Five Eyes’ Critical 5 nations focus on adapting to evolving cyber threats to boost critical infrastructure security, resilience

Cybersecurity agencies from the ‘Five Eyes’ alliance provided updates on the evolving risks to critical infrastructure and described how the nations within the Critical 5 partnership are updating their strategies to protect critical infrastructure. The narrative highlighted shared methods to enhance the security and resilience of their critical infrastructure within their borders. Additionally, it emphasized the necessity for collaborative and coordinated efforts internationally, acknowledging the interconnected nature of critical infrastructure.

“Critical 5 nations are working to ensure that their critical infrastructure assets and systems are secure, protected, and resilient so that they may minimize and prevent disruptions when an incident occurs,” according to a document titled ‘Critical 5 Adapting to Evolving Threats: A Summary of Critical 5 Approaches to Critical Infrastructure Security and Resilience’ in partnership with the governments of Australia, Canada, New Zealand, U.K., and the U.S. “The need for such interventions is more pressing than ever before. Critical infrastructure systems are more highly interdependent and interconnected, creating the potential for individual failures to cascade into significant outages. At the same time, hazards and threats to our infrastructure systems are growing,” it added.

The document also highlighted that the shifting geopolitical landscape of the past decade has intensified national security concerns. “Recent conflicts have illustrated how critical infrastructure can be targeted through digital or physical means to weaken a country’s ability to protect itself and its citizens. Below the threshold of armed conflict, hostile threat actors deploy methods such as foreign interference campaigns, intellectual property theft, and operational disruptions to exploit critical infrastructure, resulting in substantial financial losses including maintenance and repair expenses, revenue losses, and increased security costs,” it added. 

The adoption of digital and remotely operated technologies for critical infrastructure systems has also left them increasingly vulnerable to exploitation by cyber criminals and state-sponsored actors. Malicious cyber activities can have consequences, including power outages, drinking water contamination, disruption of transportation networks, and loss of life. Such disruptions can cause significant financial and reputational damage to organizations and reduce trust in institutions.

To meet the challenges of both current and future threats, Critical 5 nations have had to adapt their levers to ensure critical infrastructure security and resilience through modernizing policies; reviewing the definition of critical infrastructure and sector composition; and developing stronger information sharing tools and partnership mechanisms.

When it comes to modernizing policies, since 2014, Critical 5 nations have been making notable policy and program advancements to protect and secure their critical infrastructure.

In Australia, for instance, the 2023 Critical Infrastructure Resilience Strategy provides a national framework to enhance security and resilience in Australia’s critical infrastructure from 2023 to 2028. This plan is supported by the broader 2023-2030 Australian Cyber Security Strategy. Key initiatives include the clarification of the SOCI Act to protect data storage systems, co-designing security obligations with telecommunications providers, and developing regulations for the aviation and maritime sectors. 

Additionally, a compliance framework will address the secondary consequences of cyber incidents, prioritize critical infrastructure protections through partnerships, and enhance government cybersecurity oversight, including expanding the national cyber security exercise program to strengthen national defenses.

Canada is actively updating its approach to critical infrastructure protection. The country initiated a public consultation in 2022 to revise the 2009 National Strategy for Critical Infrastructure, aiming to enhance security measures. Concurrently, the government proposed Bill C-26 along with amendments to the Investment Canada Act to address cyber threats and strengthen economic security, respectively. Moreover, the National Cyber Security Strategy launched in 2018 led to the creation of the Canadian Centre for Cyber Security and the National Cybercrime Coordination Unit to boost cyber resilience and combat cybercrime. 

Canada is in the process of exploring options to modernize its tools to counter foreign interference as the threat rapidly evolves. As part of a public consultation launched last November, opinions were sought regarding potential amendments to several Canadian laws including new foreign interference offenses to the Security of Information Act; and updating the sabotage offense in the Criminal Code to strengthen deterrence of intentional harm to critical infrastructure. It also sought to introduce a review mechanism in the Canada Evidence Act for cases involving sensitive information and amend the Canadian Security Intelligence Service Act to include the ability for the Canadian Security Intelligence Service to disclose sensitive information to those outside the Government of Canada.

Consistent with the direction provided in its national strategies, New Zealand is working to update its settings to deliver a more resilient critical infrastructure system, including by improving access to funding and financing for infrastructure investments; and uplifting the infrastructure sector’s approach to asset management to improve service delivery. It also works towards developing a climate adaptation framework to support investment decisions, cost-sharing, and management of climate risks; streamlining resource management processes, and establishing a standardized, robust approach to the consideration of natural hazards risk in land use planning.

New Zealand is also considering a new systems-based regulatory approach, which would complement existing sectoral regulation with a comprehensive set of resilience requirements for critical infrastructure. This regulatory reform intends to better position the critical infrastructure system to manage hazards and threats including a growing range of national security threats. 

The Critical 5 Nations document revealed that since 2014, the U.K. has adapted and developed its approach to critical national infrastructure, with two new sectors, Space and Defence, being added in 2015. 

The U.K. has built upon the Criticalities Process, by creating a new digital tool, the Critical National Infrastructure (CNI) Knowledge Base. Knowledge Base takes Criticalities information and allows risk owners to view critical national infrastructure on a map or as a network graph and enables visualization of interdependencies and relationships between assets to understand potential cascading impacts of risk. Both tools have become essential in supporting the U.K. government in providing targeted and practical guidance to make better-informed risk management decisions.

Responding to growing cyber challenges, the U.K. launched the National Cyber Strategy in 2022 to bolster cybersecurity across its CNI across public and private sectors. The strategy focuses on enhancing the understanding and management of cyber risks and minimizing the impact of incidents. Additionally, in 2023, the U.K. introduced a new ‘Position, Navigation and Timing’ (PNT) Framework, which includes contingency plans and a dedicated government unit to ensure the uninterrupted operation of critical services. 

Further supporting infrastructure security, the U.K. established two new Technical Authorities and created the National Protective Security Authority in 2023 to provide intelligence-led security advice to crucial sectors. These efforts build on the foundational role of the National Cyber Security Centre (NCSC), formed in 2016, to coordinate a national response to cyber threats.

Since 2014, the U.S. has centralized its critical infrastructure security and resilience efforts under the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA). The move helped enhance joint and cross-sector coordination across the federal government, focusing on measurable risk reduction and addressing strategic threats. 

Key milestones include the publication of Sector-Specific Plans starting in 2015 to tailor security goals to the unique risks of each sector, including cyber-physical security nexus, climate change, and aging infrastructure. The 2018 Cybersecurity and Infrastructure Security Agency Act transitioned the DHS’s National Protection and Programs Directorate to CISA, promoting an integrated security approach across business, communities, and government levels. 

CISA acts as the National Coordinator for infrastructure security, managing both cyber and physical risks and collaborating with government and private sector stakeholders. Additionally, the Fiscal Year 2021 National Defense Authorization Act defined Sector Risk Management Agencies (SRMAs) under CISA, enhancing the collaborative efforts to protect the nation’s critical infrastructure.

On April 30, 2024, the White House released a National Security Memorandum (NSM-22) on Critical Infrastructure Security and Resilience, superseding the decade-old Presidential Policy Directive 21 (PPD-21). This update reflects the evolving threat landscape, shifting from counterterrorism to concerns like strategic competition, advanced technology, cyber threats from nation-states, and the necessity for international cooperation. 

NSM-22 aims to bolster U.S. critical infrastructure, enhancing the economy, protecting families, and increasing disaster resilience. It empowers DHS, with CISA as the National Coordinator, to lead this effort. Additionally, it mandates a biennial National Risk Management Plan, reconfirms the 16 critical infrastructure sectors with designated federal oversight, and underscores the need for stringent security and resilience standards within these sectors, aligning with the National Cyber Strategy to address the limitations of previous voluntary risk management approaches.

The Critical 5 nations value partnerships and information sharing with critical infrastructure owners and operators, as well as national, regional, and local government counterparts. Engaging in multiple formats, such as engagement forums and web-based information-sharing platforms, allows industry stakeholders and government to collaborate on topics including assessing and identifying the criticality of infrastructure, identifying cross-sector dependencies, and developing best practices for managing vulnerabilities to common risks. Industry and government engagement forums support partnership building and information sharing across the critical infrastructure community. 

Going forward, Critical 5 nations intend to collectively host an official, branded month of focus and action on critical infrastructure security. Some Critical 5 nations use web-based information sharing platforms to allow industry and government to share timely information in a secure environment such as Australia’s Trusted Information Sharing Network engagement platform and Canada’s Critical Infrastructure Information Gateway.

In conclusion, the narrative highlighted that over the past decade, the Critical 5 nations have continually adapted their policy strategies to respond to the rapidly evolving hazard and threat environment. “Climate change, cyber threats, and growing national security risks have led all Critical 5 countries to introduce or consider changes to what constitutes critical infrastructure as well as the regulatory and non-regulatory tools available to critical infrastructure providers to enhance their resilience. This recognizes that collectively investing in critical infrastructure resilience is essential, as failure to do so can be unnecessarily costly in the event of disruption or loss of service,” it added.

Furthermore, the Critical 5 nations continue to share knowledge, experience, and expertise on issues of common interest, which will better equip this community to respond to the growing and evolving risks. The strength of the relationship among the Critical 5 forum has proven to be valuable as they continue to learn from each other on key issues of mutual interest.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.