Review of Kevin Quigley, Ben Bisset, and Bryan Mills, Too Critical to Fail: How Canada Manages Threats to Critical Infrastructure. (McGill-Queen’s University Press, Montreal and Ottawa, 2017),
Reviewed by Dr. Robert Martyn.
The book opens with a dedication to the victims of the 2013 Lac-Mégantic train derailment. Through a cascading series of lapses — maintenance, mechanical, judgemental — the unattended train with its load of crude oil rolled downhill, gathering speed until hitting a curve in the heart of the town, where it jumped the track; spilling six million litres of petroleum, which exploded with a blast radius of approximately a kilometre.
The authors then turn to examine the flooding that same year that inundated nearly a quarter of Alberta. This natural disaster destroyed 14,500 homes, 80 schools and 10 healthcare facilities, as well as demolishing 1,000 kilometres of roadway, and washing away hundreds of bridge and culverts. The $6 billion damage made it Canada’s costliest disaster. Yet, in stark contrast to the negative publicity garnered by the rail disaster, Alberta’s population were overwhelmingly positive about both emergency responders and public servants. The book explores these differing reactions.
The research in this book demanded a mixed methodology for data collection and analysis, given the complexity of the issues examined and the diverse nature and specific risk points inherent in the country’s critical infrastructure (CI). The authors conducted interviews with CI regulators, owners, operators, as well as assorted experts in various fields. They also provide valuable context by furnishing additional data from the United States, the United Kingdom and Australia.
Analyzing the subsequent information required both quantitative and qualitative approaches. This includes descriptive statistics, and the incorporation of common themes and outliers via a wide-ranging literature review. The overarching model the authors employed is the commonly accepted, systems-based risk regulation framework established by Christopher Hood et al. The authors also conduct a comprehensive media study, coding references to various CI failures as natural disasters, industrial failures, terrorist plots and attacks, pandemics, and cyber attacks. This methodological approach is persuasive and adds credence to results, which may be otherwise be questioned by those with contrary legal, electoral or personal interests.
The book outlines two general methodologies to protecting CI, based on degree of specificity. A micro approach targets hazards as a discrete problem, solvable through improving engineering standards or management approaches, or tightening security routines. The second method is macro, in which frameworks are developed to guide practices across a broad “all hazards” spectrum.
These approaches play an important informative role but are insufficient explanatory tools without considering other factors, like market structure or interest group sophistication and pressure. As the authors point out, why is airport security so regimented, yet similar mass-transit infrastructure like railroads and bridges are not? Disease and cybersecurity failures also tend to garner greater government response than public concern, but a terrorist attack that kills one individual will reap more media coverage than traffic mishaps that habitually accrue higher death statistics.
The work is presented well and is laid-out in a rational sequence. The case studies are followed by explanatory chapters that provide context and outline pressures, such as regulatory regimes, interest groups, and organizational culture, which impact CI. Appendices cover: methods; interview participants; media events; and significant privatizations in Canada. References provide an exceptional literature for those interested in researching this topic.
For those constrained by time, the concluding chapter alone provides a wealth of detail, a significant amount of which is disconcerting. Key is the almost universal acknowledgement that information sharing is critical for CI protection. However, the structure has some flaws that result in an absence of conclusive evidence that our current system is consequential or productive. The reasons range from the nature of information collection, wherein formal methods tend to overregulate staffs while informal methods risk by-passing key players. This occurs within a system that has a built-in reticence to share information for reasons of security, liability, stock share value, or market image.
The authors also note that a focus on managing information allows a government to look busy, rather than actively addressing the requirements of standards and behaviour change. This is potentially worsened when government and business act as equal partners, which can reduce the efficacy of the government oversight and regulatory responsibilities.
In all, this book provides valid insights and a solid contribution to our understanding of the critical infrastructure protection field. The topic will continue to grow in importance in an era marked by governmental risk-aversion, coupled with rapid public- and social-media dissemination of negative news to a public increasingly concerned about the risks and hazards facing their communities.
Bob Martyn, PhD, is affiliated with Queen’s University’s Centre for International and Defence Policy, as well as the Canadian Institute for Military and Veteran Health Research. He has taught History and Politics courses at the Royal Military College of Canada, Canadian Forces College, and Queen’s University. His previous military career included deployments to Cyprus, Bosnia, Kosovo, and Afghanistan, as well as jumping from airplanes at every opportunity.
 Christopher Hood, Henry Rothstein, and Robert Baldwin, The Government of Risk: Understanding Risk Regulation Regimes (Oxford: Oxford University Press, 2001)
*Photo Credit: Trend Micro & Organization of American States