Friday, March 23, 2012

CUSLI 2012 Conference: Afternoon Panel 2 -- Cyber Security and Infrastructure

by Keith Edmund White


This panel discussed Canada and the United States’ plans to reform cybersecurity and critical infrastructure and some of the secondary impacts those plans will have on privacy rights and trade. Critical discussion revolved around (1) what role the government should play in these areas (and whether it can keep up with breakneck changes in cybersecurity) and (2) the risk that even if like-minded countries come together on critical infrastructure and cyber-security, this will just push the leading industries to put their servers in non-member countries. In any case, one thing is clear: while both nations saw the 2003 power grid failure first hand, little, if anything, has happened when it comes to Canada and the United States adopting a joint risk assessment approach and response plan.

Chaired by Eric Miller, Canadian Embassy
Paul Rosenzweig, Private Practitioner focusing on Cyber Security Law
Michael McDaniel, Professor of Law at Cooley
William de Laat, de Laat Global

Paul Rosenzweig: What Cyber-Security Law Applies When Servers Are All Over the World? Short Answer: No One Knows.

Paul Rosenzweig opened his remarks by pointing out that viruses can do physical damage: just look at the Stuxnet virus that set the Iranian program back. So, this means America has to make sure other Stuxnets don’t disable our transportation, agricultural, and manufacturing grids, which are run on a cyber-infrastructure on both sides of the border. And what does this mean? No matter what America does, Rosenzweig continued, Canada has to work in tandem.

What’s next? We need to get the basic level of risk. But in discussing this, we need to have a joint services approach to cyber security. But are we moving forward the right way? Rosenzweig pointed out that two bills moving through Congress now are written “with a complete U.S.-centric viewpoint because no one has looked at and said” that someone facing a vulnerability in a Niagara power facility will want to know what’s happening on the other side. If we don’t do this, the U.S. efforts will be “substantially diminished.”

And the Canadian side? Just like with daylight saving time, Canada has raised its hand and said “hey, what about us?” And this is particularly important since it involves important civil liberties, and Canada shouldn’t just avoid this discussion by following wherever America may lead it regarding cyber security.

But Rosenzweig is “deeply skeptical” of the government leading the way on cyber-security. Consider having the National Energy Regulatory Commission set standards for energy grids. The average time for the production of rules like those is about 24 months, Rosenzweig said. But in that time, Rosenzweig noted, the mutation in threats is vast, and processing power doubles every 18 months. So, Rosenzweig concluded, government can’t keep up with this in terms of specific rules. But government can create a web to enable private industry to address these concerns in the private sector.

That the U.S. and Canadian governments cannot respond to these cyber security threats comes at our own peril. In short, government “can’t be the be all and end all.” We need “as close to a joint operating model as we can come given the limits of legal and policy models.” One such example is that the NSA has a wide swath of cyber security information that only select individuals are aware of, but it is “essential” that it is shared with CSIS and the Five Eyes Organization, and that those groups in turn share as much of it as possible with U.S. and Canadian private actors who may be subject to the attack, Paul Rosenzweig stated. Also, with Lockheed Martin plants in both Canada and the United States, there’s no reason to make it harder for one of them to get information.

Countering McDaniel’s push for greater government involvement, Rosenzweig said that while there are areas where the government must take the lead, this can’t be the model. In one study, the NSA identified only 5% of the risk that private industry did regarding cyber-security. Also, 82% of government alerts on cyber-security come after the private sector alerts occurred. So the government needs to play a role and bring players together, but “the structure is moving too fast” when it comes to cyber-security. Thus, what is right for a Ford factory will not be a cure-all for cyber security.

“This is a problem of diplomacy, not technology,” Rosenzweig stated. Like-minded countries have to come together and set standards and then grade ourselves. And once we do that, those countries can then call out other countries, whether it’s China or Russia, for failing to meet these standards, which reflect liberal, Western anti-criminality norms regarding cyber-security and critical infrastructure.

And when it comes to choice of law disputes over cyber-security standards: no one knows the answer yet. And what about privacy standards? When it comes to Canada’s efforts for privacy in cyberspace, the efforts are based on outdated 1970s notions of privacy. The answer? We need a new conception of privacy.

Michael McDaniel:  We need to have a joint approach to responding to threats to critical infrastructure, and we get there by building on regional agreements.

While an optimist, McDaniel cast a critical eye on the one recommendation relating to critical infrastructure that says cyber security will be brought together and worked through RRAP (Regional Resilience Assessment Program). But, he cautioned, RRAP is just a pilot program that may or may not actually happen.

“The plan doesn’t even talk about planning for a response at all.”

When recommending what to do over the next year, McDaniel stated that we need something like the Emergency Management Assessment Compact (EMAC), which involved Ontario and the Great Lakes States. Second, we have to have that down at the county level as well for dealing with the effects of damage to America’s critical infrastructure. Third, we need to “define our taxonomy” when it comes to how we assess risk to our critical infrastructure. And this requires information sharing among governments, businesses of different sizes, and within agencies that connect the regulators to the operators to the first-responders.

Is it underwhelming because of lack of interest, or is it just “too big to get our arms around at this point”? But there are other agreements that show that we can move forward on this topic.

When you look at Michigan, with the just-in-time automobile system, businesses and states are ready to take on the problem themselves.

McDaniel pointed out that USNORTHCOM should have authority over the countries’ responses to cybersecurity and critical infrastructure challenges. But we don’t have agreement on that. And the chief hold-out, McDaniel argued, is at the state level. He stressed that this shows the value of taking an EMAC approach to coordinating Canada and America’s critical infrastructure.

William de Laat: “...the specifics aren’t there.”

De Laat focused on the link between physical infrastructure, trade, and cyber security in the Action Plan. He emphasized that the BTB Action Plan’s comprehensive view of these matters is critical, whether it’s power, stock trading, or transportation. But what the plan doesn’t do, and this is not different from past efforts, is “to link cyber security and critical infrastructure.” Both Canada and America divide critical infrastructure and cyber-security, and while de Laat admitted these groups say they talk to each other all the time, we need formal ties to protect critical infrastructure. But “I’m underwhelmed” by the results we have so far… “the specifics aren’t there.” We need a comprehensive plan that “combines the really good, high value information sharing that really…allows us to come up with a clear protocol…and joint operational capacity that says in a crisis or non-crisis this is how we [Canada and the United States] will work together.”

And why is this important? Because, de Laat pointed out, one prominent Canadian expert has stated that “the interconnection of CI [critical infrastructure] systems is developing an overlay of what might be called the meta-CI system…” If we don’t protect this emerging meta-system, it appears from this author’s quick read on the topic that America and Canada are leaving themselves open to natural disasters or computer attacks wreaking havoc on their economic and trading relationship.

A number of regional groups are “working really effectively.” But these are treaty level agreements if taken on the bilateral level, and getting these through the national level is much more difficult.

De Laat sees the path forward on critical infrastructure as working with a few countries that share the same values. But this brings up a difference between Canada and the United States: Canada tends to push more for multinational engagement.

Addressing whether industry can take care of itself, he pointed out that industries may not take a strategic view. “Governments will not save the day, but if governments do not make this a priority we will have problems on our hands…they have to work with the private sector.” Unfortunately, “we’re all sitting on our hands right now.”
