February 06, 2010

China has more Cyber security than USA

CSIS has looked at how different countries protect their most critical infrastructure.

Ten days ago, the U.S. IT security company McAfee published the report In the Crossfire (pdf), subtitled "Critical Infrastructure in the Age of Cyber War".

The report is written by three experts at the U.S. Center for Strategic and International Studies (CSIS), commissioned by the IT security company. The raw material is a questionnaire answered by 600 IT and security managers at companies and organizations with responsibility for critical infrastructure, spread over seven sectors and fourteen countries: Australia, Brazil, France, India, Italy, Japan, China, Mexico, Russia, Saudi Arabia, Spain, United Kingdom, Germany and the United States. The survey is supplemented with comments and other material from the authors' colleagues and from experts outside CSIS. The report was distributed to participants at the annual meeting of the World Economic Forum in Davos on 28 January.

The ensuing media coverage has largely followed the approach given by McAfee in the press release: a cyber version of the Cold War is under way, in which critical infrastructure is under constant cyber attack and these attacks cause great damage. Over half of the respondents reported having been exposed to large-scale attacks or stealthy intrusions from "organized criminal gangs, terrorists or nation states". National critical infrastructure is designed for availability and reliability, not for security. Physical barriers and armed guards do not help as long as a plant's digital control systems are linked to the open Internet without adequate protection. Only 20 percent of respondents believe that their sector is protected against severe cyber attack over the coming five years.

Other factors that McAfee emphasized:

Budget cuts in tight economic times have helped to increase the risk that critical infrastructure is affected by cyber attacks.
There is a general sense that national governments have been complicit in cyber attacks. The countries mentioned most frequently are the United States (36 percent of respondents) and China (33 percent).
Legislation currently provides inadequate protection against potential attacks.
Insurance companies carry the cost of damage caused by cyber attacks against critical infrastructure.

A crucial factor that appears in McAfee's press release, but that is highlighted in the report's "executive summary", is the major differences between countries in cyber preparedness.

A common thread running through the report is that China has far better cyber preparedness than, for example, the United States and India - and European countries.

Companies and organizations responsible for critical infrastructure are subject to far stricter security rules in India, China and Germany than in the U.S., which comes at the bottom of the ranking for rules.

In fact, in the use of obvious security measures - such as encryption and strong user authentication - China scored highest by a clear margin. It is not only a matter of public rules. Chinese and American business leaders in critical infrastructure give the same response on whether they consider security "essential". Awareness of the need for security is therefore just as high. But unlike the Americans, the Chinese business leaders follow through on what they say.

CSIS specialists have developed a methodology to measure cyber security in infrastructure companies. They conclude that China is at 62 percent of the ideal. The next best countries are the United States, Britain and Australia, which score 50 to 53 percent. All the others score below 50 percent. Worst are Italy, Spain and India, which are all at 40 percent.

The report reveals interesting differences between India and China. Both countries scored at the top - along with Germany - in the degree of regulation imposed for cyber security. In China, 91 percent respond that they have changed practices as a result of new government regulations. The proportion in India is only 66 percent. All countries surveyed have their own common organizations for public and private cooperation on critical infrastructure. The proportion who participate in such common organizations is largest in China and lowest in India. Perhaps those considering "outsourcing" to India should sharpen the security clauses in the draft contract?

Experts believe that China's combination of public regulations and private monitoring of IT security is about to take hold in fields other than critical infrastructure as well: recently, India has taken over China's status as the friendliest environment for criminal hackers looking for vulnerable computers for their zombie networks.

A separate measurement - by a method known as Smara, for "security measure adoption rate" - of the implemented security measures specifically targeting industrial control systems (known as SCADA for "Supervisory Control and Data Acquisition", or ICS for "Industrial Control Systems") also reveals interesting differences in China's favor.

CSIS's Smara measurement for SCADA/ICS in China is 74 percent, far ahead of the next best, Australia and Brazil, at 57 and 54 percent respectively. The U.S. and Japan both scored 50 percent. Worst are India and Spain at 29 percent. Germany and France are at the 40 percent level along with Saudi Arabia and Russia, while Italy and Mexico scored 38 percent and 35 percent respectively.

China was the only country to report that all SCADA systems - which govern, among other things, power and water supply - are subject to ongoing analysis of network traffic. The average for all respondents here was 62 percent.

In their summary, the CSIS specialists are clear on what needs to be done. The choice of metaphor reflects who they are mainly addressing:

"If cyberspace is the Wild West, the sheriff needs to get to Dodge City."
