Duty of assistance
Critical infrastructure — systems and assets, physical or virtual, so vital that their incapacity or destruction would have a debilitating impact on national defence, economic security, public health and safety, or any combination of these matters
One of the key questions confronting policy-makers is whether and how the government should draw upon public resources to assist an attacked private-sector organization. Clearly defining and circumscribing the public sector's duty to assist is an important and difficult policy topic. The public resources available to assist in a cyber emergency are finite, yet the capabilities they represent may exceed anything available in the private sector. It is therefore imperative to employ those resources judiciously and consistently. Within the context of the prior discussion on national information security roles, this policy model helps illustrate the key considerations to take into account when delegating responsibilities for resilience.
To help frame the policy discussion, it is helpful to think about the government’s duty of assistance as contingent on two factors: the alleged identity of the adversary and the degree of risk. Additionally, it is worth noting that a duty can manifest in at least three behaviours by the government: no duty — in which the public sector is not obliged to offer assistance; an affirmative duty — in which the public sector is obliged to offer assistance without any obligation on the part of the organization to accept that assistance; and a mandate for an organization to accept public-sector assistance. To be sure, the provision of assistance may vary between national and subnational government based on national context, and may involve some form of public-private partnership:
- Because the identity of the adversary triggering a duty of assistance may implicate a country's sovereign responsibilities, the government should be prepared to respond more forcefully when that identity points to a state. For example, a government may choose to establish a legal duty for organizations to accept assistance, regardless of the damages observed, if it suspects that a nation-state actor was the originating source of the intrusion.
- The extensiveness of potential damages is a second key factor that should drive the forcefulness of the government’s response. The consideration of risk (in the form of potential damages) here, as opposed to realized damages, reflects an important difference between the profile of cyberattacks versus other sorts of emergencies or disasters. Cyberdamages do not escalate linearly as a function of time — attacks moving at network speed may cause rapid stepwise increases in damages. One helpful example of the importance of thinking in terms of potential damage is the recent uptick in malware targeting critical infrastructure and, in particular, the electric grid.
Significant trade-offs are associated with assigning government a duty to assist “earlier” (in the case of smaller potential damages and less worrisome adversaries) or “later” (in the case of greater potential damages and more worrisome adversaries):
- The greater the scope of government duty, the greater the costs that must be borne to assist the private sector.
- A corollary of a more expansive government duty is that adversaries will presumably perceive greater risk in attacking protected organizations and thus be deterred.
- One additional consideration (discussed in greater depth in the context of liability thresholds) is that establishing a duty to assist may result in the private sector having diminished economic incentives to invest in its own emergency responsiveness.
Policy model: Duty of assistance
Key values trade-offs created by duty of assistance policy choices: in the short term, economic value and security are negatively correlated, because a more expansive government duty is a costly capability to build; in the longer term, reduced cyber incident damages should pay for that investment.
Case study: Defining critical infrastructure policy
Defining critical infrastructure is a key part of national policy that helps determine when a government’s duty to assist ought to begin. The exercise of defining critical infrastructure is also important to help narrow the threat surface in scope and prioritize national assets for cybersecurity. However, defining critical infrastructure is fundamentally a context-specific exercise for any given country. In defining critical infrastructure, policy-makers should take into account a few important questions:
What attributes (and companies) qualify as critical infrastructure?
In the United States, for example, the Department of Homeland Security has outlined 16 sectors. Singapore has defined 11 critical information infrastructure sectors. Even within critical infrastructure, it may be valuable to prioritize sectors that may be more crucial to national security and economic well-being than others.
What elements of critical infrastructure policy are publicized?
Governments may choose to retain some level of ambiguity in disclosing how their duty of assistance is triggered. For example, most countries do not publicly disclose a list of companies that qualify as critical infrastructure. In so doing, governments are tacitly acknowledging that the value of withholding a ready-made target list ("security by obscurity") outweighs the deterrent value of publicly signalling which organizations enjoy government protection.
How does government police the natural inclination to define critical infrastructure more broadly over time?
Governments may seek to define critical infrastructure more broadly to extend the umbrella of protection and to induce the private sector to upgrade its security. The private sector may also insist on inclusion as part of critical infrastructure. However, the extent to which government can serve its duty to assist is finite and mechanisms are essential to ensure that the duty is firmly circumscribed in scope and time.
One potentially useful policy analogy for critical infrastructure policy is financial regulation and crisis response. In the wake of the global financial crisis, countries went about balancing many of the aforementioned dynamics:
- Who should qualify for financial assistance? As part of the initial response to the financial crisis in the United States, the government mandated that financially “healthy” and “unhealthy” institutions accept capital injections to avoid the potential risk of “unhealthy” institutions being exposed to the financial strain of market participants’ distrust. One analogue to critical infrastructure policy is not only offering assistance to attacked institutions but mandating it for a class of institutions to avoid scrutiny by adversaries. In the cyber context, assistance would have to be more tailored than a capital injection given the unique security requirements of each organization, but a similar policy intuition applies.
- Who should qualify for a standing government duty to assist? Again, in the United States, the government designated certain institutions as "systemically important financial institutions". In so doing, the government attached certain demands to ensure that these institutions did not lose the economic incentive to mitigate their own risks (e.g. so-called "living wills" to ensure orderly bankruptcy). An analogue here could be to combine critical infrastructure status with exceedingly stringent security mandates (which already exist in some circumstances, since certain critical infrastructure sectors are generally already heavily regulated).
Connecting policy to values
The extent to which the public sector’s assistance is extended to the private sector raises sharp trade-offs between security, economic value, accountability and fairness:
- Provided the public sector has the effective capability, an increased duty of assistance to the private sector will likely result in greater security through a few key mechanisms. First, during a cyberincident, the public sector may provide effective incident response services. Immediately following a cyberincident, the public sector may provide resources and expertise allowing an organization to securely continue functioning. Finally, a greater duty of assistance may deter would-be adversaries.
- Owing to that greater security, the economic value of a greater duty of assistance would be positive in the long run. Many forms of cybercapabilities, particularly incident response, are exceedingly expensive to develop in terms of human capital. While this may result in some costs in the short run for a given country, the long-run benefit of effective incident response capabilities will outweigh the costs borne, at least in the present context where it is widely agreed that many organizations lack sufficient incident response capabilities.
- An increased duty of assistance for the public sector will also increase public-sector accountability, but perhaps at the cost of private-sector accountability, since organizations may come to rely on government assistance rather than on their own preparedness.
- To the extent that the government extends its capabilities more broadly, such a policy would promote greater fairness — organizations that are less capable of responding to cyberincidents owing to context or resource constraints would be on a more level playing field with organizations that have developed or contracted for incident response capabilities.