Published by The Lawfare Institute in Cooperation With
The Colonial Pipeline attack was the most recent reminder of a steadily encroaching wave of cyber threats affecting the nation’s critical infrastructure. Although the ransomware attack was considered to be “relatively unsophisticated” in nature, it was powerful enough to shut down America’s largest refined products pipeline for several days. It took Colonial six days to get the Cybersecurity and Infrastructure Security Agency (CISA) any notifications that could then be disseminated to other at-risk industry entities—and even then, acting CISA Director Brandon Wales remarked that he did not think Colonial would have reached out to CISA had the FBI not facilitated the interaction. Much of the discussion around the Colonial Pipeline ransomware attack has obscured a key point: The U.S. government does not have a reliable method to identify, support and secure the most “critical of critical” infrastructure.
The U.S. government is not completely aware of what is critical—as in which companies’ disruption could have devastating or cascading consequences for the economy, national security, or public health and safety. Since its inception, the term “critical infrastructure” has grown so large that it has lost any meaningful specificity. Ranking Member of the House Homeland Security Committee, Rep. John Katko, reaffirmed this evaluation in a recent press release noting that because the United States has diluted what qualifies as critical infrastructure, “the federal government has visibility into a shockingly small sliver of significant cyber incidents across the country.” Underlying this dilution is the fact that no sufficiently granular and legally enforceable designation for “critical infrastructure” exists—consequently, there is no bound that keeps the concept from expanding into obscurity. Previous bills that have attempted to confer benefits or burdens on “critical infrastructure” have been vague and have not provided any clarity on what qualifies as such.
Furthermore, a risk-based approach to national security requires that the U.S. must prioritize its resources in areas where it can have the greatest impact to prevent the worst consequences. The U.S. government’s most capable adversaries, including Russia and China, are constantly looking for opportunities to scale their cyber operations and focus on targets that would have the greatest destructive impact. These past cyberattacks have illustrated that the nation’s adversaries have adopted a clear strategy that targets the “critical of critical” nodes that underlie U.S. national security. Therefore, the United States should respond in kind and reshape its approach to identifying and protecting them. The Cyberspace Solarium Commission’s 2020 report addresses just that.
The commission recommended that the United States codify into law the concept of “systemically important critical infrastructure” (SICI). These entities, responsible for the most important critical systems and assets in the U.S., would be granted special assistance from the federal government while assuming increased responsibility for the additional security and information security requirements that are vital to their unique status and importance. This proposal answers the increasing need for the identification, partnership, and protection of the most “critical of critical” infrastructure.
Heightened Risks to Critical Infrastructure and Codifying the Concept of Systemically Important Critical Infrastructure
The conceptual forerunner to systemically important critical infrastructure is Section 9 of Executive Order 13636, which similarly attempted to identify the “critical of critical.” The Obama administration issued this order in 2013, recognizing that the risk of cyberattacks against critical infrastructure “continues to grow and represents one of the most serious national security challenges we must confront.” It’s been eight years since the order was signed, and that sentiment is truer today than ever before. In particular, Section 9 of the executive order recognized that U.S. national and economic security is dependent on the functioning of certain critical infrastructure entities over others.
While the original language was not constrained to companies, Section 9 has evolved to focus functionally on companies rather than on systems and assets. This is likely because companies in possession of critical systems are easier to identify than the specific systems and components themselves, and there has not been the requisite federal energy to establish such a registry or capability. However, both the private sector and the federal government have a mutual interest in protecting these important systems and assets from cyberattacks by nation-state and non-state adversaries. The federal government must have the assurance that the companies charged with protecting and maintaining this critical infrastructure are fulfilling their security responsibilities and recognize the importance of these systems and assets to the overall security of the United States. The private sector, in turn, has to trust that the government is utilizing its unique authorities, resources, and intelligence capabilities to support private-sector companies with their security operations and has the capacity to help protect against and respond to significant cyber incidents.
However, there are key limitations in the approach Section 9 adopted that SICI legislation would correct. First, Section 9 exempted the information technology (IT) sector. The IT sector is critical to the public health and safety, national security and economic security of the United States—the SolarWinds hack from December 2020 is an excellent, yet unfortunate, example of why that exemption was a mistake. The SICI proposal would eliminate this exemption and include IT sector companies among the entities covered for the protection of critical infrastructure. Second, Section 9 made its determinations for what falls under “critical infrastructure” based on the companies themselves. The SICI proposal shifts this approach and focuses instead on the systems, assets and facilities these companies control. Since these are what require protection for U.S. national security interests, shifting the focus ensures clarity on what exactly is the most “critical of critical.”
How is a given entity labeled as systemically important critical infrastructure? Under the SICI recommendation in the commission report, the secretary of homeland security could declare a facility, system, or asset as systemically important critical infrastructure if the compromise, damage, and/or destruction of that entity would result in:
- The interruption of critical services, including the energy supply, water supply, electricity grid, and/or emergency services, that could cause mass casualties or lead to mass evacuations.
- Catastrophic damage to the U.S. economy, including disrupting the financial market, disrupting transportation systems, and rendering critical technology services unavailable.
- The degradation and/or disruption of defense, aerospace, military, intelligence, and national security capabilities.
- Widespread compromise or malicious intrusion of technologies, devices, or services across the cyber ecosystem.
These entities would shoulder additional security burdens that highlight the importance of this infrastructure to the national security of the United States.
SICI Benefits and Burdens
Perhaps the greatest limitation to Section 9 is that it lacked teeth: The designation did not confer any additional benefits to those designated, nor did it offer any additional assurance to the U.S. government on the security of those designated. SICI seeks to correct this by introducing “benefits” and “burdens” to companies so designated. These are based on a thought experiment: What if a public-private partnership were real and legally recognized?
There are four main benefits and burdens:
Performance standards. The secretary of homeland security, in coordination with the National Institute of Standards and Technology (NIST), the owners and operators of systemically important critical infrastructure, and other key government stakeholders, would be tasked with identifying and developing risk-based cybersecurity “performance standards” for SICI entities. Like other requirements imposed on SICIs, these standards would set baseline criteria to ensure the firm has made a good-faith effort to secure its critical assets. Once crafted with input from SICI entities and federal partners, existing regulators would enforce the standards over their own sectors, while sectors without federal regulators (such as the IT sector) would fall under the Department of Homeland Security.
Cyber incident reporting. SICI legislation would establish a cyber incident reporting requirement, whereby affected entities are required by law to report pertinent information about the breach to the Department of Homeland Security. In return for expedited breach notification, SICI entities would have the ability to request expedited federal assistance in the event they have been compromised or attacked by a malicious actor.
Intelligence sharing. The director of national intelligence would work with relevant authorities to provide indications and warnings to SICI entities regarding threats. Creating a threat awareness partnership between the federal government and SICI entities would allow the U.S. to build a picture of adversary tactics by piecing together previously disparate indicators.
Liability protection. If a company has complied with government regulations and benefited from intelligence support, it should not be held liable for damages resulting from the attack in question. Underlying this provision is the assumption that the attack was not the result of negligence and that the given entity made good-faith efforts to comply with regulation and report incidents in accordance with law. Liability protection would not extend to instances of gross or criminal negligence.
SICI in Practice
Colonial Pipeline offers an illustrative example of the benefits and burdens described above, and how each would have offered distinct advantages in prevention and response. Regarding prevention, SICI would work to resolve intelligence gaps by requiring the director of national intelligence, working with the secretary of homeland security, national cyber director, and sector risk management agencies as necessary, to establish formal processes to routinely provide intelligence support to covered entities. Status quo threat intelligence sharing is a complex issue in the private sector, particularly because it is difficult to tailor intelligence briefings to specific sectors or companies since the needs of each sector or company can vary. For example, smaller, less mature companies need more general threat awareness since specific information is difficult to act on. Alternatively, larger, more mature companies with more sophisticated security operations need more detailed intelligence—knowledge of specific threats to their lines of business, supply chain, or technology—and have the ability to act on it quickly. The intelligence gaps exist because the intelligence community either is unaware of the private-sector companies’ specific intelligence requests or is unwilling to share in order to preserve intelligence equities.
SICI legislation would do a number of things to correct this gap. First, it would create an affirmative obligation on the intelligence community to provide intelligence to SICI companies (with some clearly designated exceptions for issues of national security). Second, and perhaps more importantly, SICI legislation would direct the Office of the Director of National Intelligence and the Department of Homeland Security to work across sectors to identify intelligence gaps, common lines of business, common technologies and services, and other interdependencies that may be targeted by sophisticated adversaries. This will be useful in tailoring collection and intelligence production of greatest need to SICI entities and providing indications and warning to detect, prevent or mitigate compromises quickly.
Imagine a scenario in which Colonial Pipeline was a SICI-designated entity. If the intelligence community was able to uncover DarkSide’s ransomware threat to Colonial Pipeline in advance, the director of national intelligence would have been required to provide the intelligence directly to the owners and operators of Colonial Pipeline within five days of discovery and within 24 hours in the event the threat was imminent.
In addition to intelligence support, SICI legislation would work to raise the floor in critical infrastructure cybersecurity with measured performance standards. While it is true that there are some regulatory cybersecurity requirements, there are inconsistencies both within and across different sectors. Part of this is due to considerable variance in size, criticality, profit margin, and operating capital for companies within each sector; as a result, it is difficult to adopt a one-size-fits-all solution through regulation that accounts for these differences and still yields optimal security outcomes without undue burden that would place some companies at a competitive disadvantage. Additionally, there is little political will to update regulatory requirements unless a significant event (such as Colonial Pipeline) triggers a discussion about regulations. To resolve this, the SICI legislation would focus only on a portion of each sector, by identifying the “critical of critical” across all sectors. These standards would be created with sector input and would account for an entity’s size, capabilities, and resources and the type of risk presented in a potential breach of its systems. Furthermore, the secretary of homeland security would be able to consult with the relevant sector risk management agency and federal regulator to adopt industry-specific standards where unique circumstances warrant tailored attention. Universal standards would begin to codify and normalize proper cybersecurity hygiene where there currently is no cross-sector consensus. As such, SICI standards provide a solid foundation on which mutual trust between the federal government and private-sector operators of critical infrastructure can be built.
Another way in which SICI would work to build trust is through its cyber incident reporting mandate. Such a mandate would require that once an entity discovers a cyber incident, it must report the incident directly to the secretary of homeland security within 72 hours. In the event that a federal government entity, such as the intelligence community, discovers the incident, the federal entity will also be mandated to report the relevant incident to the secretary. Once the secretary of homeland security is notified, the secretary will work directly with the covered entity to assist in incident response, technical assistance, mitigation and recovery efforts. In addition to assisting the affected entity, the secretary of homeland security would be authorized to share indicators with other actors that may be at risk. A coherent ecosystem with attack reporting and common threat awareness will further rebuild the trust that ensures the nation’s most critical infrastructure remains secure.
Furthermore, SICI legislation would work to ensure that covered cyberattack victims that have acted in good faith to meet requirements are not unduly litigated against. If, and only if, SICI entities have complied with the aforementioned regulations and benefited from government support, they should not be liable for damages resulting from the specified attack. This benefit to companies springs from the earlier reporting process imposed on SICI entities. Thus, while regulations would incur short-term costs, critical infrastructure providers would likely see the benefits of SICI in the medium and long terms with formal tracking of internal cybersecurity. The record of compliance would serve as a clean bill of health in the case of lawsuits arising in the wake of an attack on a SICI-designated entity. A clear legal standard for cybersecurity should offer protection to actors that comply fully. Failure to provide this will do lasting damage to the government’s reputation when it comes to facilitating a public-private sharing ecosystem at a time when such a relationship has never been more important.
The existing paradigm of public-private collaboration continues to be hampered by high levels of distrust. Legal and procedural barriers only continue to exacerbate these problems. Codifying the concept of systemically important critical infrastructure overcomes these obstacles by bridging the gap in trust between the federal government and the private-sector entities that are responsible for securing the nation’s critical infrastructure. The status quo is unacceptable—the United States cannot continue to act lackadaisically in the face of a serious national security risk. The Colonial Pipeline attack will certainly not be the last attack on America’s infrastructure, nor will it be the most complex. It is imperative that all actors involved in the defense of the nation’s most important assets understand the “critical of critical.” Prioritizing the defense of systemically important critical infrastructure—whose disruption and collapse would have debilitating effects on U.S. national security, economic security, public health, and safety—is a vital step in keeping the United States secure from malicious cyberattacks.