Written by G. Andrew Ouellette, Class of 2022
I. Introduction
On February 5, 2021, hackers gained unauthorized access to the control systems of a water treatment facility in Oldsmar, Florida.[1] The Oldsmar facility, located about fifteen miles from Tampa, which hosted the Super Bowl the day before, provides water for businesses and over 15,000 residents.[2] Once inside the computer system, the hackers were able to locate the software function controlling the levels of sodium hydroxide, commonly known as lye, that is added to the water. They proceeded to raise the levels of sodium hydroxide by more than 110 times the standard level, a level that could potentially be fatal to humans if ingested.[3] Luckily, this crisis was averted thanks to the watchful eye of a plant operator who was able to return the levels to normal before any of the changes could take effect.[4]
Though no casualties were suffered as a result of the Oldsmar attack, the incident highlights a significant and growing threat to national security, a threat that the United States is increasingly unprepared to defend against. This is just one example in a long string of cyberattacks on infrastructure in recent years. According to the FBI, cyberattacks resulted in over $3.5 billion in financial losses reported in 2019 alone,[5] and experts estimate that this could reach $10.5 trillion globally by the year 2025.[6] Generally, when people think of cyberattacks, they think of data breaches and theft of personal information due to the numerous cases affecting high-profile companies in recent years.[7] However, more serious cyber threats exist, namely cyberattacks that target our nation’s critical infrastructure. Critical infrastructure (CI) is becoming an increasingly attractive target for terrorists and hackers due to both the strategic importance of CI and the “numerous vulnerabilities found within these assets and systems.”[8] Experts have noted that “as industries become more digitally connected, we will continue to see more states and criminals target these sites for the impact they have on society.”[9] A recent report distributed to the Senate Select Committee on Intelligence noted that China, Iran, and Russia all have the ability to launch disruptive cyberattacks on the U.S.’s critical infrastructure, including gas pipelines and electrical grids.[10] Additionally, former Director of National Intelligence Dan Coats has warned that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”[11]
While the concept of the federal government playing a significant role in protecting CI from attack is not a new one, the increasing interconnectivity of CI to the internet has brought a host of new challenges. Prior to the cyber-era, “the government’s role in protecting infrastructures was relatively justifiable and straightforward, as risks both originated and materialized in the kinetic realm.”[12] However, risks have multiplied due to an increasing dependence on the internet, as well as the internet itself being classified as CI.[13] The Covid-19 pandemic has only increased vulnerability with thousands of employees connecting to systems remotely, often with inadequate protection in place.
Rapid development, increasing complexity, and argument over the appropriate approach have led to a lag in policy addressing security regulations in the area. The United States, along with other countries, has so far been hesitant to impose strict regulations, instead opting for a “voluntary participation” based approach.[14] Not only have recent attacks and an increased reliance on remote connectivity laid bare the shortcomings of the current approach to protecting CI, but they have shown that it is time for the adoption of stricter regulation to protect against far more serious attacks.
This paper seeks to highlight some of the issues arising out of the current policy approach to protecting CI from cyberattack and propose recommendations in several key areas. Section II will begin by presenting an overview of relevant background information, including how critical infrastructure is categorized, the current landscape of the CI sectors, as well as current vulnerabilities to cyberattack. Next, Section III will briefly cover the policy history of CI protection in the United States with a focus on major developments to highlight how this policy has evolved as well as recent developments in this area. Section IV will explore the current policy approach as well as some of the significant benefits and drawbacks in key areas.
Section V will conclude by building on the topics discussed in the previous sections and present several proposals, including strengthening incentives for companies to build and maintain robust cybersecurity, furthering public-private information sharing, as well as creating a standardized federal cybersecurity requirement for CI sectors.
II. Background
According to the Cybersecurity and Infrastructure Security Agency (CISA) website, “[c]ritical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.”[15] While seemingly broad in scope, this definition was the result of several years of policy discussions on what should be considered “critical” and how CI should be legally defined.[16] Since its adoption in 1998, the language has undergone several revisions, taking into account the shifting landscape of potential threats, as well as the need to balance public and private interests.[17] As one scholar notes, “[t]oo broad of a definition would place an economic burden on private corporations, government, and thus consumers, and taxpayers. But too narrow of a definition would exclude truly critical infrastructures from regulatory schemes and lead to vulnerabilities, costs, and possible catastrophic outcomes.”[18]
Currently, sixteen sectors are designated as “critical” by CISA: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials, and Waste; Transportation Systems; and Water and Wastewater Systems.[19]
The significance of a “critical” designation goes beyond merely signaling that the federal government deems certain infrastructure as essential. A formal designation “immediately elevates a given asset making it an object of national significance under relevant statutes.”[20] This designation can affect how the government prioritizes certain threat responses such as “on-site risk assessments, administration of regulatory regimes and grant programs, conduct of certain criminal prosecutions, and emergency preparedness and response coordination, among other available activities.”[21] In 2009, the Department of Homeland Security (DHS) adopted the framework for determining whether infrastructure assets should be deemed critical. In adopting the criteria and reporting format used by the National Critical Infrastructure Prioritization Program (NCIPP), a program established in the wake of 9/11, a critical designation is based on four factors: risk of fatalities, economic loss, mass evacuation length, and impact on national security.[22] In some cases, methodological adjustments were made to account for unique CI characteristics.[23] For example, while “collapse of the U.S. financial system would likely not cause immediate mass casualties, [it] might still have debilitating second-order effects on national security, economic security, and public health and safety.”[24]
While the exact number of nominated assets in the United States is not publicly known due to classification requirements, over 85% of CI is privately owned.[25] This private-based system allows each entity to largely make its own cybersecurity decisions, each subject to a number of factors including economic and practical challenges. In turn, this has given rise to two key vulnerabilities: resource disparity and outsourcing complexity.[26] Though much of CI is owned by large companies that have the financial resources to invest in cybersecurity, many small companies, including third-party companies that contract to support larger infrastructure, rarely have the resources to adequately secure against an outside attack. This gap “leaves essential critical infrastructure . . . under-protected and exposed.”[27] Further, “companies and organizations tend to focus on core competencies and outsource all else to outside providers,” including “transportation, utilities, healthcare, financial service providers and many other companies.”[28] This outsourcing also includes cyber protection services that “mak[e] optimized defense more complicated . . . creating more opportunities for leaked defense-related knowledge, procedures, and data, and contributes to shortages of highly skilled personnel.”[29]
CI systems around the world are increasingly monitored and operated through the use of Supervisory Control and Data Acquisition (SCADA) systems, which allow workers to access and control them remotely. Despite the increase in efficiency and convenience, the use of this technology has “open[ed] a doorway through which cyber-attacks may infiltrate.”[30] In fact, “[c]omputers seized from al-Qaeda have been found to contain details about American SCADA systems that control electrical grids, oil and gas pipelines, water storage, and distribution facilities and other systems.”[31] According to one study, “56% of organizations using SCADA[] reported a breach in the second half of 2018 through the first half of 2019.”[32] More troubling is the fact that only 11% of these companies reported not having been breached.[33]
One reason for these alarming numbers is the fact that, as more CI sectors implement SCADA and other internet-based technology to monitor and control their systems, they are increasingly abandoning proprietary software for standardized technology in an effort to reduce cost.[34] This shift away from proprietary software, the development of which focused on controlling a specific system, has created greater vulnerability due to wider knowledge of standardized technologies’ weaknesses.[35] In turn, this has eliminated the need for bad actors “to specifically prepare for a particular target,” as a smaller range of systems are being implemented across entire sectors.[36] Additional contributing factors to the growing number of incidents include failure to adopt or update IT procedures, operating systems, and other common tools used to protect against attack.[37]
III. Brief Policy History
Critical Infrastructure as a concept of national security is not new, despite the fact that much of the historical analysis of its development focuses on its evolution over the last thirty years. As a recent Congressional Research Service report distributed to members of Congress explains:
The concept of critical infrastructure dates at least to the interwar era, when American and British military theorists first speculated that targeting the industrial infrastructure and civilian morale of the Axis powers with long range strategic bombing might bring victory at a comparatively low cost. During World War II, strategists sought to identify critical vulnerabilities of the Axis industrial base: specific enemy industrial systems and assets, which if destroyed, would pose systemic risk to the Axis war economy. Allied planners faced persistent difficulty in identifying truly critical nodes, and strategic effects of tactically-successful bombing strikes were often mitigated by the system-level resilience of the Axis war economy.[38]
In general, policy development around CI can be categorized into three periods: (1) late 1990s development, (2) post-9/11 reorganization, and (3) ongoing transition to a “resilience framework.”[39] For much of the period prior to these eras, little public information has been released due to its classified status.[40] However, policy focus in the area grew rapidly in the years following the Oklahoma City Bombing in 1995.[41] The event also served as a catalyst for the government to recognize the growing influence that the internet would have on national
a. Late 1990s Development
On May 22, 1998, President Clinton signed Presidential Decision Directive 63 (PDD-63) titled “Protecting America’s Critical Infrastructures.”[43] The culmination of several years of work by the President’s Commission on Critical Infrastructure Protection (PCCIP) in the wake of the Oklahoma City Bombing, the directive’s goal was “to achieve adequate protection of the nation’s critical infrastructure from intentional attacks (both physical and cyber) by the year 2003.”[44] The directive argued that “because the U.S. possessed the world’s strongest military and largest economy, future enemies could harm us in non-traditional ways by instead attacking these vulnerable systems that our national power is reliant upon.”[45] PDD-63 identified eight sectors it considered “critical,” as well as four areas where the government had traditionally controlled the infrastructure: (1) security/law enforcement, (2) foreign intelligence, (3) foreign affairs, and (4) national defense.[46] Additionally, federal agencies, responsible for appointing a Sector Liaison Official to act as an intermediary to the private sector, were assigned to each of these sectors and tasked with “coordinating the federal government’s own internal security measures.”[47] It was also through this directive that Information Sharing & Analysis Centers (ISACs) were established to “facilitate broader risk awareness in government and industry about infrastructure vulnerabilities . . . .”[48] These centers are independently organized trade groups that coordinate the sharing of information between sector members and the government and remain one of the most important tools in identifying risk and protecting against cyberattack on CI.[49]
b. Post-9/11 Reorganization
Following the attacks of September 11, 2001, Congress passed the Patriot Act, which provided the first official definition of critical infrastructure.[50] The Act defined CI as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[51] This statutory definition remains in use today. the following year and absorbed many of the organizations created throughout various directives passed by the previous administration.[52]
In 2003, PDD-63 was updated through the Homeland Security Presidential Directive 7 (HSPD-7), which expanded the number of sectors designated as “critical” and emphasized other physical assets and systems in addition to cybersecurity.[53] It was also during this time that the White House released the National Strategy to Secure Cyberspace (NSSC).[54] While the strategy reiterated the importance of protecting the nation’s CI, it also “made it clear that the federal government was not, nor would it be, responsible for securing private computer networks.”[55]
c. Ongoing Transition to “Resilience Framework”
While the Obama administration ordered a reexamination of the existing CI protection strategy, no significant policy changes were made. Instead, the administration released PPD-21 in 2013 (which superseded HSPD-7) in an attempt to clarify the organizational relationships across the federal government and enable a more efficient system of information sharing better aligned with the original vision of PDD-63.[56] Further attempts to clarify policy followed in 2013 with Executive Order 13636, which instructed the National Institute of Standards and Technology (NIST) “to develop a voluntary risk-based Cybersecurity Framework . . . that is a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks.”[57] This framework was issued in 2014 and remains another key tool in standardizing the protection of CI.[58]
In 2018, the Cybersecurity and Infrastructure Security Agency (CISA) was established through the passage of legislation that “‘rebranded’ the Department of Homeland Security’s National Protection and Programs Directorate . . . and transferred resources and responsibilities . . . to the newly created agency.”[59] CISA, now a standalone agency, is the main branch of the federal government whose responsibility is to “provide[] 24×7 cyber-situational awareness, analysis, incident response and cyber-defense capabilities to the federal government; state, local, tribal and territorial governments; the private sector; and international partners.”[60]
In March of 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) as part of the larger Strengthening American Cybersecurity Act of 2022.[61] CIRCIA establishes reporting requirements for CI entities to “report [a] covered cyber incident to the [CISA] not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.”[62] Additionally, the law requires entities who pay a ransom payment as the result of a ransomware attack to report such payment “not later than 24 hours after the ransom payment has been made.”[63] The bill grants CISA significant authority to draft and implement regulations that will determine the scope and applicability of CIRCIA with the final proposed regulations expected sometime in late 2025.[64]
With the exception of these new reporting requirements, CI protection policy has largely remained unchanged under the last two administrations. The focus has increasingly shifted toward providing organizations with standardized tools to protect these assets, as well as making it easier to share risk information with the government and between sector entities.
IV. Current Policy Approach
As noted in the previous section, aside from mandatory reporting, the United States’ current approach to CI protection could generally be described as a system of voluntary participation. This “market-based” approach to cybersecurity allows market forces, as opposed to the government, to provide the incentive for CI owners and operators to enact adequate levels of protection against cyberattack.[65] Many have argued that “a regulatory framework for selected critical infrastructure should be created to require a minimum level of security from cyber threats.”[66] However, others counter that “such regulatory schemes would not improve cybersecurity while increasing the costs to businesses, expose businesses to additional liability if they fail to meet the imposed cybersecurity standards, and increase the risk that proprietary or confidential business information may be inappropriately disclosed.”[67] Despite the decades-long debate over whether this is the correct approach to protecting CI, one reason for its development lies in the structure of government in the United States.[68] Historically, responsibility for providing and regulating services has fallen on state and local governments, a concept originating from the separation of powers laid out in the Constitution.[69]
While on its face the lack of federal regulation, especially where potential threats are increasing in scope and number, seems concerning, this “market-based” approach has several benefits. First, a lack of government regulation reduces the cost of complex enforcement and systematic errors, both of which ultimately fall on taxpayers.[70] It also “limits fears and problems associated with regulatory capture,” which could lead to inadequate policies and regulations.[71] Basically, under the theory of regulatory capture, regulatory agencies become dominated by the interests of the entities they oversee, eventually causing them to act in ways that benefit such entities and not the public good.[72] It has also been argued that CI operators are in a better position to determine which measures are sufficient to protect their own infrastructure as opposed to leaving such determinations to the government, which may not possess the individualized knowledge or resources to enact adequate regulatory policies.[73] As one scholar notes, “[E]xperts and leaders of innovation usually work in the private sector, and technological advances often originate in the private sector. The leaders of the private sector, as a group, have superior expertise and knowledge to that of government officials.”[74]
Additionally, some have argued that limited regulation creates “social value” in terms of limiting constitutional and human rights violations that can arise out of governmental oversight, especially in the area of privacy.[75]
Even with this voluntary system, entities have sometimes found difficulty in implementing recommended government protocol. Owners and operators of CI cite several factors, such as high costs, limited manpower, lack of understanding (either of risks or recommended procedures), other priorities, and worries about liability, as barriers to compliance. Where investment in the security of privately-owned CI is largely in the purview of the private sector, the “most serious risks are borne collectively by the public and larger business community.”[76] As a 2019 government report notes:
While there is little question that businesses, government, and society have a “clear and shared interest” in CI resilience, it is often difficult at the policy level to work out exactly who should bear responsibility for up-front costs of investment, and what mandatory requirements, regulatory oversight measures, and cost-recovery mechanisms might be necessary in a given case.[77]
These arguments highlight two areas of CI protection policy that offer both solutions to, as well as significant challenges in, addressing some of the issues discussed above: incentives and information sharing. The following sections will focus on these key areas, including the benefits and drawbacks associated with various approaches, as well as the government’s role in implementing both.
a. Externalities, Incentives, and the “Public Good”
A “public good” refers to “a thing or condition that benefits all members of a society” regardless of whether an individual has paid for that benefit.[78] It is not limited to things that physically exist and its benefit is not diminished as people consume it.[79] National security and infrastructure are both examples of public goods as citizens enjoy their benefits, regardless of whether they pay taxes, and their enjoyment of these goods does not decrease the benefit to others.
But what does the concept of “public good” have to do with externalities, and how do these concepts relate to the protection of critical infrastructure from cyberattack? As one scholar explains,
“Economic theory states that no rational person will voluntarily pay for a public good as long as someone else does. An individual enjoys clean air as long as someone else pays for the cost of clean air. An American within the United States is protected by America’s defense whether she pays taxes or not. This is the classic ‘free rider’ problem.”[80]
Current cybersecurity regulations (or lack thereof) have incentivized private sector entities to underinvest in cybersecurity. This underinvestment, in turn, “imposes negative externalities on other economic entities and on private citizens.”[81] Basically, externalities are costs or benefits produced by an entity that are not borne by that entity.[82] Externalities can be either positive or negative and can be felt by both private and public actors.[83] The risk of negative externalities on the greater economy is especially great in the area of critical infrastructure protection because much of the resulting harm from an attack will fall on third parties.[84]
Due to the broad scope of resulting harm, it can be extremely difficult for entities to internalize the costs since the number of people affected “will often be so large that it would be prohibitively expensive to use market exchanges to internalize the resulting externalities.”[85] It has been noted that “[b]ecause the investing company doesn’t capture the full benefit of its expenditures, it has weaker incentives to secure its systems. And because other companies are able to free-ride on the investing firm’s expenditures, they have weaker incentive to adopt defenses of their own.”[86]
Another reason for the failure to invest in cybersecurity at the socially optimal level is a lack of understanding concerning the risks that cyberattacks on CI pose.[87] This continues to be one of the biggest challenges in convincing companies to implement adequate security measures. While identifying the consequences of an attack is relatively straightforward (physical destruction, death, financial loss, loss of data, etc.), the level of threat is more difficult to discern.[88] This is why it is critical for the government to “create a meaningful value proposition that will encourage private sector owners and operators to make significant investment in security.”[89] To do so, the government must either provide better information regarding the level of threat or show how increased investment would provide a benefit to CI entities’ bottom lines.
But even entities that are aware of the full scope of risks associated with a cyberattack face barriers to protecting against them. As touched upon earlier, reporting has shown that entities may be limited in their ability to commit necessary resources toward framework adoption, especially small companies that lack funds or qualified personnel. One way to address this issue would be for the federal government to subsidize the costs of upgrading cyber defense systems.[90] This traditional approach of encouraging the production of public goods is particularly appealing as the federal government already subsidizes certain areas of CI protection through the Critical Infrastructure Act of 2001.[91]
Another approach to addressing cost was proposed by the Small Business Administration (SBA) in response to a Department of Defense (DoD) rule change requiring contractors to meet certain security standards.[92] Under this proposal, the SBA recommended that the government promote collaboration “with universities or other organizations to provide low-cost cybersecurity services to small businesses” to ease the financial burden of upgrading their systems.[93] Additionally, an approach by the federal government focused on the “resilience” of entities following an attack would help increase both awareness of risk and willingness to internalize more of the costs of protection. Under this approach, which would focus on minimizing the disruption of CI operation following an attack, the government “would engage the private sector to promote security measures by asserting that minimization of effects of disruptions would not only help promote national security but would benefit their bottom-line.”[94]
b. Information Sharing
One of the most effective tools in protecting CI from cyberattack is a robust information-sharing scheme between the government and the private sector. Not only does information sharing increase levels of “situational awareness” of cyber threats in the government and private sectors, but it allows both to more “effectively respond to light-speed cyber-attacks.”[95] Through strong collaborative efforts, both government and private entities would be better able to pool their resources to form stronger analysis and solutions to protect areas vulnerable to similar attacks. This is how one scholar outlines such an approach:
“The starting point would be to have both the government and private critical infrastructure monitoring their respective computer network traffic. The parties would, in real-time, scour their networks for both malicious computer code and unusual behavior . . . Information from these events would then be shared throughout government and critical infrastructure networks, including the malicious code captured and anything that can be discerned about it.”[96]
The benefits of information sharing have been understood since the enactment of PDD-63 in 1998, which encouraged CI owners to establish ISACs to “act as a focal point for gathering and disseminating timely threat warnings and attack analysis of attacks for their respective sectors.”[97] These ISACs remain one of the most critical aspects of the United States’ approach to identifying serious threats of cyberattack on CI. However, few studies have been done to determine their actual effectiveness, and some reports have found that they have not achieved the level of success originally envisioned by PDD-63.[98] As noted earlier, the government seeks to address this issue through CIRCIA, which mandates reporting by CI entities of cybersecurity incidents to CISA. Under the act, the information collected through these reports will be used to “provide appropriate entities . . . with timely, actionable, and anonymized reports of cyber incident campaigns and trends.”[99] Time will tell whether CISA’s information-sharing processes will achieve greater effectiveness in facilitating timely alerts to CI stakeholders and preventing future cyber incidents.
i. Barriers to Information Sharing
Given their status as a “focal point” for information sharing, why have ISACs not achieved greater success in protecting CI? According to one report, ISACs often only share information internally with trusted members, as opposed to freely distributing such information to all members.[100] In other cases, ISACs have been slow to react to threats, only sharing information after the attack has occurred. It is yet to be seen if CISA will be more effective in addressing these issues as it promulgates rules defining when a “cyber incident” has occurred under CIRCIA. Beyond this, a number of other barriers, both legal and governmental, exist that prevent the full realization of the benefits of information sharing.
Among the barriers cited by CI entities is the fear of divulging trade secrets and business models to other private sector entities, even if the sharing is mutually beneficial.[101] Related is a fear of violating antitrust regulations, which could be triggered by entities sharing such information.[102] The threat of civil litigation due to potential privacy violations if personal information is shared has also been a concern for CI entities.[103] To mitigate these concerns and encourage information sharing, companies must have “confidence that if they were to disclose . . . vulnerabilities to an agency with regulatory authority that that agency wouldn’t then turn around and turn it into a rule and basically penalize them for their act of good samaritanship.”[104]
CIRCIA also attempts to address some of these concerns by including liability protections and enforcement restrictions for entities that report cybersecurity incidents under the requirements. These protections include immunity from civil suits based on the information reported, as well as exemptions for shared “commercial, financial and proprietary information” from public access under the Freedom of Information Act (FOIA).[105] However, some have noted that the liability protection only applies to “litigation that is solely based on the submission” of a report and that materials and other records created for the submission of such a report may not be received as evidence if “created for the sole purpose of preparing, drafting, or submitting such report.”[106] This language may be of concern for entities, which often collect information related to a cybersecurity event for multiple purposes, as this submitted information may fall outside of the scope of protection.[107]
Despite protections prohibiting shared information from being disclosed through FOIA, privacy concerns remain. Congress attempted to address these concerns by requiring CISA’s rules and regulations for CIRCIA to “protect[] privacy and civil liberties . . . [by] anonymizing and safeguarding, or no longer retaining, information received and disclosed . . . .”[108] Further, some covered entities may be subject to other privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), which have their own privacy and reporting requirements.[109] To address this issue, CIRCIA established the Cyber Incident Reporting Council, whose job is to “coordinate, deconflict, and harmonize Federal incident reporting requirements, including those issued through [CIRCIA].”[110] Again, it remains to be seen whether these coordination efforts will clarify the liability gap should entities compile incident reports with the dual purpose of complying with HIPAA and CIRCIA, given the current “sole purpose” language.
c. Verification
Without cohesive federal regulation or baseline security requirements, CISA and other agencies have no way to verify that companies are taking necessary measures to protect CI. Thus far, reports provided to Congress by DHS as required by regulation have not provided an adequate level of detail on which to base important policy decisions.[111] As Congressman Bennie Thompson, chair of the House Homeland Security Committee, has pointed out, this annual report should “provide[] Congress with a snapshot of the state of security of critical infrastructure in the United States. Compiled by public and private sector partners, the report is meant to discuss all risks to the eighteen sectors and provide a potential mechanism to better inform the prioritization of budget resources.”[112] The reporting requirements implemented under CIRCIA will likely serve as an important tool in bridging this gap by providing Congress with a clearer picture of the CI cybersecurity landscape. This will, in turn, allow Congress to make better policy decisions regarding the allocation of federal resources.
Despite criticism by many in the private sector, a mandate requiring specific standards, or at least a minimum security standard, would have notable benefits. Many of these are essentially the mirror image of the issues created by the market-based approach previously discussed.[113] For example, “implementation of government-set guidelines could shield private CIs from governmental and public scrutiny and help rebut negligence claims in tort lawsuits.”[114] Additionally, mandatory government regulation may help address the lack of threat awareness and the gaps in information sharing previously discussed.[115] By providing a baseline mandatory verification structure, the government could “serve as the central hub for both information and knowledge. Because the government would receive and handle all relevant cyberattack information, the government-centered scheme would overcome the business and legal constraints” of the market-based model.[116]
However, while the cost of implementing a strong regulatory system can be measured in dollars (cost of system upgrades, compliance costs, legal fees, etc.), it is difficult to put a monetary value on the benefits associated with its implementation.[117] Without being able to compare the costs versus the benefits of such a regulatory scheme, the government will face a high hurdle in justifying strong regulations.
V. Proposals & Conclusion
There is no question that “[n]ational cybersecurity is one of the most pressing domestic policy issues in the U.S. today. While the new coronavirus has caused a crisis, a malicious cyber-attack could cause the next crisis–one that would spread faster than a biological virus and with greater economic impact.”[118] However, arguments remain over how to implement policy aimed at protecting critical infrastructure and upon whom the costs of implementing such policies should fall. Currently, the United States’ CI cybersecurity policy is made up of a “patchwork of related laws, much of which is focused on data breaches and privacy.”[119]
However, to better secure CI from cyberattack, it is not necessary to implement sweeping regulatory changes. The government can address some of the biggest challenges by building upon the current framework of the most effective tools for protecting CI: incentives and a robust information sharing environment. By providing incentives, such as tax breaks, grants, subsidies, and other financial tools already widely used to boost the production of public goods, the government can encourage privately owned CI stakeholders to internalize some of the costs associated with cyber protection. This, in turn, will reduce the negative externalities discussed in Section IV(a). Further, building upon the SBA’s proposal to partner with universities and other organizations to provide free or low-cost services to small businesses will not only close the vulnerability gap but also serve as a training ground for future experts in this area.
In addressing the information-sharing gap, the passage of CIRCIA is a step in the right direction. By implementing reporting requirements for CI entities, along with identifying CISA as the central agency tasked with collecting, analyzing, and sharing threat information, the issues associated with voluntary participation will be greatly reduced. However, other issues will remain, particularly in areas of “regulatory capture” and “social value” previously discussed. The establishment of a single recognized information-sharing body in the form of a centralized nongovernment, nonprofit clearinghouse could better facilitate an ongoing dialogue between the government and the private sector. This organization, overseen by an elected board of representatives from CISA and other agencies, as well as private industry CI stakeholders, could also help address the “expert knowledge” gap discussed in Section IV. Concurrently, the government should address liability concerns stemming from information sharing by updating overlapping antitrust and privacy laws, as well as the potential gap in liability protection based on the current language of CIRCIA.
Lastly, while mandatory incident reporting will now allow the government to better monitor the levels of protection that CIs are implementing, requiring entities to hold a membership in either an ISAC or the newly formed clearinghouse described above would allow the government to ensure that all CIs are complying with an adequate baseline level of protection. This approach could mirror the DoD requirements for contractors that require compliance with NIST standards.[120]
While the task of setting goals for protecting critical infrastructure has traditionally fallen on the government, “implementation of steps to reduce the vulnerability of privately owned and corporate assets depends primarily on private-sector knowledge and action.”[121] It is time that we reassess and build upon this public-private relationship to protect our critical infrastructure as we move further into the twenty-first century.
[1] Frank Bajak, In Florida City, a Hacker Tried to Poison the Drinking Water, AP News, Feb. 8, 2021, https://apnews.com/article/hacker-tried-poison-water-florida-ab175add0454bcb914c0eb3fb9588466.
[2] Id.
[3] Id.
[4] Id.
[5] 2019 Internet Crime Report, FBI, https://www.ic3.gov/Media/PDF/AnnualReport/2019_IC3Report.pdf.
[6] Steve Morgan, Cybersecurity Ventures, 2021 Report: Cyberwarfare in the C-Suite 1 (2021), https://1c7fab3im83f5gqiow2qqs2k-wpengine.netdna-ssl.com/wp-content/uploads/2021/01/Cyberwarfare-2021-Report.pdf.
[7] See John J. Chung, Critical Infrastructure, Cybersecurity, and Market Failure, 96 Or. L. Rev. 441, 441 (2018).
[8] David A. Wallace & Shane R. Reeves, Protecting Critical Infrastructure in Cyber Warfare: Is It Time for States to Reassert Themselves?, 53 U.C. Davis L. Rev. 1607, 1616 (2020).
[9] Bajak, supra note 1. In fact, one poll conducted by Siemens and the Ponemon Institute found that 54% of experts expected an attack on critical infrastructure in the next twelve months and 74% were more concerned about the threat of cyberattack on critical infrastructure than an enterprise data breach. Siemens, Caught in the Crosshairs: Are Utilities Keeping Up With the Industrial Cyber Threat? 12 (2019); OT Cyberattack a Greater Concern Than Enterprise Data Breach for 3 in 4 IT Security Professionals, Claroty (Mar. 25, 2020), https://claroty.com/resource/ot-cyberattack-a-greater-concern-than-enterprise-data-breach-for-3-in-4-it-security-professionals/.
[10] See Daniel R. Coats, Office of the Dir. of Nat’l Intelligence, Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community 5-6 (2019).
[11] Id.
[12] Eldar Haber & Tal Zarsky, Cybersecurity for Infrastructure: A Critical Analysis, 44 Fla. St. U. L. Rev. 515, 516 (2018).
[13] Chung, supra note 7, at 452.
[14] Id. at 534.
[15] Infrastructure Security, Cybersecurity & Infrastructure Sec. Agency, https://www.cisa.gov/infrastructure-security (last visited Mar. 27, 2022).
[16] Jakub Harasta, Legally Critical: Defining Critical Infrastructure in an Interconnected World, 21 Int’l J. of Critical Infrastructure Protection 47, 48 (2018).
[17] See Presidential Decision Directive NSC-63 Critical Infrastructure Protection (1998) (“Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government.”).
[18] Haber & Zarsky, supra note 12, at 518-19.
[19] Critical Infrastructure Sectors, Cybersecurity & Infrastructure Security Agency, https://www.cisa.gov/critical-infrastructure-sectors (last visited Mar. 27, 2022).
[20] Cong. Research Serv., R45809, Critical Infrastructure: Emerging Trends and Policy Considerations for Congress 7 (2019), https://fas.org/sgp/crs/homesec/R45809.pdf [hereinafter Emerging Trends].
[21] Id. at 7.
[22] Id.
[23] Id.
[24] Id.
[25] Cyber, Intelligence, and Supply Chain Security, U.S. Chamber of Commerce, https://www.uschamber.com/program/policy/cyber-intelligence-and-security-devision.
[26] Jonathan Tal, America’s Critical Infrastructure: Threats, Vulnerabilities and Solutions, Security InfoWatch (Sep. 20, 2018), https://www.securityinfowatch.com/access-identity/access-control/article/12427447/americas-critical-infrastructure-threats-vulnerabilities-and-solutions#:~:text=There%20are%20three%20classes%20of,floods%2C%20draught)%2C%20fires.
[27] Id.
[28] Id.
[29] Id.
[30] Robert Kenneth Palmer, Critical Infrastructure: Legislative Factors for Preventing a “Cyber-Pearl Harbor”, 18 Va. J. of L. & Tech. 302-303 (2014).
[31] Id. (“One set of computers even contained schematics of a U.S. dam and control system engineering software that enabled them to simulate the effects of catastrophic flooding.”).
[32] Pierluigi Paganini, SCADA & Security of Critical Infrastructures [Updated 2020], INFOSEC (Jul. 15, 2020), https://resources.infosecinstitute.com/topic/scada-security-of-critical-infrastructures/.
[33] Id.
[34] See Haber & Zarsky, supra note 12, at 561.
[35] Id.
[36] Palmer, supra note 30, at 335.
[37] See Jan Trobisch, Challenges in the Protection of US Critical Infrastructure in the Cyber Realm 12 (May 22, 2014) (unpublished Master’s thesis, U.S. Army and General Staff College, School of Advanced Military Studies), available at https://www.hsdl.org/?view&did=791151.
[38] Emerging Trends, supra note 20, at 2.
[39] See generally id.
[40] See Kathi Ann Brown, Critical Path: A Brief History of Critical Infrastructure Protection in the United States 80 (2006).
[41] See id. at 72.
[42] Id.
[43] Id. at 142.
[44] Id. at 145.
[45] Palmer, supra note 30, at 295.
[46] The eight sectors identified by PDD-63 were information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire and continuity of government services; public health services; electric power, oil and gas production, and storage. Brown, supra note 40, at 145-46.
[47] Id. at 145-47.
[48] Emerging Trends, supra note 20, at 12.
[49] Id. at 21.
[50] Id. at 1.
[51] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) Act of 2001 § 1016, 42 U.S.C. § 5195c(e) (2012).
[52] See Brown, supra note 40, at 158.
[53] Emerging Trends, supra note 20, at 6.
[54] Haber & Zarsky, supra note 12, at 528.
[55] Id.
[56] Id. at 530.
[57] Andrea Arias, The NIST Cybersecurity Framework and the FTC, Fed. Trade Comm’n (Aug. 31, 2016), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc.
[58] Id.
[59] Cynthia Brumfield, What is the CISA? How the New Federal Agency Protects Critical Infrastructure From Cyber Threats, CSO (Jul. 1, 2019), https://www.csoonline.com/article/3405580/what-is-the-cisa-how-the-new-federal-agency-protects-critical-infrastructure-from-cyber-threats.html.
[60] Id.
[61] David Uberti, Fearing More Cyberattacks, Congress Requires Key Businesses to Report Digital Breaches, Wall Street Journal (March 17, 2022), https://www.wsj.com/articles/fears-of-cybersecurity-attacks-may-increase-disclosure-requirements-for-businesses-11647444384.
[62] Strengthening American Cybersecurity Act of 2022, S. 3600, 117th Cong. § 2242(a)(1)(A) (2022).
[63] Id. at (2)(A).
[64] See id. at (b)(1)-(2).
[65] See Haber & Zarsky, supra note 12, at 542-43.
[66] Edward C. Liu et al., R42409, Cong. Research Serv., Cybersecurity: Selected Legal Issues (2013).
[67] Id.
[68] See Robert M. Clark et al., Idaho Nat’l Lab., Protecting Drinking Water Utilities From Cyber Threats, Idaho National Laboratory 5 (2016), available at https://www.osti.gov/pages/servlets/purl/1372266.
[69] See id.
[70] See Haber & Zarsky, supra note 12, at 543.
[71] Id.
[72] See generally Scott Hempling, “Regulatory Capture”: Sources and Solutions, 1 Emory Corp. Governance & Accountability Rev. 23, 24 (2014).
[73] See Haber & Zarsky, supra note 12, at 543.
[74] Chung, supra note 7, at 460-61.
[75] See Haber & Zarsky, supra note 12, at 543.
[76] Emerging Trends, supra note 20, at 18.
[77] Id. at 16.
[78] Chung, supra note 7, at 453.
[79] Id. at 454.
[80] Id. at 455.
[81] Council of Economic Advisors, The Cost of Malicious Cyber Activity to the U.S. Economy 1 (2018).
[82] See Thomas Helbling, Externalities: Prices Do Not Capture All Costs, IMF (updated Feb. 24, 2020), https://www.imf.org/external/pubs/ft/fandd/basics/external.htm.
[83] Id.
[84] See Chung, supra note 7, at 457.
[85] Id.
[86] Id. at 457-58.
[87] See Bennie G. Thompson, A Legislative Prescription for Confronting 21st-Century Risks to the Homeland, 47 Harv. J. Legis. 277, 292 (2010).
[88] See Palmer, supra note 30, at 330.
[89] Thompson, supra note 87, at 297.
[90] See Chung, supra note 7, at 473.
[91] Id.
[92] Id. at 474.
[93] Id.
[94] Thompson, supra note 87, at 298.
[95] Palmer, supra note 30, at 314.
[96] Id. at 314-15.
[97] Id. at 316.
[98] Id. at 317.
[99] Strengthening American Cybersecurity Act of 2022, S. 3600, 117th Cong. § 2241(a)(3)(B) (2022).
[100] Palmer, supra note 30, at 317-18.
[101] See Haber & Zarsky, supra note 12, at 548.
[102] Id.
[103] Id.
[104] Brown, supra note 40, at 111.
[105] Strengthening American Cybersecurity Act of 2022, S. 3600, 117th Cong. § 2245(b)(1) (2022).
[106] Id. at (c)(3) (emphasis added).
[107] Steve Stransky, The 2022 Cyber Incident Reporting Law: Key Issues to Watch, Lawfare (Mar. 25, 2022), https://www.lawfareblog.com/2022-cyber-incident-reporting-law-key-issues-watch.
[108] S. 3600, 117th Cong. § 2242(c)(8)(D) (2022).
[109] See 45 CFR §§ 164.400-414.
[110] S. 3600, 117th Cong. § 2246(a) (2022).
[111] See Thompson, supra note 87, at 290-91. There are currently sixteen sectors categorized as “critical.”
[112] Id. at 290.
[113] See Haber & Zarsky, supra note 12, at 558.
[114] Id. at 536.
[115] See id. at 558.
[116] Id. This seems to be the approach, at least in part, that the government is taking by tasking CISA with expanded information sharing duties outlined in CIRCIA.
[117] See Chung, supra note 7, at 466.
[118] Tabrez Y. Ebrahim, National Cybersecurity Innovation, 123 W. Va. L. Rev. 483, 504 (2020).
[119] Chung, supra note 7, at 458.
[120] See NIST SP 800-171 DoD Assessment Requirements, DFARS 252.204-7020 (2022), available at https://www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171-dod-assessment-requirements.
[121] Philip Auerswald et al., The Challenge of Protecting Critical Infrastructure, Issues in Sci. & Tech., Fall 2005, available at https://issues.org/auerswald/.