1. Please assume you have been appointed by the President of the United States and the Prime Minister of Canada to advise them on the laws needed in order to protect the jointly-held areas of infrastructure (IT and other) between the two countries.
You may use the Case Study provided or any other resources of your choice.
2. The minimum word count shall be not less than 500 words.
Note- Student provides an accurate report to the President of the United States and the Prime Minister of Canada on internet and infrastructure legal needs. Please substantiate your findings with references.
Shackelford & Bohm – Securing North American Critical Infrastructure
Securing North American Critical
Infrastructure:
A Comparative Case Study in
Cybersecurity Regulation
Scott J. Shackelford, J.D., Ph.D. * & Zachery Bohm**
Abstract: The United States and Canada are interdependent along a number of
dimensions, such as their mutual reliance on shared critical infrastructure. As a result,
regulatory efforts aimed at securing critical infrastructure in one nation impact the other,
including in the cybersecurity context. This article explores one such innovation in the
form of the 2014 National Institute for Standards and Technology (“NIST”)
Cybersecurity Framework. It reviews the evolution of the NIST Framework, comparing
and contrasting it with ongoing Canadian efforts to secure vulnerable critical
infrastructure against cyber threats. Its purpose is to discover North American governance
trends that could impact wider debates about the appropriate role of the public and private
sectors in enhancing cybersecurity.
Table of Contents
I. Introduction
II. Unpacking the Cyber Threat Affecting North American Critical Infrastructure
III. U.S. Approaches to Securing Critical Infrastructure: Enter the NIST Framework
IV. An Introduction to Canadian Critical Infrastructure Cybersecurity Law and Policy
V. Conclusion
I. Introduction
Neither the United States nor Canada is a stranger to cyber attacks. These
have increasingly targeted both the private and public sectors to steal valuable
intellectual property, such as state and trade secrets. In one instance, the
Canadian government reported a major cyber attack in 2011 that forced the
Finance Department and Treasury Board, Canada’s main economic agencies, to
disconnect from the Internet.1 Hundreds of systems within the United States
* Assistant Professor of Business Law and Ethics, Indiana University; Senior Fellow, Indiana
University Center for Applied Cybersecurity Research; W. Glenn Campbell and Rita Ricardo-
Campbell National Fellow, Stanford University Hoover Institution.
** Senior, Indiana University School of Public and Environmental Affairs.
62 CANADA-UNITED STATES LAW JOURNAL [Vol. 40, 2016]
Department of Commerce have similarly been forced offline due to cyber attacks
in recent years.2 In total, more than 40 million global cyber attacks were reported
in 2014, representing a nearly 50% increase over 2013.3
In response to this wave of cyber attacks, the U.S. and Canadian
governments have created a number of national and bilateral initiatives to
enhance North American cyber security. This includes the 2012 Cybersecurity
Action Plan Between Public Safety Canada and the Department of Homeland
Security.4 Such collaborative actions reflect the fact that the United States and
Canada are interdependent along a number of dimensions, including the two
nations’ mutual reliance on shared critical infrastructure (“CI”). For example, in
2012, electricity exports from Canada to the United States totaled nearly 60
million megawatt-hours, or roughly 1% to 2% of total U.S. consumption. Certain
regions, such as the U.S. Northeast and Midwest, are particularly dependent upon
Canadian power supplies.5 As a result of this interdependence, regulatory efforts
aimed at securing CI in one nation impact the other, even in the cybersecurity
context.
This article explores one such innovation, the 2014 National Institute for
Standards and Technology Cybersecurity Framework (“NIST Framework”).6 It
briefly reviews the evolution of the NIST Framework, comparing and contrasting
it with ongoing Canadian efforts to secure vulnerable CI against cyber threats. Its
purpose is to discover North American governance trends that may impact wider
debates about the appropriate role of the public and private sectors in enhancing
CI for cyber security.
The article proceeds as follows. Part I unpacks the multifaceted cyber threat
facing North American CI operators. Part II then delves into regulatory efforts
1 Ctr. for Strategic & Int’l Studies, Significant Cyber Incidents Since 2006 (Mar.
10, 2014), http://csis.org/files/publication/140310_Significant_Cyber_Incidents_Since_2006.pdf.
2 See Gregg Keizer, Chinese Hackers Hit Commerce Department, Info. Wk. (Oct. 6,
2006), http://www.informationweek.com/chinese-hackers-hit-commerce-department/d/d-id/1047684.
3 See Samantha White, Global Cyber-Attacks Up 48% in 2014, CGMA Magazine (Oct.
8, 2014), http://www.cgma.org/Magazine/News/Pages/201411089.aspx?TestCookiesEnabled=redirect.
But see, e.g., Peter Maass & Megha Rajagopalan, Does Cybercrime Really Cost $1
Trillion?, ProPublica (Aug. 1, 2012),
http://www.propublica.org/article/does-cybercrime-really-cost-1-trillion
(noting that such surveys should be accepted with caution).
4 See generally Pub. Safety Can. and U.S. Dep’t. of Homeland Sec., Cybersecurity
Action Plan Between Public Safety Canada and the Department of Homeland
Security (2012),
http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cybrscrt-ctn-plan/cybrscrt-ctn-plan-eng .
5 See North American Energy Infrastructure Act Will Bolster U.S.-Canada Electricity
Relationship, U.S. Energy & Commerce Comm. (May 7, 2014),
http://energycommerce.house.gov/press-release/north-american-energy-infrastructure-act-will-bolster-us%E2%80%93canada-electricity#sthash. VKtC9JA 1 .dpuf.
6 See Executive Order on Improving Critical Infrastructure Cybersecurity, White House
Press Sec’y (Feb. 12, 2013),
http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity-O;
see also Mark Clayton, Why Obama’s Executive Order on Cybersecurity Doesn’t Satisfy
Most Experts, Christian Sci. Monitor (Feb. 13, 2013),
http://www.csmonitor.com/USA/Politics/2013/0213/Why-Obama-s-executive-order-on-cybersecurity-doesn-t-satisfy-most-experts.
aimed at enhancing U.S. CI cyber security, focusing on the NIST Framework.
Part III investigates Canadian CI regulation, with a special emphasis on the
government’s reception to the NIST Framework. We conclude by couching this
investigation within the wider debate surrounding international CI protection,
including the emergence of cybersecurity norms in this space.
II. Unpacking the Cyber Threat Affecting North American Critical Infrastructure
It is notoriously difficult to find verifiable data on the number, type, and
severity of cyber attacks afflicting various nations and regions around the world.7
Without clear definitions, shared and meaningful values, or reliable data,
information about cyber attacks that impact North American CI remains limited
and unsophisticated. That said, more than one-third of Canadian firms have
reported being victims of cyber attacks.8 In a 2015 survey done by Kaspersky
Labs, Canada was named the tenth most-attacked nation in the world.9 The
Kaspersky survey also notes that the United States is the third most-attacked nation
as of March 2015.10 Also, from 2000 to 2008, U.S. cybersecurity surveys found
that the proportion of organizations reporting cyber attacks ranged from forty-
three percent to seventy percent.11
In 2010, seventy-five percent of surveyed IT executives in twenty-seven
countries stated that they had detected one or more attacks and forty-one percent
characterized such attacks as “somewhat or highly effective.”12 Verizon’s 2012
Data Breach Investigations Report found that “174 million records were
compromised in 2011, the second-highest total since the company began tracking
breaches in 2004.”13 Even that figure was surpassed in 2013.14
Yet, despite this multifaceted and growing threat, Canadian government
audits noted an absence of action plans, the slow pace of private-sector CI
partnership building, and the lack of timeliness and completion of monitoring
7 See Scott J. Shackelford, Managing Cyber Attacks in International Law,
Business, and Relations: In Search of Cyber Peace (2014).
8 See David Paddon, Cyber Attacks Have Hit 36 Per Cent of Canadian Businesses, Study
Says, Globe & Mail (Aug. 18, 2014),
http://www.theglobeandmail.com/report-on-business/cyber-attacks-have-hit-36-per-cent-of-canadian-businesses-study-says/article20096066/.
9 See Cyberthreat Real-Time Map, Kaspersky, http://cybermap.kaspersky.com/ (last
visited Mar. 10, 2015).
10 See id.
11 See Robert Richardson, Computer Sec. Inst., CSI Computer Crime & Security
Survey 13 (2008), available at http://ixmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008 .
12 See Symantec, State of Enterprise Security Study 7 (2010),
https://www.symantec.com/content/en/us/about/presskits/SES_report_Feb2010 .
13 Joel Griffin, Report Sheds Light on Intellectual Property Theft, Sec. Infowatch (Oct.
24, 2012),
http://www.securityinfowatch.com/article/10819280/report-sheds-light-on-intellectual-property-theft.
14 See Hadley Malcolm, Target: Data Stolen from up to 70 Million Customers, USA
Today (Jan. 10, 2014),
http://www.usatoday.com/story/money/business/2014/01/10/target-customers-data-breach/4404467/.
programs that protect CI from cyber threats.15 What is more, a 2012 report from
the Auditor General of Canada noted that the Canadian government appropriated
only 780 million dollars in funding to improve security for Canada’s critical
infrastructure and less than this total was directed toward enhancing
cybersecurity.16
Other data points support the need for reform. As noted by the Canadian
Security Intelligence Service:
The speed of evolving new cyber threats, the lack of geographic
boundaries and the problem of determining attribution impede efforts to
counter attacks on information systems. Obstacles include not only
domestic jurisdictional barriers to effective regulation, legislation and
information-sharing but also the fragmented ownership and regulatory
control of ICT infrastructure, which represents a major challenge at the
global level… Accordingly, it would seem appropriate that the costs of
protecting critical infrastructure against certain threats to national
security be borne in a proportionate manner by all those who
benefit…17
However, Canada is far from alone in its struggle to fight the evolving cyber
threat to CI. According to a McAfee survey, CI owners and operators from the
United States reported that their high-level adversaries, such as foreign
governments, repeatedly cyber attacked their networks and control systems.18
The consequences of such attacks are potentially devastating. In fact, the U.S.
Cyber Consequences Unit estimates losses from a major attack on U.S. CI at
roughly 700 billion U.S. dollars.19 Congress, however, has been slow to meet this
challenge, which has prompted executive action. As such, what follows is the
analysis of the current U.S. approach to changing the unsustainable cybersecurity
status quo. Then, we take a comparative look at some of Canada’s CI
cybersecurity reform efforts.
15 Office of the Auditor Gen. of Can., Report of the Auditor General of Canada –
Fall 2012: Chapter 3 (2012), available at
http://www.oag-bvg.gc.ca/internet/docs/parl_oag_201210_03_e .
16 Angela Gendron & Martin Rudner, Can. Sec. Intelligence Serv., Assessing
Cyber Threats to Canadian Infrastructure (Mar., 2012),
https://www.csis.gc.ca/pblctns/ccsnlpprs/CyberTrheats_AO_Booklet_ENG .
17 Id.
18 Stewart Baker, Shaun Waterman & George Ivanov, McAfee, In the Crossfire:
Critical Infrastructure in the Age of Cyber War 1 (2010), available at
http://img.en25.com/Web/McAfee/NA_CIP_RPT_REG_2840 .
19 See Jayson M. Spade, Information as Power: China’s Cyber Power and America’s
National Security 26 (Jeffrey L. Caton ed., 2012) (citing Eugene Habiger, Cyber Secure
Inst., Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic
Approach 15-17 (2010), available at
http://nsarchive.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-072 ).
III. U.S. Approaches to Securing Critical Infrastructure: Enter the NIST Framework
President Obama issued an executive order in 2013 that expanded public-
private information sharing and tasked NIST with establishing the NIST
Framework to better secure critical infrastructure.20 Version 1.0, Framework for
Improving Critical Infrastructure Cybersecurity, was released in February
2014.21 This was designed to harmonize consensus standards and industry best
practices. Its proponents argue that it provided a flexible and cost-effective
approach to enhancing cybersecurity.22
The NIST Framework does not create any binding obligations for private
sector actors and has no means of enforcement for those that choose to adopt it.23
Nonetheless, its widespread implementation may establish a cybersecurity
standard of care in the United States, even without Congressional action.24 This
holds the potential to spill over beyond traditional CI sectors into the private
sector in the United States. Indeed, the White House announced that, as of
February 2015, Intel, Apple, and Walgreens have incorporated the NIST
Framework into their cybersecurity efforts.25 Actually, even Bank of America
now requires its use by vendors.26
With a deep degree of private-sector participation, the NIST Framework’s
basic structure divides cybersecurity into five broad functions.27 These include:
identify, protect, detect, respond, and recover.28 Notably, the NIST Framework
also provides a series of steps for organizations to follow to assess and address
their cyber risk exposure.29 This permits firms to incorporate cyber risk
management in a manner that is consistent with their overarching business goals
and financial capabilities. Though it is premature to predict the permanence of
the NIST Framework, its inherent flexibility has proven attractive to CI operators
20 See White House Press Sec’y, supra note 6; see also Mark Clayton, supra note 6.
21 White House Press Sec’y, supra note 6, at 1.
22 Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11739, 11741 (February
19, 2013).
23 See White House Press Sec’y, supra note 6.
24 See, e.g., NIST’s Voluntary Cybersecurity Framework May Be Regarded as De Facto
Mandatory, Homeland Sec. News Wire (Mar. 4, 2014),
http://www.homelandsecuritynewswire.com/dr20140303-nist-s-voluntary-cybersecurity-framework-may-be-regarded-as-de-facto-mandatory
(stating that experts have warned that many of the recommendations in the
framework “may be used by courts, regulators, and even consumers to hold institutions
accountable for failures that could have been prevented if the cybersecurity framework had
been fully implemented by the respective institution”).
25 See White House Press Sec’y, Fact Sheet: White House Summit on
Cybersecurity and Consumer Protection (Feb. 13, 2015),
http://rn.whitehouse.gov/the-press-office/2015/02/13/fact-sheet-white-house-summit-cybersecurity-and-consumer-protection.
26 See id.
27 White House Press Sec’y, supra note 6, at 7.
28 Id.
29 Nat’l Inst. of Standards and Tech., Framework for Improving Critical
Infrastructure Cyber Security Version 1.0 (Feb. 12, 2014),
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214 at 13-14.
and policymakers alike. Already, cyber security consultants are advising private-
sector clients that “the ‘standard’ for ‘due diligence’ was now the NIST
Cybersecurity Framework.”30
Over time, the NIST Framework has both the potential to shape a standard of
care for domestic CI organizations and the capability to help harmonize global
cybersecurity best practices for the private sector. This is particularly true given
the active NIST Framework collaborations that have begun to occur between a
number of nations, including the United Kingdom, Japan, Korea, Estonia, Israel,
Germany, and Australia.31 The question considered below is what impact, if any,
this initiative has had on reshaping Canada’s cybersecurity policymaking
landscape.
IV. An Introduction to Canadian Critical Infrastructure Cybersecurity Law and Policy
The Canadian government has established various cyber security
frameworks that manage the cyber threats facing North American CI.32 Before
diving into this issue, however, the context will first be briefly summarized. Both
Canada and the United States have numerous agencies charged with enhancing
national cyber security.33 Much of Canada’s cyber security policymaking
authority resides in the Department of Public Safety and Emergency
Preparedness Canada (“PSEPC”).34 This agency is similar to the U.S.
Department of Homeland Security (“USDHS”). Like USDHS, PSEPC is
responsible for ensuring the cyber security of civilian government networks
and private industry networks related to CI.35
30 John Verry, Why the NIST Cybersecurity Framework Isn’t Really Voluntary,
PivotPoint Sec.: Info. Sec. Blog (Feb. 25, 2014),
http://www.pivotpointsecurity.com/risky-business/nist-cybersecurity-framework.
31 Gerald Ferguson, NIST Cybersecurity Framework: Don’t Underestimate It, Info. Wk.
(Dec. 9, 2013),
http://www.informationweek.com/government/cybersecurity/nist-cybersecurity-framework-dont-underestimate-it/d/d-id/1112978
(noting that some stakeholders have already
argued that “any time a company’s cybersecurity practices are questioned during a regulatory
investigation and litigation, the baseline for what’s considered commercially reasonable is
likely to become the… Cybersecurity Framework”); Nat’l Inst. of Standards and Tech.,
Update on the Cybersecurity Framework (July 31, 2014),
http://nist.gov/cyberframework/upload/NIST-Cybersecurity-Framework-update-073114
(“NIST and other U.S.
government officials have had discussions about the Framework with multiple foreign
governments and regional representatives including organizations throughout the world,
including – but not limited to – the United Kingdom (UK), Japan, Korea, Estonia, Israel,
Germany, and Australia.”).
32 See generally Cyber Security: A Shared Responsibility, Pub. Safety Can. (Apr. 3,
2014), http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/index-eng.aspx.
33 See Gordon M. Snow, Statement Before the Senate Judiciary Committee,
Subcommittee on Crime and Investigation, The Fed. Bureau of Investigation (Apr. 12,
2011),
https://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism.
34 See Cyber Security: A Shared Responsibility, supra note 32.
35 See U.S. Dep’t Homeland Sec., Safeguard and Secure Cyberspace (Nov. 2, 2012),
available at http://www.dhs.gov/safeguard-and-secure-cyberspace.
In 2005, the Canadian government created the Canadian Cyber Incident
Response Center (“CCIRC”) within PSEPC.36 CCIRC monitors the cyber
security of both public- and private-sector networks including CI. Thus, it is
charged with leading the government’s response to and recovery from cyber
attacks.37 The manner in which CCIRC achieves this is threefold: (1) it advises
the government and private sector how to prepare for and mitigate cyber threats;
(2) it provides technical expertise, i.e., forensic cyber analysis; and (3) it acts as a
framework where experts may share ideas and collaborate to help support
critical Canadian CI.
CCIRC is Canada’s version of the U.S. Computer Emergency Readiness
Team (“US-CERT”). US-CERT was established in 2003 and is under the
jurisdiction of the USDHS.39 Thus, both CCIRC and US-CERT provide their
government and private sectors with the tools and information necessary to
mitigate the effects of cyber attacks. They also identify and share cyber security
best practices and threat information.40
In February 2014, the Canadian government announced the Cyber Security
Cooperation Program (“CSCP”), which is administered by PSEPC.41 The CSCP
is a five-year, 1.5 million Canadian dollar grant initiative that funds research
and projects created to improve Canada’s “vital cyber systems” security.42
Specifically, CSCP identifies programs and research that improve best practices,
standards, operational methodologies and cyber assessment tools for critical
cyber systems and CI.43
Over the past decade PSEPC has published a number of notable reports
related to CI cyber security. These reports detail how the Canadian government
and private sectors should improve CI cyber security.44 In 2010, PSEPC
published the National Strategy for Critical Infrastructure (“National Strategy”)
and the Action Plan for Critical Infrastructure (“Action Plan”) reports, which
address vital infrastructure safety and security issues.45
36 See Steven Ballew, U.S. Can Learn from Canadian Cybersecurity Shortcomings, Daily
Signal (Nov. 5, 2012),
http://dailysignal.com/2012/11/05/u-s-can-learn-from-canadian-cybersecurity-shortcomings/.
37 See id.
38 See Canadian Cyber Incident Response Centre (CCIRC), Pub. Safety Can. (Dec. 12,
2014), http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-eng.aspx.
39 See 44 U.S.C. § 3546 (Federal Information Security Incident Center).
40 See Cyber Incident Response Centre (CCIRC) Partners, Pub. Safety Can. (Feb. 24,
2015), http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/ccirc-ccric-prtnrs-eng.aspx.
41 See Cyber Security Cooperation Program, Pub. Safety Can. (Feb. 6, 2015),
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/cprtn-prgrm/index-eng.aspx.
42 Id.
43 See Research Themes, Pub. Safety Can. (Feb. 6, 2015),
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/cprtn-prgrm/rsrch-thms-eng.aspx.
44 See Publications and Reports, Pub. Safety Can. (Jan. 23, 2015),
https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/index-eng.aspx.
45 See Critical Infrastructure, Pub. Safety Can. (March 20, 2014),
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/crtcl-nfrstrctr/index-eng.aspx.
The National Strategy outlines ten CI areas vulnerable to cyber attacks and
addresses how these areas should be strengthened.46 The report rationalizes that
local owners and operators are ultimately responsible for securing CI.47 It then
describes how the government plans to share important information and address
the challenges faced by local owners and operators of diverse CI assets.
The PSEPC also published Canada’s Cyber Security Strategy in 2010.48 This
describes the three main objectives of Canadian national cyber security strategy
including: securing government systems, working with the private sector to
ensure secure nongovernment systems, and helping the Canadian public safely
browse the internet.49 Subsequently, the government published Action Plan 2010
– 2015 for Canada’s Cyber Security in 2013 to help flesh out the cyber security
strategy report. Specifically, this report details what actions different
stakeholders should undertake to achieve identified cyber security goals.50
The above-mentioned 2010 Action Plan was recently updated to reflect vital
infrastructure protection for the years 2014 – 2017. The revised Action Plan
details how cyber security has increasingly become an important aspect of CI
protection and calls for improving public-private partnerships, assessing critical
infrastructure risks more effectively, and strengthening critical infrastructure
resilience.51
Many objectives in the revised Action Plan are similar to those mentioned in
the NIST Framework, such as the objective that identifies the areas of high cyber
risk and ways to mitigate this risk.52 In addition, both the revised Action Plan and
the NIST Framework greatly emphasize increasing the communication between
the stakeholders of vital CI.
While the NIST Framework does not outline the stakeholders responsible for
individual activities related to cyber security, it does provide information on the
organization and categorization of various activities related to ensuring cyber
46 National Strategy for Critical Infrastructure 2 (2010),
http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/srtg-crtcl-nfrstrctr-eng
(listing energy and
utilities, finance, food, transportation, government, information and communication
technology, health, water, safety, and manufacturing); see also What is Critical
Infrastructure, DHS, http://www.dhs.gov/what-critical-infrastructure (last visited Jan. 16,
2014); What is the ICS-CERT Mission?,
http://ics-cert.us-cert.gov/Frequently-Asked-Questions (last visited Jan. 17, 2014)
(The U.S. Cyber Emergency Response Team, which is
part of DHS, identifies sixteen critical infrastructure sectors consistent with Homeland
Security Presidential Directive 7, including: agriculture, banking and finance, chemical,
commercial facilities, dams, defense industrial base, drinking water and water treatment
systems, emergency systems, energy, government facilities, information technology, nuclear
systems, public health and healthcare, telecommunications, and transportation systems).
47 National Strategy for Critical Infrastructure 2 (2009),
http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/srtg-crtcl-nfrstrctr/srtg-crtcl-nfrstrctr-eng .
48 Id. at 3.
49 Canada’s Cyber Security Strategy 7 (2010),
http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/cbr-scrt-strtgy/cbr-scrt-strtgy-eng .
50 Action Plan 2010 – 2015 for Canada’s Cyber Security Strategy 3-4 (2013),
http://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ctn-pln-cbr-scrt/ctn-pln-cbr-scrt-eng .
51 See id.
52 Id. at 7-8.
security.53 Indeed, the NIST Framework received much attention from Canadian
policymakers, as it has with an array of North American industries from the
energy, IT, manufacturing, retailing, and other sectors.54
This process is now playing out beyond North America’s borders. Indeed,
the Information Technology Industry Council (“ITI”) explained that it recently
visited Japan and South Korea, where it shared “the benefits of a public-private
partnership-based approach to developing globally workable cyber security
policies.”55 Moreover, “ITI highlighted the [NIST Framework] as an example of
an effective policy” that “reflect[s] global standards and industry-driven
practices.”56
Time will tell whether this model of a “voluntary” bottom-up cyber security
framework will effectively meet the multifaceted cyber threat. However, given
the evolving problem and reluctance by U.S. and Canadian lawmakers to pass
binding measures, this may currently be the best available option. As such, U.S.
and Canadian public and private sectors should collaborate to expand on the
2012 U.S.-Canadian Cybersecurity Action Plan to include cross-border and
cross-sector information sharing along with active engagement on updating the
NIST Framework beginning with version 2.0. Without such bilateral
cooperation, progress made in one nation will still leave the other open to cyber
attacks that may have been prevented.
V. Conclusion
In a special report on North America, the Council on Foreign Relations
(“CFR”) noted the interconnection between the North American economies
stating, “[c]yber failures in one country could have ripple effects on neighbors
and cross-border production” and recommended “that the United States, Canada,
and Mexico set baseline standards for cyber protection.”57 The NIST Framework
is not the only candidate for the undertaking.58 Notably, the CFR Task Force
53 White House Press Sec’y, supra note 6, at 19.
54 See, e.g., Information Systems Audit and Control Association, Inc., New US
Cybersecurity Framework Developed by NIST Features COBIT 5 in the Core, ISACA (Feb.
14, 2014), available at
http://www.isaca.org/About-ISACA/Press-room/News-Releases/2014/Pages/New-US-Cybersecurity-Framework-Developed-by-NIST-Features-COBIT-5-in-the-Core.aspx;
Ann M. Beauchesne, Administration Sends Cybersecurity Stakeholders a Positive
Message: The NIST Framework Should be Voluntary, Flexible, and Collaborative, U.S.
Chamber of Commerce (June 11, 2014),
https://www.uschamber.com/administration-sends-cybersecurity-stakeholders-positive-message-nist-framework-should-be-voluntary.
55 Email from Information Technology Industry Council, to Diane Honeycutt (October,
2014) (on file with author), available at
http://www.itic.org/dotAsset/f/9/f9ef5fS0-ffc5-4035-b274-87489605ab6e .
56 Beauchesne, supra note 54.
57 David H. Petraeus et al., Council on Foreign Relations, Inc., North America:
Time for a New Focus, Independent Task Force Rep. No. 71 80 (2015), available at
https://www.google.ch/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCUQFjABahUKEwi4mNKwq7jIAhWHtBoKHQJlAmA&url=http%3A%2F%2Fi.cfr.org%2Fcontent%2Fpublications%2Fattachments%2FTFR71_North_America &usg=AFQjCNFGbAgj8mSpT-_MWC3aCI4Tti5xEA&sig2=Ra0Hirvj2q3A36aqSKZHXA&cad=rja.
58 Petraeus, supra note 57, at 80.
recommended joint cyber security frameworks drawn from the Critical Security
Controls and the USDHS Continuous Diagnostics and Mitigation Program to
promote “cyber hygiene.”59
Moreover, CFR recommended several of the measures, including deeper
integration of national CERTs and robust international public-private
information sharing.60 Indeed, these conclusions build from the U.S.-Canadian
Cybersecurity Action Plan, which deepens cooperation between U.S. and
Canadian cyber emergency response teams, provides for more robust private-
sector information sharing, and promotes better “public awareness” of the
multifaceted cyber threat.61 Over time, such efforts may form a combined North
American CERT and Information Sharing and Analysis Organization.
Leveraging the resources available in the United States and Canada allows both
nations to more effectively meet the evolving cyber threat, help secure North
American CI, and contribute to global cyber peace.
59 Id.
60 Id.
61 Pub. Safety Can. and U.S. Dep’t. of Homeland Sec., supra note 4, at 2-4.
Copyright of Canada-United States Law Journal is the property of Case Western Reserve
University School of Law and its content may not be copied or emailed to multiple sites or
posted to a listserv without the copyright holder’s express written permission. However, users
may print, download, or email articles for individual use.