Securing North American critical infrastructure: a comparative case study in cybersecurity regulation.

• Author: Shackelford, Scott J.

ABSTRACT: The United States and Canada are interdependent along a number of dimensions, such as their mutual reliance on shared critical infrastructure. As a result, regulatory efforts aimed at securing critical infrastructure in one nation impact the other, including in the cybersecurity context. This article explores one such innovation in the form of the 2014 National Institute for Standards and Technology ("NIST") Cybersecurity Framework. It reviews the evolution of the NIST Framework, comparing and contrasting it with ongoing Canadian efforts to secure vulnerable critical infrastructure against cyber threats. Its purpose is to discover North American governance trends that could impact wider debates about the appropriate role of the public and private sectors in enhancing cybersecurity.

TABLE OF CONTENTS I. Introduction II. Unpacking the Cyber Threat Affecting North American Critical Infrastructure III. U.S. Approaches to Securing Critical Infrastructure: Enter the NIST Framework IV. An Introduction to Canadian Critical Infrastructure Cybersecurity Law and Policy V. Conclusion I. INTRODUCTION

Neither the United States nor Canada is a stranger to cyber attacks. These have increasingly targeted both the private and public sectors to steal valuable intellectual property, such as state and trade secrets. In one instance, the Canadian government reported a major cyber attack in 2011 that forced the Finance Department and Treasury Board, Canada's main economic agencies, to disconnect from the Internet. (1) Hundreds of systems within the United States Department of Commerce have similarly been forced offline due to cyber attacks in recent years." In total, more than 40 million global cyber attacks were reported in 2014, representing a nearly 50% increase over 2013. (3)

In response to this wave of cyber attacks, the U.S. and Canadian governments have created a number of national and bilateral initiatives to enhance North American cyber security. This includes the 2012 Cybersecurity Action Plan Between Public Safety Canada and the Department of Homeland Security. (4) Such collaborative actions reflect the fact that the United States and Canada are interdependent along a number of dimensions, including the two nations' mutual reliance on shared critical infrastructure ("CI"). For example, in 2012, electricity exports from Canada to the United States totaled nearly 60 million megawatt-hours, or roughly 1% to 2% of total U.S. consumption. Certain regions, such as the U.S. Northeast and Midwest are particularly dependent upon Canadian power supplies. (5) As a result of this interdependence, regulatory efforts aimed at security CI in one nation impact the other, even in the cybersecurity context.

This article explores one such innovation, the 2014 National Institute for Standards and Technology Cybersecurity Framework ("NIST Framework"). (6) It briefly reviews the evolution of the NIST Framework, comparing and contrasting it with ongoing Canadian efforts to secure vulnerable CI against cyber threats. Its purpose is to discover North American governance trends that may impact wider debates about the appropriate role of the public and private sectors in enhancing CI for cyber security.

The article proceeds as follows. Part I unpacks the multifaceted cyber threat facing North American CI operators. Part II then delves into regulatory efforts aimed at enhancing U.S. CI cyber security, focusing on the NIST Framework. Part III investigates Canadian CI regulation, with a special emphasis on the government's reception to the NIST Framework. We conclude by couching this investigation within the wider debate surrounding international CI protection, including the emergence of cybersecurity norms in this space.

2. UNPACKING THE CYBER THREAT AFFECTING NORTH AMERICAN CRITICAL INFRASTRUCTURE

   It is notoriously difficult to find verifiable data on the number, type, and severity of cyber attacks afflicting various nations and regions around the world. (7) Without clear definitions, shared and meaningful values, or reliable data, information about cyber attacks that impact North American CI remains limited and unsophisticated. That said, more than one-third of Canadian firms have reported being victims of cyber attacks. (8) In a 2015 survey done by Kaspersky Labs, Canada was named the tenth most-attacked nation in the world. (9) The Kaspersky survey also notes that the United States is third most-attacked nation as of March 2015. (10) Also, from 2000 to 2008, U.S. cybersecurity surveys found that the proportion of organizations reporting cyber attacks ranged from forty-three percent to seventy percent. (11)

   In 2010, seventy-five percent of surveyed IT executives in twenty-seven countries stated that they had detected one or more attacks and forty-one percent characterized such attacks as "somewhat or highly effective." (12) Verizon's 2012 Data Breach Investigations Report found that "174 million records were compromised in 2011, the second-highest total since the company began tracking breaches in 2004." (13) Even that figure was surpassed in 2013. (14)

   Yet, despite this multifaceted and growing threat, the Canadian government audits noted an absence of action plans, the slow pace of private-sector CI partnership building, and the lack of timeliness and completion of monitoring programs that protect CI from cyber threats. (15) What is more, a 2012 report from the Auditor General of Canada noted that the Canadian government appropriated only 780 million dollars in funding to improve security for Canada's critical infrastructure and less than this total was directed toward enhancing cybersecurity. (16)

   Other data points support the need for reform. As noted by the Canadian Security Intelligence Service:

   The speed of evolving new cyber threats, the lack of geographic boundaries and the problem of determining attribution impede efforts to counter attacks on information systems. Obstacles include not only domestic jurisdictional barriers to effective regulation, legislation and information-sharing but also the fragmented ownership and regulatory control of ICT infrastructure, which represents a major challenge at the global level ... Accordingly, it would seem appropriate that the costs of protecting critical infrastructure against certain threats...