The Social Costs of Critical Infrastructure Failures

Posted by Gib Sorebo

In his seminal work, Bowling Alone, Robert Putnam laments the growing decline in social trust in our society as evidenced by declines in social interaction, civic involvement, and nearly every kind of community activity.  That had led to a wide variety of ills, from increased crime to lower economic output.  More important, many of our major institutions depend upon citizen involvement for their ability to thrive.  Similarly, shared infrastructures, such as power lines, natural gas and water pipelines, sewage treatment plants, roads, and various shared services, all depend upon a critical mass of people to participate to cover the very high costs of deploying and maintaining that infrastructure.  For example, no company or government agency is going to build a power plant to serve one person or even 10.  So, if a substantial group decided to go off the grid and generate their own electricity, the ability to maintain these large shared resources would be more difficult, leaving the remaining customers to shoulder a higher share of the fixed costs of maintaining those assets. 

This economic reality came up in the context of a recent large storm that hit the Washington, D.C., metropolitan area.  As is often the case, certain utilities come under criticism for the time it takes to bring the power back on.  Some suggested it was time for certain communities to split off from the larger utility and set up their own municipal-based utility. Such an effort may, in fact, bring communities closer together by relying on each other rather than a large company for their power and thereby increasing social trust. However, that viewpoint seemed in sharp contrast to others who quickly raided home improvement stores of every last generator.  People didn’t want to have to count on anyone to ensure that they had power when they needed it.  Gathering at a local school or library to keep out of the heat was not for them, or at least the part about losing hundreds of dollars of frozen foods wasn’t the shared sacrifice they wanted to be part of. 

Arguably, there was nothing wrong with using a portable generator, and it may not lead to any decline in community involvement.  In fact, some with generators have been known to offer some of their freezer space to neighbors without any electricity.  Nonetheless, the issue got me thinking about what would happen if these failures in shared critical infrastructure were more frequent – if cyber or physical attacks caused routine but random outages that people couldn’t plan for.  Because cyber attacks are often hard to detect, and it’s even more difficult to determine their source, a continuing series of attacks launched against one or more economic sectors could prove psychologically destabilizing by undermining the trust we place in the transactional and industrial control systems that we rely on to accurately tell us the value of a financial transaction, the amount of electricity flowing over a line, the amount of natural gas that is available in storage, the amount of radiation present in a containment unit, or the oxygen levels of a patient connected to a respirator.  

A hacker does not need to successfully attack all those pieces of critical infrastructure; he/she simply needs to compromise a few pieces of infrastructure that lead to data corruption, damaged equipment, and physical harm to people in order to undermine trust elsewhere.  Such an event could provoke widespread fear and panic, leading to runs on banks and hoarding of food, water, and other essential resources. Research demonstrates that human beings do not react well to very infrequent but potentially disastrous events like plane crashes, terrorist attacks, deadly disease outbreaks, nuclear meltdowns, and even shark attacks.  After the event, people tend to overcompensate in many counterproductive and illogical ways, such as choosing to drive rather than fly, opting for energy sources that result in more pollution and greater harm to more people, or no longer donating blood.  Similarly, we’ve seen economic inefficiencies in many lesser-developed countries where people cannot count on their critical infrastructures for reliable electricity, clean water, plentiful sources of food, a financial system they can trust, quality health care, protection from crime and foreign attack, and a predictable transportation system.  The result is that people progressively choose to rely less on shared infrastructures and more on localized infrastructures over which they have wider control. This, of course, further exacerbates the decline in the quality and reliability of shared infrastructure and inevitably leads to dramatic declines in social trust, the further erosion of governmental and civic institutions, significant declines in both aggregate economic activity and the economic well-being of citizens, and grave threats to our national security. 

While the scenarios described above are extreme, it is not hard to envision less dramatic, but nonetheless painful, consequences of ongoing attacks on our critical infrastructures.  Increasingly, the only thing preventing some of these outcomes is the lack of highly motivated and well-funded adversaries.  Currently, those nation states and criminal enterprises capable of successfully launching such attacks have little incentive to cause such harm, while those that do, such as certain terrorist organizations, may not have the resources to be successful.  However, we cannot count on that always being the case.  Moreover, the widespread theft of intellectual property and low-level financial fraud now occurring is still harming both the resiliency of our critical infrastructures and, perhaps more important, our confidence in them.  It is therefore critical that the private and public sectors work together to provide appropriate incentives and solutions.

Gib Sorebo

Security Associate Director, Accenture

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.