Snap parliamentary elections are a good opportunity to review national priorities. The election programmes of the registered candidates refer to national security only indirectly and through the glance of other priorities. Moreover, they do not correspond to the urgent needs of the national security sector. Critical infrastructure, an essential component of national security, is missing from the election programmes of most of the registered candidates. Therefore, an additional effort to understand the essence of the critical infrastructure sector, and the need for a strengthened regulatory and institutional framework to protect it, is necessary…

What is critical infrastructure?

According to EU Directive 2008/114/EC, critical infrastructure is “an asset, system or part (…) which is essential for the maintenance of vital societal functions, health, safety, security, economic or social well-being of people, and the disruption or destruction of which would have a significant impact in a state”.

According to Green Paper on a European programme for critical infrastructure protection (EPCIP), critical infrastructure consists of both physical components, such as hydro-technical constructions, and virtual components, such as cyberspace. Thus, critical infrastructure components can be of different nature, such as public services (UK), organizations (Germany), physical facilities (France) and financial institutions (USA). The central criterion for designating a component as critical infrastructure is determined based on the potential risks, including to society as a whole, which may be caused by disruption or destruction of these objects. Critical infrastructure is therefore a key national security interest and its protection should be a political priority.

Critical infrastructure – increasingly exposed to cyber attacks

The Republic of Moldova is exposed to multiple external security risks, including of cyber nature. Physical attacks are almost non-existent in Eastern European countries, with the exception of two terrorist attacks that took place on the territory of Ukraine (the attack on Malaysia Airlines Flight 17 in 2014). However, countries in this region are also exposed to virtual attacks, especially on critical infrastructure components. Ukraine faced a cyber-attack on its electricity grid in 2015 in which at least 230,000 people were left without electricity. However, the most destructive cyber-attack Ukraine faced occurred in 2017, which disrupted the functioning of ministries, transport companies, commercial banks and electricity grids. Recently, the administration in Washington blamed Russia for orchestrating several cyber-attacks on US critical infrastructure. To date, apparently at least, similar attacks on the Republic of Moldova have not been recorded, but that does not mean they could not occur in the future. Therefore, it is important that national authorities pay special attention to this sector.

How is critical infrastructure protected in the Republic of Moldova?

The critical infrastructure components in the Republic of Moldova correspond to those in most economically developed countries, with some exceptions. Currently, the relevant national regulatory framework is partially ensured by the Regulation on counter-terrorism protection of critical infrastructure, adopted by the Government in 2018. The Regulation indicates 11 sectors, from water supply to highly crowded places, and 27 sub-sectors, from naval transport to healthcare. The major components are natural resources – 3,500 artificial water structures, including the Stânca-Costești and Dubăsari hydropower dams. Components with high vulnerability are those in the information and communication technology sector. Even though this sector benefits from increased economic attractiveness, with sales accounting 7% of the national GDP in 2019, and dynamic development, critical ICT infrastructure receives limited protection. However, the components exposed to the most significant risks are located in the administrative units on the left side of the Nistru. In the Transnistrian region, on the one hand, critical infrastructure components have the highest vulnerability and, on the other hand, protection procedures are not under the control of the constitutional authorities of the Republic of Moldova.

Currently, several public institutions, depending on the nature of potential threats, provide critical infrastructure protection in the Republic of Moldova. The Civil Protection and Emergencies Service (SPCSE) is responsible for the management of technical, natural and biological-social exceptional situations. In addition, from a sectoral perspective, the Antiterrorist Centre (CAT) is responsible for the management of terrorist situations and the Information Technology and Cyber Crime Investigation Section (STICC) is responsible for the management of cybercrime situations. At the national level, critical infrastructure components are protected through the application of existing laws, action protocols, security plans, management mechanisms and other operational documents. At international level, the protection of these components is ensured through the application of at least 18 multilateral and bilateral international agreements concluded by the Republic of Moldova.

The regulatory and institutional framework regarding essential infrastructure needs to be reviewed

Problems in the critical infrastructure sector directly affect the Republic of Moldova’s national security. At the institutional level, the main difficulty lies in the key role assigned to the Antiterrorist Centre (CAT) in managing these components. Thus, the protection of critical infrastructure is conducted only from a counter-terrorist perspective, mainly through the provision of anti-terrorist passports, the approval of security plans and the conduct of anti-terrorist tests. However, economically developed countries have created a single public institution specialised in all aspects of critical infrastructure management, such as the the National Center for Coordination of Critical Infrastructure Protection (CNCPIC) in Romania. The Republic of Moldova could consider how the creation of a specialised national authority could improve the institutional framework for the management and protection of critical infrastructure components.

Another issue that needs attention and has to be addressed is the protection protocols of critical infrastructure not only by public authorities but also by private operators. The current regulatory acts do not clearly establish the mechanism for assigning specific critical infrastructure protection procedures to the responsible institutions. Given that critical infrastructures protected by different institutions may become the object of complex attacks, the lack of common protection procedures could be a major obstacle in the management of potential incidents. Some companies providing critical services as private operators of critical infrastructure, such as Moldovagaz S.A., use protection services provided by private companies. The lack of coordinated protection protocols between private companies and responsible institutions could be an impediment in both preventing and solving possible incidents or attacks.

In addition, an operational communication and early warning mechanism on critical infrastructure management and protection is also needed. Even if existing procedures allow preventive actions to be carried out, they remain deficient in ensuring coordinated communication between national and international specialised bodies. Thus, cooperation and possible participation in the European Critical Infrastructure Warning Information Network (CIWIN) could provide Moldova with long-term benefits.

Last but not least, the terminology of ‘critical infrastructure’ needs to be standardised. The current regulatory framework does not specify whether critical infrastructure components are in a certain hierarchy with other types of components, such as strategically important objectives. The methodology of identification and designation of these components also needs to be revised. Thus, the responsibility for their identification should only be assigned to public institutions. Private operators should create a specialised internal body only when managing more than one designated critical infrastructure component and be subject to extensive security verifications by the relevant public institutions.

Instead of conclusions…

The Republic of Moldova has limited and fragmented critical infrastructure protection. Establishing new critical infrastructure regulations must become one of the key national priorities. This needs to be addressed systemically through the adoption and implementation of a framework law on the management and protection of Moldova’s national critical infrastructure. A draft law on the protection of critical infrastructure components to ensure national security and public order is already under consideration in the Moldovan Parliament, which was adopted in first reading at the end of April 2021. Therefore, the most important step will be to generate new political will to drive the implementation of reforms in the critical infrastructure sector in the Republic of Moldova.

Valeriu Țurcanu is an intern within the #StagiuIPRE2021 program and the #BeTheChange initiative of the Institute for European Policies and Reforms. Valeriu Țurcanu is master student at the Aix-Marseille University in France.

Iulian Rusu is an expert in the field of justice, rule of law and good governance.  He is currently Deputy Executive Director at the Institute for European Policies and Reforms and leader of the Justice and Rule of Law programme. Since 2020, Iulian Rusu is a member of the Justice Experts’ Group (GEJ).

This Commentary is prepared within the project “We and Europe – Analysis of EU-Moldovan relations through innovative media and analytical products”, implemented by the Institute for European Policies and Reforms (IPRE), in partnership with IPN, Radio Chisinau, Zugo.md and with the support of Konrad Foundation Adenauer. The opinions presented in this commentary belong to the authors.