There are no universally recognised definitions for Critical Infrastructure (CI) and Critical Information Infrastructure (CII). Varying national, regional, and international definitions of CII are available on CIPedia. A standard definition is provided by IETF Request for Comments (RFC) 4949: ‘those systems that are so vital to a nation that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety.’ Defining CI and CII is important for classification, registration, and resourcing.
When defining a nation’s critical infrastructure, it is good practice to understand the definitions of CII sectors and services from other nations … ‘one may be inspired by the sets of CI sectors and services defined by other nations’.
The African Union Convention on Cybersecurity and Personal Data Protection defines Critical Cyber/ICT Infrastructure as ‘the cyber infrastructure that is essential to vital services for public safety, economic stability, national security, international stability, and for the sustainability and restoration of critical cyberspace.’
The GFCE-MERIDIAN good practice guide defines Critical Information Infrastructure (CII) as ‘those interconnected information and communication infrastructures which are essential for the maintenance of vital societal functions, (health, safety, security, economic or social well-being of people) – the disruption or destruction of which would have serious consequence.’
The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) defines critical sectors of the economy as infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
The OECD Recommendation of the Council on the Protection of Critical Information Infrastructures defines critical information infrastructures (CII) as ‘interconnected information systems and networks, the disruption or destruction of which would have a serious impact on the health, safety, security, or economic well-being of citizens, or on the effective functioning of government or the economy.’
The UK definition of Critical National Infrastructure is: ‘Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: a) Major detrimental impact on the availability, integrity or delivery of essential services – including those services whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or b) Significant impact on national security, national defence, or the functioning of the state.’
Case studies: African countries’ definitions for CI and CII
Ghana’s Cybersecurity Act, 2020 (Act 1038) defines critical information infrastructure as a ‘computer or computer system designated as essential for national security or the economic and social well-being of citizens.’
In Kenya, with reference to the Computer Misuse and Cybercrimes Act, 2018, a system is ‘designated as critical infrastructure if a disruption of the system would result in:
The National Cybersecurity Framework for South Africa defines National Critical Information Infrastructure as ‘all ICT systems, data systems, databases, networks (including people, buildings, facilities and processes), that are fundamental to the effective operation of the Republic.’
The Botswana National Cybersecurity Strategy defines Critical Information Infrastructure as ‘the digital infrastructure whose disruption or damage negatively affects the well-functioning of the economy.’