During the winter of 2013-14, amidst the school delays and extreme weather conditions in much of the United States, the federal Emergency Alert System issued a warning, but perhaps not the one people expected: "Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. . . . Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous." Hackers had reportedly penetrated the system to issue a "bogus zombie alert" in yet another "disturbingly common" episode showcasing the myriad vulnerabilities buried in "critical systems throughout [U.S.] government . . . ." Aside from being fodder for bored hackers, such weaknesses can be exploited by cyber criminals, terrorists, and nation-states, which makes securing "critical infrastructure" a key test of effective cybersecurity policymaking. Thus far, though, it is a test that many nations, including the United States, the United Kingdom, and India, are failing. However, the release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework could signal a new chapter in securing critical infrastructure not only in the United States, but also in the European Union and potentially around the world.
Nations are taking varying approaches to enhancing critical infrastructure cybersecurity. What has emerged is a governance spectrum with the United States, United Kingdom, and India preferring a more voluntary approach, while other cyber powers, including China, are opting for a larger role for the state. The European Union so far seems to fall toward the middle of the spectrum, with calls for establishing "appropriate cybersecurity performance requirements" as well as mandatory reporting for cyber attacks having a "significant impact" on firms operating across a broad array of sectors.
Time and experience will demonstrate whether a more voluntary or regulatory approach is more effective at securing critical infrastructure. The former, for example, holds the benefit of innovation through experimentation, but the lack of enforcement mechanisms can make the uptake of best practices haphazard. Consider the electric grid. The United States has more than 3,200 independent power utilities, unlike Germany, which has four major providers. Organizing the efforts of a handful of utilities is a far easier undertaking than ensuring the uptake of best practices across thousands of disparate actors.
To help realize the promise of a largely voluntary approach to securing critical infrastructure, President Obama issued an executive order in February 2013 that tasked NIST with developing the Cybersecurity Framework, which promises to be a "prioritized, flexible, repeatable, and cost-effective approach" to help "manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties." Many commentators have gauged this effort as falling short of what is required, but it could help shape a cybersecurity duty of care.
Over time, the Framework could shape the cybersecurity reform efforts of other nations and regions, including India and the European Union, where it has already piqued the interest of E.U. policymakers. Evolving cybersecurity best practices could even be made enforceable through industry councils, similar to the process by which norms from the nonprofit North American Electric Reliability Council became binding through Congressional action in the wake of the 2003 northeast blackout. One hopes that it will not take a major cyber attack, or a zombie invasion, to galvanize similar action to enhance security for critical infrastructure.
For further information on this topic, see MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS AND RELATIONS: IN SEARCH OF CYBER PEACE (Cambridge University Press, forthcoming 2014); Beyond the New 'Digital Divide': Analyzing the Evolving Role of Governments in Internet Governance and Enhancing Cybersecurity, STANFORD JOURNAL OF INTERNATIONAL LAW (2014).