Asymmetrical Trusted Technology Networks in Developing Economies: A Case Study on Critical Infrastructure in Bhutan

Developing Nations are subject to amplified challenges in terms of the integration of technology, and the exposure to non-domestic opportunism from larger neighboring economies. These challenges are recognizable as asymmetrical differences between what is seen as the normative list of critical infrastructures, and the specialisms that can dominate an emerging economy with early maturity technology networks. This paper discusses the case of Bhutan and demonstrates the need for strengthened approaches to trusted networks to ensure the reliability and continuity of the Nation's critical infrastructures. The paper also links the importance of trusted information sharing networks as part of an overarching technology strategy that protects the Gross National Happiness of the nation.


Introduction
Securing national critical information infrastructure is imperative in the protection of any breakdown that could impact on the daily operation of a nation (Farouk, 2017). Critical information Infrastructure (CII) threats are more complex than before (C and IA, 2019). Man-made cyber threats can bring critical online services and businesses to a halt. Bhutan is an emerging nation that is rapidly developing technology for a range of services and provisions that represent its critical infrastructure (Choejey, 2015;DrukREN, 2019).
Bhutan has received less attention from the modern threats of Cyber security and Information warfare than its larger neighbour India (Sulewski, 2013). The population is small, and the terrains are geographically prohibitive to competing nations. However, the critical infrastructures coordinated by the Royal Government of Bhutan are increasingly susceptible to threats targeted towards the governance, management, continuity, supply, and resilience of the nation. These threats emerge in the form of varied and cross-disciplinary cyber security challenges (Choejey, 2018;Deibert, Rohozinski, Manchanda, Villeneuve, & Walton, 2009).
The 2018 annual report by the Bhutan Computer Incident Response Team (BCIRT) revealed the presence of crypto-mining and The Onion Router relay activities over the Government Intranet in addition to 230 other vulnerabilities (BCIRT, 2018). Further assessments showed threats to CI agencies like Bhutan Telecom, T-Bank, OAG, Thimphu Thromde (City Corporation) (Schmueli, 2010). Additional vulnerabilities have been reported in areas such as VISA card fraud (Business Bhutan, 2019), Facebook scams and privacy breaches in WeChat (Cheki, 2017). Such incidents represent the collective evidence of an emerging nation in terms of technology, ICT, and networked infrastructures. At the same time, many government services are digitally enabled (Cabinet Secretariat, 2015), and payment gateways for taxation and utility services such as power and water are available nationwide.
Bhutan has developed its digital capacity in online asset declaration, audit clearance, security clearance an,d e-Procurement Systems (MOIC, 2014). Banking and Finance incincludeternet banking and mobile apps usage, whilst the Power corporations of Bhutan rely on SCADA systems. These emerging changes represent potential risk scenarios that indicate the need for ra enewed assessment of Bhutan's critical information Infrastructure. In Bhutan, ICT depends on electricity, electricity on hydropower, hydropower on water resources, and water on climate conditions. Considering the inter-dependencies of critical infrastructures, there is a need for the identification and distribution of Critical infrastructure safeguard tactics and planned approaches.

Background
Bhutan is a landlocked country, with a constitutional monarchy and a modest population (National Statistics Bureau, 2018). It is a laggard nation in terms of its ICT progress yet is well positioned on the ICT development index compared to its immediate neighbors (ITU, 2017). Mobile telecommunications operators serving more than 730,000 mobile telephone subscribers (MIOC, 2018). The Government has established the national backbone infrastructure (Gewog) and runs a national intranet that connects agencies and offices such as the Highspeed Education and Research Network (DrukREN, 2019) and the Bhutan Internet Exchange Point for handling local internet traffic (BtIX, 2019).
The rapid development of different government e-Services signposts the ongoing need for a higher prioritization of oversight and scrutiny in terms of automation and digitization. A similar challenge faces the corporate sector. Recorded cyber-attacks include website defacements, SQL injections, botnets, and high impact DDOS attacks (BCIRT, 2018;Schmueli, 2010). These challenges are augmented by Bhutan's unique development philosophy involving Gross National Happiness which puts the Environment, Culture, Good governance and Sustainable development as the driving force for nation's progress (GNHC Centre Bhutan, 2019). The obstacles to citizen harmony alongside online processes, systems and technology are as persistent in Bhutan as in other countries (Pee & Kankanhalli, 2009). With a sharply escalated authority structure, the disclosure of official information to both public and private sectors is problematic for a small nation embracing the need for CI. Whilst some of the CI vulnerabilities are similar to the experiences of other nations, there remain a variety of starkly asymmetrical weaknesses that are specifically related to Bhutan and require a bespoke response that relies on both government input and non-government vendors, users, and stakeholders.
There is a need for a trusted sharing platform for circumstances where information is required to be shared between the organizations quickly. The trusted network would not only provide direct and secure sharing of highly confidential information at critical points in time, but would also promote collaboration among private and public sectors while handling risk, enhancing services, and mutual growth of two or more organizations participating (DHS, 2018).

Literature Review
By comparison to other nations, Bhutan has diminutive military power yet boasts a hardened approach to dealing with natural disasters from glaciers, landslides, and earthquakes (Cooper, 2018). Despite this tough appearance of readiness, Bhutan is under increased pressure to reduce its cyber threat to its sovereignty, integrity, and national safety. Modern-day Bhutan is enormously dependent upon ICT to coordinate its CI against a growing number of aggregated challenges in the critical Information Infrastructure (CII). The over-arching protection described by the Bhutan's Information Communication and Media (ICM) Act is characterized by a likelihood of "debilitating impact on national security, economy, public health, social welfare or safety." (ICM Act, 2018).
The Bhutan ICM act states its capability to declare ICT and Media Infrastructure as critical through its use of centralized management of the systems and reinforces this through its legislation regarding illegal access and/or interception of CI (ICM Act, 2018), however, its internal policy and planning do not describe the important cross-agency sharing that would allow for better management and governance by means of the trusted sharing of information. Clearly, this is a challenge in terms of trust, governance, continuity, supply, and resilience. The CI of Bhutan states the need for sharing CI protection across networks but does not state a trusted network for that sharing except through a single centralized peak body (ICM Act, 2018). The ICM Act needs to allow for additional pathways for trusted information sharing that work in terms of "peer to peer" and "department to department" exchanges.
The nascent developing status of Bhutan's critical network security is reflected by the ITU e-Readiness study (ITU, 2012) and the 2016 cyber security readiness study which identified a lack of resilient ICT networks ISO standards (Roberts, 2016). Additional studies by Choejey, (2018) and Yangden (2018) emphasized the need for increased CII for economic development and national security of assets. In other parts of the world small developing nations also identify with similar challenges. In Ecuador, the mitigation of vulnerabilities and cyber threats has drawn suggestions of an Information Sharing Program to assist with the Financial sector (Catota, Morgan, & Sicker, 2018), whilst in Bangladesh (Satter and Hossain, 2016) the emphasis is focused on information coordination and communication systems. Both the studies had similar recommendations while the approaches were different.
The common thread is the need to reinforce security resilience. Cook (2010) points to Trusted Information Sharing Networks (TISNs) whilst Lu, (2018) suggests participation between public and private stakeholder groups as part of planned improvement measures in Chinese CI. Similarly, in Kuwait (Alsultanny, 2014), there is an identified need for joint approaches in reducing the threat of privacy breaches and unauthorized access. Other nation-state studies point to operatordriven interdependencies and the renewed emphasis on shared responsibilities in the analysis of cyber incidents (Canzani, Kaufmann & Lechner, 2017;Zareen, Akhlaq, Tariq, & Khalid, 2013). In Sri Lanka the SL Cert identifies the "knock-on" effect of vulnerability and interoperability where information is not shared between key stakeholders of the identified interdependencies (Sri Lanka Cert, 2018).

An Approach to Trust and Interdependencies
This paper describes a novel perspective on the critical information infrastructure of Bhutan that calls for an understanding of CI asymmetry. This uneven apportioning of CI fortification is important to understand. This outlook presents a simple conceptual framework for the protection of Bhutan CII. It proposes a multi-layer approach to protecting critical information infrastructure (Izuakor, 2016) by identifying the sectors based on Bhutan's national security goals and the likelihood of cyber threats impacting the CIIs. Such a framework for CII protection draws from Australian CI protection strategies and implementations, particularly the Trusted Information Sharing Network (TISN). A conceptual framework to protect the CII would involve the creation of a trusted information sharing network of Bhutan, the BTISN.  (Mattioli & Levy-Bencheton, 2014) Mattioli & Levy-Bencheton (2014), described two approaches to identify CII within European Union Member states; those that are dependent on critical service approaches and those that focus on noncritical services (Figure 1). A Bhutan framework would work on a critical serservice-based approach to identify the CIIs. Kekete (2011), points to a framework of criticality that concentrates on a Pareto analysis of threats to interdependencies that incorporates time criticalities and quality issues (e.g.: the quality of water, food, air etc). By drawing from the COEC (2005) list of critical sectors and the Australian Government Trusted networks of critical sector groups (TISN, 2019), it is possible to qualify the critical sectors of Bhutan and identify the significant riskbased interdependencies in terms of governance and resilience (CIC, 2019). A Trusted Information Sharing Network (TISN) is a noncompetitive arrangement among businesses and governments to share information in order to build resilience (ibid, 2019) Australia has been actively using a trusted sharing network for CI since 2003 (TISN, 2010).
An analysis and categorization of CIs in Bhutan showed the relationships between different critical infrastructure segments ( Figure  2). The comparison and analysis were carried out on the basis of dependencies, linkages, vulnerabilities and shared exchanges of information. Rather than a uniform distribution between competing infrastructure segments, some areas were clearly more pronounced than others. Differences were clearly identifiable in terms of crossdependent linkages, vulnerabilities, and expected rates of development.
Recognizing the asymmetries that occur in an emerging nation's critical infrastructure is important in order to understand where and how to deploy further increased attention. Bhutan's framework has an additional feature that differs from the Australian model because it must also incorporate strategies that align with Bhutan's Gross National Happiness approach to government and society. The challenge for an authentic Bhutanese model is that whilst the Bhutan GNH approach clearly identifies issues such as climate resilience and sustainability, it is not clearly aligned with CIIs (GNHC, 2017a). In particular water, which is known as white gold in Bhutan (Woodruff, 2018), is vital for the economic stability and financial revenue in areas of hydropower, irrigation, health, and food (Royal Govt, Bhutan, 2018). Bhutan's Power Corporation (BPC) (2018) identifies the use of SCADA and SAP in terms of vulnerability to cyber-attacks (SAP News, 2009). This is an area of asymmetry that is unique to Bhutan in terms of size and scale ( Figure 2). It highlights the need for trusted information sharing and draws attention to the need for an increased focus on an asymmetrical approach to hardening (Lewis, 2019).

Figure 2: Bhutan's interdependencies of CI Infrastructure
CIIs can be dependent on other CIIs. In the case of energy, any disruption would eventually affect the North eastern regional quadrant of India where electricity supply is reliant upon Bhutan infrastructure. Similarly, the International Internet Gateway of Bhutan are drawn from India Internet providers. CII dependencies in Bhutan often incorporate dependencies in physical, logical, geographic, and cyber terms (Herrara and Maennel, 2019). Thus when individual areas of CI require hardening, the central decision processes must include some form of trusted information sharing that does not exclude commercial and individual groups that hold different and diverse perspectives based upon other characteristics outside of internal strategies (Lewis, 2019). Trusted Information Sharing can assist in the timely prevention and mitigation of known and unknown threats by incorporating a discrete protected set of exchanges that benefit Bhutan and its trusted stakeholders yet remains as private and confidential from the public domain (Dunn, 2007;Luiijf, Nieuwenhuijs, Klaver and van Eeten, 2008).
This study found that the critical information infrastructures are either dependent on another CII or two or more CIIs are interdependent. In some scenarios one CII was indirectly dependent on the other CII. The study also identified that some of CII has inter-national dependencies. Energy disruptions affect North Eastern India whilst the International Internet Gateway of Bhutan relies on supply from India. Damage or disruption would affect the cyber security of the country drastically. Herrara & Maennel (2019), describe dependencies of CIIs as: physical, logical, geographic and cyber, which can be destroyed or disrupted by three types of failures: escalating, cascading and common cause. Bhutan coordinates interdependencies, direct dependencies and indirect dependencies in its critical sectors.
While applying the theory of dependencies, river water in Bhutan is the source for electricity production and directly depends upon favourable climatic conditions in terms of rainfall, snow, precipitations and climate change. The flora, fauna and the biodiversity of Bhutan is vital in contributing to the sustainable and free flowing supply of water. Disturbances on national water cycles can reduce the volume of water in rivers, and this has a flow-on effect on energy production in hydrostations.
Similarly, the Bhutan fiber optic network is dependent on the Power transmission network. The power corporation uses the fiber optic network to create private network for Bhutan Power Corporation. The Geographical information of power transmission lines is important to manage the fiber optic network, and the security of fiber optic networks is important for uninterrupted power to the Network. These critical arrangements demonstrate the inter-dependencies of CIIs. Further instances of criticality can be conveyed through the Citizen Service portal, which has numerous public services online that are all hosted in the Government Data Centre (GDC). The security of this system is entirely dependent on the security and safety of the GDC. In return, GDC runs over the Government intranet, thus the criticality of secure and sound Government Intranet is profoundly vital. Since many sectors e-Services are integrated with banks for the payment. Any cyberattacks in the banking sectors can have rippling effect on those services. The complicated relationships between CIIs are important to identify in order to recognize the gaps and develop resilience plans. Differences in terms of size, scale, and capability are important because they highlight areas that require additional response and target hardening to remain highly protected from outside attack. Small countries need to categorise their CIs in terms of asymmetrical differences because they will clearly show areas of greatest need.
The proposed Bhutanese "Trusted Information Sharing Network" is a group consisting of managerial or working level members from critical agencies of Bhutan such as Druk Holding and Investment (DHI), Gross Nation Happiness, and Ministry of Finance, Royal Monetary Authority, Financial CIRT(FiCRT), along with top Banks of Bhutan, Bhutan CIRT, e-Government Programme Management Offices among others. This group members from agencies who possesses high confidential information with regard to Critical Infrastructure and cyberthreats will bear the responsibility to share among other agencies who would benefit from the information.

Figure 3: Typical proposed Trusted Information Sharing Mee
A trusted sharing network wou ld provide a secure environment to collaborate. Participating departments and groups would gain early warnings of cyber threats, the opportunity to learn from others' mistakes, and the chance to develop capacity in protecting their assets (National Cyber Security Centre, 2019). Such arrangements allow for rich exchanges of information under secure arrangements that protect the nation, its citizens, and its stakeholders (figure 3).

Conclusion
This study identifies two strategic areas for the future development and protection of critical infrastructure in Bhutan. The first is a re-evaluation of its critical sectors that takes into account their differences, rather than their similarities. The second is that to continue on a path of development, Bhutan (and other nations of small size and unique geography) must develop new trusted networks that are inclusive of public and private enterprises.
The concept of trusted information sharing, whilst appropriate for most nation-states, is specifically useful for Bhutan. The protection of critical information infrastructure is necessary for countries to prevent damage, destruction and disruption from multifaceted threats. The cyberattacks of critical infrastructures in advanced nations like Estonia, Ukraine, USthe A, and even Sri Lanka demonstrate the value of CI protection of this kind. Bhutan, being a tiny nation, on the verge of graduating from LDC (Least Developed Countries) recognizes multiple vulnerabilities as it develops critical networks in energy, communications, and government.
For reliable technology progress, it is vital to identify the most critical infrastructures, study the underlying inter-dependencies and develop resilience critical infrastructures plan (Assaf, 2008). The creation of a Critical Infrastructure Protection Centre is an ideal approach towards coordinating the safety and security measures of Critical Information Infrastructure, however, Bhutan must also consider the value of public and private information sharing when organized through trusted sharing networks. The formation of trusted information sharing networks is likely to contribute significantly to the development of resilient and secure Critical Information Infrastructures in Bhutan.