cisr

For over a quarter century the United States and the European Union have been diligently planning and implementing policies and procedures to protect the critical infrastructure sectors that are vital to the prosperity and security the majority of their citizens enjoy. Given the evolving nature of threats against critical infrastructure, recent US and EU efforts have focused on enhancing collective critical infrastructure security and resilience (CISR) posture. The core objective of these CISR initiatives is to strengthen their ability to deter, prevent, reduce the consequences of, respond to, and recover from a broad array of vulnerabilities, hazards, and threats to critical infrastructure. Any such disruptions to or destruction of these critical infrastructure systems and assets can have damaging impacts on individual nations, the transatlantic economy and security environment, and the ability of the North Atlantic Treaty Organization (NATO) to fulfill its core tasks. This podcast is based on Chapter 10 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1). The goal of this chapter ultimately is to help Allies and partners better understand these two frameworks and apply their key principles and tenets to enhance the CISR posture in their respective countries. Click here to read the book. Click here to watch the webinar. Episode Transcript: “Comparing Policy Frameworks: CISR in the United States and the European Union” Stephanie Crider (Host) You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. Conversations on Strategy welcomes Dr. Alessandro Lazari, coauthor of “Comparing Policy Frameworks: CISR in the United States and the European Union.” Lazari’s been working as a specialist in critical infrastructure protection, resilience, and cybersecurity since 2004. He is currently a senior key account manager at 24 AG (F24 AG), focused on incident and crisis management in Europe. Alessandro, welcome to Conversations on Strategy. I’m glad you’re here. Alessandro Lazari Thank you very much indeed for inviting me over. It’s a pleasure to be here. Host You recently contributed to the book Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. The chapter you worked on compares policy frameworks of critical infrastructure security and resiliency in the US and the EU. The US (critical infrastructure security and resilience or) CISR framework: What do we need to know? Lazari I mean, thanks for asking about this. This has been part of my PhD studies—to go on deep between the lines about everything that the US has built in the past decades—and I have to say that this is really considerable. If you think that the (Presidential Decision Directive 63 or) PDD-63, just to give an example . . . presidential directive signed by (Bill) Clinton in May ’98 still stands as one of the brightest examples of CISR policies for a while—if you look at it nowadays, after so many years, you see how very well defined is the problem, how very well defined the mechanism to tackle it and to, you know, deal with it and to improve the overall posture of US against the threat of, you know, any potential attack to national critical infrastructure. I mean, there is many examples in . . . in the US policies of things that really worked. I can tell that they constitute a milestone to which many, many countries are looking at because of the comprehensiveness. Because I can tell also that due to its particular system, (the) US has experienced a wide range of events that span across all the potential threats of critical infrastructure in the 50 states and as a federal system, so they’ve really wanted to organize something that is really very, very big. Last but not least, the US has also considerable experience in maintaining the infrastructure. One of the greatest examples is the renovation that the US government did in the old railroad . . . you know, riverways in the ’40s and ’50s and ’60s is one . . . also a considerable milestone of the experience in the US. So, it’s very much worth looking at it because there is many countries that are now in the condition of tackling those challenges nowadays. So really, throughout the entire lifespan, you know, a lot of things that are really, you know, in use nowadays that really can provide example to the way the countries should deal with CISR nowadays. Host Let’s go into a little bit more detail. What currently guides the US CISR policy? Lazari One of the latest milestones in . . . in the US CISR policy is (Presidential Policy Directive 21 or) PPD-21, signed by Barack Obama in 2013. I mean, that can be considered one of the examples of the maturity of the policy in the US. You know, in announcing all the functional relationships among the very stakeholders involved in the life cycle of critical infrastructure security and resilience, there’s so many from both public and private side. From the public side, you have (the Department of Homeland Security or) DHS and all the departments that are involved, all the agencies, and from the other side, all the operators and the critical nodes within the country and so on and so forth. So, there is a considerable amount of stakeholders that need to talk to each other to be really aligned to do better. And here, we come to the second pillar that is information sharing. Once you have identified all the functional relationship nodes, you absolutely need to cut short the distance between them. So they need to become closer and closer because they need to talk to each other, and in a country like (the) US, it’s very difficult because it’s a very big country with a big number of stakeholders involved. So for sure, this is also a challenge. And last but not least, after you have enabled, you know, the recognition of the functional relationship and the improvement of the information sharing, you then need to enable one very important pillar that is always mentioned in PPD-21: that is analysis of incident threats and emerging risk. Because you do not only deal with today, you also deal with the future. So you need to understand with . . . how, you know, uh, risks are evolving, so the emerging one . . . and you need to analyze all the incidents and threats constantly because the threats evolve as much as the society because, you know, we have new enemies, new ways to attack the systems, and history evolves; we all know that. So once you put together really this critical mass of activities and knowledge, you can say you are really structuring well all your policy on . . . on CISR. Host Tell me about the EU framework: European Programme for Critical Infrastructure Protection. Lazari The EU, it’s based on the membership of the member states that are part of the EU. There were 28, and, after the Brexit, now it’s 27. You know, every time, the negotiation of each steps of the policy is something that really seeks for the involvement of them all on proposal from the European Commission that is normally proposing new pieces of policy and regulation in this field. But this entails every time that member states are involved because they have a stake, they take a joint decision. But the European Programme for Critical Infrastructure Protection is really the very first milestone. As much as it is for PDD-63 in the case of US, it is really the very first piece of joint policy on critical infrastructure protection on the European side. And this really comes immediately after the September 11 attacks to, you know, London and Madrid in 2004, 2005. It really starts from an all-hazard approach with a clear intent of fighting against terrorism. So, financing of terrorism, all aspects of dealing with terrorism and the impact of terrorism, terrorism of critical infrastructure. Then, immediately, the EU recognized within the program that the all-hazard approach really needs to be developed because it’s not only terrorism that can threaten the continuity, you know, and the existence itself of critical infrastructure, but there is many other threats that can really disrupt or create issues. So, the European program has really put together the member states for the first time ever in discussing the critical infrastructure protection. This is still, nowadays, mainly the international level. The first thing you need: competency. It still relies on the member states that are part of the EU, but the program has, really, the 27 in the condition to discuss together all the challenges, all the state of play of each one of them. So to set new goals that are not overambitious for some of them, because you have to imagine when, in 2008, the European program was launched, there were five or six member states that really had a national framework for critical infrastructure protection, and many others that didn’t have one, or, you know, they really needed to amend it heavily because it was obsolete or not taken care of on all aspects. It can be said that the European program has really created that first spark that has enabled the EU to be in the state of play it is nowadays because, for the first time, it has really asked the member states to discuss national security outside of their own border, but in a joint, coordinated manner. Host So, there were some significant changes to the program in 2016 and 2020. I would love to hear about them. Lazari After a very long journey between 2008 and 2016, the EU in, um, 2016 has decided to move a little bit to focus not only on the critical, physical aspect of critical infrastructure but also on the cyber dimension. Of course, the member states were already dealing with that, but the real pro of the EU is that there is a harmonization effort going on. In 2016, we had the promulgation of the so-called Network and Information Security Directive. This really adds an important layer now on top of the CISR policy, which is very focused on cybersecurity or what we call “operator of essential services.” This new term that is different from critical infrastructure has been introduced to identify all of those services that are delivered through the mean of the network and information system. So, really, to narrow down the focus on the cyber dimension, of course, completely integrated together with the physical aspect, because these are absolutely complimentary. We cannot deal with one or just the other. You need to deal with all of them. And it is very important to notice that even though this first NIS—Network and Information Security—Directive was promulgated back in 2020, on the 16th of December, 2020, the European Commission proposed already an amendment of this directive to launch the second directive, the so-called (Network and Information Security 2 or) NIS 2. You can see that, here, the policy life cycle has been shortened because, normally, there is a very long policy cycle between one policy and another. You have an average of eight to nine years, even 10 sometimes. Here, you see that between 2016 and 2020, you have the promulgation of the first directive, already, in 2020, the proposal. And it’s very likely that in early 2023, this will alter its course, partially substituting the first one, but adding a lot more efforts and a lot more sectors. They go from 19 to 35, so there is a huge recognition and an improvement in the terms of sector. There is also the intent to differentiate between coverage of an essential service and important service. So to create also sort of criticality assessment between the two lists of designated operators. So, I think this is very important. There is also the announcement of the cooperation among the countries, the announcement of the functioning of the EU Computer Security Incident Response Teams—so, better sharing of information regarding the incident and some support. Last but not least, also, I can tell that, uh, 16th of December 2020 can be remembered as one of the really landmark of the EU CISR because on the very same day, apart from the proposal on the NIS 2 directive, same European Commission, sending a very strong message, published the proposal also for the . . . for the so-called Critical Entities Resilience Directive. Also, here, you see a new terminology, critical entity and resilience, that goes . . . it’s very far from critical infrastructure protection. So not only we move, like, the focus is really on resilience, so in being able to withstand, to bounce back after something has gone wrong, but, also, the commission introduced the term “entity.” This is also a clear message that the type of infrastructure that we can designate is not only old style, like we only operate private operator, but entity has been used also to identify offices, departments of the public administration and the government that are really pivotal for the functioning member states and the new institution and so on, so forth. So you see that we move from operator to entities and from protection to resilience. So I think this really be remembered what . . . of the days in which really the EU has recalled the importance of the complementarity of the physical and cyber protection and resilience and the importance, also, of the states and the public administration and the governments in securing national security, EU security, and the international security because, of course, this go beyond that. Host Going forward, what does critical infrastructure security and resilience look like for the US and the EU? Lazari Even though we have this really great example of the European program for critical infrastructure protection, the PDD-63, all the executive orders, you know, every one of them in the US are very comprehensive in, you know, tackling the problem in the way it should be tackled and with all the effects that they have on the European Union, on the allied countries in NATO and so on, so forth. I think that there is some things that . . . on which we . . . we really need to improve. One of these is hybrid threats because we often talk about physical and cybersecurity, but we do not consider the hybrid threats that are all these actions below the threshold of warfare that are still to the entity or to the state or to the operator that is targeted. There is no clarity which is who’s behind these actions. It . . . these actions are also coordinated. So, there could be a state or nonstate actor that has decided to put under pressure certain systems, certain layers of our modern society, and it can be done with a combination of conventional and unconventional types of plot. And this is, for sure, one of the hot topics. The European Union has already recognized the importance of hybrid threats in 2016, and, in 2020, there is two specific documents that are being released on the point they’re working out in creating a framework for governments and public administration to try and recognize some key indicators that there is hybrid threats, that you are subject to hybrid threats, because you have to . . . to imagine this extremely complex type of environment. It’s a number of events that are not correlated because they’re happening here and there. Therefore, you don’t have control on all of them, and, therefore, you cannot really see through the fog what’s going on. You just see the vertical events, but you don’t see the horizontal plot. Social tension, fake news propaganda—they are all part of this big element. Another thing that I think is part of the hybrid threat but is not properly dealt everywhere is that nonfinancial side. We know that all these operators of critical infrastructure, the way you want to call them, or critical entities or operators of essential services—they are companies. They may be on . . . on regulated market, on the stock exchange, on support. Therefore, someone may acquire them, part of them, part of the ownership. To me, the way we scrutinize a certain operation on national critical infrastructure is not yet clear because certain strategic infrastructure should remain of national property. I don’t mean it should be public. I mean that it should have national shareholders with minimum shareholders from abroad because they are strategic infrastructure on which, first of all, speculation shouldn’t take place, but, also, you have to imagine that once you see someone in the, you know, in the board of directors, everything is discussed there, immediately goes as to where as soon as the meeting is over. This shouldn’t really happen. And this is not only happening at the scrutiny, it’s already taking place for big infrastructure. For example, Italy has procedures for that. It’s very advanced, but the . . . the way the . . . the law is tuned on very big operations leaves every small operation outside. Here, we fall into another problem: third parties. It’s not only about critical infrastructure. Critical infrastructure relies on a constellation of third parties. Sometimes, they are also very small companies. They are very important in the supply chain. We don’t know who owns them. There is a little bit of scrutiny the company does on those other companies, third parties, but it’s not enough. So, the vetting procedure, the scrutiny procedure, they should really improve because we need to be sure that we are relying on the right people—that when something is going wrong, will help us out of the mud instead of leaving us in there. To identify friend or foe, as the . . . the military would say. So, this is, to me, among the hybrid threats, the financial aspect—also, the financial or third party. So, trustworthiness of the third party. Third-party risk assessment, to me, is fundamental. Host Do you have any final thoughts before we go? Lazari One last thing that is taking place anyway because of our footprint on planet Earth is climate change. To me, we need to work on the sustainability of critical infrastructure, and we need to do climate change risk assessments. This is something that already the Critical Entities Resilience Directive will ask to critical entities that will be designated under this directive in the future to do. So, to assess what is the impact of climate change on critical infrastructure, you have to imagine that the weather, among other things, is considerably changing. Fifteen years ago, no one could hear about, you know, medicane—that is, the . . . this Mediterranean hurricane, for example, in the Mediterranean. I come from the south of Italy, I’ve never heard about. We never heard “hurricane,” but, all of a sudden, in the last five years, we have initial glimpse of what it could look like, hurricanes. Of course, the proper hurricane, the one that you are experiencing in the US, you know, are much, much different, and their force of devastation is much higher. But, still, I can tell that these medicanes are already threatening our critical infrastructure because they have not been designed to withstand this type of event. Even though some of those that are designed for withstanding certain types of very severe weather events, they can be still disrupted, but ours are not designed at all. So, you can imagine the impact of if these hurricanes keep coming, and they keep increasing in . . . in their strength, the way they . . . we see them behave in other countries that are severely hit by hurricanes, this could really pose a threat to our critical infrastructure. So, for sure, the climate change has to be assessed. We will find ourselves with operators that have been used, like, operating extreme cold and in heat wave and the other way around. Operators used to work in extreme hot having cold wave, and, therefore, the reliabilities of these infrastructures may change, may be really threatened because they are not designed to operate in different condition or in very severe warm or cold. So yeah, that’s another thing that I would definitely take into account that will challenge critical infrastructure in the future. Host Thank you for your time. Thanks for your contribution. This was a real treat to talk with you. Lazari Thank you very much indeed, once again, for inviting, and, uh, all the best. Host Learn more about the CISR frameworks of the United States and the European Union at press.armywarcollege.edu/monographs/955. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform. Author information: Alessandro Lazari has been working as a specialist in critical infrastructure protection, resilience, and cyber security since 2004. He is currently a senior key account manager at 24 AG, focused on incident and crisis management in Europe. From 2010–19, he provided policy support to two key initiatives at the European Commission: the European Programme for Critical Infrastructure Protection and Strengthening Europe’s Cyber Resilience. Lazari is a fellow in legal informatics at the University of Lecce’s School of Law (Italy) and a lecturer at COE-DAT’s Protecting Critical Infrastructure Against Terrorist Attacks course. He is the author of European Critical Infrastructure Protection, published in 2014 by Springer Inc. He holds a master’s degree in law and a PhD in computer engineering, multimedia, and telecommunications.

Released 6 January 2023 This podcast based on Chapter 1 in Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1 answers the questions: What is critical infrastructure? Why is it important? What is the difference between critical infrastructure protection (CIP) and critical infrastructure security and resilience (CISR)? What are some of the key terms defined in national CISR policy? What are the core areas of activity or work streams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations? The answers to these specific questions provide the contextual basis for understanding why CISR is a quintessential societal task for maintaining national security, economic vitality, and public health and safety in a world filled with increasing levels of risk. For NATO member states, building and enhancing CISR at the national level is necessary to safeguard societies, people, and shared values and also provide the foundation for credible deterrence and defense and the Alliance’s ability to fulfill its core tasks of collective defense, crisis management, and cooperative security. Click here to read the book. Click here to watch the webinar. Episode transcript “Understanding Critical Infrastructure” from Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency (NATO COE-DAT Handbook 1) Stephanie Crider (Host) You’re listening to Conversations on Strategy. The views and opinions expressed in this podcast are those of the authors and are not necessarily those of the Department of the Army, the US Army War College, or any other agency of the US government. Conversations on Strategy welcomes Ronald Bearse, author of “Understanding Critical Infrastructure,” featured in Enabling NATO’s Collective Defense: Critical Infrastructure and Resiliency. Bearse is an expert in critical infrastructure protection and national preparedness, with more than 23 years of experience in the US Department of Defense, Homeland Security, and Treasury. Ron, welcome to Conversations on Strategy. You recently contributed to a book, Enabling NATO’s Collective Defense: Critical Infrastructure Security and Resiliency. I’m looking forward to hearing about your chapter, but first, thank you for being here. Ronald Bearse Well thanks Steph. Yeah, I’m happy to discuss that with you today. Host What is critical infrastructure? Bearse Although there’s no real global or standard or universal definition of critical infrastructure, most, if not all, European and NATO nations, which have a national CIP or CISR policy or national plan, define critical infrastructure as those physical and cyber systems, facilities, and assets that are so vital that their incapacity or their destruction would have a debilitating impact on a nation’s national security, economic security, or national public health and safety. We kind of understand them (and most people do) as those facilities and services that are so vital to the basic operations of a given society 9like the one we live in) or those without which the functioning of a given society would be greatly impaired. In our book, for example, we talk about critical infrastructure sectors. Here in the United States, for example, we have 16 critical infrastructure sectors where assets and systems and networks, whether they’re physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on our national economic security or public health and safety. Those sectors include, here in the United States, and for most Western nations, the same types and same sectors, such as the chemical sector or the dam sector, commercial facilities. Communications sector. Critical manufacturing. The defense industrial base. Emergency services obviously is one. Energy. Financial services sector, food, agriculture, government facilities, healthcare and public healthcare sector. Information. Information and technology. Nuclear reactors, materials and waste sector. The transportation infrastructure sector is huge as well. As well as water and wastewater systems. So there are a number of economic areas, and we call them sectors, that have critical infrastructure, the loss of which would really be a problem. Within NATO, Allied Command Operations defines critical infrastructure as a nation’s infrastructure, assets, facilities, systems, networks, and processes that support the military, economic, political, and/or social life on which a nation and/or NATO depends. NATO mission readiness depends on the assured availability of critical infrastructure. Let there be no mistake about that. Critical infrastructure, which I should mention is mostly owned by the private sector. For example, during large NATO operations for exercises, about 90 percent, and that’s nine zero percent, of military transport, relies on civilian ships and civilian railways or civilian aircraft. Host Why is critical infrastructure important? Bearse Critical infrastructure is vital because it enables a nation’s productivity and quality of life and economic progression by driving economic growth and creating jobs and improving efficiency. It also provides essential services, such as energy and water, electricity, and transportation. It also connects communities via transport and communications networks, which enables the flow of goods and information—not just across the country but between countries and across the world. Another reason why it’s vital has to do with the fact that it’s highly interconnected today, Stephanie, meaning that critical infrastructure systems often depend on other areas or other critical infrastructure to operate. If it is severely disrupted or destroyed, it can cause severe catastrophic consequences, locally, regionally, nationally, and even globally. And also, if it happens in one sector, you can have cascading events that can cross over into other sectors as well. An increasing number of nations depend on critical infrastructure located in another country, or worse, controlled or operated or owned directly or indirectly by a foreign adversary. And yet another reason is that millions of critical infrastructure systems and the gazillions of devices which connect to them are connected to the Internet. And because of that, you know, we see that there is that vast increase of vulnerability attached with those devices. We’ve all witnessed how COVID-19 and the ongoing Russian invasion of Ukraine have impacted critical infrastructure. The critical infrastructure of NATO and partner nations—those nations face a rising, unprecedented wave of malicious cyber activities and destabilizing and devastating consequences—and public and private entities that are indispensable to the functioning and well-being and cohesion of allied societies (such as energy providers and telecommunications operators and banks and hospitals). And we’re certainly aware of the current situation, hybrid warfare and real actual warfare at the conventional level. And Europe and Ukraine and seeing how critical infrastructure is being targeted that way. Host In the context of keeping critical infrastructure safe and functioning, what’s the difference between critical infrastructure protection and critical infrastructure security and resilience? Bearse Humankind has been protecting critical infrastructure for thousands of years, Stephanie. It goes back a long time. In the Peloponnesian Wars, infrastructure then that nations fought over included ships and grain and ports and brick walls around the cities, if you will. And wells where water was. And you know, 1,000 years later you had the fall of Rome. And with the fall of Rome, you had the contribution of the aqueducts falling apart for a variety of reasons. But again, critical infrastructure in the Roman Empire. The shift that has happened over the last 20 years alone is due to the fact that stakeholders have learned that it’s almost impossible to protect critical infrastructure from all the growing risk factors that they face—where we are moving from the protection of critical infrastructure to securing it and making it more resilient against threats. For example, when we talk about security. Security in the CISR, the S, if you will, means reducing the likelihood of successful attacks against critical infrastructure with the effects of natural or man-made disasters through the application of physical means or defensive cybersecurity measures. And resilience is the ability of critical infrastructure to resist, absorb, recover from, or successfully adapt to changing conditions, including attacks. The concept of critical infrastructure security and resilience is particularly useful to inform policies that mitigate the consequences of such events and speak to the vital need, again, for nations to develop and implement a comprehensive risk-management strategy. Karen McDowell, who 10 years ago was an information security analyst at the University of Virginia, said something that still haunts me and should actually haunt everybody listening in today. I believe she said, “public opinion isn’t going to lead the push to better protection of critical infrastructure since most people aren’t aware of the security issues and don’t even know that they are at risk, let alone understand the risks to critical infrastructure.” Host What are the core areas of activity or workstreams involved in implementing CISR policy in and across the North Atlantic Treaty Organization nations? Bearse There are really three essential tasks—assess the risk, improve security, enhance resilience, right? It’s all in those three. That’s the basic process. But the process of accomplishing those three tasks can be extraordinarily complex and a continuing challenge because it requires numerous what I call “streams of work” to be performed by a number of stakeholders—such as government agencies, (whether they’re federal, state, regional, other types of government agencies), the owners and operators in the private sector themselves of critical infrastructure, academicians, people who do research, subject matter experts, international organizations, technology vendors, people that run the ISACS (information sharing and analysis centers). I mean, there’s just many, many, many stakeholders out there. But what’s really, really important is that the major work streams basically include the following. All these are discussed in the book and how they are applied at different levels and case studies and whatnot. But we need to establish very clear roles and responsibilities for all stakeholders. That’s a major workstream just doing that—identifying and determining the criticality of a nation’s infrastructure. The protection of critical infrastructure is a national responsibility. NATO doesn’t go out and identify what’s critical for other nations. It’s up to that nation to do that. It’s up to that nation to figure out what they’re going to do. NATO can certainly help them. The nations help each other as well, and we certainly want to help our partner nations. So another big workstream here is mapping critical infrastructure dependencies and interdependencies. Determining critical infrastructure vulnerabilities . . . I can’t say enough about that as a workstream. Using applicable risk management, risk analysis, and risk management tools, if you will. Risk assessment tools and approaches. A lot of different critical infrastructure sectors have defined some very good tools to use to do risk-based assessments. They are available to NATO and NATO partner nations. Establishing crisis management capabilities is important. Another key workstream is establishing public-private partnerships between government and private-sector owners and operators of critical infrastructure Establishing and implementing collaboration and information-sharing mechanisms between government and the owners and operators is also important. Developing and exercising continuity of operations and information technology, disaster recovery plans, and providing physical and cyber security and resilience measures is a big workstream, if you will. Ensuring the integrity and security and continuity of critical infrastructure supply chains is huge. Expanding opportunities to deliver CISR education and training. Another key workstream, this one it’s dear to my heart, is implementing a robust (and when I say robust, I mean thorough) test training and exercise program to determine the extent to which a nation’s current CISR policy or legislation or plans, procedure, systems, research and development efforts, you name it, are either meeting, falling below, or exceeding prescribed requirements and established standards. Another key part of the workstream that’s vital to this is fostering the local, regional, national, and international cooperation, collaboration, coordination, communication, and concentration that is required to produce results. So, one of the reasons why this book was actually published is because more nations need to be developing and implementing a national CISR policy. There are many reasons, again, why countries haven’t started down this road, Steph. Let me just share with you the top five really quick. The top three basically, and I believe these are in the correct order, are money, money, and money. The fourth reason is that most countries have been protecting things that they deem important or critical the same way for many years. The military protects W and X. The minister of interior protects Y. And the Department of beta protects Z. And rarely do they coordinate their efforts due to turf, territory, and tradition. And the fifth reason revolves around the realization that CISR is complex, and it is one of the most difficult things a country can do. Even if it had the money and resources to do it. The good news in this, Steph, is that the book that we are discussing today and it’s follow-on book provides several lessons to be learned as I call them. Good practices. Case studies, methods, tools, (and) approaches and experiences that are designed to promote the security and resilience of all NATO populations and strengthen their ability to function in a way that most people want them to during crisis management and to support collective defense or external operations. Failing to achieve CISR goals or objectives is going to reduce NATO’s mission capability and adversely impact member states’ collective societies because critical infrastructure is the foundation on which vital society and economic functions depend. Host Thank you so much for your time today, I really appreciate it. Bearse Thanks, Steph. It’s been a pleasure talking to you and your listening audience. And again, it’s a hot topic. It always will be. And it’s a great way for nations to strengthen their capabilities and for the avid reader in national security, if he really or she really wants to, wrap their head around why things are happening in today’s world and how we could get a better grip on preventing some of those bad things from happening, these books also represent good reads, so with that take care. Host Same to you, thank you. Learn more about critical infrastructure, why it matters, and how to protect it in the monograph visit press.armywarcollege.edu/monographs/955. If you enjoyed this episode and would like to hear more, you can find us on any major podcast platform. Author information: Ronald Bearse is an expert in critical infrastructure protection and national security preparedness, with more than 23 years of experience in the US Departments of Defense, Homeland Security, and Treasury. He is an adjunct professor at the Massachusetts Maritime Academy and an adviser to NATO’s Centre of Excellence for the Defence Against Terrorism (COE-DAT), where he teaches in COE-DAT’s Critical Infrastructure Protection Against Terrorist Attacks training program. Bearse earned an undergraduate degree in political science and Soviet studies from the University of Massachusetts at Amherst and a master of public administration degree from George Washington University. He is a distinguished graduate of the US National Defense University and a former senior fellow at George Mason University’s Center for Infrastructure Protection and Homeland Security