On March 21st, 2016, Dr. Kevin Quigley gave the following presentation to the Senate’s Standing Committee on National Security and Defence on the subject of critical infrastructure in Canada:
“Thank you for the opportunity to comment.
I’d like to talk about risk regulation to limit the possibility of low-probability / high-consequence events—disasters, crises, so-called black swan events—in our critical infrastructure (CI).
My recent research has focused on two critical sectors: the Canadian transportation and chemical manufacturing sectors.
I study risk regulation in a broad context – looking at the law, markets, media, public opinion, organized interests and organizational culture.
In light of my research, I make the following observations.
Markets, left to their own devices, do not always prepare for black swan events. In fact, markets can increase the probability of black swan events by rewarding risk-taking behaviours; we saw this in the Lac Mégantic tragedy, in which regulatory standards and business practices designed to improve efficiencies and reduce costs contributed to a rail disaster. Small and medium-sized enterprises, companies like Montreal, Maine, and Atlantic Railway Ltd., are increasingly important to global supply chains, but they often don’t have adequate risk management staff, expertise or insurance, and they respond to profit motives and don’t pay much attention to preventing disasters that they feel are unlikely to occur. This makes perfect market sense. Markets reward behaviours and ways of thinking that don’t always contribute to effective CI protection.
In particular, I’ve found that while some CI organizations have a “safety culture,” with the exception of large airports and to a lesser extent large rail, few organizations have a “security culture.” Not having a security culture makes companies vulnerable to security threats, but also supply chains and everyone who depends on CI. This is a failure of market forces which governments must address.
Yet governments are ill-equipped to address market failures in CI. Since the 1980s, the dominant narrative in Canada has been that private industry with a profit motive is better at managing CI than government. As a result, most CI has been privatized or outsourced, and—at a minimum—afforded considerable regulatory flexibility.
At the same time, Governments have been ‘hollowed out;’ they have been unable to keep pace with the technical sophistication of CI. As a result government officials now arguably lack the knowledge, skill, time, flexibility and credibility to keep an eye on the CI owners and operators who manage risks to CI.
Government finds itself in a conundrum. Polling data suggests Canadians do not consider security a high priority, and certainly not compared to health care and economic concerns. Yet the public holds government partly if not completely responsible for CI failures, despite the fact that government has less and less control over it. The public expects their governments to act, and will blame them if they do not. In response, governments assume a cooperative stance with industry and use euphemisms to mask unclear accountability, terms like ‘information-sharing’ ‘trust-building,’ ‘partnership,’ ‘stakeholder,’ ‘leadership at all levels’ and ‘federal family.’
Meanwhile, media fails to keep a watchful eye on CI risk regulation. Black swan events generate a lot of media coverage and a ruthless hunt for someone to blame—more so with industrial failures than natural disasters—but disasters and crises are complex and require thoughtful and prolonged examination. Despite this, most media coverage ends the same month it starts and focuses more on personalities than rational risk assessment. When a seemingly healthy boy in Ottawa died of H1N1 in 2009, for example, that event generated fifteen times more media coverage in the Globe and Mail than a computer glitch at the Canada Revenue Agency in 2007 that limited government’s ability to collect or disseminate funds on-line, which – unlike the boy’s death – had very serious and far-reaching economic implications.
Despite the rhetoric of markets and competition, many large CI organizations are protected from market competition; after all, to borrow and modify an American catch-phrase, they are “too critical to fail.” This dynamic increases government’s incentives to restore CI companies after CI failures. Under the guise of competition or security considerations, companies can withhold information from the public; As a result, government often doesn’t know how seriously companies take security and how effectively they are managing risks; we do know, however, there are few incentives for most CI sectors to spend time or money on security.
Market failures, ill-informed media coverage, governments’ diminished capacity for risk policy and management, and companies that are too big and too critical to fail–these forces converge to empower already powerful CI institutions, which the public trust less and less.
While some careers end abruptly after CI disasters, for the most part organizations maintain power after a black swan event, and sometimes even gain power. The governance system in place privileges stability, efficiency and political expediency; it is concerned less with transparency and accountability; its commitment to learning over blame-shifting could be improved.
It is increasingly important that we learn and adapt so that we can address risks associated with climate change, security, aging infrastructure and emerging cyber threats. To strengthen our CI, we must strengthen and extend independent audits, report more frequently on performance, share information more widely, including to the general public, manage the risks associated with SMEs, deconcentrate single points of failure, enforce appropriate standards and behaviour in a timely manner, increase mindfulness about security and enhance fairness in our distribution of risks.
Critical infrastructure protection (CIP) is not exclusively about government or security; it is about the assets that enable our civilization. We all have a stake in CIP. The new government plans to spend considerable sums of money on our CI. These investments can enable a significant step forward toward a more desirable society – smarter, greener cities, for example. CI investments can reflect our values and the communities we wish to build. The planning we do today will take years to come to fruition; we must consider security, climate change, trade, economic challenges, and opportunities of the future to maximize the benefits of today’s CI investments.
Thank you again for this opportunity to comment.”
Kevin Quigley, 2016