Presentation by Professor Andrew Graham, School of Policy
Studies, Queens University to the Senate Committee on National
Security and Defence, Monday, March 21, 2016
Good afternoon and thank you for the invitation to participate in this
important discussion of the risks posed to Canada’s vast public and
private infrastructure. I understand that the basis of my invitation to
participate and join with my distinguished colleagues is the research
that I did several years ago on this matter. This was published in two
reports by the Macdonald-Laurier Institute, entitled Canada’s Critical
Infrastructure: When is Safe Enough Safe Enough? I conducted this
research through a review of published material and a series of
interviews with some government officials, a number of industry
representatives at both the senior and operational level, and discussions
with certain police services across the country. While I came to this
research with relatively fresh eyes in terms of both the security of
infrastructure issue and its relationship to terrorist threats, I based my
work on my extensive experience within the criminal justice system
culminating with my role as Senior Deputy Commission of Corrections
and my continuing work, through the Canadian Association of Police
Governance, with issues of modern policing in Canada.
What I would propose to do briefly is summarize my own research
findings in the first report. I will conclude with a brief commentary on
issues that Senators might consider in terms of direction for policy and
practice in this area.
Perhaps the rub of my findings was that we have a massive,
decentralized complex of critical infrastructure for which there are
many residual forms of risk, but that we have scant evidence that there
are specific risks associated specifically with terrorism that we can
respond to. This is hardly a “Don’t worry, do nothing, be happy” sort of
conclusion. Rather, it was an effort to take a realistic approach to what
should be done. It is very easy in this area to foresee all kinds of
unforeseen risks and create more fear and anxiety than a resolve to
mitigate real risks. Coming to a ready conclusion that we are doing
enough, even if we knew what enough looks like, is fraught with danger.
1
I can readily see what this whole issue fits so well into the notion of a
wicked problem.
After taking a close look at the various forms of critical infrastructure, I
realized that we do not have a system, but rather a complex of
infrastructures. Further, within that complex, there are certain welldefined systems such as electrical distribution and oil pipelines that
function very well as systems, but mostly on their own, having
developed over the years to respond to specific challenges. We have
only a starting grasp of interdependencies and how to do something
about them.
CI in Canada is complex and getting more so. It is geographically
dispersed, owned by many different players with different agendas and
concern for threats, real or perceived. By its very nature, much of it is
vulnerable. That is what I refer to when I talk of residual risk: it is
inherent in the design. Power lines or pipelines that cross vast sparsely
inhabited areas of this country are by definition more vulnerable than
those in more populated areas due to isolation. Conversely, the intensity
of CI in more populated areas also represents an inherent risk due to its
complexity. The degree to which such risk can be mitigated is defined by
the interests at stake, not necessarily by the degree of the risk. For
instance, the costs of mitigation for privately held CI are a real concern
to the owners. They rightly would assess such risks with an eye to how
credible the risk is and what it would cost to fully mitigate it. Such
calculations weigh heavily in this field, even when regulatory oversight
comes into play.
My broadly based conclusion was that we really lack the metrics to
determine an adequate level of response to threats. This is a dynamic
process and I give the federal government some credit for trying to herd
this bunch of kittens. By that I mean that there are some many
jurisdictions and sectors involved that having the ability to say that
everything is under control would be a fanciful fiction at best. My
overview conclusion, however, was that the actual threats to CI, most
notably from a terrorist source, are unstated, but also subject to
exaggeration based on what we call in risk analysis, the available
heuristic (If that terrible thing happened in Ankara, it might happen
here.)
2
I would just add four critical observation arising from the research that I
conducted:
 I saw a real disconnect between those taking the national, macro
view with a strong focus on terrorism and those engaged at the
front end of CI systems and local police, with a greater concern for
vandalism leading to major systems breakdown and what we are
now seeing emerging as an alarming threat, the single radicalized
actor working on his or her own, but generally inspired to “do
something” by such groups as IS. I have long believed that we
need to listen to those at the front end of organizations. I am not
sure their voices are being heard enough.
 There is a real human resource capacity issue at play here.
Developing areas of expertise within various CI systems and
across them is a human resources challenge. There are people
with considerable skill in their areas. They often work either in
isolation or within one of the system stovepipes. There is no
human resource strategy in a field that demands a human eye and
instinct to understand potential risk and validate it. I would
advocate for a sector human resources council to start the process
of building this new field’s capacity.
 There is a knowledge capacity issue at play as well. In some
respects, we really do not know what we do not know in terms of
the nature of the risks, what can be done, who is doing things that
we can learn from and how can we develop transferable
knowledge of solutions, techniques and risk mitigation that
transcends our CI stovepipes. I would suggest that we need more
research capacity in our government’s and in our universities,
with more funded chairs. These are proven engines in the creation
of solid evidence and innovation.
 The speed of change in the cybernetic area is a concern, but for
two reasons. Obviously the hacker phenomenon remains a
growing concern. We now see nations stage attacks and their
victims responding. What can this mean for the future? The need
to ensure that our defense systems are up to date. The other side
of this phenomenon with respect to CI is the growth of remotely
monitored control and observation systems for the CI systems
themselves. These are not immune from manipulation and attack.
3
 I cannot leave these observations without saying something about
policing. Over the past decade, I have seen our police services,
nationally, of course, but most notably large urban police service,
engage more and more in investigations, operations and
interventions associated with terrorist activities. For the policy
services, this is a form of mission creep. Of course, police services
have to respond to changing circumstances and many have done
exemplary work in this area. However, this has become a major
cost driver, as resources are deployed, new analytical capacity
added, greater interoperability adopted. These costs have not
been given the recognition they deserve.
These are some trends that my research identified. I would suggest that,
as my colleagues here have identified, there are a number of remedies
available. I see three broad areas where we need to improve:
 Improve how governments and industry assess risk and
communicate about it.
 Grow our knowledge base through research through centres of
excellence, sharing of leading practice through documented cases
and forums for professional in this field to interact.
 Develop more incentives for industry to invest in CI resiliency and
resource new players within the public sector.
Thank you.
4