The Cybersecurity Carve Out -- Revisited

Paul Rosenzweig
Thursday, February 16, 2012, 1:29 PM
Published by The Lawfare Institute in Cooperation With Brookings

Two days ago, I wrote about the “great cybersecurity carve out.” My point was that the definition of critical cyber infrastructure in the newly-introduced Senate cybersecurity bill seemed to have an important exclusion. As a reminder, the language reads: “The following commercial items shall not be designated as covered critical infrastructure:

(a) a commercial information technology product, including hardware and software; and

(b) any service provided in support of a product specified in subparagraph (a), including installation services, maintenance services, repair services, training services, and any other services provided in support of the product.”

This concerned me because the architecture of the Internet appeared to be excluded from regulation. Companies like Oracle, Cisco, Intel, Hewlett-Packard, and Facebook all make “commercial information technology” products.

Well, yesterday, I went to a briefing by “Senior Democratic aides” (SDAs) who filled me in on their thinking, and I wanted to give them equal time – so here’s what they had to say (with some of my own thoughts in response):

To begin with, they said that this isn’t really an “exclusion” but instead a point of emphasis that reflects the philosophy of the bill. I’m certainly not going to get into a debate about characterizing the language (when is an exclusion an emphasis?), so let's skip past that and move directly to their explanation of the “philosophy of the bill.” As described by the SDAs, the idea behind the emphasis is that they do not want the government to be in the business of regulating software and hardware components. Instead of, say, mandating that Microsoft fix a bug in Internet Explorer, they want to set performance security standards for industry and then let industry and the marketplace figure out the best way to meet those standards. Thus, if the most cost-effective way forward is for industry to demand a debugged IE program, they will and, presumably, Microsoft will provide it or lose the business. But if the best way to advance cybersecurity is simply to start “air gapping” critical systems (an air gap is when you disconnect a system from the Internet or other networks), then that is what they will do. So the point of the exclusion/emphasis is to make clear that particular solutions are not mandated – only results.

That explanation has a great deal of merit. Indeed, on the whole, if there is to be any regulation at all (a point I'll address in another post), this is by far superior to a rulemaking process. Still, the explanation leaves me a bit uncertain on two grounds.

First, while the point about not managing software or hardware development is certainly well-taken, it does sort of blink the reality of cyber vulnerability. An awful lot of the malicious activity that happens in cyberspace happens precisely because of gaps in underlying coding. Indeed, one cyber expert recently told me that the single most effective “bang for the buck” thing we could do to improve our cybersecurity is just exile all of the old, security-gap-laden programs like Windows ME and early versions of Internet Explorer. So it is at least a little odd to take off the table one of the major vectors of vulnerability. On the other hand, as I said, I really do NOT think we want government bureaucrats telling Microsoft and Apple how to upgrade their O/S. So, on balance, this aspect of the exclusion seems eminently debatable, but also eminently plausible and reasonable.

My second question, however, remains unanswered (at least in my mind). I asked the SDAs if the exclusion/emphasis would mean that the major ISPs who operate the large backbone services of the Internet would also be outside the definition of covered infrastructure. It would, I think, be exceedingly odd if Verizon, Comcast, Sprint and the other major backbone operators were not considered critical to the American economy. The SDAs all assured me that the definition did NOT exclude the backbone operators and that, using the procedures outlined in the bill, they would be eligible for designation as critical if the DHS Secretary made the requisite analysis and determinations.

If that is so, then that makes a great deal of sense. But I confess I cannot see it. I don’t see how you can conclusively argue that Internet backbone services are not a “commercial information technology product.” To be sure, they are NOT a “retail commercial information technology product” -- they are wholesale. But backbone Internet transmission service is an IT product if anything is, and it is sold commercially to a host of purchasers.

The definitions in the bill don’t provide additional clarity. Under section 2(2) of the bill, a commercial information technology product is defined as “a commercial item that organizes or communicates information electronically.” Well, the ISPs do that. Then, a "commercial item" is defined, by cross reference to 41 USC 103, as “an item, that— (1)(A) is of a type customarily used by the general public or by nongovernmental entities for purposes other than governmental purposes.” And that’s where the ambiguity creeps in, I think – the ISP backbone is “used” by the general public – you are using it right now to read this blog post. But “used” in this context might mean “marketed to” or "purchased by" -- a requirement that might not include the ISP backbone.

Then we turn to subsection (6) of section 103, which says that “commercial item” also includes: “services offered and sold competitively, in substantial quantities, in the commercial marketplace based on established catalog or market prices for specific tasks performed or specific outcomes to be achieved and under standard commercial terms and conditions.” Again, that seems to include the services of transmission that ISP backbone providers offer -- they are sold competitively, in substantial quantities, based on a market price, for tasks to be performed.

And so, I’m left with a puzzle – the SDAs are quite confident that the ISP backbone can be designated a critical piece of infrastructure, and I think that would be the right result. Indeed, it almost seems impossible to me that they are not (apologies to my friends at Verizon for that conclusion). But the language doesn’t seem to quite fit. If the intent of the bill is to potentially include Internet transmission service providers as covered critical infrastructure, the language may need some tweaking.

Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.