The Need for an International Component to Pending Cybersecurity Legislation

I spoke last Friday at a symposium hosted by the Canada-US Law Institute  at Case Western Reserve University School of Law, where the topic of the day was “The New Perimeter Initiative.”  [For those who are unfamiliar, President Obama and Prime Minister Harper recently announced a new initiative called “Beyond the Border,” dedicated (broadly speaking) to the idea of enhancing joint perimeter border security while easing restrictions on cross-border trade and cooperation.  IMHO, it’s a very good initiative generally speaking.]   I spoke on an afternoon panel on the subject of cross-border cybersecurity cooperation. Preparing for the panel, and participating in it, have led me to one of those “duh” moments that sometimes happen of the “finally putting two and two together and getting four” variety.  Consider: 1)            Much of American critical infrastructure is interconnected with Canadian counterparts.  Most notably our electric grids are actually aligned vertically so that Eastern Canada and the Eastern US serve as a joint operation. Likewise in the West.  [Texas, as always, goes its own way].  When the great Northeast Blackout happened in 2003, its effects rolled from Ohio up into Ontario and then back into Michigan, recognizing no border. 2)            Almost certainly, the vulnerability of the electric grid is one of the principal factors driving cybersecurity concerns.  The SCADA systems are considered highly vulnerable.  Indeed, the recent Senate cyber exercise involved a simulated attack on the electric grid in New York City. But New York’s retail electricity provider, ConEd, gets a lot of its electricity from Canadian companies like Hydro Quebec.  So how stupid would America feel in the following scenario:

• The NSA through sources and methods uncovers a significant SCADA vulnerability.  Using the newly promulgated authorities of the sort being contemplated in both the Lieberman-Collins and McCain bills, NSA shares that information with ConEd, who spends significant resources patching the vulnerability.  Six months later, the lights go out in New York because a malicious actor exploits a nearly-identical vulnerability in the SCADA system at Hydro Quebec, causing a cascading blackout in the Northeastern corridor.  Nobody ever told Hydo Quebec about the vulnerability.

I need to think about this concept some more.  I’m not sure how generalizable the US-Canada electric grid example is to other infrastructures (air traffic?  Cross-border manufacturing?) because I don’t have a good sense of the interconnectedness.  I’m also not sure if there are other foreign critical infrastructures (the LNG facility in Trinidad & Tobago that supplies 70% of our LNG?) that need to be thought about.  And I’m not sure if my “information sharing” hypo can be broadened to a regulatory hypo (how useful is it for DHS to promulgate new security standards for US critical infrastructure under Title I of the Lieberman-Collins bill if Canada does not follow suit?  At a minimum should Canadian companies be part of the conversation?).  There’s a good paper ahead of me answering these! But I don’t need to answer those questions now – I just need to highlight them.  As I read the two Senate bills they are, effectively, silent on an aspect of international partner information sharing or participation in the regulatory process.  No doubt that is because they, like me until this week, simply never thought of the question. But we say, often, that cyber is a borderless domain.  The insight today is that so are at least some of critical infrastructures dependent on cyber.  All that is needed at this point is a little tweak to the legislative language that allows for the possibility that the new information sharing and/or regulatory structures might have international participants.  I am thinking of something simple like “the Secretary is authorized to examine whether and how …” language that just acknowledges the problem. And that is my “duh” moment for the week.