Cohesion & Accuracy

If ever forced to read Thomas Paine’s bestselling Common Sense pamphlet during American History class, his posit that “It is not in numbers, but in unity, that our great strength lies” resides within the reader’s brain. Certainly not an argument against checks and balances, but rather a precedent that united within itself, the democratic republic is a much more worthy adversary than splintered sects.

For the last four years, the U.S. Government struggled with how to define, contain, and address the variety of cybersecurity vulnerabilities plaguing the United States. Smartly recognizing cybersecurity as an amorphous crisis, the U.S. Government rapidly (4 years is rapid for large government) built the Cybersecurity and Infrastructure Agency (CISA) in 2018, issued Executive Orders, enacted/proposed legislation, and recently created a National Cyber Director Office within the White House.

While each office certainly brings valuable utility, these efforts struggle with cohesion and thoroughness. One example is the concern regarding data exports to known U.S. adversaries. In June 2022, Congress received two bills suggesting two different end-states on a rather simple matter: may companies holding large amounts of sensitive or personal identifying information of American citizens export (sell) that data to foreign adversaries.

Sen. Marco Rubio and Sen. Ron Wyden’s S. 4495 seeks to amend the Export Reform Control Act of 2018 to prevent personal and sensitive data belonging to Americans from being sold to adversaries of the United States, including China. Contemporaneously, Rep. Frank Pallone’s “American Data Privacy and Protection Act” (ADPPA) only requires any large data holders to disclose whether or not it sends data to China, Russia, Iran, or North Korea. If both S.4495 and the ADPPA pass, there is an immediate conflict on a topic that the Department of Commerce can already (arguably) administratively regulate.

Another example is found in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Signed into law on March 15, 2022, the CIRCIA requires critical infrastructure entities, referred to as “covered entities,” to report significant cyber incidents to CISA within 72 hours of realization. Putting aside any Orwellian due process concerns for privately-owned critical infrastructure entities, the bill fails to analyze the following: Who/what is considered critical infrastructure?

CIRCIA defined “critical infrastructure” by referencing the 2013 Presidential Policy Directive -21 (PPD-21), which defined critical infrastructure through a 2001 law, 42 U.S.C. 5195c(e), as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, ...”

Seemingly flexible at first glance, this definition fails to consider scales of impact. An element of critical infrastructure on a state or local level, which can jeopardize the health and safety of hundreds of thousands of people (or more), struggles to satisfy 42 U.S.C. 5195c(e) without a “national” impact.

Example: What if the 911 call centers within a major metropolitan area lost operational capacity due to a cyber-attack (VOIP phone systems and data servers crashed) during a massive mudslide, hurricane, or wildfire? Without a national presence, is the 911 call center critical infrastructure? Theoretically, the 911 call center is part of the emergency services sector recognized by CISA but only operates within a single state. Does it make a difference if that 911 call center is responsible for Harris County (Houston), Texas, which has a population of approximately 4.7 million people?

While the dueling legislative items concerning data export represent inconsistences, the 21-year analysis gap regarding critical infrastructure demonstrates a lack of thoroughness. The impact of this “mile wide, inch deep” approach will eventually reveal itself and, hopefully, without proving another annoying cliché: “the devil is in the details.”