WASHINGTON, D.C.—Leading conservative legal scholar Jack Goldsmith Thursday advocated for security standards for the nation’s most critical infrastructure to protect it from probes or attacks by hostile nations, terrorists, and other bad actors. In an opinion piece published on his blog Lawfare, which explores the intersection of law and national security, Goldsmith said critical infrastructure “is central to the security of the nation,” and noted that the Lieberman, Collins, Rockefeller, Feinstein cybersecurity bill is the only one in Congress that addresses critical infrastructure.
Goldsmith, a Harvard Law professor, served as Assistant Attorney General in the Administration of President George Bush and authored the book “The Terror Presidency.” In 2007, The New York Times Magazine said he was "widely considered one of the brightest stars in the conservative legal firmament."
The Persuasive General Alexander, and Why Critical Infrastructure Protection Regulation is . . . Critical
By Jack Goldsmith
When Paul [Rosenzweig, former Deputy Assistant Secretary of Homeland Security] says that General Alexander’s response to Senator McCain’s letter over pending cybersecurity legislation is “unpersuasive,” I cannot tell whether Paul found it unpersuasive or whether he is referring to Senator McCain, who clearly found it unpersuasive. What I find unpersuasive is Senator McCain’s letter and, more generally, those who oppose outright not only the Critical Infrastructure (CI) provisions of Title 1 of the Lieberman-Collins bill, but also the idea of government regulation of cybersecurity related to CI.
CI is the physical and organizational structures, systems, and networks that are central to the security of the nation. CI includes the communication system, the electrical and water systems, the banking and finance systems, and the like. These systems are, for good reasons, largely owned and run by the private sector. The question is whether the private sector can adequately protect these systems from destructive cyber-intrusions (a term I use to include cyber-attacks and cyber-exploitations). The key term in this question is “adequately.” The nation depends on CI, and harm to CI will extend far beyond the affected industries; it will also negatively impact dependent industries and everyone in the nation that uses or depends upon the harmed industries or dependent industries. If the electrical system or the finance system goes down, we all suffer – a lot.
There is no reason to think that private firms that own CI will invest in cybersecurity defense and resilience in the ways and to the extent needed to prevent the harms to the industries and persons who depend (directly and indirectly) on the affected CI. As Michael Chertoff explained in testimony in February:
Left to their own devices, few private companies would invest more in securing their cyber assets than the actual value of those assets. Yet in an interconnected and interdependent world, the failure of one part of the network can have devastating collateral and cascading effects across a wide range of physical, economic and social systems. Thus, the marketplace is likely to fail in allocating the correct amount of investment to manage risk across the breadth of the networks on which our society relies.
I find this argument compelling, and I have not seen any good response to it. There is no reason to think that the firms who own CI will invest in the amount and types of CI cyber-defense that will adequately protect the nation. This is a classic case for government regulation – indeed, it is the classic case for government supply of the public good we call national defense, since there is every reason to think that the private sector, following its private interests, will undersupply national defense in this context.
It does not follow, of course, that any government regulation in this context will suffice. The government regulation might be poor and might make things worse. Or the national security benefits of regulation might be swamped by the costs to innovation of the regulation. In short, the quality of government regulation matters to whether regulation is justified. But the simple analysis of the incentives of the entities that own CI establishes the prima facie case for some sort of government involvement in the solution.
Which brings me to the CI provisions in the Lieberman-Collins bill (the only bill in Congress that contains serious CI protection provisions). I do not know whether these provisions are optimal. I understand the general concern about giving DHS the lead in this area. And I would prefer a law that defines CI more precisely and gives more guidance on what the performance standards might look like rather than leaving those issues, with little guidance, to DHS. (In this regard, this statement from McCain’s letter is rich: “I am unaware of the Congress ever creating a regulatory regime in which it does not say what entities would be regulated and simultaneously authorizes a government agency, any agency, with few if any regulatory successes, to determine what needs to be regulated and how to regulate it.” McCain needs a course in administrative law, for this is precisely what Congress does, all too often. Of course nothing prevents Congress from exercising its constitutional duties and better specifying the regulated agencies and the nature of the regulation.)
Despite these qualms, the Lieberman-Collins approach strikes me as a good one in general because it (1) focuses on performance standards, leaving it to individual firms how to meet these standards, (2) gives the private sector a large hand in crafting these performance standards, and (3) affirmatively bans the government from regulating technology products and services. As Chertoff said in his testimony:
[The Lieberman-Collins bill does] not seek to impose detailed security regimes, but recognize that for identified highly critical infrastructure, outcome-based performance standards are necessary. Such performance standards allow private owners the flexibility to innovate in achieving security, but also require in the end that the owners demonstrate that they have attained that appropriate level of security. Similar performance-based approaches work well in promoting physical security in our ports, transportation networks, and other key infrastructure.
As Stewart Baker – who is not a general fan of Internet regulation – similarly said in his February 2012 testimony:
This broad structure is meant to solve the problem of how to regulate a fast-moving and complex technology. It does so by leaving as much discretion as possible in the hands of the private sector. It gives the private sector preferential input into the process of assessing and identifying covered critical infrastructure. Performance requirements are supposed to be established, if at all possible, based on private sector proposals or existing industry standards.
What’s more, the title doesn’t call for government simply to tell industry what security technologies to adopt. The point of the process is to identify the risks, warn industry of those risks, and challenge industry to develop standards and adopt measures that industry finds best adapted to the risks.
I find Chertoff’s and Baker’s general support for the Lieberman-Collins approach to CI cybersecurity protection persuasive and I urge readers (and members of Congress) to study their testimony. (I sense that Paul disagrees with his former colleagues here; if I am right, it would be illuminating to know why.) But the point I want to make now is that whether one thinks Lieberman-Collins is the ideal approach to CI regulation or not, there is a vital role for government to play in this context, and those who oppose government involvement in CI protection have their heads in the sand.
Which brings me, finally, to McCain’s letter to Alexander. McCain is upset that Alexander supports giving DHS the role contemplated by the Lieberman-Collins bill, and he asked Alexander to answer some questions about his endorsement. Alexander responded, but McCain did not like the answers, which in brief tracked the case for Lieberman-Collins outlined above and defended by the Obama administration and (for example) the Chertoff and Baker testimonies. McCain does not like DHS (as opposed to DOD) having a large role in cybersecurity, and he thinks that under Lieberman-Collins DHS would have too many unguided authorities to impose burdensome regulations. That is a potentially defensible position – maybe DHS is the wrong agency, and maybe the Lieberman-Collins proposals are not ideal. But Senator McCain, and many other critics of the CI provisions of Lieberman-Collins, seem to oppose any agency of the government having a regulatory role in ensuring that the incentives of CI owners and national security are aligned. That is the position that I do not understand, and that I believe is indefensible.
Cybersecurity is an enormous challenge because most of the targets and the channels of attack are owned by the private sector, and we do not trust government regulation of the private sector, especially in the technology and communications contexts. But the government is the only institution with the resources and the incentives to ensure that the CI on which we all depend is secure, and we must find a way for it to meet its responsibilities. Lieberman-Collins might not be ideal. But it is a good start, and right now it is the only game in town, for it is the only cyber bill to address CI protection in a serious way. The issue should be how to improve Title 1 of Lieberman-Collins, not whether the government should have a serious role in ensuring that the private sector adequately protects CI.