An Improvised Patchwork: Success and Failure in Cybersecurity Policy for Critical Infrastructure
Published date | 01 September 2021 |
Author | Sean Atkins,Chappell Lawson |
Date | 01 September 2021 |
DOI | http://doi.org/10.1111/puar.13322 |
Research Article
An Improvised Patchwork: Success and Failure in Cybersecurity Policy for Critical Infrastructure 847
Abstract: The last two decades have revealed the vulnerability of privately owned “critical infrastructure”—the power
grid, pipelines, financial networks, and other vital systems—to cyberattack. The central U.S. response to this challenge
has been a series of sectoral “partnerships” with private owner-operators of critical infrastructure, involving varying
degrees of regulation. Qualitative analysis based on in-depth interviews with over 40 policymakers and senior private
sector managers, as well as public documents, reveals considerable variation in how well this approach has worked in
practice. The main predictors of policy success appear to be (a) the nature of the cyber threat to firms’ operations and
(b) regulatory pressure on firms. However, other factors—such as the nature of intra-industry competition—also affect
how well the current regime works in specific sectors. Our findings have implications for public administration on
civilian cybersecurity, as well as ramifications for regulation in other policy domains.
Evidence for Practice
• Collaboration between business and government in cybersecurity is distinct from conventional public–
private partnerships designed to address capital markets failures, in that it must be highly flexible and
adaptive.
• Cybersecurity policies should be tailored to critical infrastructure sectors or subsectors, to take into account
the nature of industry competition, the size and complexity of the sector, and longstanding relationships
between business and the government in the sector.
• Government agencies that possess a strong historical relationship to their assigned sector, expertise in
cyber, and resources to help firms are better able than other lead agencies to build an effective cybersecurity
partnership with industry.
• Irrespective of sector, collaboration between the government and private owner-operators of critical
infrastructure requires a high level of trust, often built through personal relationships and then reinforced
through iterated interactions.
Critical infrastructure refers to the systems that
undergird modern society: the power grid
that provides electricity to businesses and
households, financial networks that allow the market
economy to function, water and sewerage systems,
and the like (Alcaraz and Zeadally 2015; CIPA 2001;
DHS 2019). Because ordinary operations in these
sectors are increasingly digitalized, and because the
hardware and software components of these systems
often have exploitable features (NIST 2019), much of
this infrastructure is susceptible to cyberattack (Clinton
and Perera 2016; Johnson 2015). The increasing
connectivity of critical infrastructures to other networks,
including the internet, has exacerbated this vulnerability
(inter alia Clinton 2016; Speake 2015; Johnson 2015).
Not only do attacks threaten targeted firms and
sectors themselves, but they could also potentially
trigger cascading failures (Bennet 2018, 50–51;
Durkovich 2020; Carlin 2020; Gow 2019;
Cordesman and Cordesman 2002). For instance, a
cyberattack that disabled the electricity grid would
disrupt communication networks, which would in
turn impede emergency response, and so forth. In
addition, in certain sectors—such as dams, pipelines,
oil refineries, aviation, or nuclear reactors—successful
cyberattacks on control and safety systems could
potentially cause property damage and loss of life
(Greenberg 2019; Angle, Madnick, and Kirtley
Jr. 2019; Khan, Madnick, and Moulton 2018;
Nourian and Madnick 2018; MacKinnan et al.
2013, Clayton and Segal 2013; Lee, Assante, and
Conway 2016; Bronk and Tikk-Ringas 2013).
Some critical infrastructure sectors are near-
constant targets of probes and intrusions, whether
by isolated individuals, hacker collectives, criminal
organizations, or hostile nation-states (Johnson 2015;
Lewis 2018). The broad attack surface, a growing
Sean Atkins
Chappell Lawson
Massachusetts Institute of Technology
An Improvised Patchwork: Success and Failure in
Cybersecurity Policy for Critical Infrastructure
Chappell Lawson is an Associate
Professor of Political Science at the
Massachusetts Institute of Technology
(MIT). He previously served, among other
positions, as Executive Director of Policy at
U.S. Customs and Border Protection during
the Obama Administration and a Director
on the National Security Council staff during
the Clinton Administration.
Email: clawson@mit.edu
Sean Atkins is a Political Science Ph.D.
student at the Massachusetts Institute of
Technology and an active duty Air Force
officer. His research focuses on national
defense in cyberspace and cyber statecraft.
His military service includes national cyber
policy experience.
Email: atkinss@mit.edu
Public Administration Review,
Vol. 81, Iss. 5, pp. 847–861. © 2020 by
The American Society for Public Administration.
DOI: 10.1111/puar.13322.
To continue reading
Request your trial