information infrastructure and the further elements of the critical infrastructure that
is coming to rely on the CII.
The chapter by Dunn Cavelty and Suter therefore begins by providing a policy-oriented
delineation of the CIIP area. This not only requires the identification of what
constitutes the immediate as well as indirect critical aspects forming both the CII and
supporting roles as outlined above, but is also becoming increasingly connected to the
area of cyber security and defence — itself a term that is very much evolving — as
concepts and demonstrated activities from the realm of information warfare are becoming
realised and also have an immediate impact on civilian infrastructure, forcing a
re-assessment of risk and security assessments at the policy level that was not considered
necessary whilst these threats were merely hypothetical in nature. These authors
hence provide a systematic overview of protection goals that reach from the strategic
level at the national and in some cases supra-national levels to general CII and ultimately
also sector-specific goals and requirements, although particularly in the CII the
relevant sectors are frequently not easily bounded by geographical or political entities.
These different levels are illustrated with relevant national strategies and also reflect
external constraints such as the association of CI and CII with different governmental
departments since such organisational aspects can lead to significant differences in
approaches even where all other aspects of the problem space are largely comparable.
However, as noted by the authors, the development of relevant strategies is still very
much an on-going activity and has not seen the level of co-ordination and reconciliation
that would be considered desirable. A significant contribution of the chapter is therefore
a review of the strategy development process itself and the different approaches
chosen by countries that have already undertaken such development processes along
with a discussion of insights gained from nations where such strategies have not only
been discussed but also where at least some insight has been gained from their operationalisation.
One such implementation aspect highlighted by Dunn Cavelty and Suter
is the use of Public-Private information sharing arrangements; such co-ordination efforts
are in place in several countries as the CII is typically held privately, necessitating
means for translating and communicating protection strategies from the policy to the —
private — operational level.
Following this tour d’horizon of the policy landscape driven mainly by national
strategies, the chapter by Glorioso and Servida offers a more focused European perspective.
As highlighted above, there is a strong influence on how an approach is framed
based on the remit and constraints posed by the policy level, and this is clearly also the
case for a European Union perspective that does not have the national security aspect
within its mandate. The authors nevertheless highlight the European role in this domain
beginning with recent efforts at co-ordinating prevention and preparedness measures for
attacks on the CI, which is closely aligned to this boundary. Highlighting the various
interlocking bodies and instruments that are not limited to the European Commission,
this provides the background for the further study of the ICT sector and particularly the
Communication on Critical Information Infrastructure Protection of 2009 that has come
into force as an instrument in addition to the more conventional regulatory powers that
the Commission has been able to exert directly or indirectly in the sectors related to the
CII. This is traced along the lines of the five-pillar strategy of the European Commission
in the remainder of the chapter. As in the preceding contribution by Dunn Cavelty and
Suter, the lack of alignment between infrastructure ownership and the entities potentially
suffering from their becoming unavailable is discussed, but with an emphasis on
governance and monitoring structures. Such structures can, where more technical capabilities
are affected, be co-ordinated provided that a common baseline and information
exchange mechanisms are achieved. However, as Glorioso and Servida point out, there
exist genuine differences in policy priorities that render higher levels of co-ordination
problematic.
The final chapter in the introductory part of the book by Luiijf takes a more systematic
approach to the threats and risks that the preceding chapters employed in a more
intuitive manner. Although it is inevitable that the precise semantics of some of the
terms and concepts required in the CI(I) domain are the subject of ongoing discussions
that can even be influenced by the context in which terms are used, the taxonomy provided
by Luiijf represents a useful point of departure. The main focus of the chapter is
on providing a review of the threats considered relevant to the CII environment under
an all-hazards perspective. This approach also considers threats to the CII environment
rather than merely the CII itself, and so must take natural events ranging from phaenomena
such as solar flares to even insects causing damage to physical equipment into account
as well as externalities that involve human actions. The latter, however, need not
even be deliberate and can be the result of accidents or actions that have indirect, unforeseen
effects, which makes such threats very difficult to bound properly. In outlining
a selection of threats specific to the ICT domain, the chapter also highlights a similar
problem for identifying bounds; as is demonstrated for the case of control systems in
Part III, this area also encompasses ICT systems that combine intricate functional requirements
with what so far must be considered only limited resilience to deliberate
threats. Characterising the threat actors is a further major contribution of the chapter
by Luiijf, which also seeks to characterise the different unique roles that the CII has as
not only the immediate target of attacks, but also indirect effects when the CII is used
either as the means to achieve a threat agent’s objective or even as a weapon in its own
right. As Luiijf points out, however, many threats emerging in novel application areas
of ICT such as electric mobility and the ICT systems embedded in Smart Grid environments
will likely only be identified as having been encountered before in similar form
after the fact; at the same time, however, the very flexibility and ability to create novel
applications by combining ICT components in unforeseen ways make a comprehensive
assessment of risks an extremely challenging task.

2.2 Part II: Models and Defensive Mechanisms


As with any other element of the Critical Infrastructures, protecting the Critical Information
Infrastructure particularly against deliberate attacks cannot rely on reactive defence
mechanisms and be limited in the ability to extrapolate current and future threats
from historical data even for accidents and natural disasters since the information infrastructure’s
rate of change is likely to invalidate such conclusions rapidly. A major
element of research on critical infrastructures and also the CII has therefore focused
on model-building and, to a lesser extent, their validation. Such models are crucial in
identifying not only high-level interactions that are not obvious in their strength or
potentially even existence, but can also be employed in exploratory settings. This can
occur either systematically, exploring parts of the parameter space, or in the form of
targeted exercises and scenarios that allow a more fine-grained investigation not only of
the behaviour of the Critical Information Infrastructure, but also the entities interacting
with it.
The chapter by Svendsen and Wolthusen provides a high-level survey of some of the
most significant and influential strands of research on modelling and simulation of critical
infrastructures. Such models typically include or are focused on the CII, but may
also extend further and incorporate other sectors that have an impact on the CII. Moreover,
similar to the hierarchy of strategic considerations found by Dunn Cavelty and
Suter, modelling techniques span a very broad range of abstraction levels ranging from
qualitative models describing national or even supranational entities on a sector-by-sector
basis for the purpose of qualitative analyses of resilience or macro-economic effects
to highly quantitative models of smaller-scale effects. The chapter therefore seeks
to provide at least reference models sampled from this broad spectrum. These include,
at the qualitative level, economic models such as Input-Output models but also models
of interacting entities such as those based on System Dynamics. Although limited in
their predictive ability, such models are valuable as aids to understanding dependencies
and interactions, particularly for more complex models that cannot be understood easily
without the support of simulation environments. Characterising or even predicting
the behaviour of threat agents as well as neutral or friendly entities interacting in the
CI(I) domain is, however, a highly desirable objective that has recently gained attention
and is modelled using game-theoretical and related behavioural techniques in ongoing
research that can aid in areas such as defensive resource allocation. A major part of
the chapter is, however, devoted to the large body of research on graph-based models
of critical infrastructures at different levels, which in turn can range from techniques
found in statistical physics to highly accurate domain-specific models. The graph or
other combinatorial representation, however, is often crucial in such models to gain an
understanding of relations and structural properties that go significantly beyond artifacts
and phaenomena arising from particular parameter choices.
The following chapter of this part, by Raciti, Cucurull and Nadjm-Tehrani, focuses its
attention on Water Management Systems as water quality has recently received considerable
attention from the security research community. The authors argue that real-time
monitoring of water quality requires analysis of sensor data gathered at distributed locations,
as well as subsequent generation of alarms when quality indicators indicate
anomalies. In these infrastructures, event detection systems should produce accurate
alarms, with low latency and few false positives. In this sense, this chapter shows how
an existing learning-based anomaly detection technique is applied to the detection of
contamination events in water distribution systems. The initial hypothesis of the authors
is that the clustering algorithm ADWICE, which has earlier been successfully applied to
n-dimensional data spaces in IP networks, can also be deployed for real-time anomaly
detection in water management systems. The chapter describes the evaluation of the
anomaly detection software when integrated in a SCADA system that manages water
sensors and provides data for analysis within the Water Security initiative of the U.S.
Environmental Protection Agency (EPA). Also, this chapter elaborates on the analysis
of the performance of the approach for two stations using performance metrics such
as detection rate, false positives, detection latency, and sensitivity to the contamination
level of the attacks. The first results, in terms of detection rate and false positive rate,
have shown some contaminants are easier to detect than others. Additionally, the authors
discuss the reliability of the analysis when data sets are not perfect, that is, where
data values may be missing or less accurate as indicated by sensor alerts.

2.3 Part III: Control Systems and Protocols


The necessity of considering the security and robustness of control systems was well-recognised
by researchers at the time the present volume was conceived; it has since
regrettably become a far more public concern that is unlikely to fade from sight. In part
this is attributable to the prevalence of legacy systems dating back to insulated environments
with limited capabilities, which is likely to become less of a concern over time
as facilities are modernised or retired altogether. However, several other concerns such
as the need to operate under hard real-time constraints or the overriding importance often
placed on availability and reliability over security are likely to pose challenges for
enhancing the robustness of control systems to different types of disruptions, which do
also include deliberate attacks. Moreover, some concerns are less likely to arise in information
systems otherwise, namely the need to trade off security and the confidence of
having adequate controllability over a facility and its products against the risk of loss of
function such as production outputs or even damage to equipment and endangering the
environment or placing lives at risk. In such cases decisions must be made rapidly, often
based on incomplete and unreliable information, which is unlikely to be possible in a
fully automated manner. This aspect of protecting the critical information infrastructure
hence inevitably also touches the boundaries of other areas including human-computer
interaction and incident management rather than being able to restrict inquiries to the
design of robust and secure systems since threats such as physical subversion, vulnerabilities,
or malicious insider activities are likely to invalidate underlying assumptions.
The chapter by Alcaraz, Fernandez and Carvajal hence focuses on providing basic
guidelines for a suitable secure management of current SCADA systems, which converge
on the use and dependence on new ICT systems for automation and control from
anywhere and anytime. These types of advances and the use of new technologies bring
new security issues and a large number of potential risks due to threats, vulnerabilities
and failures associated with them. As the authors point out, it is necessary to take into account
some security aspects that allow the system to protect itself against any possible
anomalous event/situation. To this end, some aspects related to network architecture,
interdependences and consequences are analysed in-depth throughout the chapter in
order to identify problems and their security solutions. Most of these solutions are closely
related to secure management by means of standards, security policies, official
recommendations, best practices and technical specifications to ensure interoperability
between SCADA components, systems and entities. Detection and prevention aspects,
and incident response topics are also discussed, identifying tools, systems and
methodologies to apply in these types of critical systems. Moreover, an adaptive alarm
management system based on reputation is presented in order to show how a SCADA
system could intelligently assign alarms to the best operators in the field, thereby
efficiently speeding up the response. Solutions and approaches are equally
analysed for a Smart Grid context whose main control is located in a SCADA system.
Also in the scope of SCADA, a chapter on protocol vulnerabilities by Rrushi follows.
As the author points out, most of the network traffic in process control networks
is generated by industrial communication protocols, which means that a large number
of attack techniques that apply to process control systems can be conducted over industrial
communication protocols. The author provides a technical discussion of
possible vulnerabilities in industrial communication protocols, with specific reference
to Modbus and the IEC 61850 protocols, considered as representatives of the protocols
currently deployed in digitally controlled physical infrastructures such as power plants
and electrical substations. In this sense, Modbus has been selected as representative of
bit-oriented protocols in terms of design while IEC 61850 has been selected because it
adopts the emerging paradigm of object-oriented process control communications. It is
important to note that Rrushi elaborates on how the vulnerabilities are exploited. In detail,
the chapter discusses vulnerabilities regarding weak or missing authentication and
integrity checks of industrial protocol traffic along with some of the computer network
attacks that exploit those vulnerabilities. Then, memory corruption vulnerabilities as
applied to implementations of industrial communication protocols are also discussed.
Besides, the chapter also includes a description of various techniques that leverage a
computer network attack to cause physical damage via disruption of physical processes
and equipment.
This part of the book finishes with a chapter authored by Khelil, Germanus and Suri
that focuses on the protection of SCADA communication channels. Generally speaking,
in this chapter the existing approaches for SCADA communication protection are comprehensively
surveyed and categorized, and also upcoming research technologies on
enhancing the protection of SCADA communication are presented. More precisely, the
paper describes the communication assets of SCADA systems and their requirements
on protection, and also outlines the key threats, vulnerabilities and security weaknesses
of SCADA systems that may present a danger for their proper operation. Then, existing
techniques for the protection of SCADA communication channels are discussed. Interestingly,
the authors classify them into three main categories: techniques for resilience to
network perturbations, cryptographic protection of SCADA communication, and trustworthy
interconnection of SCADA systems. Further, the authors focus on middleware techniques
as they have general applicability and also conform with the clear IP trend
in SCADA components, and analyse two middleware add-on protection techniques, the
INSPIRE P2P-based middleware and the GridStat middleware. As shown by the authors,
both techniques aim at augmenting the trustworthiness of deployed SCADA systems,
primarily utilizing the approach of controllable data replication.

2.4 Part IV: Infrastructure Sector Studies


The book concludes with five sector studies, which aim to highlight the different but
nevertheless crucial impact that the information systems aspect brings to securing the
critical infrastructure. There is a notable imbalance in the availability of published
information on different sectors, with the vast majority of material covering the telecommunications
area and the interactions of this sector particularly with the energy sector,
specifically the electricity sector. Other sectors may be equally dependent on information
and communication systems, but this is far less visible. Confidentiality requirements
are a major hindrance in any efforts seeking to ultimately publish outcomes, and
in some areas even highlighting concerns appears to be problematic. In other environments,
however, it is still necessary to exercise careful judgement in analysing security,
reliability, and robustness characteristics of sectors and sector elements as some of the
problems identified may well turn out to be difficult or time-consuming to rectify. This
relative paucity of available information for some sectors is also problematic for the
creation and ultimately also the verification and validation of models discussed in Part
II, but is unlikely to be possible to rectify in the medium term.
The aforementioned electricity sub-sector of the energy domain is covered in the
chapter by Bompard, Cuccia, Masera, and Nai Fovino, who provide a high-level survey
of modern power systems with an emphasis on parts of the electric grid that are normally
considered constituent elements of the critical infrastructure. These include the
national and supra-national elements drawing on the European case as an example and
range to the distribution grid, which only in rare instances would be concerned with the
impact of end users. The chapter focuses on the current grid architecture concentrated
around a relatively limited number of large-scale generation sites and similarly limited
transmission capabilities. This necessitates the continuous monitoring of the grid state
to ensure that operating parameters remain in an acceptable range both for a given area
(e.g. national grid) and any adjacent or otherwise affected areas as these may differ. An
intrinsic challenge in the electric grid is the need to maintain an equilibrium within a
relatively narrow parameter space under real-time constraints despite considerable fluctuations
in generating and transmission capacity as well as demand. Elaborate models
exist for state and demand estimation as well as planning, but despite this situations may
arise where it is not possible or cost-effective to compensate. Bompard et al. hence also
discuss the protective measures available to grid operators before discussing the specific
security risks and problems in the sector beginning with an overview of the communication
and control systems employed in the electricity sector at different levels from
control centres to individual SCADA components and concluding with an analysis of
possible countermeasures. As the sector is likely to change in response to the need to
reduce its carbon intensity and efficiency, a number of new challenges will arise; however,
the current highly reliable infrastructure in place is likely to remain the backbone
for the foreseeable future, and hence its security and robustness must be assured despite
further efforts in securing the more modern smart grid of the future and its interplay
with the conventional grid.
The chapter by Johnsen, Aas, and Qian studies a different aspect of the energy sector
that is less concerned with real-time effects, but one where the impact of failure is potentially
very severe to the ability to function, the environment, and loss of life and limb,
namely the oil and gas sector. Although the risk of contamination as well as fires and
explosions is inherent in the sector, the need to exploit resources that are increasingly
difficult to reach and often stretch the limits of available technology or indeed require
the development of novel techniques for exploration and exploitation altogether may
well have increased the potential for accidents. Moreover, both the more sophisticated
techniques themselves and the increasingly hostile environments such as off-shore or
Arctic environments force reliance on automation and control systems that cannot, similar
to the electric grid, be replaced or even bridged by manual intervention owing to
the precision and complexity of the operations required. However, despite efforts to
centralise some of these operations and an increasing reliance on highly specialised
entities collaborating in all phases of the exploration, extraction, and transportation of
hydrocarbons, the sector retains its emphasis on safety rather than security. The chapter
by Johnsen hence reviews both the regulatory framework in which the industry must
operate and the technical — mainly SCADA — systems used in the sector. Particular
emphasis is placed on the ability to prevent and respond to accidents and incidents as
well as methods for systematically identifying risks and hazards arising also from the
deployment of ICT and SCADA systems in the security domain.
The core ICT sector of telecommunications is studied in the chapter by Goldman
and Uzunalioglu; while the sector has been scrutinised extensively for a long time, this
chapter focuses on the effects caused by the convergence of conventional telephony
and packet-switched networks that have been the subject of major investment efforts by
telecommunications carriers in recent years to bring about so-called Next Generation
Networks (NGN). The incentive for carriers of having to maintain a single and highly
flexible infrastructure rather than two separate systems is very much self-evident, as
is the desire to provide differentiated services to clients that also can be the subject
of different service provision as well as cost models. However, both the convergence
towards NGN itself and the more complex policy-driven service provisioning architecture
clearly present risks from faults and particularly ones originating in malicious agency,
with new threats arising from the desire to integrate services across what has conventionally
been a strictly layered architecture with only limited exceptions provided such
as call prioritisation for emergencies and certain government services. Goldman and
Uzunalioglu hence review threats arising at both the transport and service layers and
highlight effects of layering in their contribution. However, as in the case of other infrastructure
sectors discussed throughout the present volume, there is also a need to
interact and remain interoperable with legacy systems, which can limit the ability to
provide services such as stronger security features (e.g. authentication and access control)
that would be straightforward in more homogeneous environments.
The chapter by Hämmerli provides insights into a sector that has — albeit to different
extents depending on the sub-sector — become extremely reliant on the use of information
and communication technology, namely financial services. Although reliant on
information in a wider sense, the ability to reliably perform transactions and safely
retain or access information is at the core of the sector and must be maintained beyond
any reasonable doubt as the loss of trust in the sector’s ability to provide its core services
has the potential to cause cascading effects far beyond any immediately affected
institution or service provider. The chapter by Hämmerli focuses on conventional
infrastructure for financial services, namely the payment and clearing services
used both between financial service institutions internationally and also towards clients,
also discussing the underlying legal and regulatory framework. This is crucial to consider
as the sector is covered by a dense network of regulations and agreements as well
as technical standards. The chapter also provides an overview of the interconnected
technical infrastructure for providing the transactional services and the increasing interconnection
with additional components such as advanced payment systems and supporting
infrastructures such as identification and authentication mechanisms, briefly
also highlighting the effects one can observe indirectly arising from so-called over-the-counter
(OTC) trading, which can not only have significant influence on prices for
equities and derivatives, but may also affect secondary parameters such as the volumes
of transactions required for infrastructure services to handle. These developments highlight
a number of dependencies even within the sector that must be understood and
managed carefully, which is made all the more difficult by the speed of developments
on one hand and the fact that some of the developments are not wholly captured by
the previously mentioned legal and regulatory framework, but are largely taking place
invisibly to public or even academic scrutiny.
The final chapter of the present volume by Hartong, Goel, and Wijesekera, on the
contrary, covers aspects of a sector whose adoption of information and telecommunication
technology is somewhat more cautious and even halting, namely the transportation
sector. Some of the sub-sectors are inherently international in nature, mainly aviation
and seaborne shipments, requiring international standardisation and agreements that
serve to limit the rate of adoption for new ICT services. Other sectors such as road
or rail transportation have far fewer restrictions, but providing extensive road and rail
networks with e.g. telematics services imposes a significant capital burden. Unlike the
previously covered sectors, the time-scales relevant in the sub-sectors are much larger,
but even so hard real-time constraints must be observed. As Hartong, Goel, and Wijesekera
highlight, significant elements of the transportation infrastructure are inherently
inter-modal, whether transitioning from seaborne transport to road and rail, between different
road transportation modes, or in some cases even to pipeline networks; these all
rely on the availability and interconnection of ICT systems to ensure that resource planning,
freight bills, and related information is exchanged in a timely and correct manner.
The chapter highlights some of the ICT-related components found in the transportation
infrastructure itself, including satellite navigation and telecommunication mechanisms
that are used extensively before discussing the concrete case of a safety mechanism
used in rail transportation and the susceptibility of this mechanism to deliberate attack.

3 Editor Information
3.1 Javier Lopez
Prof. Javier Lopez is Full Professor in the Computer Science Department at the University
of Malaga, and Head of the Network, Information and Computer Security (NICS) Laboratory.
His research activities are mainly focused on network security and critical information
infrastructures protection, leading a number of national and international research
projects in those areas, including projects in FP5, FP6 and FP7 European Framework
Programmes. He is the Co-Editor in Chief of International Journal of Information Security
(IJIS) and Chair of the ERCIM Working Group on Security and Trust Management. He is also a
member of the Editorial Board of, amongst others, the journals Computers & Security,
International Journal of Critical Infrastructures Protection, Wireless Communications and
Mobile Computing, Computer Communications, Journal of Network and Computer Applications,
and International Journal of Communication Systems. Prof. Lopez is the Spanish
representative in the IFIP Technical Committee 11 on Security and Protection in Information
Systems.

3.2 Roberto Setola

R. Setola is the head of the Complex System & Security Lab of the University CAMPUS
Bio-Medico di Roma (Italy) and the General Secretary of the AIIC (Italian Association of
Critical Infrastructures’ Experts). From 1999 to 2004 he served at the Italian Prime
Minister’s Office and he managed the Italian Government Working Group on Critical
Information Infrastructure Protection. He has been a member of the G8 High-Tech Crime
Subgroup and of the G8 Senior CIIP Expert (2003-2005) and Point of Contact for the Italian
Government in the G8 “International CIIP Directory” (2003-2008). He received his M.Sc. in
Electronic Engineering and Ph.D. in Control Theory from the Università di Napoli, Italy. He
is the author of three books and more than 100 peer-reviewed publications about modelling
and simulation of complex systems, CIP/CIIP and the security of critical infrastructures.

3.3 Stephen D. Wolthusen

Prof. S. D. Wolthusen is Reader in Mathematics with the Information Security Group in the
Department of Mathematics at Royal Holloway, University of London, UK and holds a
concurrent appointment as Full Professor of Information Security with the Norwegian
Information Security Laboratory at the Department of Computer Science at Gjøvik University
College, Norway, as well as several appointments as guest and visiting professor. He is
author and editor of several books and of more than 90 peer-reviewed research publications,
is past Editor in Chief of the journal Computers & Security, and has served on several
national and international advisory bodies in the area of critical infrastructure
protection and the modelling of infrastructures.

References

1. Albert, R., Albert, I., Nakarado, G.L.: Structural Vulnerability of the North American
   Power Grid. Physical Review E – Statistical, Nonlinear, and Soft Matter Physics 69(2),
   025103 (2004), doi:10.1103/PhysRevE.69.025103
2. Albert, R., Jeong, H., Barabási, A.L.: Error and Attack Tolerance of Complex Networks.
   Nature 406, 378–382 (2000), doi:10.1038/35019019
3. Brömmelhörster, J., Fabry, S., Wirtz, N. (eds.): Internationale Aktivitäten zum Schutz
   Kritischer Infrastrukturen. Bundesamt für Sicherheit in der Informationstechnik, Bonn,
   Germany (2004)
4. Cohen, R., Erez, K., ben Avraham, D., Havlin, S.: Breakdown of the Internet under
   Intentional Attack. Physical Review Letters 86(16), 3682–3685 (2001),
   doi:10.1103/PhysRevLett.86.3682
5. Falliere, N., Murchu, L., Chien, E.: Stuxnet Dossier. Symantec Security Response (2011)
6. Marsh, R.T. (ed.): Critical Infrastructures: Protecting America’s Infrastructures. United
   States Government Printing Office, Washington D.C., USA (1997); Report of the President’s
   Commission on Critical Infrastructure Protection
7. United States Department of Defense: Department of Defense Strategy for Operating in
   Cyberspace. U.S. Government Printing Office (2011)
8. Wenger, A., Mauer, V., Dunn, M. (eds.): International CIIP Handbook 2008/2009. Center for
   Security Studies, ETH Zurich, Zurich, Switzerland (2008)

The Art of CIIP Strategy: Tacking Stock of Content
and Processes

Myriam Dunn Cavelty and Manuel Suter

Center for Security Studies, ETH Zurich, 8092 Zurich, Switzerland


{dunn,suter}@sipo.gess.ethz.ch

Abstract. This chapter analyses and compares CI(I)P and cybersecurity
strategies to discover key issues, developments, and trends and to make
recommendations about strategy making in the field of CIIP. To this end, it will
first define CIP, CIIP and cybersecurity. It will then show what kind of
protection goals – statements about a desired state of security of a particular
object/asset that is seen in need of protection from one or a variety of threats –
are defined and what kind of countermeasures are foreseen. Third, it will move
from the content to the process and will make recommendations about what an
optimal strategy process in the field of CIIP should look like.

Keywords: cybersecurity policy, public-private partnerships, threat perception,
protection goals, strategy process.

1 Introduction

“[Critical infrastructures] are the foundations of our prosperity,
enablers of our defense, and the vanguard of our future. They
empower every element of our society. There is no more urgent
priority than assuring the security, continuity, and availability of our
critical infrastructures.”

(President’s Commission on Critical Infrastructure Protection, 1997: vii)

The above statement, made over a decade ago, still rings true. Critical infrastructures
(CI) are systems or assets so vital to a country that any extended incapacity or
destruction of such systems would have a debilitating impact on security, the
economy, national public health or safety, or any combination of the above. As a
consequence, critical infrastructure protection (CIP) is currently seen as an essential
part of national security in numerous countries around the world.
Not everything about CIP is new: under the heading of vital system security,
protection concepts for strategically important infrastructures and objects have been
part of national defense planning for decades, though they played a relatively minor
role during the Cold War as compared to other concerns such as deterrence[1]. Today,
however, CIP refers to a broader concept with a distinctly different flavor. First of all,
it is no longer restricted to concrete defense against immediate dangers, but
increasingly refers to preventive security measures as well. Second, contemporary
modern societies have become significantly more vulnerable, and the spectrum of
possible causes of disruptions and crises has become broader and more diffuse. Third,
CIP is a security practice that reflects the fact that the security challenges to the state
from ‘inside’ and ‘outside’ have become blurred in the new threat environment to the
point where they have become the same. National security – traditionally dealing with
extraordinary threats and countermeasures from the outside – is now also concerned
with attempts to create resilience and redundancy in national infrastructure through
cyber-security measures and other means. This means that measures that are generally
regarded as being within the purview of information security may now also be
included among measures to ensure national security. In this new logic of security,
two formerly different notions of security are merging, as technical security and
safety and national security become one.[2]

J. Lopez et al. (Eds.): Critical Information Infrastructure Protection, LNCS 7130, pp. 15–38, 2012.
© Springer-Verlag Berlin Heidelberg 2012

Ever since the landmark report of the President’s Commission on Critical
Infrastructure Protection of 1997 called “Critical Foundations, Protecting America’s
Infrastructures”[3], countries around the world have focused on ways to identify
and protect their critical assets against a variety of threats. As a result, a broad range
of political and administrative initiatives and efforts are underway in the US, in
Europe, and in other parts of the world.[4] While substantial differences between
these governmental protection policies have become apparent over the years,
there are also commonalities in the form of key challenges that almost all governments
are confronted with.
This chapter aims to take stock of these efforts and said challenges. It will identify
the key issues, developments, and trends by comparing a set of recent policy papers,
especially strategies, in the domain. These governmental policies are at various stages
of implementation – some are enforced, while others are just a set of suggestions –
and come in various shapes and forms, ranging from a regulatory policy focus
concerned with the smooth and routine operation of infrastructures and questions such
as privacy or standards, to the inclusion of CIP into more general counter-terrorism
efforts. While the chapter aims to discuss only aspects unique to critical information
infrastructures (CII) and infrastructure sectors immediately affected by CII in sync
with the aims of this book, it is not always so clear where to draw the line between
CIP and CIIP in practice. Therefore, some groundwork in terms of definitions and
concepts is necessary; in addition, reading the policy papers for the definitions of
concepts that they provide reveals a lot about the state of the art of
CI(I)P and the topic more generally.
In an ideal world, strategies “guide the implementation of plans, programs,
campaigns, and other activities” [5]. They refer to a plan of action designed to achieve
a particular goal and should therefore be drafted before any policy action is taken.
Strategies can also be seen as a pattern, “a consistency of behavior over time”[6].
Optimally, a strategy sets direction and focuses effort and provides consistency by
sketching a path from a current state to a desired future end state. Therefore, strategic
thinking is always about thinking about the future.

In a less ideal world, strategies come in a variety of forms. Very often, setting
future goals and defining steps to get there are closely interwoven or not even
separated at all. In a field as diverse as CI(I)P and populated by so many players
inside and outside of government, it is almost impossible to define in theory
what a strategy is and what it is not. Therefore, rather than just selecting documents
that have the word “strategy” in the title, we drew from a broader document base.
Without any claim to comprehensiveness, we looked at publicly available
documents that contain a) definitions of CI(I)P and related concepts, b) the
description of (protection) goals, c) statements about an object to be protected, d)
statements about the type of threat to which these objects are subject, and e) the
means by which these objects are to be protected. In short, we were mainly
interested in statements about a desired state of security of an identifiable object
that is seen in need of protection from one or a variety of threats as well as
statements about the type of countermeasures to be taken; that is, we mainly focus
on protection goals. However, the constant and sometimes rapid advancement of
existing policies shows that many countries are still in the process of defining their
own “CI(I)P identity”. What we are looking at are snapshots of a dynamic policy
field with fuzzy boundaries.
This chapter is structured as follows: First, we analyze how CIIP is defined –
or rather not defined – and show that many countries focus not on CIIP but on
cybersecurity. Second, we will identify and describe the definition of protection goals
on different levels. It will be shown that these strategies and policies differ
considerably with regard to the question of what should be protected from which threat.
Cyberthreats are often only vaguely defined and it remains unclear which is the most
relevant threat to critical infrastructures. In order to understand the varying
approaches in the documents, it is necessary to distinguish between different
cyberthreats and to analyze which strategy focuses on which threat. Furthermore, the
chapter looks at the proposed responses to cyberthreats. Even though the policy and
strategy papers on CIIP and cybersecurity differ with regard to the question who
threatens what, they usually propose similar concepts to respond to cyber
vulnerabilities. Common response strategies include the formation of Public-Private
Partnerships (PPPs); efforts to strengthen coordination between the different agencies
that are assuming tasks in the field of CIIP; campaigns to increase public awareness
for cybersecurity; and attempts to improve international collaboration. It will be
briefly discussed how these protection and prevention measures are defined and
which are the most relevant challenges that need to be addressed in order to
implement them. Third, we will take a step away from the content and look at the
process of how these strategic elements are defined and then point out what an ideal
strategy making process could look like.

2 Definitions and Demarcations

More than ten years after the beginning of the CIP debate, there is still little clarity
about how to distinguish clearly and stringently between the two key terms “CIP” and
“CIIP”. In official publications, the term CIP is frequently used even if the document
is only referring to the information aspects of the issue. It will be shown in a first
subsection how the two terms can be differentiated. In a second subsection, it will be
shown that rather than focusing on CIIP specifically, most governments focus on
strategies in the domain of cybersecurity instead.

2.1 Distinguishing the Critical ‘I’ from the Information ‘I’

A focus on CIIP creates immediate difficulties for any researcher, since the basis for
distinguishing between CIP and CIIP is unclear. A clear distinction between CIP and
CIIP is lacking in most countries, and one finds both terms being used
interchangeably. This reflects the continuing difficulties that arise from having to
distinguish between physical and virtual aspects of critical infrastructures.
That the two concepts are closely interrelated is apparent from the current debate
on protection necessities: The debate jumps from a discussion of defending critical
physical infrastructure – telecommunications trunk lines, power grids, and gas
pipelines – to talk of protecting data and software residing on computer systems that
operate these physical infrastructures. This indicates that the two cannot and should
not be discussed as completely separate concepts. Rather, CIIP seems an essential
part of CIP: While CIP comprises all critical sectors of a nation’s infrastructure, CIIP
is only a subset of a comprehensive protection effort, as it focuses on the critical
information infrastructure.
The definition of exactly what should be subsumed under CI, and what under CII,
is another question: Generally, critical information infrastructures can be described as
the part of the global or national information infrastructure that is essential for the
continuity of critical infrastructure services. There is a physical component to it,
consisting of high-speed, interactive narrow-band and broadband networks; satellite,
terrestrial, and wireless communications systems; and the computers, televisions,
telephones, radios, and other products that people employ to access the infrastructure.
In addition, there is an equally important immaterial, sometimes very elusive
component, namely the information and content that flows through the infrastructure,
the knowledge that is created from this, and the services that are provided through
them.
Due to their role in interlinking various other infrastructures and also providing
new ways in which they can be targeted, (critical) information infrastructures are
regarded as the backbone of critical infrastructures, given that the uninterrupted
exchange of data is essential to the operation of infrastructures in general and the
services that they provide. Thus, it comes as no surprise that many so-called CIP
policies have a strong focus on the protection of specific information infrastructures
rather than focusing on all CI sectors and aspects.

2.2 From CIIP to Cybersecurity

While it is uncontested that CIIP is an essential part of CIP, the protection of
information and communication infrastructures or technologies (ICT) and of the
information which is processed by these systems is not only crucial for critical
infrastructures. ICTs have also become absolutely essential for societal and business
relations across the board. Governments are therefore also developing policies with
regard to the security of information infrastructures more generally – meaning not
only for critical information infrastructures from a government perspective – with the
aim to secure all interactions that are enabled by them and depend on them. These
economic, social and cultural interactions take place in what is labeled cyberspace.[7]
Accordingly, the policies that aim to secure these interactions are usually called
cyberspace security policies or, in short, cybersecurity policies.
One of the first national cybersecurity strategies, called “Defending America’s
Cyberspace”, was issued by the Clinton administration in January 2000. Since then,
cybersecurity has been perceived as an integral part of national security and many countries
have started to develop cybersecurity policies. Compared to CIIP policies,
cybersecurity policies pursue a broader view on the security of ICTs and the
protection of the information that is processed by them, but the protection of the
essential information infrastructure remains an integral part of such policies. In order
to examine the key concepts and policies with regard to CIIP, it is thus important not
only to look at national security strategies or CIP policies, but also to analyze those
documents that refer to cybersecurity.
There are many examples of recent policy documents in that area: in the last two
years countries like the UK, Sweden, Japan, Estonia or Belgium released new
strategies for cybersecurity (or information security, which is used as an alternative
label). In addition, the Obama administration issued the widely noticed “Cyberspace
Policy Review”. Most of these publications include parts dedicated to CIIP and
point to the fact that cybersecurity is crucial for CIP. The US Cyberspace Policy
Review for example highlights that “…the growing connectivity between
information systems, the internet, and other infrastructures creates opportunities for
attackers to disrupt telecommunications, electrical power, energy pipelines,
refineries, financial networks, and other critical infrastructures”[8] and the Estonian
Cyber Security Strategy describes the formulation of a cybersecurity strategy as the
first step “to protect the country’s critical infrastructure and to ensure the country’s
information security”[9].
However, the cybersecurity strategies and policy papers studied rarely provide a
clear definition of cybersecurity. The UK Cyber Security Strategy states that “[c]yber
security embraces both the protection of UK interests in cyber space and also the
pursuit of wider UK security policy through exploitation of the many opportunities
that cyber space offers”.[10] The US Cyberspace Policy Review defines cybersecurity
policy broadly as the “strategy, policy, and standards regarding the security of and
operations in cyberspace”.[11] It can be observed, however, that all of these
documents implicitly adhere to the following definition: Cybersecurity is the absence
of a threat either via or to information and communication technologies and networks.
Simply put, this means that cybersecurity is the security one enjoys in and from
cyberspace. [12]

Fig. 1.

In sum, we will refer to CIP in this chapter when a document/strategy covers all
relevant critical sectors of a country, to CIIP if the document/strategy just talks about
one critical sector related to information infrastructures and to cybersecurity if the
document covers ICTs more generally, without just focusing on the critical part.
With these general definitions in mind, we will now move on to a depiction of the
content of the various strategies.

3 Key Issues and Protection Goals in CI(I)P and Cybersecurity Strategy Documents

Protection goals – which according to our understanding contain statements about the
object to be protected and the type of threat to which these objects are subjected – can
be found on three hierarchically distinguishable levels and have different functions
and purposes, which is shown in the first subsection. In a second subsection we will
look at what is seen in need of protection and what is seen as the main threat. In a
third, we look at the proposed countermeasures.

3.1 Protection Goals on Three Levels


We can distinguish between three levels on which protection goals can be found:
• First, protection goals are described on a strategic level in national security strategy
documents.
• Second, protection goals are described in CIP, CIIP or cybersecurity strategies or
similar documents.
• Third, protection goals are further defined and specified in sector-specific documents.

Not surprisingly, these goals become more concrete the further down one moves. We
look at all three of them in separate subsections.
The analysis of CIP documents shows that ‘protection goals’ vary with regard to
their specificity and purpose. On the level of national security strategies and policy
papers, goals tend to use rather general terms such as ‘prevention’, ‘mitigation of
vulnerabilities’, or ‘protection of vital interests’. We believe it would be useful to
label these kinds of statements ‘protection principles’ rather than protection goals,
because they provide the general framework for CIP.
Slightly more specific protection goals are found on the second level of CIP
strategies. They are more precise and specific than the protection principles, but still
follow a systemic-abstract logic, as they refer to the totality of all CIs rather than to
one sector or to one infrastructure. Examples of “protection goals” on this aggregated
level are the goals of ‘identifying critical infrastructures and key resources’,
‘enhancing resiliency’, or ‘analyzing interdependencies and vulnerabilities’. These
goals, formulated for all CIs, can be described as ‘protection policies’, as they define
in a general way what must be protected from which threats in what way.
The third level is the sector-specific dimension. On this level, the “protection
goals” are more concrete. Examples are the goals to ensure ‘the availability, integrity
and confidentiality of information and information technology’ or ‘sustain protection
of public health and the environment’. They may be referred to as (sector-specific)
‘protection goals’.

Fig. 2.

3.1.1 Level 1 (Protection Principles): National Security Strategies


Due to the high stakes if something went severely wrong with critical infrastructures,
CIP is considered part of national security in most countries. However, in their
national security strategies, different states focus on different aspects of CIP and
define the protection goals of CIP in a different way. In order to highlight these
differences, this section will provide an overview of the national security strategies of
Canada, the Netherlands, the United Kingdom, and the United States and analyze how
CIP is defined in these documents.
At the highest strategic level, the United States references the protection of critical
infrastructures in its National Strategy for Homeland Security. The document calls for
the ‘Protection of the American people, our critical infrastructures, and key
resources’[13] and outlines three specific goals for critical infrastructures protection:
deter the terrorist threat; mitigate the vulnerabilities; and minimize the consequences.
Furthermore, this document singles out the National Infrastructure Protection Plan
(NIPP) – developed pursuant to the Homeland Security Presidential Directive-7 – as
the main guidance for the efforts to protect critical infrastructures. The NIPP is
designated within this national strategy as the tool to ‘ensure that our government,
economy, and public services continue to function in the event of a man-made or
natural disaster.’[14] This task is carried out through sector-specific plans developed
within identified critical infrastructures and key resources (see below).
The general goal stated in the Netherlands’ national security strategy is to protect
the ‘vital interests of the Netherlands in order to prevent societal disruption’. [15] CIP
is seen as the operational tool to ensure this. The Dutch National Security Strategy
depicts critical infrastructures protection as risk management and positions it on a par
with crisis management; the two concepts together cover the operational aspects of
security, while national security covers the strategic aspects. Moreover, it specifies
that ‘with critical infrastructures the emphasis is primarily on prevention (measures
for better security of the critical sectors), while with crisis management the emphasis
is on preparation (preparation for incidents), response (if an incident has occurred)
and after-care.’[16]
While the Dutch strategy locates CIP in the context of both national security and
crisis management, Canada and the United Kingdom view critical infrastructure
vulnerability (i.e., the threat) and its protection (i.e., the countermeasure) as a main
challenge of emergency management.[17] In the UK, it is defined as the ‘single
overarching national security objective’ to protect ‘the United Kingdom and its
interests, enabling its people to go about their daily lives freely and with confidence,
in a more secure, stable, just and prosperous world’.[18] Furthermore, the British
national security strategy identifies critical infrastructures among the key assets to be
protected, stating the goal as ‘to improve the protection of critical infrastructures,
hazardous sites and materials, and crowded places’.[19]
These examples reveal the interrelationship between national security and CIP:
National security is often described as being in some way related to ensuring the
continuity of life – and CIP is the way to ensure this on an operational level. In other
words, because CI are regarded as the fabric of society, the protection of society is
equated with the protection of CI. This has several implications: a) Because CIP is a
national security issue, there is a level of secrecy when it comes to concrete aspects
such as protection goals; b) protection goals are directly linked to human survival.
The stakes are thus very high. If the security of entire nations depends on CIP
measures, then protection goals in CIP are – or should be – top-level strategic-
political decisions. This is an important aspect that will be addressed in some more
detail in the concluding section.

3.1.2 Level 2 (Protection Policies): CI(I)P Strategies


Protection goals formulated in CI(I)P and cybersecurity strategy papers (usually at the
national/federal level) tend to be very general as well; rather than being specific
mandates or measurable values, they are guiding principles, or mission statements.
Nevertheless, on the second level, much more information can be found about the
objects to be protected, the measures, and the threats.
There are many similarities between CI(I)P strategy documents: One common
element is the importance of the concepts of resilience and of public-private
partnerships, in different combinations. For example, the overarching goal of the
United States’ National Infrastructure Protection Plan (NIPP), one of the more
elaborate strategies, is to ‘[b]uild a safer, more secure, and more resilient America by
preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by
terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR [Critical
Infrastructures and Key Resources] and to strengthen national preparedness, timely
response, and rapid recovery of CIKR in the event of an attack, natural disaster, or
other emergency.’[20]
Similarly, in Canada, the document National Strategy and Action Plan for Critical
Infrastructure: Strategy (2008) highlights the importance of enhancing resilience as a
critical infrastructure protection goal that can be ‘achieved through the appropriate
combination of security measures to address intentional and accidental incidents,
human induced intentional threats, business continuity practices to deal with
disruptions and ensure the continuation of essential services, and emergency planning
to ensure adequate response procedures are in place to deal with unforeseen
disruptions and natural disasters.’[21] Furthermore, this document reveals that
partnerships, risk management, and information-sharing are viewed as key
components of CI(I)P.
The recent Australian Critical Infrastructure Resilience Strategy (2010), finally,
includes two main objectives of CIP. First, increasing the effectiveness of owners and
operators of CI in managing foreseeable risks “through an intelligence and
information led, risk informed approach”, and secondly, “enhance their capacity to
manage unforeseen or unexpected risk to the continuity of their operations, through an
organizational resilience approach.”[22]
There are many other national CI(I)P strategies that follow a similar approach, but
in order to highlight the most important protection goals as formulated on the level of
CI(I)P strategies, these three recent examples should be sufficient. They show that
CI(I)P strategies usually pursue an all-hazard approach and include both human
induced attacks and accidental failures of CIs. In addition, the goal of resilience of
CIs has recently gained a lot of attention and is today perceived as one of the most
important protection goals in CI(I)P. Resilience can be described as the ability of a
system to recover quickly after experiencing a sudden shock or physical stress.[23]
Since critical infrastructures are highly interdependent and complex, they cannot be
protected against all potential threats. Accordingly, the ability to recover quickly after
an incident – a high resiliency – is perceived as essential for ensuring the continuation
of critical services.

3.1.3 Level 3 (Protection Goals): Sector-Specific Protection Goals


More tailored protection goals – very often tied specifically to definition and
implementation of protection measures – can be found in sector-specific CIP plans.
The case of the United States provides a good example for a CIP framework which is
based on sector-specific protection approaches. The 2006 National Infrastructure
Protection Plan (NIPP) allocates the responsibility for sector-specific protection plans
to the respective federal agencies. The sector-specific federal agencies[24] became
responsible for coordinating CIP efforts with relevant public and private stakeholders
and developing sector-specific plans. All sector plans share a common framework;
however, they also allow for flexibility and encourage customization.
Thus far, nine plans have been made available in the following areas: agriculture
and food, banking and finance, communication, defense industrial base, energy,
information technology, national monuments and icons, transportation systems, and
water. In all of the sectors discussed, the respective plans list specific implementation
measures used to achieve the goals.[25] The following protection goals have been
identified for the IT sector:[26] 1) prevention and protection through risk management
by identifying and assessing core functions, prioritizing risks and mitigating
vulnerabilities; 2) improving situational awareness during normal operations; and 3)
enhancing the capabilities of public and private sector security partners to respond to
and recover from realized threats and disruptions.
Another country that has a published sector-specific plan for CIIP is Germany. The
documents National Plan zum Schutz der Informationsinfrastruktur (National Plan for
Critical Information Infrastructure Protection) of 2005 and the subsequent 2007 report
Umsetzungsplan KRITIS [27] (implementation plan KRITIS) outline the protection
goals for CIIP. Similar to the IT-Sector-Specific-Plan of the US, prevention, reaction
and sustainability are defined as generic goals of CIIP. In addition, the
implementation strategy refers to the concepts of availability, integrity, and
confidentiality, which are known from information assurance policies.
The examples of sector-specific protection goals for CIIP in the US and in Germany
reveal that even on this specific level, the definitions of goals and objectives remain
very broad. It is not described in further detail what exactly needs to be done in order to
achieve the goals. The difficulties of formulating clear and unambiguous protection
goals show that there is still a need for conceptual groundwork in the field of CI(I)P.

3.2 Referent Object and Threat Subject

Next to general protection principles, policies and goals, the documents studied also
contain more specific information about that which is threatened and in need of
protection (i.e., referent object) and the type of threat (i.e., threat subject). In this
section, we will look at the referent object in one subsection, before turning to a
discussion of the threats in the next.

3.2.1 Referent Object: What Is Threatened?


When it comes to the referent object, there are two major issues: economic well-being
and national security. The strategies and policy papers emphasize the importance of
ICTs for the national economy and point to the high costs of cyberattacks for the
corporate sector.[28] These costs are deemed to have a negative impact on the growth
of the national economy.[29] The second referent object that is prominently discussed in
the documents is national security. With reference to the large-scale attacks on
Estonia in 2007, it is stressed that cyberattacks can compromise the functioning of
critical infrastructures, which are considered to be crucial to national security.[30]
However, rather than being two clearly separable dimensions, economic well-being
and national security are closely interconnected, since critical information
infrastructures are essential for both dimensions at the same time. This
interconnectedness is reflected in most of the documents. The United States, for
example, claims that: “The continued exploitation of information networks and the
compromise of sensitive data, especially by nations, leave the United States
vulnerable to the loss of economic competitiveness and the loss of the military’s
technological advantages.”[31] The Swedish Assessment of Information Security also
mentions both dimensions: “Deficient information security can threaten […] the
capability to deal with serious disturbances and crises. Furthermore, it can have a
negative impact on combating crime, trade and industry’s profitability and growth, as
well as the personal integrity of the country’s citizens”.[32]
The nexus between economic and national security interests is even more
accentuated by the fact that many of the cyberstrategies view cybersecurity as being
directly related to other governmental strategies, especially the respective countries’
national security strategies (see section above). The UK realizes that: “Cyber security
cuts across almost all the challenges outlined in the National Security Strategy, and
interlinks with a wide range of Government policies, involving many departments and
agencies”[33]. The US encourages the development of a new security strategy, noting
that: “The national strategy should focus senior leadership attention and time toward
resolving issues that hamper US efforts to achieve an assured, reliable, secure, and
resilient global information and communications infrastructure and related
capabilities”[34]. However, some of the strategies and policy papers also explicitly
highlight the connection to information society and economic strategies. The Estonian
Cyber Security Strategy, for example, states: “In developing the Cyber Security
Strategy, the committee has taken into account national development plans that might
also be relevant to information security and the information society, as well as plans
relating to internal security and national defense.”[35]

3.2.2 Malevolent Actors: Who Threatens Critical Information Infrastructures?


Two levels can be distinguished on which security in and from cyberspace can be at risk:
1. Technical level: While it is a commonplace that our societies are entirely and
pervasively dependent upon ICT, the complexity and interconnectedness of this
dependence is growing. With dependence comes vulnerability. On the first level,
this vulnerability is linked to the danger of system failures that may have cascading
effects affecting not only the individual use of ICT, but crippling the smooth
functioning of entire branches of societal activity and security.
2. Actor level: Triggered by the pervasive societal dependence upon information and
communication technology, the second area of vulnerability is the one linked to
potential malevolent agency. The panoply of malevolent agents deploying their
activities in and/or through cyberspace is vast, but can be generally categorized
into four elements. These include – in decreasing order of gravity – state-sponsored
actors, ideological and politically extremist actors, frustrated insiders, organized
criminal agents, and individual criminal agents.[36]
These two levels are interrelated: While the security challenge posed by potential
systemic failure is inherent to the nature of the technological development in ICT, the
dangers caused by and through malicious agents are conditioned by the nature of ICT.
It is in fact the interaction between the two threat levels that makes the issue of
cybersecurity such a complex challenge since it “is not simply that increasing
dependence on ICT creates vulnerabilities and opportunities to be exploited by the
unscrupulous, but also that ICT has an increasingly important enabling function for
serious and organized crime, ideological and political extremism, and possibly even
state-sponsored aggression.”[37]
Despite the importance of technical vulnerabilities, there is an exclusive focus on
the actor dimension of the threat spectrum in most of the CIP and cybersecurity
strategies. This is not overly surprising, as cybersecurity is considered to be one of the
key national security challenges of today; and in the context of national security, the
possibility of a human attack is of special interest. Even though the immediate
response to a cyberspace incident has to be tailored to the actual event on the
technical level, mid- or long-term strategies work on a different level, and the identity
of the attacker is crucial for calibrating the right response: If the attack was
perpetrated by a state actor, military responses can be activated; when the threat
originates from sub-state actors, the primary response should consist of law-
enforcement measures. The question of who or what is threatening thus remains an
important aspect of cybersecurity.
The recent policies and strategies on cybersecurity and CIIP vary considerably
on the question of whom they consider to be the gravest threat in the domain of
cyberspace. The UK Cyberspace Policy Review views the “established capable
states” as the potentially most sophisticated threat,[38] the Estonian cyber security
strategy notes that “terrorist organizations, organized criminals and state-sponsored
actors already pose a serious global threat”[39], and the Swedish Information
Security Strategy states that IT crimes “constitutes one of the largest threats to
government agencies’ electronic services being further developed and used by more
people”.[40]
This diversity shows that there are different perceptions and assessments of the
threats to cyberspace. However, it has to be noted that the strategies and policy papers
lack clear definitions and remain vague when it comes to the description and
evaluation of the different threats. The terms “criminal activity” and “terrorist act” are
not clearly defined. This vagueness can hardly be avoided, as it is a distinctive
characteristic of cyberspace that it interlinks different actors and thus blurs the
boundaries between different fields of activities. The Estonian cybersecurity strategy
even explicitly acknowledges that “[t]here are no general regulations for the
prevention and combating [sic] cyber threats, nor even a set of common definitions of
these threats.”[41]
Nevertheless, the strategies do differentiate between different threats. The most
explicit delineation is made between state actors and non-state actors. The threats that
are posed by states range from spreading disinformation to intelligence-gathering and
large-scale attacks on critical infrastructures. In some documents, such activities are
subsumed under the label “cyberwarfare”.[42] Non-state actors, on the other hand, are
described either as “cybercriminals” or as “cyberterrorists”, depending on their
motivation or their targets.
Despite this categorization of malicious actors into state and non-state actors, it
remains unclear who poses the biggest threat, since there is not enough information
on the capabilities and motivations of potential perpetrators. The difficulty of
assessing the level and origin of threats to cybersecurity is acknowledged in most of
the strategy and policy papers, and they avoid ranking the threats according to
likelihood or severity.
The differences between the strategies show that there are different perceptions
concerning the questions of who is threatening and what is threatened in cyberspace.
Figure 3 summarizes four categories of threats that are referenced in the documents,
arranged by the differences between those two questions.

Fig. 3.

In theory, what one perceives as threatening and what one perceives as being
threatened generates the focus of what is perceived to be in need of protection. A
clear prioritization of the threats would therefore lead to a prioritization of response
strategies. However, as mentioned above, in the case of CIIP cybersecurity, it is
neither possible to define which actor poses the biggest threat, nor can the two
dimensions of economy and national security be viewed in isolation. In consequence,
the link between threat perceptions and countermeasures is far less clear. In fact, even
though the strategies do differ in their assessments of key threats, they arrive at very
similar countermeasures, as is shown in the next section.

3.3 Responding to the Threat: Protection Policies

In the absence of a clear picture of the severity and likelihood of different threats to
cybersecurity, most strategy and policy papers define response strategies that reduce
vulnerability to all forms of cyberattacks. Despite the differences between various
kinds of attacks, there are also similarities that can be used to define general response
strategies. For example, cybercriminals and cyberterrorists may exploit the same
vulnerabilities to intrude into IT systems. Furthermore, both types of actors benefit
from the lack of knowledge of many users and from the fact that they can start their
attacks from the location of their choice, which can make it hard to prosecute them.
It is thus possible to mitigate the risk of all kinds of attacks by reducing
vulnerabilities and improving national and international coordination and prosecution.
Thus, even though strategies and policy papers sometimes differ in their threat
description, they all identify similar response strategies: they promote an increase of
public-private collaboration to enable a better exchange of information; they call for
more coordination within the public sector in order to foster coherent responses; they
highlight the importance of public awareness campaigns; and they point to the need for
more international cooperation. These response strategies shall be briefly discussed.

3.3.1 Public-Private Partnerships/Information-Sharing


The idea of public-private partnerships (PPPs) for CIIP is by no means a new
development. In fact, the 1997 US Report on Critical Infrastructure Protection clearly
states that “coping with increasingly cyber-based threats demands a new approach to
the relationship between government and the private sector.”[43] Already more than a
decade ago, governments realized the crucial role of the private sector in information
infrastructure protection, as it is the private companies that own most of the critical
infrastructure and can therefore be crucial in sharing information that is required for
the effective protection of such infrastructure elements. Considering that PPPs have
been continuously promoted for many years, it is clear that so far, this concept has not
reached its full efficiency potential. This is reflected in the current strategies and
policy reviews – especially in the latest US Cyberspace policy review. According to
this document, “these groups perform valuable work, but the diffusion of effort has
left some participants frustrated with unclear delineation of roles and responsibilities,
uneven capabilities across various groups, and a proliferation of plans and
recommendations.”[44]
The crux of public-private partnerships is that their implementation is demanding
and that there is no single best way to establish them. The design of partnerships
must be in line with their function as well as with the specific characteristics of the
public and private partners involved.[45] A partnership approach must therefore be
flexible in order to allow various ways of implementation, and it makes no sense to
define the structure of partnerships on the level of a strategy paper. On the other hand,
it is unsatisfactory to promote better PPPs without describing how the difficulties in
their implementation shall be addressed. A potential solution is the definition of
frameworks and programs for PPPs. Such frameworks are, for example, proposed by
the US Cyberspace Policy Review[46] or by the Communication from the EU
Commission on Critical Information Infrastructure Protection.[47]

3.3.2 Better Coordination and Integration


A second measure that is proposed in almost all strategies is better coordination and a
more integrated approach on the domestic front, which would offer clear allocations
of responsibilities and thus improve the efficiency of cybersecurity measures. The
Estonian Cyber Security Strategy for example notes: “It is necessary to acknowledge
cyber threats much more widely, and to improve interdepartmental coordination
system related to the prevention and combating of cyber attacks on a national
level.”[48] And the UK Cyber Security Strategy highlights that the “[g]overnment
must lead a coherent UK response to the security challenges that arise from these
threats and risks and a strategic approach is fundamental to achieving this aim.”[49]
In order to implement greater coordination at the practical level, many strategies
suggest the development of new structures or offices that would be responsible for
overseeing the activities of all of the agencies that deal with cybersecurity-related
issues. This trend is particularly observable in the cases of the United States and the
United Kingdom. The United States Cyberspace Policy Review suggests that the
President appoint a cybersecurity policy official at the White House (a so-called
"cyber czar"), who would coordinate all of the national cybersecurity-related policies
and activities.[50] Likewise, the UK Cyber Security Strategy also recommends more
centralization and proposes the establishment of a Cyber Security Operations Center
involving representatives from across the government and key stakeholders.[51] The
goal of this center would then be to “provide policy guidance, expertise and
situational awareness to those elements of government that deal directly with national
security threats, and to the private sector and the public.”[52]
By defining new structures, the strategies can be useful for achieving better
coordination in cybersecurity and CIIP. Often, there are too many governmental
agencies involved. In consequence, it has often been impossible to attribute
responsibilities, which hindered the effective response. At the same time, however, it
should be noted that the implementation of new structures is a cumbersome process
and reorganization could also destroy mechanisms that have been working quite
effectively. While new developments may require institutional reforms, it is also
important to ensure a certain degree of stability and continuity. A cybersecurity
strategy should therefore try to define an institutional framework for cybersecurity
that is not only able to tackle the short-term problems, but is also flexible enough to
deal with potential new problems.

3.3.3 Awareness Campaigns and the Promotion of Education, Training, and Research

As a third response strategy to cyberthreats, many strategies and policy papers
highlight the importance of awareness raising. They argue that cybersecurity can only
be improved if the whole society becomes more aware of the problem. Therefore, in
order to recognize the public vulnerability to cyberthreats and the importance of
public participation in building cybersecurity policies, awareness-raising campaigns
as well as education, training, and research have been continuously emphasized in
strategy and policy papers. The 1997 report on critical infrastructure protection in the
United States already includes a clear call for ingraining infrastructure protection “in
our culture, beginning with a comprehensive program of education and
awareness”,[53] and the Cyberspace Policy Review of 2009 recommends that “[t]he
Federal government, in partnership with educators and industry, should conduct a
national cyber security public awareness and education. The strategy should involve
public education about the threat and how to enhance digital safety, ethics, and
security.”[54]
While many strategies emphasize the importance of awareness and education
programs, they rarely specify how or by whom such programs should be
implemented. Some refer to previously established and still ongoing programs,[55]
while others refer to implementation plans that will be issued later.[56] It also often
remains unclear who should be targeted by such campaigns (the strategies and policy
papers mention company leaders, students, government officials, or the general public
as potential addressees). Although it is not necessary to define every detail of
awareness and education programs at the level of a strategy, it would still be
beneficial to have better specifications, which would make it possible to analyze
which programs are already implemented (and by whom) and which have still to be
developed.

3.3.4 International Cooperation


Despite the fact that international cooperation is in many ways already taking
place,[57] virtually all strategies and policy papers in the field of cybersecurity
and CIIP underscore the need for expanded and more efficient cooperation, realizing
that cyberthreats and the perpetrators of cybercrimes do not recognize national
boundaries.
There are several international initiatives regarding cyberspace. The Council of
Europe Convention on Cyber Crime was opened for signature in 2001 and entered
into force in 2004. The Forum of Incident Response and Security Teams (FIRST)
brings together a variety of Computer Security Incident Response Teams (CSIRTs)
from national governments as well as commercial and education organizations; the
European Network and Information Security Agency (ENISA) promotes cooperation
on the level of EU members and institutions; the International Telecommunication
Union is a UN agency for information and communication technology issues; and the
Meridian Process is a platform providing governments worldwide with a means of
discussing and working together on policies regarding critical information
infrastructure protection.
Such international initiatives and organizations play a very important role in CIIP,
since information and communication infrastructures are international and
cyberthreats are therefore not territorially based. It should be noted however, that one
of the reasons for the lack of efficient cooperation is the difference in perceptions of
terms such as ‘cyberterrorism,’ ‘cyberattack’, ‘cyberwarfare’, etc. This contributes to
the status quo, which is characterized by the lack of a coherent international approach.
There are also different perceptions of cooperation from different international actors.
While some countries would like to treat information system attacks merely as
criminal offences against public and private property, as suggested in the Council of
Europe’s Convention on Cybercrime, other actors would like to see the response to
such offences escalated to the level of a national security issue. Other
differences include the distinction between small- and large-scale attacks as well as
ordinary computer systems and critical infrastructure systems.[58] Therefore, while
the demands for more international cooperation constitute a positive phenomenon,
international cooperation will continue to be insufficient unless there is a real will for
unity concerning these essential terms and basic regulations.

4 The Strategy Making Process

In the section above, we have outlined several points that can be found in CI(I)P and
cybersecurity strategies. If we compare them, it can be shown that recent documents
contain thoughts that are already well established, rather than any new ideas. In
addition, these documents are quite alike with regard to their description of the threat.
First, the documents are all rather vague in describing the threats, since they aim to
avoid excluding certain types of threats. Second, they all take into account the fact
that cybersecurity concerns both national security and the national economy. Third,
they unanimously identify public-private partnerships, improved policy coordination,
awareness campaigns, and international coordination as the most important measures
for enhancing cybersecurity, but most of them fail to outline how such programs shall
be implemented.
The similarities between the different strategy and policy papers show that most
governments face similar problems in formulating and implementing CIIP policies. The
underlying problem is that it remains unclear what is threatened, who is threatening, and
what the potential consequences of attacks or failures could be. A CIIP strategy has to
take into account very diverse types of threats, ranging from criminally motivated
attempts to steal information to terrorist attacks on critical infrastructures with the goal
to create as much damage as possible. The likelihood of occurrence for these threats
varies greatly, as does their potential impact on the security of society. Would it thus
make sense to include all these threats in one strategy, or should there rather be separate
strategies for CIIP, cybercrime and cyberwar? The problem is that the different threats
are interlinked and the connections between them are not clear. Treating different
threats separately would be inconsistent with the so-called “all-hazards approach”,
which has proven to be a useful concept in CIP as well as in cybersecurity. It is thus not
possible to separate the different kinds of threats completely from each other, and CIIP
strategies should take all of them into account.
More solid definitions would make it easier, however, to put the different
countermeasures into context. The design of PPPs, for example, will vary depending
on the function of the partnership. While PPPs for critical infrastructure protection are
small and based on direct exchanges of information between the government and the
private sector, PPPs for the fight against cybercrime require broader coalitions, as
criminals may attack all kinds of companies (not only those operating critical
infrastructures). Clearer definitions are also required in order to develop a coherent
international approach for cybersecurity, as the different perceptions of threats still
hinder collaborative efforts. Finally, a clear delineation of cyberthreats is required to
define the responsibilities of different government agencies, which would be the first
step towards better coordination of cybersecurity efforts. The inter-mixing of
cybercrime with cyberwarfare and cyberterrorism, for example, often impedes a clear
division of responsibility between military and civil agencies.
In sum, it can be noted that the vague definitions of threats in the strategy papers
lead to rather vague concepts for countermeasures. Most strategies fail to set priorities
and to provide well-defined cybersecurity programs. This clearly impairs their value
and may even jeopardize the benefits of having a CIIP or a cybersecurity strategy.
However, one should not jump to the conclusion that such strategies are completely
unnecessary. Developing a CIIP strategy can be valuable for two reasons: First, the
process of developing a strategy is valuable in its own right. The discussions about the
existing policy that accompany the formulation of a strategy can be fruitful and may
stimulate processes that lead to important advancements. Second, a strategy can help
to raise awareness of cyberthreats in general, but can also underline the importance of
individual countermeasures. The mention of PPPs as an important instrument for more
cybersecurity, for example, supports the existing public-private collaborations and can
help to establish new PPPs. In this final section, we therefore want to sketch an
optimal strategy making process.

4.1 Strategy Making: Top Down Meets Bottom Up

As mentioned above, public and private actors play specific roles in the formulation
of protection principles, policies, or goals. We can distinguish between a top down
and a bottom up part of the strategy making process.

4.1.1 The Definition of Principles and Policies in Political Processes


Political decision-makers set general goals – or principles – for CIP and thereby guide
the development of more specific protection goals. They also decide what needs to be
protected from which threats, and by which means. The question of ‘what needs to be
protected’ is a key question in CIP that is closely related to the definition of protection
goals. The criticality of infrastructures depends on factors such as the importance for
other infrastructures, for the national economy, or for society at large. However, these
factors are hard to quantify satisfactorily, so that the identification of CIs remains an
inherently political decision. In consequence, the CIs are often listed in strategy
papers or government directives.[59]
Another issue within CIIP that is highly influenced by political decisions is the
question of which threats the CIs need to be protected from. The potential threat
spectrum ranges from terrorist attacks to human error to technical failures. To avoid
turf battles among agencies, it is therefore crucial to address the discussion on sources
of threats at the political level. In response to that need, many strategies and policy
papers emphasize the importance of the ‘all-hazards approach’ in CIP. This means
that all relevant agencies need to be involved and that the concrete protection goals
need to be formulated in a threat-neutral way.
Finally, there are also some decisions to be taken on the political level concerning
the means by which a goal should be protected. This question is all the more
important since many CIs are owned and operated by the private sector. Protection
can only be achieved if all stakeholders act in concert. This means that concrete
protection goals should be defined in collaboration with the private sector. Such an
empowerment of non-state actors is not a routine process and needs to be anchored in
political decisions. Hence, many strategies explicitly highlight the need for
collaboration with the private sector. The important role of public-private partnerships
in CIP is not only articulated in the documents reviewed in this report, but also
evident in the establishment of state-sponsored partnership platforms such as
Australia’s Trusted Information Sharing Network (TISN), the United Kingdom’s
Centre for the Protection of National Infrastructure (CPNI), and the United States
Critical Infrastructure Partnership Advisory Council (CIPAC), Sector Coordinating
Councils (SCC), and Government Coordinating Councils (GCC). The principle of
public-private collaboration is thus another important political decision that shapes
the formulation of concrete protection goals for CIP.

4.1.2 The Definition of Protection Goals in Consultative Processes with Practitioners

As indicated above, decisions on the political level determine the room for maneuver
for the definition of protection goals for CIP. However, these goals are not only
influenced by top-down political decisions, but also by bottom-up consultations with
the owners and operators of CIs.
The private sector influences the definition of protection goals in three different
ways: First, the owners and operators of CI are represented in advisory boards for CIP
and contribute directly to the development of national CIP policies. The best known
historic example is the Advisory Committee to the President’s Commission for
Critical Infrastructure Protection (PCCIP), which was composed of 15 industry
leaders and informed the work of the PCCIP.[60] Today, similar advisory bodies exist
in many countries. Examples include the Strategic Board for CIP (SOVI)[61] in the
Netherlands; the National Infrastructure Advisory Council (NIAC)[62] in the United
States; or the Critical Infrastructure Advisory Council (CIAC)[63] in Australia. These
advisory bodies are key actors in the development of CIP policies and thus have an
important influence on the definition of general protection goals.
Secondly, private actors closely collaborate with sector-specific agencies to
develop and implement protection goals for their individual sectors. While such
collaborations are well-established across most sectors and in most countries, they
often remain informal and only rarely publish reports identifying sector-specific
protection goals. The Sector-Specific Plans in the United States,[64] which are
mandated by the National Infrastructure Protection Plan (NIPP) and publicly
available, are an exception. These plans list the sector-specific goals and identify the
partners that contributed to the development of these goals. Another example of a
jointly developed sector-specific plan that includes protection goals is the CIP
Implementation Plan in Germany (UP KRITIS)[65] for the IT sector.
34 M. Dunn Cavelty and M. Suter

The third way in which private actors influence the definition of protection goals
consists of what may be called lobbying activity. Industry groups try to shape CIP
policies according to their interests by talking to politicians or by issuing white papers
and press releases. The goals of lobbying in CIP can be to highlight the importance of
their own sector or to push for government initiatives. The Information Technology
Association of America (which is a leading industry group for United States IT and
electronics businesses), for example, writes in its Mission Statement on Information
Security Policy that it is the organization’s goal to ‘ensure that cyber security is an
integral part of critical infrastructure protection.’[66]

4.2 Combining the Three Levels with a Top-Down / Bottom-Up Interaction


Of course, the top-down and bottom-up processes cannot be regarded as being
independent, since they influence each other: Protection principles, policies and goals
as described above are usually the result of both political decisions and consultations
with the private sector. Nevertheless, the public and private sectors do have different
responsibilities when it comes to protection goals. It is the role of the public actors to
ensure that protection goals developed on the third level are in line with the protection
principles and policies defined on the first and second levels, and it is the role of the
private actors to ensure that the protection goals are realizable and meaningful for the
specific demands of their sector.
We can therefore sketch a process that combines the top-down and the bottom-up
approach and integrates the three levels of protection principles, policies and goals.
As mentioned, protection principles (Level 1) are formulated in political processes
and set out in national security strategies. They can provide guidance to the
administrative bodies in charge of CIP by describing potential threats and risks and by
highlighting the necessity to tackle them. The national security strategies and policy
papers provide the framework for the risk analysis and management processes.
Protection principles are very important in a complex field such as CIP, since they
ensure a necessary level of coherence between different levels of government and
help in developing measures to ensure security.
In order to analyze and manage the risks in the field of CIP, protection principles
need to be translated into less abstract concepts. This translation process happens on
Level 2, the level of protection policies. Protection policies specify what protection
principles such as ‘prevention’ or ‘resilience’ mean for CIP and identify means for
identifying, assessing, and managing the risks to CI. Such protection policies state, for
example, that prevention shall be improved by public-private collaboration or that the
resilience of CI (understood as the entity of CIs, not as individual infrastructures) shall
be strengthened by information-sharing between the owners and operators of CIs.
These policies are necessarily broad, because it is not possible to determine criteria for
all sectors of CIs: the differences are too big. But at the same time, the
interdependencies between the different CIs make a coherent approach indispensable.
One sector cannot be secure if another sector on which it depends is not. The
development of shared frameworks for risk analysis and management is a crucial step
in CIP, as it allows the formulation of sector-specific protection goals without risking a
The Art of CIIP Strategy: Tacking Stock of Content and Processes 35

loss of coherence within CIP as a whole. The function of protection policies (Level 2)
is therefore to connect these top-down and bottom-up processes and incorporate them
into one coherent approach to CIP.
Sector-specific protection goals (Level 3) are formulated in collaboration with the
owners and operators of CI. The goals need to be sufficiently specific to enable
implementation (cf. the concept of operational protection goals in the German case).
On this level, there needs to be clarity with regard to the overall aim and purpose of
protection efforts, including what risks to focus on.

5 Conclusion
In this chapter, it was first shown how the terms CIIP and cybersecurity relate to each
other to bring some clarity into the terminological muddle that exists in the field and
to show why many countries have begun focusing on cybersecurity more recently.
Second, the chapter looked at statements about the object to be protected and the type
of threat to which these objects are subjected in recent policy papers. It was shown
how such ‘protection goals’ vary with regard to their specificity and purpose. The
chapter then introduced three labels for three different types of such goals: protection
principles for the level of national security strategies and policy papers, protection
policies for more specific CI(I)P strategies, and (sector-specific) protection goals for
the most concrete form of such statements in sector-specific protection plans.
Furthermore, the chapter compared what is said about that which is threatened and in
need of protection (i.e., referent object) and the type of threat (i.e., threat subject). It
was shown that the strategies and policies differ considerably with regard to these two
issues, but that despite these discrepancies, they usually propose similar concepts to
respond to cyber vulnerabilities: Public-Private Partnerships (PPPs); efforts to
strengthen coordination between the different agencies that are assuming tasks in the
field of CIIP; campaigns to increase public awareness for cybersecurity; and attempts
to improve international collaboration.
The similarities between the different strategy and policy papers can be seen as an
indication that most governments face the same problems in formulating and
implementing CIIP policies: Specifically, the vague definitions of threats in the
strategy papers lead to rather vague concepts for countermeasures. As a consequence,
most strategies do not succeed in setting priorities or in providing sufficiently defined
cybersecurity programs, which impairs their value. To move beyond this problem, an
optimal strategy making process was outlined in the section above. This process
combines a top-down with a bottom-up approach and integrates the three levels of
protection principles, policies and goals in an optimal way.
The three-level model in combination with the description of the combined top-
down/bottom-up process outlined above provides a useful framework for the
definition and use of protection goals in critical infrastructure protection, as it ensures
coherence between the protection goals in different sectors and a sufficient level of
specification of protection goals within the individual sectors. Beginning at the
political level, protection goals are first identified at the highest strategic levels and
articulated in a national security framework/strategy. In this phase, overarching
protection principles and goals, such as the protection of critical infrastructure, are
addressed. The next step is the creation of CIP strategies where specific sectors and
sub-sectors are highlighted and protection principles (such as promoting information-
sharing, utilizing a risk framework, creating public-private partnerships, etc.) are
applied and further refined. This step leads to a process of policy transfer, with
protection goals developed in the political level being applied at the sector-specific
level, and the beginning of an exchange between specialized public agencies and CI
operators in the private sector. The sector-specific level is where protection goals
become customized based on the particular needs of an identified CI sector – resulting
in the construction of sector-specific plans. At this stage, the role of the private sector
is to manage CI, liaise with the public sector, and articulate goals and measures to
achieve protection. Within the public sector, specialized agencies work to
communicate federal mandates to CI operators and create platforms for information-
sharing and partnerships.
While the CIP framework described herein points to a traditional top-down process –
with the top level setting the agenda – there are bottom-up forces that inform the
political level, creating feedback loops. At both levels, a broader informing
environment provides insights and influence to those identifying goals and means of
protection, for example. This informing environment includes public officials and
local/regional state agencies as well as those operating in the private sector and in
academia/think-tanks. Overall, this framework exemplifies a dynamic, interactive
process where each sphere of influence has a key role to play in defining and refining
protection goals.

References
1. Collier, S., Lakoff, A.: The Vulnerability of Vital Systems: How ‘Critical Infrastructure’
Became a Security Problem. In: Dunn Cavelty, M., Kristensen, K.S. (eds.) The Politics of
Securing the Homeland: Critical Infrastructure, Risk and Securitisation, pp. 40–62.
Routledge, London (2008)
2. Dunn Cavelty, M.: Cyber-Security. In: Burgess, P. (ed.) The Routledge Handbook of New
Security Studies, pp. 154–162. Routledge, London (2010)
3. President’s Commission on Critical Infrastructure Protection. Critical Foundations.
Protecting America’s Infrastructures, US Government Printing Office, Washington DC
(1997)
4. Brunner, E.M., Suter, M.: International CIIP Handbook 2008/2009. Center for Security
Studies, Zurich (2008)
5. Caudle, S.L.: National Security Strategies: Security from What, from Whom, and by What
Means. Journal of Homeland Security and Emergency Management 6(1), 10 (2009)
6. Mintzberg, H., Ahlstrand, B., Lampel, J.: Strategy Safari: A Guided Tour Through the
Wilds of Strategic Management, p. 9. The Free Press, New York (1998)
7. Schneider, V., Hyner, D.: Security in Cyberspace. In: Koenig-Archibugi, M., Zürn, M.
(eds.) New Modes of Governance in the Global System. Exploring Publicness, Delegation
and Inclusiveness, Palgrave Macmillan, pp. 154–176 (2005)
8. US Government. Cyberspace Policy Review. Assuring a Trusted and Resilient Information
and Communication Infrastructure. US Government Printing Office, Washington DC (2009)
9. Ministry of Defence of Estonia. Cyber Security Strategy. Cyber Security Strategy
Committee, Tallinn, p. 8 (2008)
10. Cabinet Office of the United Kingdom. Cyber Security Strategy of the United Kingdom.
Safety, Security and Resilience in Cyber Space. The Stationery Office, London, p. 9
(2009)
11. US Government, Cyberspace Policy Review, p. 2
12. Cornish, P., Hughes, R., Livingstone, D.: Cyberspace and the National Security of the
United Kingdom. Threats and Responses. Chatham House, London (2009)
13. Homeland Security Council. National Strategy for Homeland Security. US Government
Printing Office, Washington DC, p. 1 (2007)
14. Ibid, p. 26
15. Dutch Ministry of the Interior and Kingdom Relations. National Security Strategy and
Work Programme 2007-2008. Broese & Peereboom, The Hague, p. 16 (2007)
16. Ibid, p. 13
17. Her Majesty the Queen in Right of Canada. National Strategy for Critical Infrastructure.
Public Safety Canada, Ottawa, p. 25 (2009)
18. Cabinet Office of the United Kingdom. The National Security Strategy of the United
Kingdom. Security in an Interdependent World. The Stationery Office, London p. 5 (2008)
19. Ibid, p. 26
20. Department of Homeland Security. National Infrastructure Protection Plan. Partnering to
Enhance Protection and Resiliency. Government Printing Office, Washington DC, p. 1 (2009)
21. Her Majesty the Queen in Right of Canada. National Strategy for Critical Infrastructure
p. 1 (2008)
22. Australian Government. Critical Infrastructure Resilience Strategy. Commonwealth of
Australia, Barton, pp. 3ff (2010)
23. Brunner, E., Giroux, J.: Resilience: A Tool for Preparing and Managing Emergencies. CSS
Analyses in Security Policy, No. 60, p. 1 (2009)
24. For a complete list of the sector-specific agencies, see: Department of Homeland Security,
National Infrastructure Protection Plan, p. 19
25. Other plans can be retrieved,
http://www.dhs.gov/files/programs/gc_1179866197607.shtm
26. Department of Homeland Security. Information Technology. Critical Infrastructure and
Key Resources Sector-Specific Plan as Input to the National Infrastructure Protection Plan.
Government Printing Office, Washington DC, p. 11ff (2007)
27. Bundesministerium des Innern. Umsetzungsplan KRITIS des nationalen Plans zum Schutz
der kritischen Informationsinfrastrukturen. Publikationsversand der Bundesregierung,
Rostock (2007)
28. Cabinet Office of the United Kingdom, Cyber Security Strategy, pp. 12f
29. Swedish Civil Contingency Agency. Information Security in Sweden: Situational
Assessment 2008. MSB, Karlstad, p. 3 (2008)
30. US Government, Cyberspace Policy Review, p. 2; Ministry of Defence of Estonia, Cyber
Security Strategy of Estonia, p. 10
31. US Government, Cyberspace Policy Review, p. 1
32. Swedish Civil Contingency Agency, Information Security in Sweden, p. 3
33. Cabinet Office of the United Kingdom, Cyber Security Strategy, pp. 14
34. US Government, Cyberspace Policy Review, p. 8
35. Ministry of Defence of Estonia, Cyber Security Strategy of Estonia, p. 8
36. Ibid
37. Ibid.: p. vii
So extraordinarily is sound conveyed in these vast and barren
tunnels that every word spoken during the night at the other end of
the passage is distinctly audible, whereas conversation close by is
almost unintelligible, so great is the echo. I think Mr. Burglar Lovell
may congratulate himself that he had not been relegated to
Coldbath Fields, for he would most assuredly have derived less
benefit there from his sixty feet of rope than he appears to have
done at Millbank. A prisoner attempting to escape forfeits all the
time he may have completed of his sentence—a sufficient deterrent
for a sane man! A very disgusting adjunct to the convalescent ward
is “Itch Bay,” and though comparatively distinct, is actually next door,
and leads from it. It is devoted to those filthy creatures who, on
admission, are found to abound in vermin, or who, after months in
prison—as can be verified—have caught the disease (according to
my theory) by using the universal bath. The treatment of this
complaint can hardly be said to be a pleasant, although undoubtedly
a very effectual one. A man is taken to “the bay,” made to strip off
all his clothes, put into a separate cell, and smeared with a thick
coating of mercurial ointment, and left to soak for three days at
least, and often longer. His bedding may best be described as an
ointment mattress, with “blankets to match,” so saturated is
everything in this fearful quarter, the stench from which pervades
the passage, and works into the convalescent ward. I used almost
daily to see these loathsome objects, either before admission or
after three days’ retirement, and it is difficult to say which is the
most revolting. On admission, and previous to treatment, I have
seen three or four of these unclean things waiting to be admitted.
During this time—often an hour and more—they sit in the
convalescent ward, use the furniture, and circulate with the others.
This surely is wrong, and may justly be laid to the charge of
negligent warders! On leaving they are again taken through the
ward, devoid of all covering but the saturated blanket, and
conducted to a bath. This bath is a fixture in the hospital kitchen.
Yes, the itch bath in the principal prison of civilized London is in the
hospital kitchen! I have seen these social pariahs splashing about
within a few feet of the kitchen fire, whilst a rice pudding was being
made—an appetizing accompaniment to the preparation of human
food. This gross outrage on cleanliness must fairly be charged to
the Home Office people; and as the kitchen is situated in the main
thoroughfare, and passed through almost daily by visiting justices or
prison commissioners, it is clearly no official’s business to point it out
—and if a surgeon represented it he would probably be told to mind
his own business. This is in conformity with prison usage, and
anyone mentioning, or taking apparent interest in a trifle not actually
connected with his special department, is at once suspected of some
sinister motive. I have heard officials regret this disgusting
institution, and their inability to remedy it.
I have more horrors connected with this kitchen to mention when I
describe the hospital, and hope some one whose business it is will
redress this crying shame. As a set-off to the many discomforts
attending the convalescent ward, were the facilities it offered for the
uninterrupted working of the telephone, and so multifarious were
the opportunities, and so utterly impossible detection, that I omitted
the commonest precautions as absolutely superfluous. My favourite
time for correspondence was between two and four in the morning.
I noticed that nature usually asserted itself on turnkey humanity, and
that the most watchful became drowsy about this time. It must be
remembered that a night warder is in the room all night, and that
the gas, though turned down, is alight. I frequently wrote for two
hours at a time, and as my bed was next the fire-place I had the
advantage of poking it into a blaze as circumstances required. I
often wondered whether these watch-dogs were really dozing. That
they had not the faintest suspicion I am confident; the very
possibility of such coolness may possibly have disarmed them, for I
have written for hours under their very noses. One night I had a
considerable scare. I had been carried away by the interest of my
letter, and whether I had thought aloud and some word had escaped
me I cannot say, but on peeping round the mantelpiece I saw one of
the most ferocious of the tribe—who was on duty that night—leaning
forward and peering in my direction. His eyes glistened like a
cheetah’s as he cautiously approached the fire-place—the
mantelpiece and one bed alone separated our respective positions,
the rattle of a paper, or a hurried motion, would have been fatal; so,
proceeding to mutter in my sleep, I slid my arm over a very damning
pile. For some moments he stood intently watching me, and then
happily began to poke the fire. Had he delayed much longer I
should inevitably have betrayed myself; as it was, the noise
“justified” my being disturbed, and I rolled round, “papers under,” as
Bell’s Life would once have described a pugilistic round. The danger
was now past, but I had quite determined, if he had asked me any
unpleasant questions, to have made a dash at the fire-place and
destroyed the evidence. There is a curious invention that exists in
various parts of the prison. Detector-clocks are intended to show
that a warder must have been alert every half-hour, by being
required to press down a pin. This pin is so constructed that it
cannot be let down except at the exact time, or unless the clock is
unlocked. These various clocks undergo a minute inspection the
following morning, and if all the pins are not down the delinquent is
fined a shilling, or even more, for each omission. I could tell some
curious stories about these detector clocks, but their narration might
be interpreted as pointing in directions I have no intention of
indicating. I may, however, without compromising anyone, state
that if the authorities conceive they are aware of the exact number
of keys that open these clocks, they are considerably out of their
reckoning.
“My eye, old man,” I one morning said to an acquaintance, “you’ve
missed two or three pins.”
“Never mind,” he replied; “I’ve got a pal outside that’ll make it all
right before I’m relieved.”
At 6.30, when my friend was, I hope, comfortably in bed, I saw the
Detector inspected and found “correct.”
On one occasion a friend kindly supplemented the rubbishy literature
provided by the chaplain by lending me to read the book of “Rules
for the Guidance of Warders and Assistant-Warders.” They can
hardly be said to be as interesting as those lately published by
Howard Vincent for the guidance of the police, although, situated as
I was, they were to me vastly more important. I had intended to
have produced them verbatim, but they are not of sufficient general
interest. They, however, deal with the various duties of warders in
that absurd style which attempts to impress on them the
responsibility and general respectability of what, if carried out in its
integrity, is a contemptible system of espionage.
CHAPTER XX.
CRIMINAL LUNATICS.

In one of the padded cells was a dangerous lunatic. For weeks and
months he had kept up an incessant conversation with himself,
occasionally diversified by shrieks and yells. At first it was believed
the man was shamming, and he was taken before the visiting
justices and sentenced to be flogged, but this usually infallible cure
had not the desired effect. Clothes were converted into rags in an
incredibly short space of time. He was handcuffed in front, and still
they were destroyed. He was handcuffed behind with the same
result. On his door being opened he would be found naked, the
handcuffs on the floor, and his clothes in shreds. Canvas sacks, with
slits for the head and hands, were suggested, and, first clothed,
then handcuffed with his hands behind him, and finally covered with
the huge sack, he was again consigned to the cell. The same result,
however, invariably followed, and the kind-hearted doctor, despairing
of cure, and though inwardly convinced it was an artfully contrived
sham, yet loth to persist in the stringent remedies that alone were
effectual, gave him the benefit of the doubt, and consigned him to
the Criminal Lunatic Asylum at Hanwell. I have frequently seen this
maniac fed. His door was opened and he was brought out, and,
half-naked and handcuffed, bleared, filthy, and bleeding from self-
inflicted injuries, with dishevelled hair, and glaring like a panther, this
wild beast in human form would open his mouth, and gruel and
bread be shovelled in bounteously. Attempts would occasionally be
made to induce him to wash, but at best they were qualified
successes, and the assistance of four or five turnkeys had eventually
to be resorted to. It was impossible to believe this being was sane
and capable of keeping up the deception for such a time. Sleep was
out of the question, for night was made hideous by the muffled
shouts and blasphemies that forced themselves through the padded
cell. But a reprieve at length came, and it was with a sense of relief
that I one morning saw him taken off to Hanwell. The lull, however,
was not of long duration; and he was eventually sent back as
“cured.” The cure showed itself in a curious way. On finding himself
again in his old quarters, and smarting under a pretended sense of
breach of faith, he raved that the doctor at Hanwell had promised to
release him if he withdrew his claim to the crown of Ireland. And
now a reign of terror began in earnest, and shouting for Parnell, his
secretary, the Empress Eugenie, and Old Ireland, he raved and
roared day and night. How human nature could bear such a strain
appeared marvellous. One night all was calm. “Thank goodness!” I
thought, “he’s collapsed.” Had he? The wish, alas! was father to the
thought, and the lull was only the precursor of the storm. Whilst we
were sleeping the maniac was maturing his plans, and a shout of
“Fire!” one night reminded us of his proximity. Smoke was now
issuing from the padded cell. To draw back the ponderous bolts was
the work of a second. To distinguish anything was absolutely
impossible. Blinding smoke filled the cell, and as it poured out a
terrible sight presented itself. On the floor was the charred
mattress, the horse-hair alight, and the plank bed smouldering, and
peacefully lying beside it was the madman. The first idea was that
he was dead, but the smoke that would have killed a sane man had
but temporarily stupefied him. In an instant he was on his feet, and,
his arms being free, made a desperate attack with pieces of glass on
the two men who had humanely approached him. Further help was
now sent for, during which time he kicked, struck, and bit everything
within reach, and it required sixteen men to secure and remove this
wild beast in human form. The extent of his mischief now made
itself apparent. How he had removed the handcuffs remains a
mystery, but with the cunning and dexterity only to be found in
maniacs, he had succeeded in reaching the gas, which, situated ten
feet from the ground, and protected by a strong glass, must have
taxed his ingenuity, not only to reach, but eventually to open, and
yet this had been done so quietly that forty men and a watchful
warder in the adjoining room heard nothing. With the fire now at
his disposal, he had burnt the straps that were lashed round his
body to secure the sack, but finding the effect not sufficiently
expeditious, had proceeded to pull out the bed-stuffing, and lying
down naked, bruised, and bleeding, beside the smouldering mass,
calmly awaited the conflagration that was to free him. The cell
presented an extraordinary appearance. On the floor were broken
glass, burning wood, and his clothes torn to shreds; here the
handcuffs, there the charred straps: the walls were smeared with
filth and dabbed with porridge; the plank bed was torn up, and
plaster and brickwork removed: a terrible wreck, an incredible
performance, and all the work of two hands, handcuffed behind and
strapped, and surrounded by every precaution that official ingenuity
could suggest.
This final escapade materially assisted the magisterial finding as to
the extent of the maniac’s “cure,” and he was again consigned to
Hanwell.
Another lunatic of a different type was an inmate of the convalescent
ward, a harmless, inoffensive creature, that had been flogged out of
his senses. His physique proclaimed him incapable of doing bodily
harm to a calf. He was not more than five feet high, with a fore-arm
like a robin’s thigh, and the receding forehead, sunken eye, and
conical skull associated with imbecility; but he had once
“threatened” a warder, a hulking, round-shouldered old woman, that
might have squeezed the life out of him without turning a hair, and
discipline demanded he should be reported, and the visiting justices
sentenced him to be flogged. From that day he never spoke, and
would sit for hours without moving; suddenly he would break out
into an immoderate fit of laughter, to be immediately followed by a
paroxysm of grief, and, laying his head on the table, would sob like a
child. Nothing appeared likely to restore his naturally limited
intellect, and the country will be at the expense of keeping this
“dangerous criminal” for another twelvemonth, who would be
infinitely more at home at Earlswood Asylum for Idiots. A perfect
child occupied another of these hospital cells, an incorrigible young
scamp of about fourteen, that nothing seemed capable of taming.
Everything within reach he proceeded to destroy, and clothes
supplied him in the morning were in shreds at night. He, too, was
constantly handcuffed; he refused to eat, and for a week nothing
passed his lips. One day, on his door being opened, he was found
suspended by a bed-strap from the bell-handle: another second, and
life would have been extinct. For this he was taken before the
visiting justices and birched. It had, however, no deterrent effect,
and up to the time of his release he remained the same incorrigible
young ruffian. There is no hope for such a lad; his future is bound
to be a repetition of many instances I saw amongst the adults, who
had commenced a career of crime with birchings, followed by three
and five years in a reformatory, and ending with imprisonment and
eventually penal servitude. Another companion that was the source
of occasional anxiety, had been an inmate of a lunatic asylum, and
though usually quiet, was subject to extraordinary fits. The first
intimation of one coming on was a demoniacal groan, and in an
incredibly short time a space was cleared round him. It had been
found, indeed, that nothing could arrest the first paroxysm, and on
the “band beginning to play,” a stampede invariably ensued: and not
without cause, for everything within reach became an instant wreck,
and tables, chairs, books, and (when procurable) arms and noses,
were ruthlessly attacked by hands, feet, and teeth. When
comparatively restored it took six or eight men to remove him into a
cell, and the only thing that appeared to rouse him was the presence
of the priest. So efficacious was this remedy that when everything
else failed, the Roman Catholic chaplain was invariably sent for, and
in a moment oil appeared to be thrown on the troubled waters, and
the maniac arose subdued, and clothed in his right mind. Here was
a religion that appeared to appeal to the feelings, and to produce
results never attained by brow-beating and personality—a lesson to
be laid to heart, and worthy of imitation, though in the quarter it
was most needed it was, I fear, utterly thrown away. Personally this
influence did not surprise me, for though debarred, by being a
Protestant, from coming into actual contact with the priest, I was
considerably struck, and almost fascinated, by the kind smile and
friendly salutation he had for all his co-religionists. An Italian by
nationality, with all the refinement of manner habitual to his
countrymen, this polished gentleman was a pronounced contrast to
the fire-and-brimstone snob occasionally met with in the
“Established” ranks.
CHAPTER XXI.
PRISON CELEBRITIES.

I was surprised at the number of respectable men—such as solicitors,
an ex-officer of Guards, a bank manager, a man of title,
stockbrokers, cashiers, ex-officers of the army and navy, clerks,
clergymen, etc.—in Coldbath Fields. Some of these had quite lost
(supposing they ever had any) their pristine semblance of
respectability; others, again, retained the appearance of persons of
education, and spoke and deported themselves as such. A
lamentable instance of the fatal effect of associating with the scum,
and the ease with which a young man of good position can acquire
the style and appearance of a vagrant, was exemplified in young B—.
He was not more than 25 or 26, had been a subaltern in the —
Guards, and came, moreover, of a good county stock; and yet in six
short months he had so far degenerated as to be punished on the
day his sentence expired for stealing a loaf from a fellow prisoner.
A worthy old man with grey hair and venerable appearance, and
who might have passed for the chairman of a board of directors,
appeared every morning at mine and other cells in the passage with
a dust-pan, and with methodical precision removed the sweepings.
He told me he had been a solicitor with a large connection, with
chambers in — Street, and had a wife and grown-up family in a
comfortable house in a well-known suburb. His imprisonment was
perceptibly telling on him, and his hair and beard grew whiter every
day.
A bustling, business-like man, one day attracted my attention. He
was connected with the stores, and brought me a new pair of
boots. He had been the manager of a London bank, and undergoing
retirement for six months for some error regarding the ownership of
£300.
A tall, smart-looking man that was pointed out to me, was, I was
informed, an individual who attained notoriety some two years ago
over a mining scheme. He was suffering two years’ incarceration for
a miscalculation of over £7000.
A man who called himself Count H—, and an ex-convict to boot, was
languishing for a year, because certain noblemen had had the bad
taste to object to his having obtained money from them by false
pretences. This nobleman! had a mania for petitioning the Home
Office (I will give a specimen of his style hereafter).
In addition to these, numerous individuals who had been gentlemen
in their day were known to me by sight. Conspicuous amongst
them, was an old jail bird and ex-convict, who had 20 years ago
been a captain in the army, and ever since had existed (and still is)
in prison, for terms of seven, five, five, two, and one years. All the
starch had been thoroughly wrung out of him, though he
occasionally stood on a dilapidated kind of dignity. I once asked him
where a friend of his had gone. He replied, “I don’t know; we don’t
speak now; he’s no gentleman. Will you believe it, he had the
impertinence to doubt my word.” As his word had been doubted a
good many times during the past 20 years, I was considerably
amused by this assumption of dignity.
Many prisoners are under the impression that they have only to
petition the Home Office to procure a remission of their sentence. It
seems perfectly immaterial to them, whether they have the slightest
grounds for this assumption or not, and it frequently happens that,
instead of mitigating their offence, they put matters in a more
unfavourable light by airing their grievances, whilst others make a
rambling statement referring to every subject but the one
particularly concerning themselves.
Count H— was a specimen of this class. He was undergoing a well-
merited 12 months’ imprisonment for defrauding the Dukes of S—
and M— and other noblemen of sums of money, by representing
himself as the son of some individual, which he certainly was not. It
is, of course, possible that he may (to use a vulgar expression) have
been “changed at nuss,” though the fact that he had previously
undergone five years’ penal servitude for a similar offence minimizes
the probability that he was acting under a misapprehension. The
Count! had no sooner taken up his quarters than he expressed a
desire to petition the Home Secretary. A “form” being supplied him,
which he retained four days, eventually reappeared so blurred and
smeared with blots and erasures that its transmission was
impossible. A second attempt was more successful, and the
following exhaustive specimen of penmanship and veracity struggled
up to the Home Office, and eventually struggled back:—“That your
petitioner, on being discharged from Pentonville Convict Prison, at
the expiration of five years’ penal servitude, found that certain
moneys and property, valued at several hundred pounds, had been
stolen by his agent, who collected his rent on his estates in Italy;
that being at that time without funds to go abroad, he had written to
the Duke of S— and Duke of M— and others, asking for a loan until
he received his rents. That his father really was Count H— and a
friend of these noblemen, and that the charge of false pretences was
consequently incorrect. That he had held diplomatic appointments,
and been decorated for gallant service, and that he possesses a
coronet with S.P.Q.R., all of which clearly proves his identity. In
conclusion, your petitioner appeals to you with confidence as a
lawyer of renown, and a scion of the noble house of Vernon.—
Signed, H—.”
I have corrected “the Count’s” spelling as far as possible; the logic
and composition were, however, past redemption. The rogue
evidently knew the Home Secretary’s claim to “Royal descent,” as
delicately hinted at in the concluding paragraph.
Another individual petitioned against his hair and beard being cut,
on religious grounds, and quoted the Law of Moses as forbidding
these formalities. This specimen did not, I believe, leave the
establishment.
I was frequently struck by the vast difference in the sentences
awarded in what appeared to me to be parallel cases, and tried in
vain to discover any system that might be supposed to regulate
them. It cannot be denied that a great difference of opinion exists
apparently amongst judges on the subject of crimes and their
punishment, and that whereas one judge will administer justice with
harshness, another will attain the same desirable end with a regard
to humanity. With these respective characteristics, the criminal
classes are thoroughly conversant, and it would astonish the Bench
if they heard how accurately their respective peculiarities are
summed up. Thus one judge is credited with being very severe on
conspiracy and long firm cases, whilst another is supposed to be
“down” on burglars, whilst it is generally conceded that a plea of
guilty will invariably fare better than one of not guilty. For my own
part I fancied I had noticed that conspiracy is considered the most
serious offence, and that two men conspiring to defraud another of
£50 will run the risk of a severer punishment than the individual who
unaided steals £500.
I will quote a few first offences which, apparently similar, differ
considerably as regards their sentences:—
(a) A solicitor for passing a forged cheque for £18 that had been
paid to him: 18 months’ imprisonment with hard labour.
(a) A bank manager for appropriating £300: six months’
imprisonment with hard labour.
(b) A wine merchant for complicity in a forged cheque, £52:
sentence, 18 months’ imprisonment with hard labour.
(b) A commission agent for forging a £600 bill of exchange: 12
months’ imprisonment with hard labour.
(c) A clerk (with twenty years’ good character and recommended to
mercy), for forging £50 and stealing employer’s cheque: sentence,
twenty months’ imprisonment with hard labour.
(c) A City man, for a fraudulent mining scheme and forgery, whereby
he obtained £7000: sentence, two years’ imprisonment with hard
labour.
(d) A shopman, for robbing his employer of £50: sentence, three
months’ imprisonment with hard labour.
(d) A beggar boy, for stealing 1s. 6d.: sentence, three months’
imprisonment with hard labour.
There are men in Coldbath whose cards show upwards of seventy
previous convictions, varying from a year to seven days; nor is it to
be wondered at, considering the starvation that confronts them
outside and the comfort that is accorded them in prison. One of
these habitual vagrants on his periodical appearance was usually
accosted with an official joke, “Same address, I suppose?” “Yes,
please,” was the invariable reply; “no change since last time.”
One old man in the convalescent ward, suffering from rheumatism
and asthma, who was supplied with dainties he could never have
heard of before, confessed to me that he should have preferred six
to the three months’ imprisonment he was undergoing. Another old
vagrant (a City man) told me that he always made it a rule to sleep
on a doorstep a day or so before Christmas Day to insure the
Christmas meal of a loaf of bread, beef, pudding, and a pint of ale,
stood by the Lord Mayor to every prisoner in Newgate. He was
bewailing the loss of that charming residence, and telling me how,
having foolishly omitted to make himself acquainted with the change
of system, had subsisted last Christmas Day in “Coldbath” on dry
bread and stirabout.
Foreigners of every description find their way into Coldbath, though
the majority consists of Germans, mostly Jews. There is an
advantage in belonging to this faith, as I was led to understand by a
gourmand. It consists in receiving meat on Mondays in lieu of the
usual bacon and beans. Circumstances, however, render the
temporary embracing of this faith more difficult than they do that of
Romanism, which is much in vogue; and as certain punishment
would follow the certain detection, Judaism has not as many
followers as the Australian meat would otherwise command.
Flogging is usually administered for insubordination and
malingering. For less serious offences the punishment cells and
short commons usually have the desired effect. There are two
descriptions of corporal punishment—the cat and the birch, usually
reserved for youths. In the former case the culprit is lashed to a
triangle; in the latter he is hoisted on what is euphoniously called a
donkey. As a punishment, the cat, as applied in prisons, is not to be
compared to its defunct namesake in the army or navy. It is
sufficiently severe, however, to necessitate certain after-treatment—
an item in the programme regulated rather by the “system” than
humanity. A soldier was invariably admitted into hospital after
undergoing corporal punishment; a prisoner is, however, flogged and
then conducted to his cell.
These floggings are usually administered in the forenoon in presence
of a surgeon, and before evening a zinc plaster—perhaps two—is
applied to the recipient’s back. The performance takes place in a
room off the main passage, and is not unattended with a certain
amount of ceremony. The traffic is stopped, and no particulars
transpire but the howls of the victim, which can be heard all over the
building. Since the abolition of Newgate, Coldbath has risen in
retributive importance, and garrotters sentenced to the lash here
receive their punishment.
A one-legged garrotter was lately flogged; his leg, which had been
amputated at the thigh, prevented his being securely tied, and his
abortive struggles procured him a flogging infinitely severer than
ordinarily experienced. Every blow fell on a different place, and the
twenty lashes left twenty wheals, breaking the skin in a dozen
different places. Sympathy with a garrotter would be out of place,
and no one can doubt that he richly deserved his punishment; yet
one’s bowels of compassion are instinctively moved by the
description given to me by an eye-witness, of a lump of bleeding
humanity alone and sobbing in a cell, and receiving at five in the
afternoon a zinc plaster to apply to the back that had been torn and
lacerated in the morning.
This treatment in no way reflects on the prison officials, who simply
carry out the regulations; it is the system that is to blame, and is
capable, like the dispensation of justice before described, of
considerable improvement on the score of humanity.
Floggings and birchings appear to have no effect on these hardened
criminals, and though they shriek and bellow during the infliction,
they invariably revert to the same offence, and qualify for a second
edition. Shamming madness is a favourite form of malingering
indulged in by prisoners. The uneducated mind, however, invariably
resorts to the same tactics—a combination between the symptoms
of idiocy and hydrophobia that generally fails in its objects, and
invariably yields to treatment by the cat.
The boys that find their way into Coldbath are the most hardened
young scamps I ever saw. They are supposed to be isolated, as
required by recent agitation on the subject of juvenile offenders.
That the isolation is a farce need hardly be said. At chapel they
certainly occupy benches to themselves, but so do the various wards
and trades; the tasks they are put to are similar to those done by
adults; and the pains and penalties they undergo are identical in
time and circumstance to those of the full-blown criminal. I have
seen these urchins on arrival, with their knuckles in their eyes,
blubbering in chapel, and a week later winking and making signs as
if determined to assert their qualification to be clothed and treated
like their adult fellow-prisoners.
Tearing up their clothes is the favourite pastime of these promising
youths. I have frequently seen these children marched along a
passage, handcuffed behind, and preceded by a warder carrying a
bundle of rags three inches square, that formerly represented their
linen and clothes. The treatment they receive puts this crime at a
premium. Boys are admittedly vain, and desirous of appearing as
men to their older associates, what more natural then, that a child
(one of the instances I refer to could not have been fourteen) should
aspire to the honour of appearing as a hero; marching through a
crowded passage with his manly work conspicuously displayed,
treated, moreover, like a real man, manacled, and eventually
birched, and receiving the approbation invariably accorded by the
criminal classes to the perpetrators of wanton mischief. One would
suppose that in a huge building like Coldbath Fields these urchins
might be absolutely isolated, and if their offences were punished
without the publicity that at present attends them, they would soon
be given up as not worth the consequence. That the treatment of
this hardened class of boys is a difficult problem, cannot be denied,
and the cunning and ingenuity they display is almost incredible.
Fully aware that the visiting Justices only visit the prison once a
fortnight, and that without their order a birching is impossible, it
frequently happens that on the day of their discharge every article of
their clothing is made into mincemeat. For this mischief they are
absolutely free from any consequence, it being an offence against
the prison, and not against the law. If a remedy was applied to this
crime, similar to the Article of War that provides against the
destruction of Government property, the delinquent might be handed
over to a policeman, and this would effectually stop the practice.
CHAPTER XXII.
THE TREAD-WHEEL.

By Act of Parliament, all prisoners, till quite recently, were
photographed after admission to the various prisons. This universal
system is now abolished, and since January, 1882, it is only reserved
for habitual criminals and prisoners sentenced to police supervision.
I had the good fortune to add to my experiences and my desire to
see everything, by coming under the universal system, I having
become a Government ward exactly eleven days before the
expiration of the Act. One morning, whilst at exercise, my name was
called amongst some half-a-dozen others. I could not conceive what
new atrocity I had perpetrated, and what could have occurred to
disturb the even tenor of my ways. A few of my more experienced
comrades, however, enlightened me by remarking I was “a-goin’ to
be tuk,” and I found myself on the road to the studio.
Photography such as this can hardly be considered artistic, though I
have seen worse, but not much. It probably, however, answers all
the requirements it is intended for. These works of art are only
produced in duplicate, and though I offered a fabulous price to the
seedy artist for an extra copy, no business was done; for though
negatives are kept, they are kept under lock and key. Of the copies
usually printed one was presented to the Governor of Newgate (this
individual being lately abolished, I do not know who is now the
recipient), the other finds its way into the Coldbath album, and no
doubt affords pleasure and instruction at such jubilant gatherings as
prison lawn tennis parties, or warders’ beanfeasts, which I was
informed (though never invited) are occasionally indulged in.
Prisoners are taken in their own clothes, and it is a matter of regret
that the ones I then wore have gone the way of all old clothes, for,
like their owner, they did not improve by their incarceration, and
their huge proportions made them worthless without alteration.
Pose or position is a secondary consideration, a good out-and-out
resemblance is the thing to be attained; a deformed ear, or a fly-
blown nose, would at once be seized upon, and the lens directed
point blank at such fortunate distinctions. In my case there was
nothing to merit special reproduction, so with a smirk that would
have hanged me fifty years ago (for even here the “artist” could not
resist the conventional request) I qualified for the Government
album. On one side one’s number is pinned to one’s coat, on the
other is a slate with one’s name in full, thus supplying an index
simple but complete, and in proportion to the intellects of such
probable students as the motley crew one periodically saw at
Newgate. To me the ordeal had neither terror nor charms, though
to some of my companions it was evidently not agreeable. One
rogue caused considerable trouble by persistently protruding his chin
or distorting some feature; these antics were not indulged in in a
spirit of levity, but resorted to gradually as the cap was being taken
off. He evidently objected to an accurate likeness, and so he might.
I never could find out particulars, but not long after he disappeared
from Coldbath, and whether hanged or a “lifer,” I never heard. That
photograph had fulfilled its mission.
Visits to Coldbath cannot under ordinary circumstances be
undertaken by any but the most robust. The accommodation is
clearly intended for the scum of London, and it is unfair to expect
any respectable person to come unless smell-proof and provided
with a box of Keating’s insect powder. I received one visit under
these revolting conditions, though my subsequent ones left nothing
to be desired. Conceive, then, a cell eighteen feet by twelve, fitted
with four partitions on either side, divided by a narrow passage, with
a warder walking up and down. Into one of these cages the visitor
is conducted and locked in. Immediately opposite, and similarly
enclosed, is the object of his visit. In appearance they resemble a
Cochin China hen-coop; in size they about equal the den of the
untameable hyæna in a travelling menagerie. Conversation of a
private nature is out of the question, as, indeed, is intended; topical
subjects are tabooed, and but for the sake of adding to my
experiences I should never have subjected myself or my friend to
such nasty conditions. Within a foot of one, and flanked on both
sides, was either a costermonger talking to his missus and her
frowsy, unvaccinated-looking offspring, or a pickpocket hearing the
latest news from the Seven Dials; the Babel consequent being such
as to leave no alternative but to say nothing, or shout at the top of
one’s voice. There is a snobbishness about this custom that went far
to determine me in my course of telephoning as the only way to
retaliate effectually on official inconsideration. No one would be
foolish enough to expect that a gentleman should be better treated
than a costermonger under such painful circumstances, although it
would be an act of consideration, involving neither inconvenience
nor relaxation of discipline, if some little discretion were exercised,
as at Newgate, regarding the visitors.
The tread-wheel occupies a prominent position in prison life. There
was none at Coldbath on my arrival, the old one having been burnt
down a short time previously. There is a delightful interpretation to
the three magic letters, C. B. F. (Cold Bath Fields), that long puzzled
me, and which takes its origin—as I heard—from the ancient
structure. I had frequently heard this cheerful place referred to as
“The Farm,” and on enquiry it was explained that it was facetiously
known as “Charley Bates’s Farm.” “Charley,” it appears, was a
peculiarly ferocious turnkey that some years ago superintended the
tread-wheel, but whether burnt, like his toy, or still burning, or alive,
I have not the remotest idea. Its successor was now being rapidly
built, and all the artisan talent procurable was laid on, in order to
complete without delay this necessary adjunct to hard labour.
A reference to the “system of progressive stages” will obviate my
repeating many details as to the particular men put to this
punishment, etc.
I had never seen a tread-wheel except from the stalls of the Adelphi
Theatre, and was particularly anxious to gratify my curiosity. I
cudgelled my brains as to how it was to be managed, with such
success that I eventually found myself on the “works.” As I have the
misfortune to be neither a mechanic nor an artisan, and incapable of
driving in a nail without hammering my finger, and being a perfect
infant in the use of a shovel, I was at a loss to conceive how I could
possibly be employed; but this difficulty was at length surmounted,
and armed with a brush I was put on a roving job. I had the run of
the building, with a kind of general instruction to brush everything
and everybody, up stairs and down stairs, and in the warder’s
chamber. The warder in charge of this building in course of
construction, was a worthy man, incapable of being tampered with,
though I never tried him (why should I?), but withal courteous,
respectful, and considerate—one of those men whose bringing up
had thrown him amongst gentlemen, and who knew how to
maintain his own position without offending the susceptibilities of
others. The artisans under him worked with a will, and reports and
rows were things unknown, except on scrubbing days, when some
ill-conditioned hound happened to be temporarily employed. My
duties consisted in sitting about in sheltered nooks with the broom
between my knees, and on the approach of a spy, with which the
place was infested, to rise and make furious lunges at imaginary
spiders. These sweeps into space were very effective, and, fatal as
they would have been to any insect had I seen one, were equally
gratifying to their human prototypes, whose desire was to see one
working hard. During my employment in this building it was, I verily
believe, the object of more inspection than it had ever been before.
I had been informed by telephone that my antipathy had given a
hint that I was to be looked after, and if he was satisfied with the
result I certainly was. Not twenty minutes elapsed between the
various inspections, and occasionally they swarmed like horse-flies in
summer round a lump of sugar. These frequent visits involved an
immense loss of energy, and the casualties amongst the spiders
must have been enormous. When all had been destroyed I
constructed a pile of dirt—one pound of dust to four of shavings—
which I placed in a conspicuous position. This was violently
propelled from me during a visit, and gently restored when the
intruder had passed.
I had the opportunity of inspecting this huge instrument of torture,
and was considerably disappointed that I could not try its effect. I
had the gratification, however, of putting some paint on one panel
and a piece of putty into a hole, thereby having assisted at the
making of the wheel. Putting putty into a hole is not so easy as it
may sound. At the inspection of work next day I had the
mortification of seeing my lump condemned, and cruelly removed.
The tread-wheel is moved by elaborate machinery worked by
powerful engines, which, in addition to setting the wheel in motion,
grinds corn in an adjoining building for the use of the prison. It is
entirely different from the Adelphi one, and may be described as
four long cylindrical wheels extending the length of the building on
either side and along the gallery. Partitions, of sufficient dimensions
to enable a man to stand up, run the entire length of the various
wheels, thereby precluding all communication between the several
occupants. Two hundred and sixty men can be “on” at once, and
the punishment is carried out on the principle of ten minutes “off”
and twenty minutes “on.” The victims are marched down at 7.30
A.M., and beguile the time thus pleasantly till 11.30. They return at
1.30 p.m., and continue the enjoyment till 5.
I am told this is considered an easy wheel, and men who have
experienced the working of others assured me that this one was
mere child’s play. A great deal depends on the worker, and the
experienced jail-bird rises—or, as it was termed to me, “waits for”—
the step with little or no exertion. With the novice, however, it is
severe labour, and the exertion involved bathes him in perspiration.
A supply of warm water is given them on returning to their cells of
an evening, to obliterate in a degree the unpleasant consequences
of the wheel. But the discomfort—can one estimate it? A poor
wretch bathed in perspiration, and having to sleep in the same shirt
and work in it for a week! Only prisoners fit for hard labour are put
to the wheel, and no man is ever so employed unless passed by the
surgeon. The doctor’s work is considerably augmented by the
reconstruction of the wheel, and besides having to visit the yard
frequently during the day, he is persecuted by strings of schemers
trying by every conceivable subterfuge to evade the punishment.
Some go the length of tumbling off, and occasionally succeed in
temporarily disqualifying themselves by a sprained ankle or wrist. I
was much amused during my employment at its construction at the
interest that the various officials took in every detail connected with
its progress. They revelled at the prospect of the treat in store for
them, and seemed to gloat over the exquisite misery awaiting some
of their lambs. Bunches of these warders would occasionally meet,
and discuss the intricacies of the machinery with a gusto only to be
acquired by prison contagion. It would not have surprised me to
have heard that the opening ceremony had been attended by some
kind of fête, to which the warders and “their ladies” had been
invited, and condiments—made on the premises—distributed
wholesale.
My worst enemies, and those I had to fear most, were the
prisoners. They were all jealous of me, and had got an absurd
notion into their heads that I could do as I liked, and, though there
was no truth in such an impression, never lost an opportunity of
“rounding” on me. A one-eyed scoundrel, who was one day checked
and eventually punished for idleness, complained to the Governor
that he didn’t see why he should work all day and another man (me)
sit down and do nothing. This had the effect of causing me to be
transferred elsewhere, and I next added to my experiences by
becoming a gardener. I was not sorry to leave the wheelhouse, for
it had a depressing effect on me, which the hum of the traffic just
outside did not assist in allaying. As a wag said to me one day, “This
will be a nice place when it’s finished.”
CHAPTER XXIII.
GARDENING.

I had at last indeed tumbled on my legs. My new duties offered a
combination of advantages—such as variety, fresh air, newspapers,
tobacco, etc.—far in excess of my fondest dreams. There are six so-
called gardeners, who are constantly employed in the grounds. At
7.30 they go out, and rarely return before dinner; and again at 2,
remaining out till 5. In fine weather this is a great relief, and I
enjoyed many an afternoon basking in the sun on a grassy bank.

The general duties of a so-called gardener are a combination of the
qualifications necessary for a dustman, carpet-beater, and
agricultural labourer. They are, in fact, the scavengers of the
establishment, and poke about all day under a curiosity of the
turnkey species, and overhaul everything and everybody. Their
duties are absolutely legion, and carpet-beating, mowing, weeding,
and raking the walks are only a moiety of their accomplishments. I
was appointed to this favoured team through the kindly
recommendation of the assistant surgeon after my recent temporary
discharge from hospital; and the master gardener, not having been
consulted, as I fancy he usually was, was not by any means
predisposed in my favour. That, however, wore off; and though I
found him the most crotchety, three-cornered eccentricity I had ever
met, I soon discovered his weak point, and did pretty much as I
pleased. I must here repudiate any insinuation that by this I mean
to imply he was to be squared. I might as well have tried to square
the Marble Arch. Besides which, I did not require to, my supply
being greater than my demand.
Our first duty was to proceed to the tool-house, and, armed with
shovels, wheelbarrows, baskets, etc., to commence grubbing about.
As a newcomer I was selected for the “barrer,” and a heavier
“barrer” I never felt; but having knocked some paint off a gate, and
rolled it over a sacred grass plot, my incapacity was so manifest that
I was disrated to a shovel. Here, too, I was lamentably ignorant,
and out of every spoonful I collected a third went into the “barrer”
and the remainder everywhere else. I was, in fact, trying to emulate
the scavengers one sees ladling mud on wet days. The long shots
they make have always inspired me with admiration; their revels in
the oceans of mud exercised a fascination over me, causing me till
now to overlook the science that is required to produce such
apparently simple efforts.
I have often driven up the hill that runs outside the front of the
prison and fancied it was steep; that fancy has since been
confirmed, and I am now in a position to assert positively that it is
very steep, especially between the shafts of a “barrer.”
A duty we were about to undertake one day was the weekly
overhaul of the head warder’s quarters. I was spared a share in this
revolting exercise—I never knew how—but was simply told I should
not be required.
I had often sympathized with these gardeners long before I joined
them, when seeing them shaking the frowsy rugs and rags, carpet
slippers, and other gimcracks, and dusting Mrs. Head Warder’s best
Sunday willow-pattern teapot. My general ignorance, too, in the
various branches of scavengering had become so apparent that I felt
convinced I should be informed that I “didn’t suit”; but, thanks to
the consideration of the Governor and assistant surgeon, I was
retained, though otherwise employed. I was henceforth entirely
detached, and turned out into various portions of the grounds, and
told to do the best I could. My special instructions were to
annihilate a certain weed, for which purpose I was armed with a
knife, though I seldom used it for that particular purpose. The effect
of this weed on the funny head gardener was very strange, and he
would grind his teeth and mutter at the very sight of one. I at once
took the cue, and feeling it would please him, besides showing my
zeal, used the strongest language I could lay tongue to whenever I
detected one. My zeal, I fear, often led me into mistakes, and
valuable clover and priceless dandelions were ruthlessly sacrificed to
my want of discrimination. These errors in uprooting the wrong
plants generally elicited a gentle rebuke, but the “cussing” at the
hated fungus condoned my offence. “It was zeal, sir, zeal,” and he
began to “like that chap—he was willing, anxious like.” But the way
I won the old boy’s heart was my love for old coins (as a fact, I
know nothing about them, and prefer the more modern specimens).
It happened one day he picked up a rusty coin—whether a button or
an obsolete farthing I cannot say. I boldly, however, pronounced it
to be a Henry the Seventh, said I would gladly pay five shillings for
one like it, rattled along about Museum Street, my collection, etc., till
he recognized a brother-collector, and a bond of sympathy was
established; and as he dropped the Henry the Seventh into his
pocket, he led me to understand he had many like it at home.
Whether he undertook a pilgrimage to Museum Street I cannot say,
but about a month later a coolness showed itself in his manner
towards me, which rather led me to suspect he had.
I now found myself my own master. No one was specially interested
in my movements. I was on my own hook, and so long as I
appeared to be occupied when certain individuals were going their
rounds, I was never interfered with; and as these rounds took place
at about the same hours daily, I mapped out my occupation
accordingly.

At 7.30 I was turned into a large lawn, with sloping banks on three
sides and railings on the fourth; between these and the outer wall
was a gravel walk that circumvented the prison. A turnkey patrolled
this walk day and night, armed with a cutlass. I asked one of them
one day what he should do if he found anyone scaling the wall.
“Do?” he said. “If it was you, I should say, ‘Don’t be a fool; you’ll
sprain your ankle dropping down t’other side.’” “And suppose it was
some other chap?” I inquired. “Ah! then,” he added, “I should carve
him about a foot below the waist.”
Between 8 and 9 parties of men were constantly passing to and fro
to their various work. I usually, therefore, devoted that hour to
contemplation, the selection of some half-a-dozen weeds for future
decapitation, and a general look round. When things had settled
down a bit, my knife came into requisition, and proceeding to one of
my hiding-places I selected one piece of tobacco for immediate use,
and sliced enough for my day’s consumption. I had some of these
holes in various parts of the grounds, constructed of a slate floor
about three inches square, with bricks for the roof and sides. I
found them admirably adapted to resist rain, and many I daresay are
still in existence. This enjoyment lasted till 11, when it became
dangerous. (I was nearly choked on one occasion by foolishly
having a lump of tobacco in my mouth when suddenly confronted by
an official.) After dinner I had a good hour’s reading (the papers
don’t arrive before; indeed, the postal arrangements are capable of
considerable improvement), and so the afternoon passed
comparatively pleasantly, between the daily paper, ’baccy, and the
sloping bank. I often felt amused at the thought of how different all
this was to what some people believed; and a conversation I
“overheard” in the previous January, when one cad was explaining to
his inebriated companion that imprisonment with hard labour was
worse than penal servitude, came vividly to my recollection. On one
of these sunny days I was much amused by an outline of the day’s
telegrams as given me by a friendly turnkey. It was the day on
which the news of young Vyse’s death whilst reconnoitring Arabi’s
position reached England. “Them Arabians are rum chaps; ah, and
can shoot too, I tell yer: that officer as was recognisizing—look at
that!”
Chewing was an accomplishment I did not acquire in a day; indeed,
it took me weeks. At first it made me absolutely poorly, but I
persevered, and eventually found it as agreeable as smoking. I
could not, however, manage the twist, and invariably used the
honey-dew or negro-head. This daintiness was not unattended with
inconvenience, as no shop in the neighbourhood kept such a thing,
and involved journeys to the Strand or Oxford Street. I was never
so foolish as to keep the tobacco about me, and my cell was as free
of it as any hermit’s. In the grounds, however, it was perfectly safe;
tobacco under a stone might belong to anybody, and though the
suspicion would probably have cost me my staff appointment,
absolute conviction would have been impossible. To say that I was
free from some sort of suspicion would be hardly correct, for
although I was never searched myself—except on the one occasion
before mentioned—my next-door neighbour was “turned over” about
twice a week. The reason that led to this was as follows:—I had
found this man specially useful—he was quite a second Mike to me;
anything I required he did, and in return I gave him portions of my
superfluous food, and occasionally a piece of tobacco. This traffic
had not passed unnoticed, and had been communicated to a warder
by another prisoner, who felt himself aggrieved at the preference
shown by me for his fellow prisoner. These sneakings are universally
practised, and through my entire experience I had to be careful of
these wretches; they watched me and hated me, and if they got the
chance, always rounded on “The Swell.” Swell indeed! The swelling
had long ago subsided. I only weighed, thank heavens! about
fourteen stone. These sneakings never affected me, and one of
these individuals was once considerably astonished at getting three
days’ bread and water for a privileged communication about me. A
circumstance that occurred one day impressed me very much on the
matter of destiny, and the accidents that sometimes combine to form
a link between two individuals that a month or two previously would
never have been dreamed of. It was the day on which (the late) Dr.
Lamson had been sentenced to death. I was standing not far from
the prison van, which had lately returned after depositing him at the
House of Detention, and watching two prisoners cleaning it out. The
partition that he had occupied contained three or four pillows, and I
was informed it was a delicate attention on the part of the
Government to prevent condemned men intentionally injuring
themselves. “What are those pillows for?” I asked of a turnkey.
“Oh, they’re only Dr. Lamson’s,” was the facetious reply; “he was
sentenced to-day, so we just put them in for fear he should chafe
himself, poor fellow.” When the cleaning was over my brother
reprobate led me to understand he had made a discovery. Beneath
the pillows he had found three cigars; he considerately gave me one,
as indeed prison etiquette demanded, it being an axiom that an
uncompromised holder of a secret is never to be trusted. I certainly
should not have rounded on my confrère, but was nevertheless very
glad to be the recipient of a specimen of this “Marwood” brand. It
was a sin to chew them, but there was no alternative, as smoking
was out of the question. Half-an-hour later, as I bit off a piece, the
thought forced itself upon me, “Three months ago, he at
Bournemouth, and I at Brighton, had never heard of one another,
and here I am chewing the condemned man’s tobacco.” Funny
thing, destiny!