Homeland Security’s Legal Battlegrounds

It's just a matter of time before the federal government issues rules and laws mandating security standards for critical infrastructure, most of which is privately owned.

From power plants and water reservoirs to telecommunications systems and financial markets, critical infrastructure is the backbone of American life. As such, it is a terrorist target. The premise is simple: If they attacked infrastructure with the ferocity and planning of a Sept. 11 plot, terrorists could reap physical and human losses that could cascade throughout the American economy. The case of Iyman Faris, a naturalized American citizen, demonstrates the terrorist desire to do just that. While Faris recently withdrew his initial guilty plea, few doubt that Faris provided material support to terrorists, helping al Qaeda members case critical infrastructure targets that included railroads and the Brooklyn Bridge.

Government officials and security experts agree that protecting critical infrastructure is a fundamental strategy in a defense against terrorism. The issue even has strong bipartisan support. Sen. Joseph Lieberman, D-Conn., has called critical infrastructure "our nation's vital organs." Sen. Robert Bennett, R-Utah, has ominously said "the future battlefield is in private, not public hands."

While the Homeland Security Department's Information Analysis and Infrastructure Protection Directorate is responsible for securing critical infrastructure at the federal level, Washington cannot do it alone. In a nation of more than 66,000 chemical plants, 104 commercial nuclear power plants, 80,000 dams and 590,000 highway bridges, the private sector has a role to play. So far, the private sector's critical infrastructure security improvements have been largely voluntary. But with up to 90 percent of all critical infrastructure owned and operated by industry, many experts believe administrative rules and federal laws mandating minimum security standards for critical infrastructure are a matter of when, not if.

CRITICAL COMPANIES

With hundreds of thousands of companies now classified as critical infrastructure themselves, the cost, administration and management of industrial security is bound to fundamentally change. Industrial security will likely become a matter of compliance with standards reflecting national anti-terror goals. Consider it the national security version of the Occupational Safety and Health Administration meeting Osama bin Laden.

Far-fetched? Not really. The 1999 Gramm-Leach-Bliley Act imposes security requirements for the protection of consumer information within the financial industry. The 1996 Health Insurance Portability and Accountability Act does the same for health care. The actions of lobbying organizations representing critical infrastructure businesses suggest that industry recognizes the possibility of new security responsibilities.

Rather than waiting for government mandates, some business sectors have taken proactive steps. In response to a March 2003 General Accounting Office report (GAO-03-439) that found chemical plants to be attractive terrorist targets, the American Chemistry Council urged Congress to pass laws to improve security. The council's approach would make sure chemical facilities conduct security weakness assessments, while handing over security oversight and enforcement authority to the Homeland Security Department.

The "National Strategy to Secure Cyberspace" and the "National Strategy for the Physical Protection of Critical Infrastructures and Key Assets," released by the Bush administration in early 2003, provide further support. Neither strategy has the force of law nor directly advocates security legislation, but both documents imply that critical infrastructure owners and operators may owe a "security duty of care" to customers, shareholders and the nation at large. Failure to provide reasonable security measures against terrorism may breach that duty and might even result in damages under tort law.

NEW WORLD, NEW RULES

Indeed, as narrow regulations broaden to become de facto standards for other vulnerable critical infrastructures, general guidance, such as that already issued by the administration, will be institutionalized with more nuts-and-bolts regulations. The Cabinet departments charged with protecting the nation's critical infrastructure (Homeland Security, Justice, Defense, Treasury, Health and Human Services, Commerce and Transportation, to say nothing of the independent agencies) will convert broad executive orders into federal regulations. Where this requires too great a leap, congressional committees will further the scope of federal oversight with narrowly tailored legislation. The Patriot Act, passed in October 2001, provides a lesson in how quickly newly perceived threats can be addressed. It also highlights Congress' limitations in terms of oversight by the courts and interest groups.

States, too, are stepping in with new laws; California is in the lead. A sweeping California Senate bill, SB 1386, went into effect July 1, 2003. It requires companies to inform customers when their personal information is "reasonably believed" to have been compromised, typically at the hands of computer hackers. Companies that fail to disclose security breaches can be sued by affected consumers. While many voters would agree that this approach provides a strong incentive for companies to clean up their information-handling practices, it also presents problems. First, the standard of "reasonably believed" is vague and provides too much flexibility for a company looking for every bit of legal gray area in which to hide its misfeasance. Second, if notification would impede a criminal investigation, disclosure may be delayed. This protects the integrity of the investigation, but it also provides a safe harbor for companies hoping to bury bad news. In the past, investigations have stretched to months and even years, and this law provides an incentive to stretch them further still.

The California statute applies far beyond the info-realm, and provides a model approach for empowering citizens and consumers to demand more protection from companies that control and manage critical infrastructure. It also provides a cautionary lesson in the law of unintended consequences and the need to carefully tailor regulations to the complexities of each infrastructure. For example, several years ago the Environmental Protection Agency, in the interest of transparent government, considered posting data related to America's chemical facilities on the Internet. But it turned out such a Web site would have provided one-stop shopping for a chemical terrorist, so the initiative was quietly shelved.

PRESSURE TO PROTECT

Along with legislation, the insurance industry is providing new incentives for the builders and operators of the nation's infrastructure. The 2002 Terrorism Risk Insurance Act is one example. Indeed, owners of some New York City skyscrapers have found their credit ratings downgraded because they fail to carry insurance against the threat of another large-scale terrorist attack. The insurers of critical infrastructure, such as nuclear power plants, water treatment facilities and telecommunications services, may soon be making similar demands on those they underwrite. This pressure will provide another incentive for companies to implement reasonable defenses such as cyber-insurance, business continuity plans and risk management best practices.

Another force that will compel private industry to protect the nation's critical infrastructure is profit. Companies already have an incentive to protect the integrity, confidentiality and availability of customer information. Consumers are more and more aware of the vulnerability of private information transmitted over the Internet and held in corporate servers. And they will discriminate between vendors that provide reasonable protections and those that don't. Horror stories, such as the hacker who gained access to 8 million credit card accounts in February 2003, heighten awareness and shape market demand for cost-effective protection.

An emerging duty to protect, the inevitable product of court decisions in the next few years, will give judges and juries a guide for punishing corporate officers and board members who fail to meet the standards. Most attacks against critical infrastructure are likely to have a cyber component, since infrastructure is increasingly controlled by hyper-efficient computer systems. The fact that most successful cyber crimes are committed "inside the firewall" by trusted insiders with internal access should send a clear message to corporate officers and boards of directors. The challenge will not be just to monitor complex systems and the people at the controls, but to balance these efforts against critical industrial operations. For example, a power grid perfectly protected from external, or even internal intrusion, might be too cumbersome to adapt to rapidly fluctuating energy requirements across the grid. The same might be said of the control systems for all of the nation's critical infrastructure.

We have seen the awful consequences when the targets of terrorism are insufficiently protected, and we can imagine far worse happening to the critical infrastructure upon which the nation depends. It is up to those who own and operate infrastructure to provide adequate protection, and, as some now argue, it is up to the government to quickly but surgically address those cases in which they fail to do so.


Steven E. Roberts, a homeland security consultant, was an intern with Treasury's Financial Crimes Enforcement Network and the Homeland Security Department's Critical Infrastructure Assurance Office. Thomas C. Wingfield, a national security attorney, is director of Tyranny, Democracy and Regime Change at the Potomac Institute for Policy Studies.
