GFCE and Meridian: Combining forces on CIIP

Author: Peter Burnett, Meridian Coordinator

CIIP was a fashionable topic for governments when Meridian launched its international conference series in 2005, but CIIP has since been eclipsed by Cyber Security as the key subject on government agendas.  Careful analysis, however, will show that CIIP is just as vital today, if not moreso, as critical services move online. It is therefore vital that Cyber Security Capacity Building does not neglect this crucial element in developing countries, particularly as it becomes increasingly difficult to implement CIIP successfully.  GFCE and Meridian have combined forces to assist this challenging endeavour.

The historic setting of the 16th century Hostal de San Marcos in Léon was the birthplace for this initiative. It was conceived following the Meridian CIIP Conference, which was hosted by Spain in October 2015. The GFCE had played a major role in the event and the Meridian Steering Committee considered it a ‘no-brainer’ to invite the GFCE to collaborate with Meridian.  A common cause was found on the issue of Critical Information Infrastructure Protection (CIIP), which Meridian has been promoting since its own birth in the equally historic setting of Greenwich, London, 10 years earlier. The aim of the GFCE-Meridian initiative was to draw upon the established global network of knowledge and experience of the Meridian members, thereby stimulating new activities to enhance Cyber Capacity Building.

From Léon to Mexico City

A broad range of countries became involved in discussions on CIIP, and the first results were delivered in another historic setting at the 2016 Meridian Conference in Mexico City.   The 1st product was a remarkably successful ’Primer Day’ aimed at new delegates to help them get ‘up to speed’ and feel comfortable engaging in the discussions and workshops of the main event - attended by 70% of the delegates.  This was an optional session and included a description of the basic terminology and concepts commonly used in CIIP as well as an innovative ice-breaking session.  It also involved panels of experts to introduce some of the key international organisations active in the CIIP field (such as the OAS, World Bank, and the GFCE), and a chance for delegates to ask another panel of experts about any aspects of CIIP. 

MERIDIAN Community Members 2016

MERIDIAN Community Members 2016

Identifying Good Practices

The 2nd deliverable of the Initiative was also aimed at new delegates and countries who are finding their way in the field of CIIP.  This was a back-to-basics Good Practice Guide (GPG) to CIIP.  It explains the fundamental principles and processes of developing a regime for Protecting the CII, from the precursors of Critical Infrastructure Identification, to the more advanced phases of monitoring and review, and information sharing.  The Guide was designed to be brief and easy to read, to get a good overview of the elements, but it also has a well-researched list of references and further reading.  It is freely available to download from the GFCE- or the Meridian website (www.meridianprocess.org) and is considered essential reading for anyone involved in Cyber Capacity Building as well as CIIP.

The GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection

The GFCE-MERIDIAN Good Practice Guide on Critical Information Infrastructure Protection

Preparing for the Future

The GPG was launched and discussed widely at Meridian 2016 and some of the feedback from the more developed and developing countries was that there were some aspects that could benefit from a more in-depth discussion. These additional aspects reflect the challenges of keeping up with what is critical, against the background of a continuously changing cyberspace, and how to maintain protection when services, some of them essential, are migrating towards digital and often offshore environments. These developments can undermine previous assumptions about what is critical and how it needs to be protected.  This is just as much a challenge for the development of National Cyber Security Strategies, but when it comes to the CII, the stakes are very high; it is, by definition, the most important element of a nation’s cyberspace, since it supports all critical services. 

The evolution of terminology also needs to be kept under review, to ensure that the fundamentals of CIIP are still being addressed, even if new terms such as ‘cyber resilience’ come to replace CIIP.  These will be discussed in a ‘Next Steps’ successor to the original GPG being developed for Meridian 2017, which will take place in Oslo on October 24th - 25th.

The CIIP Initiative has a ‘Buddying’ programme, which is aimed at all Meridian countries, whether developed or developing, as it has a peer model as well as the more traditional hierarchical relationship pattern.  This is being tested this year and will be further developed at Meridian 2017.  Other elements of the Initiative include plans to develop a free-standing CIIP Training Package based on the GPG and the Primer Day, in conjunction with a UK Cyber Capacity Building project, which will trial it in Africa. Further developments of the Initiative are also under discussion.

Meridian & GFCE

There is no doubt that that the collaboration between GFCE and Meridian has been a great success so far, and has plenty of potential to go much further if the resources are forthcoming. It is also clear that, despite the ascendance of Cyber Security as a key topic on the agenda of every government, the subject of CIIP is still as important as it was 12 years ago when Meridian was conceived. Consequently, the issue of CIIP will continue to have a key place in the GFCE portfolio.

This article first appeared in the fourth issuse of the Global Cyber Expertise Magazine - November 2017