Cybersecurity of Critical Infrastructure

This chapter from the book The Ethics of Cybersecurity centers on the ethical angle of improving the cybersecurity of critical infrastructure, defined to be infrastructures that serve as “general purpose means to different kinds of human activities, in particular economic activities, but also activities necessary to protect security and health.” The authors begin by reporting the results of their literature review on the topic of ethics and cybersecurity in general national security, organizing the key ethical concerns that arise, along with the more fundamental value conflict each is associated with, in tabular form. These issues include the fact that a predominant focus on state- and population-level security obscures individual security, in which the value conflict is state security vs. individual security; that infrastructure is largely operated by private rather than public organizations, where the value conflict is security vs. surveillance/protection of data; and that the growth in the popularity of the Internet has coincided with an increase in criminal activities, where the value conflict is security vs. accessibility. The authors also describe that the literature they surveyed often concentrated on just one value as opposed to highlighting the reality that multiple values conflict in these discussions, and that two overlooked but relevant ideas are the “limitation of democratic values and the creation of power imbalances.”

In addition, the authors further reveal a classification scheme for the types of cyber-attacks that may target critical infrastructure, where the four classes are formed by the intersection of two axes: (1) the type of the damage caused (whether it is purely functional or also has a physical component) and (2) the means of attack (whether is purely cyber or also has a physical component). The increased vulnerability to each of these attack types is related to the growing connectivity and availability of data access, as well as the growth of AI, and the implications of both of these areas (including a set of value conflicts that arise due to AI) are discussed in great detail. The chapter ends with some concrete case studies that highlight some of the ethical dilemmas that were previously described, including one of the Iranian attack on the US power grid (via Calpine Corporation).