By Kristen Verderame, Advisor, Global Government Affairs, Booz Allen Hamilton, and CEO of Pondera International LLC
Critical infrastructure entities and government need to recognise their shared objectives and work together on cyber rules.
The current debate in Congress regarding cyber-security legislation boils down to whether critical infrastructure entities should be ‘regulated’ to ensure that their cyber-security practices are sufficient to protect this country against significant harm. There are differences in how various versions of bills define ‘regulation’ — ranging from mandatory requirements developed and enforced by DHS, to industry-developed ‘guidelines’ against which entities will self-certify. Regardless of how it is defined, it is clear to me that some sort of ‘regulation’ must be put in place.
‘Critical infrastructure’ is called ‘critical’ for a reason. These entities are responsible for ensuring that our citizens have clean and safe drinking water; electricity to power heat and air conditioning, appliances, electronics, lighting, and manufacturing; and communications infrastructure to provide internet connectivity on which businesses run, transactions are conducted, and the financial system is maintained. Over 90 per cent of the critical infrastructure in the US is privately owned. Therefore, without some sort of regulation, the government does not have control over the activities of these entities, and cannot ensure that appropriate measures are being taken to protect these critical functions.
When I was head of government relations for BT in the US, our frequent mantra to government was ‘no regulation’ in pretty much every context: we were already doing what we needed to do, we did not need help from the government or anyone else, and unless there was a market failure, ‘leave us alone’ and let us get on with it. I am very familiar with the knee-jerk reaction of industry against any form of regulation, as I was one of those singing in the choir and preaching from the pulpit on this very theme for years.
However, there was one context where I convinced the company to take a different view — and that was CFIUS. The Committee on Foreign Investment in the US (CFIUS) is a committee of government agencies that reviews acquisitions of domestic assets by foreign companies to ensure that post-transaction the government will not be prevented from fulfilling its law enforcement and national security mandates. The level of pain involved in participating in this process has been described as akin to root canal. After clearing numerous transactions through this process, I can attest that it can be painful. It does not have to be though, if the company realises that it is on the same side as the government with its overall objectives.
As a communications provider and owner of a significant portion of the world’s internet backbone, it was in BT’s interest to have a secure, reliable and resilient network. If we didn’t, simply put, we would not have any customers — certainly not the Fortune 100 multinational companies that were relying on us at that time. In addition, BT had (and still has) a significant portfolio of network security services that it offered to customers. So having an infrastructure that was as secure, reliable and resilient as possible was critical to its survival as a company, and it needed to ‘walk the walk’ for its own infrastructure if it was going to credibly sell network security to other companies.
When I put myself in the shoes of the government in the CFIUS process, what they wanted was essentially the same thing — they wanted to ensure that the portion of the network in the US was as secure and resilient as possible so as to prevent harmful actors from being able to ‘take it down’ or use it for nefarious purposes. Once I convinced my management that we were on the same team as the government, the discussion turned to how to achieve the shared objective, balancing our tight fiscal concerns with the government’s specific requests. I found the CFIUS folks to be fantastic to work with on that score — they absolutely understood the pressures we were under from a commercial and public-company standpoint, and they worked with us to figure out how to satisfy their concerns within that framework.
We (BT) may have ended up doing a few things differently than we would have without undergoing the CFIUS reviews, but because both parties were working toward the same objective with each other’s concerns in mind, any additional measures ended up working to our commercial advantage in the marketplace.
My hope is that the critical infrastructure players can take this same approach — at the end of the day, it would be as much of a disaster to the electricity providers if the grid were to go down as it would to our citizens and businesses; the owners of the water plants would be stuck with tainted water for their own families if the water supply were tampered with by hackers in their systems; and the internet backbone providers would face not only steep SLA penalties from customers for an outage but also a halt to their own business operations. All of these would cost the critical infrastructure entities massive sums of money.
We are all on the same side in this issue — let’s figure out how to achieve the shared objective, and drop the ‘no regulation’ mantra, at least in the context of cyber security.