The Need for an International Component to Pending Cybersecurity Legislation
Published by The Lawfare Institute
I spoke last Friday at a symposium hosted by the Canada-US Law Institute at Case Western Reserve University School of Law, where the topic of the day was “The New Perimeter Initiative.” [For those who are unfamiliar, President Obama and Prime Minister Harper recently announced a new initiative called “Beyond the Border,” dedicated (broadly speaking) to the idea of enhancing joint perimeter border security while easing restrictions on cross-border trade and cooperation. IMHO, it’s a very good initiative generally speaking.] I spoke on an afternoon panel on the subject of cross-border cybersecurity cooperation.
Preparing for the panel, and participating in it, have led me to one of those “duh” moments that sometimes happen of the “finally putting two and two together and getting four” variety. Consider:
1) Much of American critical infrastructure is interconnected with Canadian counterparts. Most notably our electric grids are actually aligned vertically so that Eastern Canada and the Eastern US serve as a joint operation. Likewise in the West. [Texas, as always, goes its own way]. When the great Northeast Blackout happened in 2003, its effects rolled from Ohio up into Ontario and then back into Michigan, recognizing no border.
2) Almost certainly, the vulnerability of the electric grid is one of the principal factors driving cybersecurity concerns. The SCADA systems are considered highly vulnerable. Indeed, the recent Senate cyber exercise involved a simulated attack on the electric grid in New York City.
But New York’s retail electricity provider, ConEd, gets a lot of its electricity from Canadian companies like Hydro Quebec. So how stupid would America feel in the following scenario:
- The NSA through sources and methods uncovers a significant SCADA vulnerability. Using the newly promulgated authorities of the sort being contemplated in both the Lieberman-Collins and McCain bills, NSA shares that information with ConEd, who spends significant resources patching the vulnerability. Six months later, the lights go out in New York because a malicious actor exploits a nearly-identical vulnerability in the SCADA system at Hydro Quebec, causing a cascading blackout in the Northeastern corridor. Nobody ever told Hydro Quebec about the vulnerability.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security consulting company and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is a Professorial Lecturer in Law at George Washington University, a Senior Fellow in the Tech, Law & Security program at American University, and a Board Member of the Journal of National Security Law and Policy.