Dr Edward Oughton looks at protecting critical national infrastructure from cyber attacks.
Infrastructure expert Dr Edward Oughton of Cambridge Judge Business School was selected for a US State Department programme focusing on cyber security of critical national infrastructure. He was surprised to find that federal-state tensions reach such a sensitive area as cyber security.
I was born in Leeds, and people in Yorkshire are apt to complain about how “they” do things differently in London and particularly in Westminster, the seat of the national government. And there are real regional-national differences here in the UK, some healthy, but some not so healthy.
However, I wasn’t quite prepared for the stark federal-state differences I found on a two-week trip late last year to the United States as a delegate on the International Visitor Leadership Program, a US State Department-sponsored initiative, which focused on one of my specialty fields, cyber security of critical national infrastructure. I was joined in Washington DC, Austin and Dallas in Texas, and Pittsburgh by about a dozen others from the UK, including representatives of the civil service, National Cyber Security Centre, the Royal Institute of International Affairs (Chatham House), oil giant BP and telecoms company BT.
While the UK may have strong regional diversity, it is relatively compact when compared to other nations, so while Yorkshire may be distinct in culture, history and geography, the county of my birth doesn’t go its own way when it comes to issues like computer hacking, malware and protection of personal data. Despite the image of the stubborn Yorkshireman, most people there seem to accept that policies on such a serious issue belong at the national level.
So, what really struck me when we arrived in Texas, our next stop after a few days in Washington DC (where we met with the Department for Homeland Security, National Security Council, Department of Energy and other agencies) was just how much power resides at the state level rather than the federal level – and therefore how difficult it can be to govern such a huge country as the US. While Texas may have a particularly independent streak (and not be wholly representative of all states), we found that “states’ rights” there often manifest in disapproval or distrust towards the federal government and this even stretched to cyber security issues.
One example we saw was in energy. We were briefed by a big electric utility on their industrial control systems in order to understand their defence capabilities and how they manage malicious threats to their activities. We were surprised to find that one of their biggest fears is not hackers stealing key data from the utility company itself – but rather government regulators taking their data for regulatory purposes, and then these regulatory bodies being hacked by malicious actors. I rather jokingly asked an official of a regional electric grid why they do not interconnect with any others in the US, wondering if this was because Texas – which declared independence from Mexico in 1836, and was the sovereign Republic of Texas before becoming a US state in 1845 – was still vying for independence. His response was that as it didn’t cross state lines, the Texas grid did not trigger federal regulation and scrutiny, including environmental laws. So, while this is not quite as dramatic as a new War of Texas Independence, you kind of get the idea of the dynamic between the state and federal level.
Perhaps the most surprising moment was when a Republican Texas state representative discussed with us recent Texas legislation that allows certain companies and agencies undergoing cyber-attack to be allowed to “hack back” against malicious actors in order to protect the rights and property of utilities, especially for communications and electricity companies. Officials in Washington raised concern about this issue generally (not about Texas in particular), expressing alarm that such hacking back could cause small-scale local incidents to be escalated into international crises – in part because of the sheer difficulty in accurately identifying the true source of a sophisticated cyber attack.
Yet officials we met in Washington told us several times about their limited powers to force states to do certain things due to constitutional restrictions, including on cyber security – so the federal approach has mostly focused on encouraging “information sharing” between companies in order to more efficiently combat cyber threats.
While the US is advanced in many ways, after the two-week programme I’m not convinced that the federal system provides best practice for the huge and growing problem of cyber security of critical national infrastructure. The sheer size and complexity of the United States, coupled with state-federal fragmentation, constrains the development of a coherent policy to effectively combat persistent cyber threats to the key infrastructure services we rely on daily – from energy to telecoms to health.
I know that “independence” issues have flared up in the UK in the past few years, including in the referendums on Scotland and Brexit, while assemblies in Scotland, Wales and Northern Ireland have won devolved powers on issues like health, education and housing. Yet when dealing with a highly technical issue such as cyber security, the UK’s relatively centralised approach via the National Cyber Security Centre may be better equipped to deal with such a complex issue as it pools the best expertise into a single organisation.
Edward Oughton is a Research Associate in Technology Modeling at the Centre for Risk Studies at Cambridge Judge Business School, University of Cambridge. He holds an MPhil and PhD from the University of Cambridge. His published research includes papers on the economics of upcoming 5G telecoms infrastructure, the impact of severe space weather on electricity infrastructure, and a strategic look at national infrastructure in the UK.