Please assume you have been appointed by the President of the United States and the Prime Minister of Canada to advise them on the laws needed in order to protect the jointly-held areas of infrastructure between the two countries. You may use the Case Study I have provided or any other resources of your choice.
Shackelford & Bohm – Securing North American Critical Infrastructure
Securing North American Critical Infrastructure:
A Comparative Case Study in Cybersecurity Regulation
Scott J. Shackelford, J.D., Ph.D. * & Zachery Bohm**
Abstract: The United States and Canada are interdependent along a number of dimensions, such as their mutual reliance on shared critical infrastructure. As a result, regulatory efforts aimed at securing critical infrastructure in one nation impact the other, including in the cybersecurity context. This article explores one such innovation in the form of the 2014 National Institute for Standards and Technology (“NIST”) Cybersecurity Framework. It reviews the evolution of the NIST Framework, comparing and contrasting it with ongoing Canadian efforts to secure vulnerable critical infrastructure against cyber threats. Its purpose is to discover North American governance trends that could impact wider debates about the appropriate role of the public and private sectors in enhancing cybersecurity.
Table of Contents
I. Introduction
II. Unpacking the Cyber Threat Affecting North American Critical Infrastructure
III. U.S. Approaches to Securing Critical Infrastructure: Enter the NIST Framework
IV. An Introduction to Canadian Critical Infrastructure Cybersecurity Law and Policy
V. Conclusion
I. Introduction
Neither the United States nor Canada is a stranger to cyber attacks. These have increasingly targeted both the private and public sectors to steal valuable intellectual property, such as state and trade secrets. In one instance, the Canadian government reported a major cyber attack in 2011 that forced the Finance Department and Treasury Board, Canada’s main economic agencies, to disconnect from the Internet.1 Hundreds of systems within the United States Department of Commerce have similarly been forced offline due to cyber attacks in recent years.2 In total, more than 40 million global cyber attacks were reported in 2014, representing a nearly 50% increase over 2013.3
* Assistant Professor of Business Law and Ethics, Indiana University; Senior Fellow, Indiana University Center for Applied Cybersecurity Research; W. Glenn Campbell and Rita Ricardo-Campbell National Fellow, Stanford University Hoover Institution. ** Senior, Indiana University School of Public and Environmental Affairs.
CANADA-UNITED STATES LAW JOURNAL [Vol. 40, 2016]
In response to this wave of cyber attacks, the U.S. and Canadian governments have created a number of national and bilateral initiatives to enhance North American cyber security. This includes the 2012 Cybersecurity Action Plan Between Public Safety Canada and the Department of Homeland Security.4 Such collaborative actions reflect the fact that the United States and Canada are interdependent along a number of dimensions, including the two nations’ mutual reliance on shared critical infrastructure (“CI”). For example, in 2012, electricity exports from Canada to the United States totaled nearly 60 million megawatt-hours, or roughly 1% to 2% of total U.S. consumption. Certain regions, such as the U.S. Northeast and Midwest, are particularly dependent upon Canadian power supplies.5 As a result of this interdependence, regulatory efforts aimed at securing CI in one nation impact the other, even in the cybersecurity context.
This article explores one such innovation, the 2014 National Institute for Standards and Technology Cybersecurity Framework (“NIST Framework”).6 It briefly reviews the evolution of the NIST Framework, comparing and contrasting it with ongoing Canadian efforts to secure vulnerable CI against cyber threats. Its purpose is to discover North American governance trends that may impact wider debates about the appropriate role of the public and private sectors in enhancing CI for cyber security.
The article proceeds as follows. Part I unpacks the multifaceted cyber threat facing North American CI operators. Part II then delves into regulatory efforts aimed at enhancing U.S. CI cyber security, focusing on the NIST Framework. Part III investigates Canadian CI regulation, with a special emphasis on the government’s reception to the NIST Framework. We conclude by couching this investigation within the wider debate surrounding international CI protection, including the emergence of cybersecurity norms in this space.
1 Ctr. for Strategic & Int’l Studies, Significant Cyber Incidents Since 2006 (Mar. 10, 2014), http://csis.org/files/publication/140310_Significant_Cyber_Incidents_Since_2006.pdf.
2 See Gregg Keizer, Chinese Hackers Hit Commerce Department, Info. Wk. (Oct. 6, 2006), http://www.informationweek.com/chinese-hackers-hit-commerce-department/d/d-id/1047684.
3 See Samantha White, Global Cyber-Attacks Up 48% in 2014, CGMA Magazine (Oct. 8, 2014), http://www.cgma.org/Magazine/News/Pages/201411089.aspx?TestCookiesEnabled=redirect. But see, e.g., Peter Maass & Megha Rajagopalan, Does Cybercrime Really Cost $1 Trillion?, ProPublica (Aug. 1, 2012), http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion (noting that such surveys should be accepted with caution).
4 See generally Pub. Safety Can. and U.S. Dep’t. of Homeland Sec., Cybersecurity Action Plan Between Public Safety Canada and the Department of Homeland Security (2012), http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cybrscrt-ctn-plan/cybrscrt-ctn-plan-eng.pdf.
5 See North American Energy Infrastructure Act Will Bolster U.S.-Canada Electricity Relationship, U.S. Energy & Commerce Comm. (May 7, 2014), http://energycommerce.house.gov/press-release/north-american-energy-infrastructure-act-will-bolster-us%E2%80%93canada-electricity#sthash.VKtC9JA1.dpuf.
6 See Executive Order on Improving Critical Infrastructure Cybersecurity, White House Press Sec’y (Feb. 12, 2013), http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity-O; see also Mark Clayton, Why Obama’s Executive Order on Cybersecurity Doesn’t Satisfy Most Experts, Christian Sci. Monitor (Feb. 13, 2013), http://www.csmonitor.com/USA/Politics/2013/0213/Why-Obama-s-executive-order-on-cybersecurity-doesn-t-satisfy-most-experts.
II. Unpacking the Cyber Threat Affecting North American Critical Infrastructure
It is notoriously difficult to find verifiable data on the number, type, and severity of cyber attacks afflicting various nations and regions around the world.7 Without clear definitions, shared and meaningful values, or reliable data, information about cyber attacks that impact North American CI remains limited and unsophisticated. That said, more than one-third of Canadian firms have reported being victims of cyber attacks.8 In a 2015 survey done by Kaspersky Labs, Canada was named the tenth most-attacked nation in the world.9 The Kaspersky survey also notes that the United States is the third most-attacked nation as of March 2015.10 Also, from 2000 to 2008, U.S. cybersecurity surveys found that the proportion of organizations reporting cyber attacks ranged from forty-three percent to seventy percent.11
In 2010, seventy-five percent of surveyed IT executives in twenty-seven countries stated that they had detected one or more attacks and forty-one percent characterized such attacks as “somewhat or highly effective.”12 Verizon’s 2012 Data Breach Investigations Report found that “174 million records were compromised in 2011, the second-highest total since the company began tracking breaches in 2004.”13 Even that figure was surpassed in 2013.14
Yet, despite this multifaceted and growing threat, Canadian government audits noted an absence of action plans, the slow pace of private-sector CI partnership building, and the lack of timeliness and completion of monitoring programs that protect CI from cyber threats.15 What is more, a 2012 report from the Auditor General of Canada noted that the Canadian government appropriated only 780 million dollars in funding to improve security for Canada’s critical infrastructure and less than this total was directed toward enhancing cybersecurity.16
7 See Scott J. Shackelford, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (2014).
8 See David Paddon, Cyber Attacks Have Hit 36 Per Cent of Canadian Businesses, Study Says, Globe & Mail (Aug. 18, 2014), http://www.theglobeandmail.com/report-on-business/cyber-attacks-have-hit-36-per-cent-of-canadian-businesses-study-says/article20096066/.
9 See Cyberthreat Real-Time Map, Kaspersky, http://cybermap.kaspersky.com/ (last visited Mar. 10, 2015).
10 See id.
11 See Robert Richardson, Computer Sec. Inst., CSI Computer Crime & Security Survey 13 (2008), available at http://ixmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf.
12 See Symantec, State of Enterprise Security Study 7 (2010), https://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010.pdf.
13 Joel Griffin, Report Sheds Light on Intellectual Property Theft, Sec. Infowatch (Oct. 24, 2012), http://www.securityinfowatch.com/article/10819280/report-sheds-light-on-intellectual-property-theft.
14 See Hadley Malcolm, Target: Data Stolen from up to 70 Million Customers, USA Today (Jan. 10, 2014), http://www.usatoday.com/story/money/business/2014/01/10/target-customers-data-breach/4404467/.
Other data points support the need for reform. As noted by the Canadian Security Intelligence Service:
The speed of evolving new cyber threats, the lack of geographic boundaries and the problem of determining attribution impede efforts to counter attacks on information systems. Obstacles include not only domestic jurisdictional barriers to effective regulation, legislation and information-sharing but also the fragmented ownership and regulatory control of ICT infrastructure, which represents a major challenge at the global level… Accordingly, it would seem appropriate that the costs of protecting critical infrastructure against certain threats to national security be borne in a proportionate manner by all those who benefit…17
However, Canada is far from alone in its struggle to fight the evolving cyber threat to CI. According to a McAfee survey, CI owners and operators from the United States reported that their high-level adversaries, such as foreign governments, repeatedly cyber attacked their networks and control systems.18 The consequences of such attacks are potentially devastating. In fact, the U.S. Cyber Consequences Unit estimates losses from a major attack on U.S. CI at roughly 700 billion U.S. dollars.19 Congress, however, has been slow to meet this challenge, which has prompted executive action. As such, what follows is the analysis of the current U.S. approach to changing the unsustainable cybersecurity status quo. Then, we take a comparative look at some of Canada’s CI cybersecurity reform efforts.
15 Office of the Auditor Gen. of Can., Report of the Auditor General of Canada – Fall 2012: Chapter 3 (2012), available at http://www.oag-bvg.gc.ca/internet/docs/parl_oag_201210_03_e.pdf.
16 Angela Gendron & Martin Rudner, Can. Sec. Intelligence Serv., Assessing Cyber Threats to Canadian Infrastructure (Mar., 2012), https://www.csis.gc.ca/pblctns/ccsnlpprs/CyberTrheats_AO_Booklet_ENG.pdf.
17 Id.
18 Stewart Baker, Shaun Waterman & George Ivanov, McAfee, In the Crossfire: Critical Infrastructure in the Age of Cyber War 1 (2010), available at http://img.en25.com/Web/McAfee/NA_CIP_RPT_REG_2840.pdf.
19 See Jayson M. Spade, Information as Power: China’s Cyber Power and America’s National Security 26 (Jeffrey L. Caton ed., 2012) (citing Eugene Habiger, Cyber Secure Inst., Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic Approach 15-17 (2010), available at http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-072.pdf).
III. U.S. Approaches to Securing Critical Infrastructure: Enter the NIST Framework
President Obama issued an executive order in 2013 that expanded public-private information sharing and tasked NIST with establishing the NIST Framework to better secure critical infrastructure.20 Version 1.0, Framework for Improving Critical Infrastructure Cybersecurity, was released in February 2014.21 This was designed to harmonize consensus standards and industry best practices. Its proponents argue that it provided a flexible and cost-effective approach to enhancing cybersecurity.22
The NIST Framework does not create any binding obligations for private sector actors and has no means of enforcement for those that choose to adopt it.23 Nonetheless, its widespread implementation may establish a cybersecurity standard of care in the United States, even without Congressional action.24 This holds the potential to spill over beyond traditional CI sectors into the private sector in the United States. Indeed, the White House announced that, as of February 2015, Intel, Apple, and Walgreens have incorporated the NIST Framework into their cybersecurity efforts.25 Actually, even Bank of America now requires its use by vendors.26
With a deep degree of private-sector participation, the NIST Framework’s basic structure divides cybersecurity into five broad functions.27 These include: identify, protect, detect, respond, and recover.28 Notably, the NIST Framework also provides a series of steps for organizations to follow to assess and address their cyber risk exposure.29 This permits firms to incorporate cyber risk management in a manner that is consistent with their overarching business goals and financial capabilities. Though it is premature to predict the permanence of the NIST Framework, its inherent flexibility has proven attractive to CI operators and policymakers alike. Already, cyber security consultants are advising private-sector clients that “the ‘standard’ for ‘due diligence’ was now the NIST Cybersecurity Framework.”30
20 See White House Press Sec’y, supra note 6; see also Mark Clayton, supra note 6.
21 White House Press Sec’y, supra note 6, at 1.
22 Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11739, 11741 (February 19, 2013).
23 See White House Press Sec’y, supra note 6.
24 See, e.g., NIST’s Voluntary Cybersecurity Framework May Be Regarded as De Facto Mandatory, Homeland Sec. News Wire (Mar. 4, 2014), http://www.homelandsecuritynewswire.com/dr20140303-nist-s-voluntary-cybersecurity-framework-may-be-regarded-as-de-facto-mandatory (stating that experts have warned that many of the recommendations in the framework “may be used by courts, regulators, and even consumers to hold institutions accountable for failures that could have been prevented if the cybersecurity framework had been fully implemented by the respective institution”).
25 See White House Press Sec’y, Fact Sheet: White House Summit on Cybersecurity and Consumer Protection (Feb. 13, 2015), http://rn.whitehouse.gov/the-press-office/2015/02/13/fact-sheet-white-house-summit-cybersecurity-and-consumer-protection.
26 See id.
27 White House Press Sec’y, supra note 6, at 7.
28 Id.
29 Nat’l Inst. of Standards and Tech., Framework for Improving Critical Infrastructure Cyber Security Version 1.0 (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf at 13-14.
Over time, the NIST Framework has both the potential to shape a standard of care for domestic CI organizations and the capability to help harmonize global cybersecurity best practices for the private sector. This is particularly true given the active NIST Framework collaborations that have begun to occur between a number of nations, including the United Kingdom, Japan, Korea, Estonia, Israel, Germany, and Australia.31 The question considered below is what impact, if any, this initiative has had on reshaping Canada’s cybersecurity policymaking landscape.
IV. An Introduction to Canadian Critical Infrastructure Cybersecurity Law and Policy
The Canadian government has established various cyber security frameworks that manage the cyber threats facing North American CI.32 Before diving into this issue, however, the context will first be briefly summarized. Both Canada and the United States have numerous agencies charged with enhancing national cyber security.33 Much of Canada’s cyber security policymaking authority resides in the Department of Public Safety and Emergency Preparedness Canada (“PSEPC”).34 This agency is similar to the U.S. Department of Homeland Security (“USDHS”). Like USDHS, PSEPC is responsible for ensuring the cyber security of civilian government networks and private industry networks related to CI.35
30 John Verry, Why the NIST Cybersecurity Framework Isn’t Really Voluntary, PivotPoint Sec.: Info. Sec. Blog (Feb. 25, 2014), http://www.pivotpointsecurity.com/risky-business/nist-cybersecurity-framework.
31 Gerald Ferguson, NIST Cybersecurity Framework: Don't Underestimate It, Info. Wk. (Dec. 9, 2013), http://www.informationweek.com/government/cybersecurity/nist-cybersecurity-framework-dont-underestimate-it/d/d-id/1112978 (noting that some stakeholders have already argued that “any time a company’s cybersecurity practices are questioned during a regulatory investigation and litigation, the baseline for what’s considered commercially reasonable is likely to become the… Cybersecurity Framework”); Nat’l Inst. of Standards and Tech., Update on the Cybersecurity Framework (July 31, 2014), http://nist.gov/cyberframework/upload/NIST-Cybersecurity-Framework-update-073114.pdf (“NIST and other U.S. government officials have had discussions about the Framework with multiple foreign governments and regional representatives including organizations throughout the world, including – but not limited to – the United Kingdom (UK), Japan, Korea, Estonia, Israel, Germany, and Australia.”).
32 See generally Cyber Security: A Shared Responsibility, Pub. Safety Can. (Apr. 3, 2014), http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/index-eng.aspx.
33 See Gordon M. Snow, Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Investigation, The Fed. Bureau of Investigation (Apr. 12, 2011), https://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism.
34 See Cyber Security: A Shared Responsibility, supra note 32.
35 See U.S. Dep’t Homeland Sec., Safeguard and Secure Cyberspace (Nov. 2, 2012), available at http://www.dhs.gov/safeguard-and-secure-cyberspace.
In 2005, the Canadian government created the Canadian Cyber Incident Response Center (“CCIRC”) within PSEPC.36 CCIRC monitors the cyber security of both public- and private-sector networks including CI. Thus, it is charged with leading the government’s response to and recovery from cyber attacks.37 The manner in which CCIRC achieves this is threefold: (1) it advises the government and private sector how to prepare for and mitigate cyber threats; (2) it provides technical expertise, i.e., forensic cyber analysis; and (3) it acts as a framework where experts may share and collaborate on ideas that help support critical Canadian CI.
CCIRC is Canada’s version of the U.S. Computer Emergency Readiness Team (“US-CERT”). US-CERT was established in 2003 and is under the jurisdiction of the USDHS.39 Thus, both CCIRC and US-CERT provide their government and private sectors with the tools and information necessary to mitigate the effects of cyber attacks. They also identify and share cyber security best practices and threat information.40
In February 2014, the Canadian government announced the Cyber Security Cooperation Program (“CSCP”), which is administered by PSEPC.41 The CSCP is a five-year, 1.5 million Canadian dollar grant initiative that funds research and projects created to improve Canada’s “vital cyber systems” security.42 Specifically, CSCP identifies programs and research that improve best practices, standards, operational methodologies and cyber assessment tools for critical cyber systems and CI.43
Over the past decade PSEPC has published a number of notable reports related to CI cyber security. These reports detail how the Canadian government and private sectors should improve CI cyber security.44 In 2010, PSEPC published the National Strategy for Critical Infrastructure (“National Strategy”) and the Action Plan for Critical Infrastructure (“Action Plan”) reports, which address vital infrastructure safety and security issues.45
36 See Steven Ballew, U.S. Can Learn from Canadian Cybersecurity Shortcomings, Daily Si