ABSTRACT
Introduction The bombings inMadrid and London have been a wake-up call for European governments on the importance of protecting the critical systems that enable societies to function from its targeting by terrorist groups. The explosions in Madrid’s commuter trains in March 2004 and London’s underground and bus networks in July 2005 demonstrated that, by attacking these transport
and communication nodes, it was possible for terrorist networks to damage European cities’ means of mass transit and, in the process, ensure a terrible cost in human lives. The consequences were wide-ranging: usage of public transport in the aftermath of the attacks in Madrid and London seriously diminished and the economic costs were very significant, not least in areas such as tourism. Protecting a state’s infrastructures from external damage is not an easy
task. Modern societies are sustained by tightly coupled and increasingly complex interdependent systems of infrastructures. This interconnectedness renders critical infrastructures (CIs) vulnerable because a contingency in one element of the wider system is increasingly likely to affect other parts, leading to potential rapid escalations from individual disruptions. Just the fear of an attack may dislocate the functioning of critical nodes like national airports, as has been demonstrated time and again by terror alarms since 9/11.1 Moreover, due to processes of liberalization, deregulation and privatization of European national economic markets, it is not always clear who the key operators are for particular infrastructures and fragmented and diffuse ownership means that holistic policies in this area require the involvement of a large number of public and private actors. The management of public assets is even more challenging in the context of
the European common market. The density and transnational character of many European CIs plus the interdependency of border security, transport and other cross-border infrastructures have increased the opportunities for multifaceted crises. Deregulation in the energy and telecommunication industries has also contributed to growing number of operators owning assets in more than one European country.2 Compounding this situation, increasing economic integration, freedomofmovement and the geography of Europe3 are factors that would enhance the cross-border impact of large terrorist incidents, particularly if they involve CBRN materials. As critical systems become increasingly complex and integrated across geographic borders, a terrorist attack on a particular network could have a ‘cascade’ effect on the supply chain, multiplying the negative effects in the process (i.e. disruption of electric supply on air traffic control systems) and having significant cross-border effects in two or more countries (i.e. a chemical plant located near the border). As a case in point, a major terrorist attack in the port of Rotterdam could paralyzewhole economic sectors in several European states, notablyGermany. All of these factors have encouraged member states to better coordinate their efforts by inviting the European Union (EU) to become involved. In this respect, guarding CIs against breakdowns caused by terrorism is
addressed by the 2005 EU Counter-terrorism Strategy under the Protect
pillar, one of the four strands of the EU response.4 The EU Counter-terrorism Strategy understood that the Protect dimension should be about ‘strengthening the defences of key targets, by reducing their vulnerability to attacks, and also by reducing the impact of an attack’.5 The document contends that the EU should provide a platform through which to share information about national responses, foster public-private actors’ networks and deliver good practices and innovations. Conceptually, the protection of infrastructures from terrorist attacks is just
one aspect of this Protect pillar. Protect is also about border control, defined as the ‘protection of our external borders’, and the non-proliferation of chemical, biological, radiological and nuclear (CBRN) materials and small and light weapons. In fact, most serious developments in this pillar have been in border protection, a well-established sphere of EU action. Progress here has occurred both internally, though the inclusion of biometric data in passports, establishment of the Visa Information System and the secondgeneration Schengen Information System under development, and in the field of transatlantic cooperation with initiatives such as the Passenger Name Records Agreement or the Visa Waiver programme.6 These new technological tools are part of the development of the so-called ‘integrated border management system’. Likewise, the 2005 Strategy makes a clear conceptual distinction between
infrastructure protection and consequence management, even if they are both linked in practice and often discussed together in academic literature. The former aims tomake less amenable to external attacks potential targets that are fundamental for theday-to-day functioningof a society in sectors suchas energy, transportation, communication technologies, industry and others. The latter relates to incident detection and disaster mitigation and recovery, and matters such asmultinational joint exercises, contingency plans and alert systems. They are part of the Respond pillar and therefore outside the scope of this paper. Instead, the goal here is precisely to use the EU Counter-terrorism Strategy
as a yardstick to assess the post-9/11 progress of EU policies on CI protection fromman-made attacks. The argument that will be put forward is that the EU has become engaged in areas in which it had little involvement before the 9/11 attacks. The EU’s growing engagement is partially a result of the focusing effect brought about by the attacks inMadrid and London, which contributed to move these subjects up in European governments’ political agendas. At the same time, developments on the ground have been generally rather humble, in a context where a few remarkable practical successes contrast with a morass of slow-moving policy programmes. Although there seems to be a general agreement amongst national governments that the EU has a role to play in this field, the absence of major progress can be attributed to European 4The other three being Pursue, Prevent and Respond. See Council of the European Union (2005) ‘The European Union Counter-Terrorism Strategy’, 14469/4/05, 30 November 2005. 5Ibid., p.8. 6For a more in-depth examination of these border control policies, see Leonard, Monar and
governments’ lack of political will for pooling efforts in aspects that are sensitive to national sovereignty. The EU has followed a sectorial approach in this field, with activity scattered
across spheres of action governed by a variety of institutional actors. In principle, this allows for a tailored approach to different CI needs and varying legal competences across the policy spectrum,7 yet aswill later be discussed, this also has important implications for a coherent and holistic European response. Although an external observer would expect to find most policy action to be concentratedwithin the critical infrastructure protection (CIP) sphere, in reality much practical work has come under the transport security policy space. In parallel, the protection of computer communication structures has beenmainly discussed under the cyber-security policy sphere. These three are sectors with strong individual dynamics but also functional overlaps. Finally, some horizontal programmes such as the CBRN policy package, the security of explosives policies Action Plan and Security Research funding schemes possess some elements that are relevant to the hardening of critical assets from intentional damage. Thus, CIP, transport security, cyber-security and crosssector programmes are, in that order, themain sections that this paperwill cover before producing a general assessment at the end.
