Critical infrastructures (CIs) are the backbone of our global society. These infrastructures keep the global economy moving, ensuring the day-to-day delivery of social goods and services. They are the hidden pillars behind our hospitals, financial institutions, logistical hubs, electricity grids, nuclear power plants and information and communication nodes. CIs form a complex web of interdependent assets, systems and processes. For this reason, they are also extremely vulnerable to ‘cascading effects’, occurring when disruption in one infrastructure causes the failure of a second infrastructure and potentially others. As efforts to secure CIs have grown over the past decade, threat assessments have focused on the risks posed by natural disasters, climate change and terrorism. To date, however, this approach has failed to adequately account for the complex threat posed by organised crime.
Over the past few years, many countries have woken up to the need to step up the protection of increasingly vulnerable CIs. Governments, predominantly in the developed world, have implemented national strategies around the identification of a number of sectors regarded as critical, such as energy, transport, health and food, amongst others. In this context, specific infrastructures have then been singled out and responsibilities subsumed under the identified sectors, with coordination roles spread across governmental agencies. Crucial to this approach is the understanding that protecting CI is a multi-stakeholder responsibility starting with on-the-ground operators. For this reason, a number of public–private partnerships have been established to ensure fluid information exchanges at all levels.
Most strategies take an all-hazards approach, meaning that the envisaged institutional frameworks are designed to face all possible threats hanging over CIs. At the same time, most of the attention has been placed on threats stemming from natural events, like earthquakes or hurricanes, or, more recently, terrorist attacks, following the landmark UN Security Council Resolution 2341 (2017). Little has been said, however, about CIs’ exposure to the threat from organised crime groups and their operations. In light of the diverse challenges organised crime represents, it ought to be better integrated into efforts aimed at CI protection and resilience.
Little has been said about critical infrastructures' exposure to the threat from organised crime groups and their operations
Perhaps the best-known and advertised source of threats to CIs is that of criminal groups interfering in the provision of cyber-dependent services to extract the payment of a ransom in exchange for service restoration. According to Europol’s 2017 Internet Organized Crime Threat Assessment, ‘the extent of this threat becomes more apparent when considering attacks on critical infrastructure. Previous reports have focused on worst-case scenarios, such as attacks on systems in power plants and heavy industry. However, it is clear that a greater variety of critical infrastructures are more vulnerable to ‘every-day’ cyber-attacks’. Examples of ransomware attacks against CIs abound: in May 2017, for example, the WannaCry cryptoworm paralyzed hospitals in the UK, threw into disarray rail networks in Germany and Russia, affected telecommunications networks in Spain and Portugal and blighted petrochemical companies in Brazil and China.
But there are also other, more direct ways in which organised crime intersects with CIs. One is the injection of counterfeit items into the supply chains for components that are instrumental in the functioning of CIs. This is what a US Court established in 2010, prosecuting a conspiracy to import fake integrated circuits from China and selling them to, among others, the US Navy as ‘military-grade’ equipment. In other cases, the injection of counterfeit items into these supply chains may not be intentional, but rather a by-product of criminal activity. In both cases, CIs’ operations (as well as the safety of those working around them and the public at large) are put in serious danger through the introduction of what are often sub-standard materials. Crucially, when the affected infrastructure is a military installation, or one potentially compromising key governmental functions, what would normally be framed as a criminal justice or counterfeiting case acquires the worrying contours of a national security issue.
Paradoxically, rather than damaging it, an OCG may also attempt to leverage a CI's point of strength
Paradoxically, rather than damaging it, an organised crime group (OCG) may also attempt to leverage a CI's point of strength. In various parts of the world, OCGs perform state-like functions, or seek to fill in the vacuum left by crumbling state authorities. When this is the case, OCGs may seize certain CIs as part of a strategy to acquire or consolidate their legitimacy over local communities. This type of dynamic has been observed in relation to water-related infrastructures in territories previously controlled by Daesh (also known as ISIS or ISIL). In Iraq, water dams have been exploited by Daesh not just to flood areas of land and disrupt enemies’ military operations, but also to supply water to areas sympathetic to Daesh’s cause. According to Stratfor, by seeming to do a better job of providing necessary services, ‘the group [could] attract more men and women to its ranks’ as a recruitment tool.
OCGs can also target CIs for purely profit-making purposes. Online markets have proven to be formidable platforms not only to trade goods and services, but also information in the form of trade secrets, know-how, customer lists, marketing strategies and much else. It is not absurd to imagine that a criminal group might also trade information that results in the ability to target or predict the functioning of one or more CIs. The possibility to gain insights about catastrophic events that are planned or likely to occur, such as a shutdown of air traffic or a blockage of global financial circuits, may provide traders with not only the knowledge necessary to avoid direct damage, but also to gain huge competitive advantages.
A criminal group might also trade information that results in the ability to target or predict the functioning of one or more CIs
This knowledge may enable them to take out cost-effective insurance policies against risks that nobody is considering yet, modify travel schedules or even adapt marketing strategies ahead of competitors. These are risks that may carry significant political consequences. Recently, the US Department of Homeland Security has designated its electoral system as part of the nation’s critical infrastructure; Spain is following suit. It is easy to imagine how valuable it could be to obtain advance information about plans to disrupt a country’s election process by flooding voters with fake news and planting malware in voting machines. A credible promise to disrupt CIs may be in and of itself a source of profit for criminal enterprises.
The vital roles that these CIs play in modern societies are almost too tempting to ignore. Whilst it is hoped that such scenarios will never materialise, it would be naïve to assume that OCGs will not seek to exploit CIs using new, creative and potentially catastrophic methods. Like many organised crime threats today, OCGs are empowered by the amplifying effect of information and communication technologies. As a minimum, the threat posed by OC should be fully embedded into the risk assessment and crisis management procedures that governments and infrastructure operators are increasingly conducting against natural and man-made hazards. Such assessments should in turn drive the adoption of appropriate mitigation plans and measures. These could range from strengthening businesses’ policies on ‘know your suppliers’ to protect critical supply chains, through to more closely focusing intelligence-gathering activities on OC-related threats. Such measures and plans should also consider investing in more (and more strategically-targeted) cyber security resources. We are just starting to get our head around what is needed to address an unprecedented and multi-faceted threat. Without adequate recognition for the threat posed by organised crime, we risk giving the criminals the upper hand.
Stefano Betti is an expert on transnational criminal law and policy. In addition to being Senior Advisor at the Siracusa Institute, he collaborates with several UN entities including the UN Counter Terrorism Executive Directorate, the UN Office on Drugs and Crime (UNODC) and the UN Interregional Crime and Justice Research Institute (UNICRI). He is currently Deputy Director General at the Transnational Alliance against Illicit Trade (TRACIT) and a member of the Global Initiative against Transnational Organised Crime.
The views expressed in this article are those of the author(s) and do not necessarily reflect the views of RUSI or any other institution.