Threat Analysis Number: TA03-001 Date: 12 March 2003

Emergency managers in the public and private sectors could also employ this report to enhance their understanding of the variety of threats and hazards which the Government of Canada is addressing.

Finally, policy makers at all levels of government may use the paper as a jumping-off point to examine threats and vulnerabilities in CI sectors within their constituencies.

Note: For the purposes of this paper the terms "threats" and "hazards" will be used interchangeably to describe the independent variables which affect existing vulnerabilities to produce risk/disaster scenarios.

Click here to download full text of report in PDF


Executive Summary

• Canada is growing increasingly dependent upon the collection of products and services that make up our domestic critical infrastructure (CI) network. Those sectors, in turn, are becoming increasingly interdependent, as telecommunications and cyber elements continue to underwrite them. These two factors combined make us more vulnerable to threats from natural, accidental and malicious threats to our CI.
  
  
• Risk is assessed as a combination of threat (expressed as the probability that a given action, attack, or incident will occur), vulnerability (expressed as the probability that a given attack, or vulnerability will succeed, given that the action, attack or incident occurs), and consequence (expressed as some measure of loss, such as dollar cost, resources loss, programmatic impact, etc.). The total risk of operating a system is assessed as a combination of the risks associated with all possible threat scenarios. Risk is reduced by countermeasures. However, the cost of countermeasures (relative to the potential risks) is applied when arriving at any holistic risk management strategy.
  
  
• Four factors contribute to Canada's vulnerability to the broad spectrum of threats. First, Canada's population, built environment, and wealth, are increasingly concentrated in a small number of highly vulnerable areas and many such communities are at risk from multiple hazards. Second, climate change could increase the frequency and severity of extreme weather events. Third, Canada's built environment is aging and is more susceptible to damage. Fourth, communities are increasingly more reliant on advanced technologies that are frequently disrupted during disasters.
  
  
• Traditionally, the Canadian government has viewed infrastructure protection in the context of physical security and the protection of physical assets. The basis of this activity was the Vital Points Programme (VPP), established in 1938 to identify and protect facilities and services critical to the national interest. The Government of Canada's ability to gauge threats to CI has traditionally been contingent upon an ability to evaluate the intent of an actor, coupled with their capability to carry out a deliberate action. This process was significantly easier when dealing purely in the physical realm. However, with the advent of cyber-based threats, threat agents are diffuse in nature, and the capacity to inflict significant damage is readily available and relatively easy to use by those with even a cursory knowledge of and ability with computer technologies.
  
  
• The ongoing phenomenon of climate change is altering our capacity to effectively manage the risks associated with natural disasters. Moreover, it is affecting Canada in particularly distinct ways. In the past 10 years, Canada has faced the greatest increases in average annual temperatures of any country, and a commensurate rise in severe weather-related natural disasters. Associated with these shifts has been an increased occurrence of phenomena such as severe storms, floods, droughts and forest fires.
  

Natural Hazards Threats to Canadian CI

• Natural disasters have accounted for 69.9 percent of all disasters in Canadian history. Flooding has been, by far, the greatest cause of disasters in Canada in the 20th century, followed by severe storms.
  
  
• Geomagnetic storms, earthquakes, forest fires, tsunamis and health-related epidemics all represent significant natural hazard threats to Canadian CI.
  
  
• In recent years, the death toll due to natural disasters in Canada has decreased, while the economic costs of the damage has increased. The trend is possibly the result of two divergent factors. The response to natural disasters has become more sophisticated and better coordinated among all the partners, while the cost of securing our domestic infrastructure has risen greatly as the Canadian CI network becomes more complex and interconnected.
  
  
• Trends in the number of annual natural hazard-related threats should continue along an upward trend.

Accidental Threats to Canadian CI

• Accidents are, by definition, unforeseen. It is, therefore, difficult to predict future trends in accidents involving the critical infrastructure.
  
  
• Accidents involving CI generally involve human-error, mechanical failures and computer programming errors.
  
  
• With the increased scrutiny in both the public and private sectors on critical infrastructure protection and business continuity planning, accidental threats to CI are less likely than ever before. CI robustness has been reinforced in virtually all sectors, and where the primary infrastructure has been deemed vulnerable, redundancies have been built in. These measures have made most CI sectors less prone to the negative impacts of accidents on CI facilities and networks.
  
  
• The negative impact resulting from accidents involving CI elements should continue along a downward trend.

Malicious Threats to Canadian CI

• Infrastructure has long been a target for malicious attack, whether for criminal, military or political purposes.
  
  
• There are a range of actors, employing a range of tools (from conventional weapons, weapons of mass destruction - including chemical, biological radiological and nuclear agents, to cyber tools) who have displayed a willingness to engage in malicious activity directed to cyber and physical CI.
  
  
• The September 11 attacks have served to heighten our awareness of the threats to, and potential vulnerabilities within, Canada's physical and cyber infrastructure (and the nexus points where the two interconnect).
  
  
• Cyber crime and the criminal and terrorist use of information technology are significant issues for law enforcement. A sophisticated information infrastructure, a large pool of potential hackers within the country and heavy reliance on computer-based CI are all factors in making computer-based crime a serious threat to Canada. However, currently there is a limited ability on the part of federal and provincial government departments and agencies to collect, collate, analyze and synthesize the modest amount of substantive qualitative information on actors, their actual and potential capabilities, intended targets, and recorded attempts to penetrate or attack assets or systems.
  
  
• The Water, transportation and oil pipeline systems make appealing targets, given their diffuse nature and the difficulty of effectively protecting them from attack.
  
  
• In spite of attempts to secure these systems, the threat of a malicious attack on CI could increase. Canadian society relies on these networks, services and systems to increasing degree, thus making them ever more attractive targets.
  
  
• Responsibility for emergency measures, including CIP, in Canada is shared among all three levels of government. The federal government provides national leadership and coordinates the overall CIP effort. Those agencies with mandates that incorporate CIP are listed in Annex A