Introduction

The recent developments that took place within the international system have generated, alongside the effects of globalization, the increase in interconnectivity and of interdependencies, a whole new set of threats and vulnerabilities that can directly infringe on the security of critical infrastructures. The contemporary geopolitical context is characterized by unpredictable situations and complex systems and, therefore, cannot accommodate any longer the nationalist, militarized or territorial approach of critical infrastructure protection. A proper understanding of the concept requires, in today's world, a multidisciplinary framework of interpretation.

Presently, the idea that the prosperity and security of national states are inextricably dependent on vital networks of critical infrastructures is widely accepted. The issue of critical infrastructure protection has, therefore, become a method of system analysis, thus ensuring the proper framework for understanding and interpreting the threats to national security. According to some authors1, this approach on security is characterized by the following: the concern for critical elements or structures on which contemporary society, the economy and political regimes depend on, the focus on identifying vulnerabilities, risks and threats to critical infrastructure systems and, last but not least, the effort to develop and implement strategies for alleviating structural vulnerabilities.

From this point of view, the protection of critical infrastructures is part of a new security paradigm, which was shaped as a response to recent changes within the system of international relations. More precisely, a novel approach to security risks was elaborated, in which threats to national security were interpreted through the lenses of system vulnerability analysis. System vulnerabilities were, in their turn, mostly determined by elements of critical infrastructure.

A series of historical events from the early 20th century contributed decisively to shaping this approach. One of them was the development of the doctrine of strategic bombing2 both in Europe and in the United States of America. Strategic bombing meant the destruction of vital targets belonging to the industrial complex of an enemy country, the development of mobilization efforts for defense purposes and, last but not least, during the Cold War, it meant total preparedness3 and disaster planning for emergency situations as a way of defending the American system of production against a Soviet nuclear attack.

These shifts in understanding defense and security, alongside other economic, technological and legislative changes, have modified existent relations between infrastructures. At the same time, the information technology revolution has generated new dependencies of infrastructure components, thus creating complex systems whose control is, usually, computerized and centralized via a nodal server.

The understanding of the concept of critical infrastructure is, therefore, derivative from a certain manner of defining security in terms of intrinsic system vulnerabilities and has become a dominant feature of national security starting with the second half of the 20th century, due to the multiple changes that occurred within the system of international relations, which determined the development of a new type of strategic thinking that, in its own turn, imposed a series of novel concepts and innovative ideas.

For example, the invention of the notion of total war has changed the way in which states related, until the end of the 19th century, to military conflicts and armed combat. This happened because the technological innovations of the 20th century have allowed the development of armaments at a more rapid pace than before. In other words, "the army is industrializing, the industry is militarizing, the army absorbs the nation, and the nation models itself after the organization of the army."4 From this perspective, one can state that the theory of total war has represented, in terms of strategic thinking, the recognition of the idea that a state's military power depends both on the strength of its economy and on its administrative capacity to mobilize and redirect its vital resources to the fulfillment of strategic purposes or objectives. Nations have, therefore, become aware of the importance of their industrial and economic systems and, at the same time, of their vulnerability to potential attacks. This, in turn, has contributed to the development of the strategic bombing theory and of the concept of vital targets.

According to Philip S. Meilinger, the first to theorize the notion of strategic bombing was Giulio Douhet, an Italian military scholar who considered that when a state's resources were waged in war, then the said state's capacity to administer those resources should be annihilated in order to determine the state to admit its defeat. To achieve this goal, Douhet opted for offensive air strikes, aimed at destroying the production and defense capacities of the enemy. Subsequently, Douher identified five vital sectors to the existence and functioning of the modern state, which he named key targets or vital targets: the industrial sector, transportation, roads and railway infrastructures, communication networks, government and administration buildings.5

As one might easily observe, the five vital sectors dubbed by Douhet roughly correspond to certain physical critical infrastructures, although it is only much later that they will be identified and defined as such.

Historically, one of the first moments in which the vital importance of certain infrastructure components has become obvious was during the Second World War, when the Allies' false estimation of the role played by certain infrastructures in Germany's war economy allowed it to continue its warfare production as far as 1944.

Later on, during the Cold War, the ideas that there are certain categories of infrastructures on which national security depended on and that the government's capacity to ensure their functioning is essential to peace keeping and economic development began to make their way into scholarly debate.

1. Critical infrastructures of the United States of America

Certain developments in American strategic thought that contributed decisively to the present approach of national security should be taken into consideration before discussing the evolution of the concept of critical infrastructures in the United States. For example, even though the notion of strategic bombing was initially formulated by an Italian, it was American military experts that substantially contributed to its development by placing the emphasis on the correct identification of vital targets, by which they understood key assets of nodal centers in an industrial system or an infrastructure network. These interpretations of military strategy led to the development of the concept of industrial complexes or networks. It basically stated that modern economic systems were based on complex interdependencies or were made of "interrelated and interdependent structural elements."6

The relationship between various components of a system thus became the major vulnerability of national economies. As a result, a thorough knowledge of an enemy's vital networks and infrastructure systems became necessary for identifying and exploiting these systemic vulnerabilities. The analysis of these critical infrastructure components was beyond the capabilities of mere soldiers, and required the aid of economists and technical experts. The purpose of such exploits was to evaluate and select "those specific targets whose destruction would paralyze or neutralize the enemy."7

This way of thinking also made it clear to strategic military experts that the American infrastructure systems presented the same kind of vulnerabilities, being equally subjected to the threat of a potential attack, which lead to the creation and implementation of defense strategies based on ensuring the protection of those vital parts of the infrastructure. It is worth mentioning at this point that, traditionally, the geographical localization of the United States between two oceans was considered to be one of the main security guarantees of the nation. The naval forces had, therefore, historically assumed the leading role in the nation's defense strategy. However, with the development of the aviation industry and the perfection of the long range bombers, this paradigm suffered significant alterations. The need to identify new security guarantees and to ensure the protection of strategic infrastructures by developing new models of infrastructure network to reduce vulnerabilities became evident.

The first attempts to identify the units of U.S. critical infrastructure can be traced back to interwar period, and can be found in the research made by Air Force experts from the Air Corps Training School (ACTS). In 1938, Muir S. Fairchild stated that the key structures of the American economy comprise a number of 11.842 "critical" factories, almost half of which were located on the East Coast of the United States, in New York, Pennsylvania and Massachusetts.8 A potential deterioration of these factories or the electric power grid that connected them had the capacity of generating significant pressure on U.S. ability to support a war effort.

The efforts to implement organizational and administrative models to ensure critical infrastructure protection were materialized, however, after the Second World War, when the issue of civil defense of strategic sectors against potential nuclear attacks became a major concern for the administration. It was during this period of time that major efforts were made to identify and classify infrastructure components considered vital to the optimal functioning of the state, "maps" of systemic vulnerabilities were elaborated, theoretical models for measuring the effects of a nuclear attack were developed and emergency response plans for disaster situations were implemented.9

In the 1960s and 1970s, these efforts were amplified and became applicable to all administrative levels in the United States, starting from the calamity and disaster evaluation plans developed by city councils, to the energy and transport infrastructures protection strategies of state legislatures and to the federal risk assessment models that evaluated potential damages in case of a nuclear attack. It was during this period of time that system analysis became the predominant method to assess risks and to prepare plans for emergency situations. Quantitative methods were established to measure interdependencies between various structures of the system and theoretical models to identify systemic vulnerabilities were elaborated, such as linear programming, a mathematical method in which the optimal result is obtained from a list of attributes portrayed as linear relations.

By the end of the 1960s, a structure within the Office of Emergency Preparedness-OED had been established. The department was entitled the Systems Evaluation Division-SED10, and its main activity consisted of formally analyzing critical infrastructure networks, such as transportation, the national energy sector and communication, whose vulnerabilities could have been exploited by state and non-state actors that did not otherwise have the military strength to directly lead an attack on the United States of America, or that presented the risk to be extensively affected by calamities and natural disasters and could, therefore, disturb the entire system. For example, according to the analysis of American energy experts, the federal electric grids constitute themselves into a "set of relatively compact targets for saboteurs, terrorists, attackers or lightning."11

As a result of this reality, a national list of facilities that played a key role in the American economy and society had to be elaborated in order to organize and make more the efficient the efforts to protect them. Through such initiatives, in their attempt to define new threats to national security in the framework provided by the Cold War, American government experts were amongst the first to theorize the concept of critical infrastructure. By the end of the 1970s and beginning of the 1980s, the main features of critical infrastructures were settled, and the potential threats that emerged from systemic vulnerabilities were identified. They varied from energy crisis to industrial accidents and terrorist attacks. These new threats were quite different from those possessed by traditional war and even from those of a potential nuclear attack. They could not be anticipated, and their probability of occurrence could not be calculated by classical formulae. This lead to the elaboration of new techniques of management and control, aimed at diminishing system vulnerabilities.

By the beginning of the 1990s, the concept of critical infrastructure already constituted a major concern of the Washington administration, and was actively promoted in other federative states such as Canada and Australia. For example, the Canadian definition of critical infrastructure comprises that part of this category are those infrastructure components whose deterioration would have a "serious impact on the health, safety, security and economic welfare of Canadians or on the normal functioning of the government."12 Similarly, the Australian administration regards emergency services as being an essential component of Australia's critical infrastructure and believed it was necessary to interconnect them into a computerized network for critical infrastructure protection called the Trusted Information Sharing Network for Critical Infrastructure Protection-TISN13.

It is worth mentioning that, even though the infrastructure components that were considered to be "critical" had been identified and studied since the end of the 1970s, the term of "critical infrastructure" was not used until 1996, when the Clinton Administration issued the Executive Order for Critical Infrastructure Protection.

The Executive Order was elaborated so as to implement a set of efficient measures for preventing and countering potential cyber-attacks to critical computer infrastructures of the American nation. It defines critical infrastructures as being a part of the national infrastructure that is vital and whose destruction or incapacity to function properly can seriously diminish the economy or defense of the United States.14 The Executive Order also states that part of the critical infrastructure sector are telecommunications, the national electric grid, the water supply system, the oil and natural gas sector, the financial and banking system, the emergency services as well as those structures that allow the continuity of governmental functions.

The concept of security of critical infrastructure therefore refers to the protection of those elements that are vital to the economy, the population, the government and, last but not least, to national security. The American perspective of the idea uses the following criteria for identifying critical infrastructure components: the population affected by a disturbance in the network, the impact on the national economy and the costs of rehabilitation, the time needed to restore services, and the impact on the population's morale.15 By comparison, the European approach on critical infrastructure uses the following criteria for identifying critical infrastructures: the length and surface of the critical sector, the magnitude and intensity of effects, the probability of being affected by a potential threat and the time frame of effects.16

By elaborating a legal framework of critical infrastructure protection, the American administration wished to ensure the continuity of services and to remediate in the shortest time possible any situation that would affect their functioning. In other words, the main objective of the American government was to offer guarantees that any possible malfunction would not be frequent, would not last long and could be solved.17 To this purpose, the Presidential Commission for Critical Infrastructure Protection submitted, in 1997, a report in which they evaluated the main threats to critical infrastructures in the United States. As a response to the Commission's report, President Clinton issued the Presidential Decision Directive 63-PDD 6318, aimed at creating national capabilities to administer and protect critical infrastructures. It is also worth mentioning that the Directive included cybernetic and computer systems in the category of national critical infrastructures.

In February 1997 the National Infrastructure Protection Center or NIPC19 was created. Its main responsibilities were to detect, deter, prevent, evaluate and investigate the illegal use of information technology (IT) methods to threaten critical infrastructure.

The first draftof the National Plan for Critical Infrastructure, which was elaborated during the mandate of president Clinton, defined critical infrastructures as those systems and goods, albeit physical or virtual, whose incapacity to function or destruction would have a major impact on national defense, economic security or on public health and safety.20

After the terrorist attacks of 9/11, the American security paradigm changed significantly and, as a result of this shift, a national strategy for protecting critical infrastructures was elaborated, in order to prevent a similar tragedy to occur again on American national territory. The 13228 Executive Order established the Office for Homeland Security21, whose responsibilities concerned the protection of the following infrastructure components: the energy sector, telecommunications, the units that produce, use, or store nuclear material, public and private information and intelligence systems, transportation, agriculture, events of national importance, water supply networks and public health systems. One cannot help but remark the inclusion of nuclear facilities, of events of national importance and of agriculture in the category of vital infrastructures, a novel development since, in the previous documents, there was no such reference to the above-mentioned infrastructure components.

Complementary to the provisions of the Executive Order, the Congress ratified the Patriot Act and the Homeland Security Act, thus completing the legislative framework for ensuring the security of the United States' critical infrastructure. It is worth mentioning that, from the two documents, the Homeland Security Act stipulates the creation of the Department of Homeland Security and introduces, in addition to the concept of critical infrastructure, the notion of "key assets", understood as those resources controlled by the state or by private operators that are essential for ensuring minimal functions of the economy and of government.22 Although the document does not clearly enumerate the nation's "key assets" and the protective measures for them and critical infrastructures are fairly similar, they are nonetheless perceived as a separate category.

In order to integrate and synthetize the provisions of the above-mentioned Executive Orders, of the Patriot Act and of the Homeland Security Act, the American Administration issued, in July 2002, the National Strategy for Homeland Security or NSHS. The strategy reinforces the definition of critical infrastructures mentioned in the Patriot Act, while providing supplementary arguments for the classification of certain sectors in the category of critical infrastructures.

According to the NSHS, the American national critical infrastructure comprises a significant number of sectors, such as agriculture, the food industry, public healthcare and emergency services etc. They all ensure basic services that are absolutely necessary for the survival of the American population. Furthermore, the document argues that government institutions are essential for guarantying freedom and national security, while the defense industry contributes to the growth of the country's capability to prevent external threats. Last but not least, the energy sector, transportation, the financial and banking system and other sectors are important for economic growth and influence the American people's quality of life.23

Another important aspect for properly understanding the concept of critical infrastructure security lies in promoting public-private partnerships, aimed at ensuring the protection of vital components. As one can easily observe, most of the United States' critical infrastructure sectors are not owned by the state. It therefore becomes necessary that the private operators assume responsibility for the protection of infrastructure components. The fact that the private sector is taking responsibility for infrastructure protection and thus contributing to national security represent an evolution from the previous security models, in which the state assumed the central role in the field of critical infrastructure protection.

Moreover, it is worth mentioning that the idea of a public-private partnership in the area of vital infrastructure security has encouraging perspectives of development, especially when one takes into consideration that the evermore complex interdependencies established between systemic components make it more and more difficult for a unique, central command station to identify vulnerabilities.

The analysis of new critical infrastructure systems reveals the inefficiency of a traditional security layout, a model that is based on vertical hierarchies. The vertical hierarchies of the traditional framework for understanding critical infrastructure protection was replaced by a horizontal hierarchy, in which the responsibility for the well-functioning of the whole, as well as for ensuring the protective measures of its substructures is dispersed at a local or even at an individual level, without being concentrated or coordinated from a single center.

Not long after this initiative, the Bush Administration emitted, in February 2003, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets or NSPP), which restates the characteristic attributes of critical infrastructures enumerated in the NSHS and defines three new categories of key assets.24 According to the NSPP, the United States' key assets are: national monuments, symbols and edifices that represent national values and/or traditions, buildings or structures belonging to the economy or to the industrial sector, malls and shopping centers, office buildings and sports stadiums. The document also explicitly nominates nuclear plants and dams as key assets of the U.S.

As it was the case with the NSHS, the necessity of elaborating a national strategy for the protection of critical infrastructure had emerged as a result of security challenges determined by the diversity and complexity of all the entities that together comprise the critical infrastructure of the United States of America. The national strategy was designed to facilitate a federal framework of risk assessment. Before its implementation, the evaluating process of threats was fairly difficult, thus increasing system vulnerabilities. The difficulties mainly resided in the public-private scheme of ownership of U.S. critical infrastructures and in the overlapping authorities and responsibilities of local, state and federal government agencies that dealt with critical infrastructure protection. The National Strategy's main purpose was to create and implement a unitary and comprehensive organizational framework for the protection of critical infrastructures and key assets. This framework had to be characterized by clearly stated objectives, a mutual understanding of roles and responsibilities residing in each administrative level involved in the process, and a set of coordinated actions for implementing security measures.25

As it was mentioned earlier, a wellestablished organizational framework ensures solid foundations for starting offpublic-private partnerships in the field of critical infrastructure security, without which the existence of efficient protection strategies would be nearly impossible in contemporary society. The National Strategy clarifies the functions of both the public and private sectors in ensuring the security of infrastructure components vital to the development and prosperity of the United States, attributing to each sector a personalized set of responsibilities, according to its management and control capabilities, as well as in compliance to each sector's available resources.

The framework created by the National Strategy was completed by the provisions of the Homeland Security Presidential Directive 7 or HSPD 7, issued by President George W. Bush on the 17th of December 2003. The HSPD 7 enumerates the executive agencies responsible for identifying, prioritizing and protecting critical infrastructures and defines the roles and functions assumed by each agency within the framework of the U.S. National Strategy for Critical Infrastructure Security.26 Furthermore, the necessity of publicprivate partnerships for the protection of critical infrastructures is reinforced. Last, but not least, the HSPD-7 mentions the importance of periodically evaluating the "critical" character of infrastructure components, regulating the possibility of including new categories of vital infrastructures and/or key assets, in accordance with economic and social developments, as well as with the nation's security needs.

The effort to ensure a comprehensive organizational and legislative framework for ensuring the protection of critical infrastructure has continued relentlessly. As a result, on the 30th of June 2006, the Congress approved the National Infrastructure Protection Plan or the NIPP, which regulated the procedures for ensuring the security of components and sectors belonging to federal critical infrastructures and redefined the United States' policy in this field.27 The Plan was revised in 2009 and represents an eloquent model of efficient system analysis and risk assessment, reaffirming the importance of critical infrastructure protection in the wider context of national security and the essential part played by public-private partnerships in the process.

According to the NIPP's provisions, the critical infrastructure of the United States has 18 key sectors that can be identified using the criteria of the place and role they play in the mechanisms of American economy, according with the resources involved in their management and the way in which they affect the population. Moreover, the NIPP enumerates the institutions that have legal attributions in assuring and enforcing security measures for critical infrastructures, including several Congress commissions, the Department of Homeland Security, ministries of identified key sectors (transportation, energy, finance, economy, agriculture, communications, health, education etc.), government agencies, NGOs and private operators. Amongst them, the Office of Infrastructure Protection deserves a particular attention. The Office of Infrastructure Protection is part of the National Protection and Programs Directorate from the Department of Homeland Security, an entity that coordinates national programs for the identification, prevention and reduction of risks and vulnerabilities belonging to critical infrastructures. The main responsibilities of the Office are28: identifying and analyzing threats and vulnerabilities, coordinating at both a local and national level of partnerships between private entities and government agencies in the field of critical infrastructure protection, preventing risks and countering effects by ensuring a rapid response mechanism in emergency situations. The Office collaborates with other governmental and non-governmental institutions belonging to the 18 national sectors of critical infrastructure in order to implement federal programs of risk and threat reduction, ranging from preventing acts of terrorism to alleviating natural disasters, as well as measures for consolidating the state's capacity of rapid response in the event of an attack or in other crisis situations. For each sector there is a socalled Sector Specific Agency29 that coordinates the protective measures for the critical infrastructures belonging to that specific sector.

To conclude with, it can easily be observed that the American initiatives in the field of critical infrastructure protection have set new standards, redefining the concept in actual, evaluative and evolving terms. By developing an adequate legislative framework, as well as by transferring a part of the responsibility to coordinated publicprivate partnership formulae, the United States has ensured the dynamicity of the processes of identifying the components of critical infrastructures, analyzing systemic vulnerabilities, preventing and countering threats.

2. Critical infrastructures in the European Union

The American initiatives were followed by similar actions at a European level, which were determined, to a certain extent, by the terrorist attacks of Madrid (2004) and London (2005). The attacks pointed out, both at the level of individual Member States and at the level of the European Union as a whole, the necessity of configuring a legislative and operational framework for defining, identifying and ensuring the protection of national and European critical infrastructures.

In June 2004, the European Council requested for a comprehensive strategy for the protection of critical infrastructures to the elaborated. As a result of the Council's request, on the 20th of October 2004, a Communication concerning the Protection of Critical Infrastructure in the fight against terrorism was issued. The Council's conclusions concerning the prevention of and the response to a terrorist attack have prefaced the Commission's intention to propose a European Program for Critical Infrastructure Protection or EPCIP, which was stated in November 2005 in the provisions of the Green Paper on a European Program for Critical Infrastructure Protection, COM (2005) 576 final-17.11.2005. The Green Paper's main objective was to establish a channel of communication between the governments of Member States, as well as with public or private operators from various critical infrastructure sectors, in order to revise present opportunities and regulate viable political options for ensuring the security of European critical infrastructures30.

In December 2004, the Commission of a Critical Infrastructure Warning Information Network or CIWIN was also established. CIWIN represented a secured system of information and communication destined to assist EU Member States in the exchange of information concerning the vulnerabilities of critical infrastructures, the measures adopted by each state to reduce them, and the national strategies aimed at diminishing risks implemented31. In other words, CIWIN was a first concrete step in the process of creating and implementing a European organizational and legislative framework, based on similar principles as its American counterpart, but adapted to the requirements, needs and particularities of the European Union and of individual Member States.

As a part of the European Program for Critical Infrastructure Protection, the CIWIN initiative approaches the process of exchanging information between EU states in order to assure the functioning and security of those particular infrastructure components that were considered vital to the existence of the European Union32.

To complete these initiatives, in December 2006, the Commission proposed a Directive concerning the identification and classification of European critical infrastructures. The document also stated the need to assess and improve critical infrastructure protective measures, and it lead to the implementation of the EPCIP [COM(2006) 786 final] communication, which established the horizontal framework of critical infrastructure protection. Also, the communication proposed a certain structure for CIWIN and envisaged a series of steps aimed at facilitating the implementation of the EPCIP in all Member States33.

In order to reach the objectives of the EPCIP, it was necessary to impose a method of prioritizing essential infrastructures of the European Union, starting from the premise that it would be completely unrealistic for the EU to assume responsibility for protecting all critical infrastructures of its Member States. For this reason, the EPCIP coordinates the protective measures only for those categories of infrastructures that have a transnational character. The other types of critical infrastructure remain in the responsibility of individual Member States.

The objectives of the EPCIP are: identifying and enumerating, with the help of national governments, all critical infrastructure components located within the national territories of Member States, according to the priorities enforced by the Program; the collaboration between public and private entities within a given sector for the dissemination of information and for reducing the risk of events susceptible of producing major effects on critical infrastructures34; a common, European approach to the security of critical infrastructures.

Other actions taken by the Commission during the same period of time were the creation of a Crisis Management Center that had attributions in preventing terrorists attacks, the implementation of a European rapid response system entitled ARGUS, which assured the connection between EU Member States' emergency systems and, last but not least, the allocation of European funds for research and development in the field of security35.

Moreover, due to the existent connections between various sectors of EU critical infrastructure with networks belonging to the near vicinity, the need to cooperate in extended formats when it regarded critical infrastructure protection became evident. Therefore, at the end of 2004 a Cooperation Agreement in the field of Energy with Balkan states, Turkey and the Republic of Moldova was signed by the EU. Its purpose was to guarantee a sufficient supply of fuel and energy to all EU Member States. The provisions of the Agreement were reinforced by the signing, on the 25th of September 2005 in Athens, of the Treaty that created the Energetic Community that comprised Member States as well as non-EU countries such as Albania, Bosnia-Herzegovina, Bulgaria, Croatia, Macedonia, The Republic of Moldova, Serbia-Montenegro, Romania and Turkey.

After a relatively long period of political and scholarly debates, in December 2008, the Council adopted the 114/2008 Directive concerning the identification and classification of European critical infrastructures, a document that evaluated the necessity of improving critical infrastructure protection. The Directive wished to organize, at a communitarian level, the security of EU critical infrastructures. Member States were given the responsibility for this enterprise, and the authority needed for implementing the necessary security measures was distributed on the basis of the principles of subsidiarity and proportionality36.

Although the intention of the Council was to create a comprehensive document that could eventually lead to a coherent framework applicable to all categories of critical infrastructure, the Directive approaches only two fields, namely those of energy and transportation37, defining critical infrastructure as an element, a system or a systemic component, located on the national territory of Member States, that is essential to the maintenance of societal vital functions, of public health, security, social and economic welfare, and whose disturbance or destruction would have a significant impact on the development of a state, due to their incapacity of maintaining certain functions38.

In order to distinguish from national and European critical infrastructures, the Directive proposes the following definition of EU critical infrastructures: an infrastructure component situated in a Member State whose disturbance or destruction would have a significant impact on at least two Member States. The importance of the effect or impact produced is evaluated from the perspective of cross-sector criteria resulting from various dependencies of other types of infrastructure.39

Concerning the issue of the security of critical infrastructure, the Directive specifically enumerates the following responsibilities of Member States: the nomination of a national contact point whose main task is to coordinate all issues related to the protection of European critical infrastructures; the nomination at the level of individual operators of a "security officer" that is responsible for implementing strategies and measures for the protection of European critical infrastructures; the elaboration, by all operators, of a "Security Plan" that identifies the European critical infrastructure components and presents existent security solutions. These actions taken together comprise a legislative framework for the protection of European critical infrastructures defined, as it was mentioned earlier, as vital infrastructure components whose role and significance is crucial to the functioning of the Community40.

As it can easily be observed, the European critical infrastructures consist of a series of interconnected networks, ensembles and systems whose functioning has cross-border effects on at least two Member States. The interdependency of infrastructures, analyzed at a European level, therefore transcends the principle of territoriality, thus increasing systemic vulnerabilities on account of complex connections established between various systems of national infrastructures, with different degrees of technological development, computerization, and performance. In this context, in the absence of unitary regulations elaborated and implemented at a community level for efficiently protecting the entire EU system of critical infrastructures, the responsibility of Member States in the area of critical infrastructure protection would not be based on realistic assumptions or premises.

According to the European approach, critical infrastructures are comprised of physical and technological installations for information processing, as well as networks, services and other elements whose cease or destruction have the potentiality to produce serious incidents with impact on the health, security and economic welfare of citizens, or on the activities of Member States' governments41.

According to the criteria and classifications of the European Commission42, the EU critical infrastructures are comprised of: installations and networks for energy production, storage, transport and distribution (gas, oil and electricity); communication and information technology systems (telecommunications, radiobroadcasting, IT programs and systems, including the Internet); the finance and banking systems, capital markets, stock markets and investment funds; the public health system (hospital, blood banks and hematology centers, ambulance and emergency services); the agriculture and food sectors; water supply and distribution networks; transportation networks; facilities for producing, storing, transporting and destroying hazardous material (chemical, biological, radiological and nuclear substances); the public administration sector.

According to some authors, the European approach on the protection of critical infrastructures is primarily based on the analysis of the technological factor43, and the critical level of each comprising part can be determined by a careful analysis of the impact-probability relationship, while, at the same time, taking into account the existent interdependencies between various components of different critical infrastructure sectors.

The prevalent interdependencies, alongside the extra-territorial characteristic of European critical infrastructures (as opposed to national critical infrastructures), generate a series of specific traits. One of them is that, in a similar fashion to the American model, most European critical infrastructure components are owned by private operators, which implies sharing responsibility between three levels of command and control: the community level, the state or national level, and the individual or private operator level. In order to implement adequate measures of protection it is needed to develop solid public-private partnerships. Another representative trait is that, due to the EU policies for ensuring freedom of movement and for eliminating economic barriers, the interconnection of national infrastructures was accomplished at a high level, which increased interdependencies and, in certain areas, vulnerabilities as well.

The economic and social differences between Member States, the varying degrees in which European regulations are implemented in national legislations, alongside the high cooperation and dependency between Member States can generate additional vulnerabilities of critical infrastructures. For example, when considering the case of a crossborder network, the capacity of rapid response to crisis situations of the network's weakest sector affects the other sectors that are connected to the networks, producing an impact on the entire system. Moreover, the sovereign EU Member States do not have, for the time being, the possibility to ensure the autonomous protection of critical infrastructure, without the regulatory intervention of a super state authority (at the level of the Union of interstate alliances.44

According to a Center for European Policy Studies (CEPS) report, despite European efforts to define and organize a formal reference framework in the field of security of critical infrastructure, the protective measures adopted by Member States are often fragmentary and uncoordinated, which creates difficulties in the process of implementing a unitary understanding at the level of the European Union of the definition and categories of critical infrastructures.45 Moreover, it is fairly probable that, in the event of new expansion waves, within the larger process of European integration, the number of critical infrastructures will increase and, implicitly, through complex connections and the multiplication of interdependencies, the level of systemic vulnerabilities will amplify.

In a similar fashion to the American approach, the concept of European critical infrastructure is a dynamic one. The European model proposes three criteria for identifying critical infrastructure components, by taking into consideration length or surface, the degree of importance and the effect in time46. The first criterion is that the evaluation of the "critical" character of infrastructure components is made on the basis of the geographical area estimated to be affected in the event of the deterioration or destruction of the evaluated structure, as well as the international, national, regional or local dimension of potential damages. The second criterion considers the economic, political, environmental impact or the potential effects on the population, considered in a binary relationship with the interdependency of the component with other infrastructures. The third criterion is represented by the effect in time, which indicates the estimate moment in which the damage or destruction of an infrastructure might have the most serious impact.

As it was mentioned earlier, the identification of critical infrastructures in the EU is the responsibility of individual Member States, whose task is sometimes made difficult by the complex interdependency relations of infrastructure networks, both within the European Union and in the near vicinity, an eloquent example of this phenomenon being that of the gas pipes that connect the EU with the Russian Federation. Because of these realities, the identification, classification, analysis, evaluation and protection of critical infrastructures attempted at a national level cannot be isolated from similar European efforts.

Fragmentary actions in the field of ensuring the security of critical infrastructures, due to a lack of coordination of state initiatives, can have serious consequences in the long run, by encouraging inadequate protective measures, the perpetuation of technological outdated, inefficient or underperforming networks of state infrastructures and, last but not least, the erroneous identification of critical infrastructure components. In other words, if a single state does not fulfill correctly and accordingly its obligations to identify, on its national territory, those specific infrastructure categories that could be classified as belonging to the European critical infrastructure, and does not take the neces-sary measures to reduce systemic vulnerabilities, to counter threats, to impose security standards and to ensure effective protective measures, the effects of the state's incapacity would become evident, in one way or the other, to all states within the region, the continent, or would be even felt at a global level.47

From this point of view, the perspectives of the concept of security of critical infrastructures depend on the availability of Member States to extend their cross-border cooperation in the field of critical infrastructure protection, on the European Union's capacity to accelerate European integration and to soften the differences in economic and social development, as well as on the flexibility, adaptability and response capacity of private operators involved in the management of infrastructure components. A viable and efficient solution to ensure the security of European critical infrastructures is to promote public-private partnerships, by allowing non-state actors that operate in certain vital sectors to assume more responsibility in terms of security, in a similar way to the American model.

Conclusions

On account of the international context created by globalization, connections between various infrastructure sectors have become extremely complex, increasing the interdependency as well as the vulnerability of the system. The major threats to critical infrastructures are both trans-border and asymmetric.

In this context, the states' ability to ensure their protection without an international organizational framework is extremely limited.

At the same time, most of the critical or potentially critical infrastructures no longer fulfill the territoriality condition, in the sense of limitation to a geographical area of one state. As the threats they face, they are cross-border or international. Given this specificity of critical infrastructures, the increase of the vulnerability level of a state "determines one way or another, the increase of the vulnerability of all critical infrastructures in an area or a network".48

Similarly, the increase of the vulnerability of an element or a sector from a critical infrastructure system contributes, given the links and the interdependencies existent between its components, to the enhancement of the vulnerability level of all the system.

In this context, an efficient strategy for the protection of critical infrastructures requires cross-sector communications, a clear vision of the objectives and political involvement not only at state level but also at a regional level. In order to be able to deal with modern challenges, the organizational framework of critical infrastructures' protection requires clarification and strict delimitation of attributions and responsibilities for every administrative level involved in the process. Moreover, this framework must comprise the idea of a public-private partnership that needs to be structured in a way that does not lead to forming "excessively large groups"49.

For the identification, analysis, and risk evaluation process to be relevant for all the actors involved in an interdependent critical structures' system, it is necessary to establish and apply a standardization of the criteria used for analysis, i.e. to be based on common notions concepts and definitions. By applying these criteria, confusions or erroneous interpretations would be avoided, and the risk of including in the category of critical infrastructure certain components that do not meet necessary characteristics would be diminished, and taking inadequate protection measures would be avoided. At the same time, in order to meet the dynamic, evolutionary and unpredictable characteristics of the concept of critical infrastructure, legislative regulations in this field should have a certain degree of flexibility and adaptation, making it easier to respond to challenges or changes brought by causes from inside or outside the system.