1
Defining Critical Information Infrastructure
in the Context of Cyber Threats:
The Privacy Perspective
Eneken TIKK
Cooperative Cyber Defence Centre of Excellence Tallinn, Estonia
Head of the Legal Task Team
eneken.tikk@ccdcoe.org
Introduction
About a year ago, NATO adopted two documents that will shape the way cyber
incidents of concern to (inter)national security will be managed.
The cooperative
aspect of managing cyber incidents of relevance for NATO will require national
regulatory action in regard to defining the critical information infrastructure and
providing a proper legal basis for information exchange between NATO and its
member states.
Cyber incidents may range anywhere from simple deviations from internal security
regulations to criminal acts, acts of cyber terrorism, and even warfare. The
investigation and management of such incidents is based on sharing and comparing
traffic data and server logs, including IP addresses. Countries subject to both the EU
and NATO organisational framework of cyber defence
will face difficulties
transferring such data to NATO or another member state‟s national authorities since the
legal view governing EU data protection institutions categorises IP addresses and logs
as personal data.
The EU legal framework on data privacy thus creates obstacles to processing cyber
incident data for the purpose of cooperative cyber defence management. While there
are legally safe ways to secure evidence and manage cyber incidents, recent trends in
EU member states require that more attention be paid to these issues on the national
regulatory level.
Eneken Tikk works as the Legal Advisor to the NATO Cooperative Cyber Defence Centre of Excellence
(“CCD COE”) and is currently the Research Fellow for the Center for Infrastructure Protection of the
George Mason University Law School.
NATO Cyber Defence Concept (MC, 13 March 2008), based on the NATO Cyber Defence Policy (NAC,
20 December 2007).
While there is no internationally accepted legal definition of cyber threats (one of the key reasons for
difficulties related to the implementation of personal data protection rules), the concerns of cyber security
involve stakeholders such as international organisations, governments, the private sector and IT infrastructure
providers, as well as home users. The incidents that may affect the functioning of a society‟s critical
infrastructure may initially occur as simple human error and the deviation from internal information security
regulations, or they may turn out to be intentional, often politically motivated, criminal activities or
coordinated and well-targeted attacks that support other hostile activities towards the entity or nation in
question. Therefore, the term “cyber defence” is to be understood to cover the prevention of and potential
responses to different types and levels of cyber threats.
