Our national infrastructure is undergoing a major digital migration. Physical infrastructure assets are merging with the digital world via the Fourth Industrial Revolution (4IR) technologies. 4IR technologies have the potential to make our infrastructure more sustainable, efficient, and connected while enabling once-futuristic ideas such as “Smart Cities” and autonomous transportations. However, such technological developments pose a grave threat to our national security. When the physical world and the digital world are integrated, repercussions from a cyberattack can materialize in the real world. This means a hacker can take control of a nation’s critical infrastructure digitally and extend his or her control to the physical world. A cyberattack debilitating an entire nation by digitally attacking its critical infrastructure is not entirely hypothetical anymore. Despite the national interest in bolstering our cybersecurity, deficiencies in our national cybersecurity continue to grow. An expansion of public-private partnerships (P3s) can be an efficient way to narrow the gaps in our national cybersecurity despite concerns raised by cyber legal scholars.
The Fourth Industrial Revolution
The rapid convergence of the physical world and the digital world is driving the world economy into another major industrial revolution. The World Economic Forum has coined this significant shift the “Fourth Industrial Revolution.” 4IR technologies have the potential to create more connected, efficient, and sustainable infrastructure by allowing physical infrastructure assets to integrate with the digital world. With the emergence of technologies such as autonomous vehicles and the Internet of Things (IoT), the speed of the digitalization of such assets is likely to only increase. The European Union Agency for Cyber Security identified recent trends of deploying IoT in national infrastructure and described the transformed assets as “Smart Infrastructure.” Such assets have the capability to enable “Smart Cities,” “Smart Transportations,” and the like. In the not-too-distant future, many of the physical infrastructure assets are likely to have the capability to at the least interact with the digital world.
Scope of the Threat from Cyberattacks on National Infrastructure
The cybersecurity risk posed by 4IR technologies is just as immense as their benefits due to the possible materialization of repercussions in the physical world. A cyberattack can result in not only a theft of data, but also a complete overtake of network systems. If digitalized physical infrastructure assets are compromised, a hacker potentially could gain control of these assets digitally and extend his or her control to the real world. Imagine a hacker shutting down an entire nation’s power grid and telecommunications systems, or opening floodgates of all dams, or controlling autonomous transportation systems. A debilitation of an entire nation via a cyberattack is not entirely hypothetical anymore. As many nations’ infrastructure such as power plants and transportation systems migrate to the digital world, the magnitude of damage a hacker can potentially inflict on a nation becomes significantly more unpredictable and destructive.
In September 2012, Telvent, an information technology (IT) company that provides oil and gas pipeline and power grid operators, was digitally attacked by Chinese hackers. Although they fortunately could not gain access to valves, switches, and security systems, they successfully stole project files. Disturbingly, this is only one example out of numerous attempted and successful cyberattacks on our national infrastructure. Shortly after this attack, former Secretary of Defense Leon Panetta warned that the United States is vulnerable to a “Cyber Pearl Harbor.”
Public-Private Partnerships (P3s)
P3s have been a “key tool of public policy across the world” since the early 1990s, and the number of P3s in many industries have been steadily increasing globally. Not a single definition of a P3 has been internationally accepted as P3s have been constantly evolving and exist on a spectrum of varying private sector involvement. The PPP Knowledge Lab, jointly developed by the World Bank and other global financial institutions, gives “P3” a broad definition to encompass most common forms of P3s: “a long-term contract between a private party and a government entity for providing a public asset or service, in which the private party bears significant risk and management responsibility and remuneration is linked to performance.”
Arguments for Expanding Public-Private Partnerships in Cybersecurity
The expansion of P3s in cybersecurity is necessary to enhance protection over our national infrastructure from cyberthreats. P3s have been used to solve a range of cybersecurity problems for more than two decades. However, a greater level of effective, coordinated partnerships between the public and the private sector is required to keep pace with growing cyberthreats.
a. An estimated 85% of our nation’s critical infrastructure is owned and operated by the private sector.
The private sector’s involvement in national cybersecurity is unavoidable as an estimated of 85% of our nation’s critical infrastructure is owned and operated by the private sector. Further, a large percentage of these private firms are government contractors. Since contractors may offer a digital backdoor to the government network systems, contractors face a heightened risk from cyberattacks. The public sector cannot be expected to efficiently resolve cybersecurity issues over assets that it does not own or operate.
b. The private sector already has been deeply embedded in various aspects of national cybersecurity.
Private firms already participate in various functions to provide cyber protection over national infrastructure. The current division of labor between the government and the private sector is likely to remain acceptable as a P3. Corporations have been producing most of the software and hardware that the government uses, and corporations have been executing cybersecurity functions under contract with the government. The private sector’s long-standing history of performance and innovation in the cybersecurity functions supports the conclusion that the private sector should continue to be involved in national cybersecurity. For example, Microsoft pioneered legal tactics to take down cybercriminal operations, which required a public-private collaboration. No compelling reasons exist to suddenly reduce or eliminate the participation from the private sector.
c. P3s can significantly reduce the cost of cybersecurity for both the public and the private sector.
The private sector already has pre-existing measures in place to combat cyberattacks. On average, private companies spend 28% of their IT budget on security technologies. Expensive, sophisticated cybersecurity technologies from the private sector and the public sector generally coexist where both private and public computer networks reside. Implementing a governmental cybersecurity system in addition to what is already available is redundant and wasteful. Instead, an integration of systems for both private and public sector networks can provide a significant reduction in costs for both parties.
d. A strong synergy exists between the public and the private sector.
Coordinated partnerships between the government and private entities can provide the additional resources necessary to employ effective cybersecurity measures. As cybersecurity is a complex field, implementation of capable cybersecurity may be beyond the capability of each party on its own. The federal government does not possess the means to protect itself as demonstrated by recent successful attacks. At the state level, most states face resource challenges. In most states, the only source of cybersecurity funding is derived from the state’s IT budget, which has not kept up with the evolving needs. Private entities have the responsiveness, the subject matter expertise, and the talent in the work force that the public sector requires and could not match. In exchange, the public sector can offer its access to a vast number of resources and various forms of power. The government has the capability to understand gaps on a national level, invest in valuable research and development, and deploy intelligence agencies. Most importantly, the government has legislative powers such as standardizing a national partnership model, offering subsidies and tax reliefs, and allocating public funds.
Concerns with the Use of P3s in Cybersecurity
Many cyber law scholars like Kristen Eichensehr believe the private sector should not be involved in cybersecurity. Professor Eichensehr’s Texas Law Review article argues that “[cybersecurity] functions exist solely in the realm of government and within the expectations of the state.” Main arguments advanced by the opponents of using P3s in cybersecurity are outlined below.
a. A well-functioning government should be capable of defending computer networks at the national level.
Ideally, our government should be able to implement appropriate cybersecurity measures on its own to protect its national infrastructure. Realistically, a complete reliance on the government agencies to defend our national digital borders is not a sound public policy. The attack surface is too broad, and the magnitude of potential damage continues to increase for the public sector to deal with on its own. First, our government has not been able to effectively defend itself digitally nor organize a robust cybersecurity structure. General Paul Nakasone, commander of the United States Cyber Command, stated “thus far, our responses against adversaries who have penetrated our networks…have not worked.” Second, approximately 85% of the national critical infrastructure is owned by private entities. Even with strict regulations, defending such infrastructure assets may be beyond the control of the public sector. Third, every administration has heavily relied on the private sector for cybersecurity. Reversing this trend would not only produce a transition period that would pose an unimaginable amount of risk on national infrastructure, but also be extremely costly. Finally, not utilizing pre-existing measures, the labor force, and technologies in the private sector would be a huge waste of resources.
b. Involving the private sector in a quasi-governmental role compromises public law values with corporate profit motives.
Professor Eichensehr raises a concern with privatization of cybersecurity violating public law values like transparency, fairness, and privacy. Preservations of public law values should be a priority, and the continuous monitoring of protections and supporting the checks and balances between the public and the private sector can help ensure a successful execution of P3s that protect public law values. First, the public sector can put in place regulations and oversight committees to support transparency and competition. Second, awarding, administering, and terminating contracts should exclusively be under the public sector’s responsibilities to ensure a fair participation from the private sector. When two private companies, Boeing and SAIC, were involved in selecting contractors in the Army’s Future Combat Systems project, no return on investment of $18 billion taxpayer dollars was shown. A profit motive should never be factored into governmental decision-making power. Finally, although Professor Eichensehr observes that “individuals…are typically more concerned about the government accessing their private information than about corporations accessing it,” preventing the undue private-sector access to sensitive private individual information should still be an important factor. In Netherlands, its government and companies engaging in a P3 designed a network system that prevented direct access to any sensitive information without appropriate permission levels and manual intervention. A similar model should be standardized in the United States.
c. The Use of P3s is likely to deter the private sector from reporting cyberattacks.
The use of P3s can deter contractors that own and operate critical infrastructure from reporting cyber incidents, which is highly likely to increase risk to national cybersecurity. If a contractor reports a cyberbreach incident, the government is likely to view that contractor “as a less secure partner.” Therefore, contractors may fear losing future contracts, terminations for default, or facing legal consequences as a result of being transparent about their cyber-incidents. Such a deterrence would cause a P3 model to fail because it cannot be secure. To address this concern, the government can mandate a standardized reporting structure and restrict the use of reported information to only cybersecurity-related purposes that exclude purchasing decisions.
For better or for worse, 4IR technologies are rapidly changing the world that we live in. As our national infrastructure is converging with the digital world, the scope and the magnitude of cyberthreats are rapidly increasing. Recent cyber incidents demonstrate the deficiencies in national cybersecurity, and the gap continues to grow. Strong justifications for the use of P3s exist in the cybersecurity space: an estimated 85% of national infrastructure is owned and operated by the private sector; the private sector already has been deeply embedded in various aspects of national cybersecurity; P3s can significantly bring down the cost of cybersecurity for both the public and the private sector; and a strong synergy exists between the public and the private sector. By learning from successes and failures of P3s around the world, a standard P3 model should be developed that can mitigate the concerns from cyber legal scholars.
* Robert Kim is an Associate Editor on the Michigan Technology Law Review.