There has recently been a lot of talk in the national media
and political theater about the need for cybersecurity legislation to protect
against cybersecurity threats such as the SolarWinds hack and the water
facility ‘attack’ in Florida. Before one starts talking about the potential
nuts and bolts of such legislation, I think that it is important to consider what
I like to call the philosophy of cybersecurity legislation; the what and why of
What to Legislate
The first thing that one needs to establish is what one wants
the federal government to regulate, or more importantly, what one wants to
accomplish with that regulation. For cybersecurity the most obvious desire
would be to stop any foreign adversary from disrupting government and private-sector
cyber-operations within the United States. That would certainly fit with the ‘provide
for the common Defence’ provision of Article 1, Section 8, Clause 1 of the Constitution.
Unfortunately, short of throwing up a national firewall
around the United States where the federal government controls all information
and communications flowing into and out of the country, there is no method by which
the government is going to be able to intercept and prevent all attacks via either
the internet or telecommunications infrastructure. Such governmental control of
information flow would be an intolerable anathema to most Americans and
legislators. So, the scope of the legislative intent will almost certainly have
to be reduced.
We already have legislation in place that gives the DHS Cybersecurity
and Infrastructure Security Agency (CISA) extensive authority for protecting
the federal government (except DOD and intelligence agencies) from cyber-attacks.
Thus, broad new authority is not needed; just fine tuning and perhaps funding
adjustments are all that should be required for preventing future SolarWinds
type attacks. (Okay, that is being a tad simplistic as the nuts and bolts of
such prevention have yet to be adequately discussed, but for a philosophy
discussion that is just left as an exercise for the student – GRIN.)
With a national firewall off the board as a means of defense,
we have to decide if preventing all foreign adversary attacks on private-sector
cyber-operations is a reasonable goal for our legislative intent. First off, do
we really suspect that a foreign government is going to want to target the
disruption of the private email between ordinary citizens or the operation of
my wife’s jewelry sales site on
Etsy (I’ve been trying for weeks to figure out how to get that
advertisement into my blog)? And if they did, for some obscure reason, would
that really fit within the description of ‘provide for the common defense’?
Limit the Scope to CI
A more reasonable use of the federal government’s cyber resources
(both money and personnel are significant constraints on any legislative endeavor)
would be to limit non-federal government cyber defense to critical
infrastructure. That is still an expansive (and potentially expanding) set
of cyber resources to protect, but it would certainly be a more justifiable use
of federal resources.
That leaves an important gap in the area needing cyber
protection: the protection of the cyber resources of State, local, Tribal
and Territorial (SLTT) government. Because of the curious constitutional
separation of rights and responsibilities of governmental authority in the
United States, the current CISA authority over governmental cybersecurity does
not directly extend to SLTT government operations. CISA is currently restricted
to providing advice and limited assistance to those governments.
For the purposes of this discussion, I will assume that general
SLTT government cybersecurity is going to take separate legislation from that
being discussed here due to the wide disparity in the needs and desires for
federal cybersecurity support from SLTT governments. I will, however, include
in the remaining discussion those SLTT operated pieces of critical infrastructure
like drinking water treatment plants and wastewater treatment facilities.
So, for this discussion we are looking at writing legislation
that attempts to prevent a foreign adversary from disrupting the cyber-operations
of private-sector critical infrastructure (PSCI) including SLTT owned and
operated water and wastewater operations.
What Cyber-Operations Will Be Protected?
Are we going to try to protect all of the cyber-operations
of these PSCI entities? That is a very wide field of dreams, covering email,
payroll, personnel administration, security, and operations. On one hand, the
one thing that differentiates PSCI from other private sector entities is typically
the output of their operations. The federal government’s interest is in ensuring
the continued output of the critical operations (CO) of PSCI so the intent of the
legislation is to protect those CO of PSCI from disruption by foreign adversaries.
To be sure, protection of the CO of PSCI may necessitate providing protections against
disruption of other cyber-operations of PSCI or at least mitigating the effect
of those other disruptions on the CO.
Congressional Oversight Impact
So, a critical portion of any legislative action will be
how to identify what facilities in the United States will be affected by the
legislation. The problem here is that different sorts of critical
infrastructure are regulated by different portions of the federal government.
Even when considering security, the different executive departments did not surrender
their oversight to the Department of Homeland Security.
Even if new legislation did give CISA authority to regulate
cybersecurity at PSCI, there would still be the problem of congressional
oversight to deal with. We have specifically seen this with the CFATS program
legislation. While there is frequently disagreement between the House and
Senate on legislative matters, the larger stumbling block for CFATS legislation
has been the conflict between the House Homeland Security Committee and the Energy
and Commerce Committee. This has more to do with the different foci of the two
Committees than the inter-party conflict we typically see in House-Senate
relations. The internecine conflict between House committees would be intense
in any PSCI cyber-legislative effort.
The National Infrastructure Protection Plan (NIPP) provides a methodology to overcome
the problems identified above. The federal government has already designated which
executive departments are responsible for the oversight of security at the 16 different
critical infrastructure sectors; these are designated as Sector Specific
Agencies (SSA). Thus, our cybersecurity legislation does not need to identify
who will be responsible for regulating which sectors, it can simply rely on the
oversight designations that already exist.
Identifying Operations to be Protected
With these political considerations and the inevitable
push-back by industry against any new regulations, defining what cyber-operations
would be covered in different industries would be difficult. The general
definition, though, should be easier. We would only have a federal interest in
regulating those cyber-operations that have a direct impact on the entity’s
capability of providing the critical output for which it receives the critical
infrastructure definition. While protecting other cyber-operations might be beneficial,
the federal interest in ensuring critical output should limit the application
of federal influence to just those operations.
Legislation would require each SSA to establish by regulations
criteria for identifying PSCI entities that require cybersecurity oversight to
protect national security and national preparedness. The intent would not be a
broad definition to encompass as many facilities as possible, but rather to
limit the identification of facilities to those that are the most critical to
the economy or national security of the United States. The reason for this
limitation is that the government agencies responsible for the oversight have
only limited resources for ensuring that the resulting cybersecurity
regulations are followed by the identified agencies.
And make no mistake about it, enforcement of cybersecurity
regulations will be necessary. We need look no further than the various OSHA
and EPA safety regulations to see that without effective enforcement many
facilities are going to only have paperwork, check-the-box, cybersecurity
programs. Even with the facilities that are going to make an honest effort to comply with the regulations,
the lack of facility cybersecurity expertise will limit the effectiveness of those
In Part 2, I will look at the philosophy of how to regulate
that should drive cybersecurity legislation.
Author Of this post: PJCoyle