The Invisible Hand? Critical Information Infrastructures, Commercialisation and National Security
The International Spectator: Italian Journal of International Affairs
Corporatisation of critical information infrastructure (CII) is rooted in the 'privatisation wave' of the 1980s-90s, when the ground was laid for outsourcing public utilities. Despite well-known risks relating to reliability, resilience, and accountability, commitment to efficiency imperatives has driven governments to outsource key public services and infrastructures. A recent illustrative case with enormous implications is the 2017 Swedish ICT scandal, where outsourcing of CII caused major
... curity breaches. With the transfer of the Swedish Transport Agency's ICT system to IBM and subcontractors, classified data and protected identities were made accessible to non-vetted foreign private employees; sensitive data could thus now be in anyone's hands. This case clearly demonstrates accountability gaps that can arise in public-private governance of CII.

In order to produce, operate and distribute public services and goods to citizens, modern, post-industrial societies rely on complicated logistics systems and intricate asset network architectures. Critical infrastructures can be likened to the arteries and veins of human beings, without which it would be quite impossible for them to function. Essentially, this is why infrastructures such as those for energy, transport, communications and financial services are defined as critical.[1] As large and complex systems, catastrophic effects could follow if they were to break down.[2] Due to rapid technological development and increasing dependence on information and communications technology (ICT), most of these infrastructures are now operated, managed and/or controlled via interconnected computer networks and information flows, so that they have essentially become critical information infrastructures (CII).[3] Elaborating on the body metaphor, this can be seen as the equivalent of adding nerves to the arteries and veins. In the past, destroying or even disrupting physical infrastructures required

This is an Open Access article distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives License (http://creativecommons.org/licenses/by-nc-nd/4.0/), which permits non-commercial re-use, distribution, and reproduction in any medium, provided the original work is properly cited, and is not altered, transformed, or built upon in any way.

Contact: Lindy Newlove-Eriksson

[1] Cohen, "What makes critical infrastructures critical", 53-4.
[2] Perrow, Normal Accidents; de Bruijne and van Eeten, "Systems that should have failed"; Metzger, "Concept of critical infrastructure protection".
[3] Dunn-Cavelty and Suter, "The art of CIIP Strategy".