RESEARCH ARTICLE
An Improvised Patchwork: Success and Failure in Cybersecurity Policy for Critical Infrastructure
Sean Atkins,
Chappell Lawson,
Corresponding Author
Sean Atkins
Massachusetts Institute of Technology
Search for more papers by this authorSean Atkins,
Chappell Lawson,
Corresponding Author
Sean Atkins
Massachusetts Institute of Technology
Search for more papers by this authorFirst published: 31 October 2020
Citations: 16
Abstract
The last two decades have revealed the vulnerability of privately owned “critical infrastructure”—the power grid, pipelines, financial networks, and other vital systems—to cyberattack. The central U.S. response to this challenge has been a series of sectoral “partnerships” with private owner-operators of critical infrastructure, involving varying degrees of regulation. Qualitative analysis based on in-depth interviews with over 40 policymakers and senior private sector managers, as well as public documents, reveals considerable variation in how well this approach has worked in practice. The main predictors of policy success appear to be (a) the nature of the cyber threat to firms’ operations and (b) regulatory pressure on firms. However, other factors—such as the nature of intra-industry competition—also affect how well the current regime works in specific sectors. Our findings have implications for public administration on civilian cybersecurity, as well as ramifications for regulation in other policy domains.
References
- Aghion, P., and J. Tirole. 1997. Formal and Real Authority in Organizations. Journal of Political Economy 105(1): 1–29.
- Alcaraz, Cristina, and Sherali Zeadally. 2015. Critical Infrastructure Protection: Requirements and Challenges for the 21st Century. International Journal of Critical Infrastructure Protection 8: 53–66.
- American Nuclear Society (Center for Nuclear Science and Technology Information). 2018. Nuclear Power Plant Cyber Security: Highly Controlled, Fully Protected. [accessed July 31, 2019]. http://nuclearconnect.org/know-nuclear/talking-nuclear/nuclear-power-plant-cyber-security.
- Angle, M.G., S. Madnick, and J.L. Kirtley Jr. 2019. Identifying and Anticipating Cyber Attacks That Could Cause Physical Damage to Industrial Control Systems. Working Paper CISL#2017-14. [accessed July 29, 2019]. bit.ly/madnick-cyber-attacks.
-
Appan, Radha, and Dinko Bačić. 2016. Impact of Information Technology (IT) Security Information Sharing among Competing IT Firms on Firm's Financial Performance: An Empirical Investigation. Communications of the Association for Information Systems 39(12): 214–41.
10.17705/1CAIS.03912 Google Scholar
- AWIA (America's Water Infrastructure Act of 2018). 2018. S. 3021, Pub.L. 115–270.
- Bing, Chris. 2018. Inside ‘Project Indigo,’ the Quiet Info-Sharing Program between Banks and U.S. Cyber Command. Cyberscoop. May 21. [accessed July 19, 2019]. https://www.cyberscoop.com/project-indigo-fs-isac-cyber-command-information-sharing-dhs/.
- Bolton, Alexander, Rachel Augustine Potter, and Sharece Thrower. 2016. Organizational Capacity, Regulatory Review, and the Limits of Political Control. The Journal of Law, Economics, and Organization 32(2): 242–71.
- Brenner, Joel. 2013. Glass Houses: Privacy, Secrecy, and Cyber Security in a Transparent World. New York: Penguin Books.
- Bronk, C. and E. Tikk-Ringas. 2013. The Cyber Attack on Saudi Aramco. Survival: Global Politics and Strategy, pp. 81–96.
- Brown, Jeff, and J.R. Williamson. 2016. Cybersecurity and the Defense Industrial Base. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 49–62. Arlington: Internet Security Alliance.
- Carlin, John P. 2020. Cybersecurity. In Beyond 9/11: Homeland Security for the 21st Century, edited by Chappell Lawson, Alan Bersin, and Juliette Kayyem. Cambridge: MIT Press.
- Carmichael, D.B., M.N. Kutz, and D. M. 2003. “Captured?” Is the Federal Aviation Administration Subject to “Capture” by the Aviation Industry? Collegiate Aviation Review: 9–17.
- D. Carpenter, and D.A. Moss, eds. 2014. Preventing Regulatory Capture: Special Interest Influence, and how to Limit It. New York: Cambridge University Press.
- Carr, Madeline. 2016. Public–Private Partnerships in National Cyber-Security Strategies. International Affairs 92: 43–62.
- Center for Strategic and International Studies (CSIS). 2013. Public-Private Partnerships for Critical Infrastructure Protection. Report August 19. [accessed September 5, 2019]. https://www.csis.org/analysis/public-private-partnerships-critical-infrastructure-protection-0
- Center of Internet Security. 2019. CIS Cybersecurity Controls. [accessed July 27, 2019] https://www.cisecurity.org/controls/.
- Chertoff, Michael and Frank Cilluffo. A Strategy of Cyber Deterrence. Choosing to Lead: American Foreign Policy for a Disordered World, John Hay Initiative. (2015). [accessed July 25. 2019]. http://www.choosingtolead.net/a-strategy-of-cyber-deterrence.
- Chung, John. 2018. Critical Infrastructure, Cybersecurity, and Market Failure. Oregon Law Review 96: 441–76.
- Cimpanu, Catalin. 2019. Only Six TSA Staffers Are Overseeing US Oil & Gas Pipeline Security: GAO Report Highlight Lack of Oil & Gas Security Staff, Outdated Cyber-Security Risk Assessment Methodologies. ZDNet. [accessed September 11, 2019]. https://www.zdnet.com/article/only-six-tsa-staffers-are-overseeing-us-oil-gas-pipeline-security/.
- CIPA (Critical Infrastructures Protection Act of 2001). 2001. 42 U.S. Code § 5195c.
- CISA (Cybersecurity and Infrastructure Security Agency). 2018. Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. March 16. [accessed July 31, 2019]. https://www.us-cert.gov/ncas/alerts/TA18-074A.
- CISA (Cybersecurity Information Sharing Act of 2015). 2015. December. S.754 114th Congress.
- Clayton, B. and A. Segal. 2013. Addressing Cyber Threats to Oil and Gas Suppliers. Energy Brief (June).
-
Clinton, Larry. 2015. Best Practices for Operating Government-Industry Partnerships in Cyber Security. Journal of Strategic Security 8(4): 53–68.
10.5038/1944-0472.8.4.1456 Google Scholar
- Clinton, Larry. 2016. A Brief History of the Cybersecurity Problem and Policies That Have Attempted to Address It. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 3–19. Arlington: Internet Security Alliance.
- Larry Clinton, and David Perera, eds. 2016. The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity. Arlington: Internet Security Alliance.
- Coats, Daniel. 2019. Statement for the Record: Worldwide Threat Assessment of the U.S. Intelligence Community. Senate Select Committee on Intelligence. January 29. [accessed August 23, 2019]. https://www.intelligence.senate.gov/sites/default/files/documents/os-dcoats-012919.pdf.
- Coglianese, C., J. Nash, and T. Olmstead. 2003. Performance-Based Regulation: Prospects and Limitations in Health, Safety, and Environmental Protection. Administrative Law Review 55(4): 705–29.
- Coglianese, Cary, and David Lazer. 2003. Management-Based Regulation: Prescribing Private Management to Achieve Public Goals. Law & Society Review 37(4): 691–730.
- Cordesman, Anthony H., and Justin G. Cordesman. 2002. Cyber-Threats, Information Warfare, and Critical Infrastructure Protection 2002. Westport, CT: CSIS/Praeger.
- Coviello, Art, Jr. 2016. Cybersecurity and the Information Technology Industry. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 113–32. Arlington: Internet Security Alliance.
- Crisp, Daniel, Larry Trittschuh, and Gary Alum. 2016. Cybersecurity in the Banking and Financial Sector. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 82–99. Arlington: Internet Security Alliance.
- CRS (Congressional Research Service). 2013. The Federal Rulemaking Process: An Overview. Maeve P. Carey, Coordinator, RL32240. June 17. [accessed July 31, 2019]. https://fas.org/sgp/crs/misc/RL32240.pdf,.
- CRS (Congressional Research Service). 2018. Electricity Grid Cybersecurity. R45312. September. [accessed July 29, 2019]. https://fas.org/sgp/crs/homesec/R45312.pdf.
- CRS (Congressional Research Service). 2019. Critical Infrastructure: Emerging Trends and Policy Considerations for Congress. R45809. Brian E. Humphreys. July 8.
- Dal Bó, E. 2006. Regulatory Capture: A Review. Oxford Review of Economic Policy 22(2): 203–25.
- Dana, David, and Susan Koniak. 1999. Bargaining in the Shadow of Democracy. University of Pennsylvania Law Review 148: 473–97.
- DePasquale, Scott. 2016. Cybersecurity and the Power Utility Sector. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 100–12. Arlington: Internet Security Alliance.
- DHS (Department of Homeland Security). 2018. National Strategy to Secure Cyberspace. [accessed September 2, 2019]. https://assets.documentcloud.org/documents/4916949/National-Cyber-Strategy.pdf.
- DHS (Department of Homeland Security). 2019. Critical Infrastructure Sectors. [accessed June 11, 2019]. https://www.dhs.gov/cisa/critical-infrastructure-sectors.
- DOD (Department of Defense). 2018. Department of Defense Cyber Strategy. Summary, September. [accessed 8 June, 2019]. https://media.defense.gov/2018/Sep/18/2002041658/-1/-1/1/CYBER_STRATEGY_SUMMARY_FINAL.PDF
- DOE (Department of Energy). 2018. Department of Energy Invests $28 Million to Advance Cybersecurity of the Nation's Critical Energy Infrastructure. Press Release, October 1. [accessed 8 June, 2019]. https://www.energy.gov/articles/department-energy-invests-28-million-advance-cybersecurity-nation-s-critical-energy.
- Durkovich, Caitlin. 2020. Protecting Critical Infrastructure. In Beyond 9/11: Homeland Security in the 21st Century, edited by Chappell Lawson, Alan Bersin, and Juliette Kayyem. Cambridge: MIT Press.
- EO-13010 (Executive Order 13010). 1996. Critical Infrastructure Protection. Federal Register, July 17, 1996, 61 (138): 37347.
- EO-13636 (Executive Order 13636). 2013. Improving Critical Infrastructure Cyber Security. February. [accessed June 8, 2019]. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
- FAA OIG (Federal Aviation Administration, Office of the Inspector General). 2019. FAA Has Made Progress but Additional Actions Remain to Implement Congressionally Mandated Cyber Initiatives, Report No. AV201902, March 20. [accessed July 29, 2019]. https://www.oig.dot.gov/sites/default/files/FAA%20Cybersecurity%20Program%20Final%20Report%5E03.20.19.pdf.
- FDA (Food and Drug Administration), Center for Devices and Radiological Health. 2018. Content of Premarket Submissions for Management of Cybersecurity in Medical Devices Guidance for Industry and Food and Drug Administration Staff. FDA-2018-D-3443 (October).
- FERC (Federal Energy Regulatory Commission) 2019. [accessed July 25, 2019]. https://ferc.gov/industries/electric/indus-act/reliability/cybersecurity.asp.
- Financial Services Information Sharing and Analysis Center. 2016. FS-ISAC Announces the Formation of the Financial Systemic Analysis & Resilience Center (FSARC) [Press Release]. October 24. [accessed July 19, 2019]. http://www.prnewswire.com/news-releases/fs-isac-announces-the-formation-of-the-financial-systemic-analysis-resilience-center-fsarc-300349678.html.
- GAO (Government Accountability Office). 2006. Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors’ Characteristics. GAO-18-613T: September 13, 2006.
- GAO (Government Accountability Office). 2014. Critical Infrastructure Protection: Observations on Key Factors in DHS's Implementation of Its Partnership Approach, GAO-14-464T. March 26, 2014.
- GAO (Government Accountability Office). 2015. Critical Infrastructure Protection: Cybersecurity of the Nation's Electricity Grid Requires Continued Attention. GAO-16-174T. October 21, 2015.
- GAO (Government Accountability Office). 2019. Critical Infrastructure Protection: Actions Needed to Address Weaknesses in TSA's Pipeline Security Program Management, GAO-19-542T: May 1.
- Gate 15. 2019. Security Spotlight: An Interview with NH-ISAC President Denise Anderson. July 16. [accessed August 23, 2019]. https://gate15.global/security-spotlight-an-interview-with-nh-isac-president-denise-anderson/.
- Gestel, Van, Joris Voets Kit, Joris, and Koen Verhoest. 2012. How Governance of Complex PPPs Affects Performance. Public Administration Quarterly 36(2): 140–88.
-
Goertz, Gary, and James Mahoney. 2012a. Causal Models. In Chapter 4 in A Tale of Two Cultures: Qualitative and Quantitative Research in the Social Sciences. Princeton: Princeton University Press.
10.23943/princeton/9780691149707.003.0004 Google Scholar
-
Goertz, Gary, and James Mahoney. 2012b. Causal Mechanisms and Process Tracing. In Chapter 8 in A Tale of Two Cultures: Qualitative and Quantitative Research in the Social Sciences. Princeton: Princeton University Press.
10.23943/princeton/9780691149707.003.0008 Google Scholar
- Goldsmith, Jack. 2012. Response to Paul on Cyber-Regulation for Critical Infrastructure. Lawfare Blog. May 21. [accessed July 25, 2019]. https://www.lawfareblog.com/response-paul-cyber-regulation-critical-infrastructure.
-
Gow, Gordon A. 2019. Policymaking for Critical Infrastructure: A Case Study on Strategic Interventions in Public Safety Telecommunications. Boulder: Routledge.
10.4324/9781351151603 Google Scholar
- Greenberg, Andy. 2019. New Clues Show how Russia's Grid Hackers Aimed for Physical Destruction. ars technica. September 12. [accessed September 17, 2019]. https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/.
- Sheltered Harbor. 2019. What is Sheltered Harbor? [accessed July 19, 2019]. https://shelteredharbor.org/.
- Harknett, Richard J., and James A. Stever. 2009. The Cybersecurity Triad: Government, Private Sector Partners, and the Engaged Cybersecurity Citizen. Journal of Homeland Security and Emergency Management 6(1).
- Harknett, Richard J., and James A. Stever. 2011. The New World of Cybersecurity. Public Administration Review: 455–60.
- Hayes, James K., and Charles K. Ebinger. 2011. The Private Sector and the Role of Risk and Responsibility in Securing the Nation's Infrastructure. Journal of Homeland Security and Emergency Management 8(1).
- Healey, Jason, Patricia Mosser, Katheryn Rosen, and Adriana Tache. 2018. The Future of Financial Stability and Cyber Risk. The Brookings Institution October 10. [accessed July 19, 2019]. https://www.brookings.edu/wp-content/uploads/2018/10/Healey-et-al_Financial-Stability-and-Cyber-Risk.pdf.
- HIPAA (Health Insurance Portability and Accountability Act of 1996), 1996 45 CFR Part 160 and Subparts A and E of Part 164, as modified in 2002. (a.k.a., the HIPAA Privacy Rule). [accessed July 26, 2019]. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.
- House Committee on Energy and Commerce. 2019. [accessed September 17, 2019]. https://energycommerce.house.gov/committee-activity/hearings/hearing-on-the-state-of-pipeline-safety-and-security-in-america.
- HSPD-7 (Homeland Security Policy Directive 7). 2003. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. HSPD 7, December 17.
-
Johnson, Thomas A. 2015. Cybersecurity: Protecting Critical Infrastructures from Cyber Attack and Cyber Warfare. Boca Raton: CRC Press.
10.1201/b18335 Google Scholar
- Khan, S, S. Madnick, and A. Moulton. 2018. Cybersafety Analysis of Industrial Control System for Gas Turbines. Working Paper CISL#2018-12. [accessed July 29, 2019]. bit.ly/madnick-turbine-analysis,.
- Koski, Chris. 2011. Committed to Protection? Partnerships in Critical Infrastructure Protection. Journal of Homeland Security and Emergency Management 8(1): Article 25.
- Koski, Chris. 2015. Does a Partnership Need Partners? Assessing Partnerships for Critical Infrastructure Protection. American Review of Public Administration 45(3): 327–42.
- Kramer, D.B., M. Baker, B. Ransford, A. Molina-Markham, Q. Stewart, K. Fu, et al. 2012. Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One 7(7): e40200.
- Kramer, D.B., and K. Fu. 2017. Cybersecurity Concerns and Medical Devices: Lessons from a Pacemaker Advisory. JAMA 318(21): 2077–8.
- Kramer, Franklin D. and Robert J. Butler. 2019. Cybersecurity: Changing the Model. Atlantic Council, Scowcroft Center for Strategy and Security. April. [accessed August 23, 2019]. https://www.atlanticcouncil.org/images/publications/Cybersecurity-Changing_the_Model.pdf.
- Kruse, Clemens Scott, Benjamin Frederick, Taylor Jacobson, and D. Kyle Monticone. 2017. Cybersecurity in Healthcare: A Systematic Review of Modern Threats and Trends. Technology and Health Care 25(1): 1–10.
- Lee, Robert M., Michael J. Assante, and Tim Conway. 2016. Analysis of the Cyber Attack on the Ukrainian Power Grid. SANS Industrial Control System and the Electricity Information Sharing and Analysis Center. [accessed 8 June, 2019]. https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf.
- Levine, M.E., and J.L. Forrence. 1990. Regulatory Capture, Public Interest, and the Public Agenda: Toward a Synthesis. Journal of Law, Economics, and Organization 6: 167–98.
- Lewis, James A. 2018. Written Statement before the Senate Judiciary Committee Subcommittee on Crime and Terrorism, Cyber Threats to Our Nation's Critical Infrastructure 226. Washington, DC: Dirksen Senate Office Building.
- Lochbaum, Dave. 2017. Nuclear Plant Cyber Security. Blog: All Things Nuclear. Union of Concerned Scientists. July 24. [accessed July 31, 2019]. https://allthingsnuclear.org/dlochbaum/nuclear-plant-cyber-security.
- Mather, Tim. 2018. Is Trust Breaking out? patternex. June 12. [accessed August 23, 2019]. https://www.patternex.com/blog/is-trust-breaking-out.
- May, Peter J. 2007. Regulatory Regimes and Accountability. Regulation & Governance 1: 8–26.
- May, Peter J., Chris Koski, and N. Stramp. 2016. Issue Expertise in Policymaking. Journal of Public Policy 36(2): 195–218.
- McCray, Lawrence E., Kenneth A. Oye, and Arthur C. Petersen. 2010. Planned Adaptation in Risk Regulation: An Initial Survey of US Environmental, Health, and Safety Regulation. Technological Forecasting and Social Change 77(6): 951–9.
- McCray, Lawrence and Kenneth A. Oye. 2007. Adaptation and Anticipation: Learning from Policy Experience. A Working Paper of the Political Economy and Technology Policy Program, Center for International Studies, Massachusetts Institute of Technology. [accessed September 18, 2019]. https://www.files.ethz.ch/isn/93715/mccrayoye-petpworking.pdf.
- Newmann, William. 2002. Reorganizing for National Security and Homeland Security. Public Administration Review 62: 126–37.
- Niles, Mark C. 2002. On the Hijacking of Agencies (and Airplanes): The Federal Aviation Administration, Agency Capture, and Airline Security. American University Journal of Gender, Social Policy & the Law 10(2).
- NIPP (National Infrastructure Protection Plan, Department of Homeland Security). 2009. National Infrastructure Protection Plan: Partnering to Enhance Security and Resilience. https://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf.
- NIPP (National Infrastructure Protection Plan, Department of Homeland Security). 2013. National Infrastructure Protection Plan: Partnering for Critical Infrastructure Security and Resilience. https://www.dhs.gov/sites/default/files/publications/national-infrastructure-protection-plan-2013-508.pdf.
- NIST (National Institute of Standards and Technology). 2016. Framework for Improving Critical Infrastructure Cybersecurity. April 16. [accessed July 25, 2019]. https://www.nist.gov/cyberframework/framework; https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
- NIST (National Institute of Standards and Technology). 2019. National Vulnerability Database. [accessed October 28, 2019]. https://nvd.nist.gov.
- Norris, Donald, Laura Mateczun, Anupam Joshi, and Tim Finin. 2019. Cyberattacks at the Grass Roots: American Local Governments and the Need for High Levels of Cybersecurity. Public Administration Review: 895–904.
- Nourian, A., and S. Madnick. 2018. A Systems Theoretic Approach to the Security Threats in Cyber Physical Systems Applied to Stuxnet. IEEE Transactions on Dependable and Secure Computing 15(1): 2–13.
- NRC (Nuclear Regulatory Commission). 2014. The U.S. Nuclear Regulatory Commission's Cyber Security Regulatory Framework for Nuclear Power Reactors, NUREG/CR-7141, September. [accessed July 31, 2019]. https://adamswebsearch2.nrc.gov/webSearch2/main.jsp?AccessionNumber=ML14323A203.
- NRC (Nuclear Regulatory Commission). 2019. Backgrounder: Cybersecurity. Office of Public Affairs. [accessed July 31, 2019]. https://www.nrc.gov/reading-rm/doc-collections/fact-sheets/cyber-security-bg.html.
- NRC OIG (Nuclear Regulatory Commission, Office of the Inspector General) and Defense Nuclear Facilities Safety Board. 2019. Audit of NRC's Cyber Security Inspections at Nuclear Power Plants. OIG-19-A-13, June 4. [accessed July 31, 2019]. https://www.oversight.gov/sites/default/files/oig-reports/OIG-19-A-13-Audit%20of%20NRC%27s%20Cyber%20Security%20Inspections%20at%20Nuclear%20Power%20Plants%20Final%20Report%28BXK%29.pdf.
- Nuclear Energy Institute. 2015. Safety: The Nuclear Energy Industry's Highest Priority. June. [accessed July 31, 2019]. https://www.nei.org/resources/fact-sheets/safety-nuclear-energy-industry-highest-priority.
- OECD (Organization for Economic Cooperation and Development). 2019. Good Governance for Critical Infrastructure Resilience. Paris: OECD Reviews of Risk Management Policies.
-
Onyeji, Ijeoma, Morgan Bazilian, and Chris Bronk. 2014. Cyber Security and Critical Energy Infrastructure. The Electricity Journal 27(2): 52–60.
10.1016/j.tej.2014.01.011 Google Scholar
- PDD-63 (Presidential Decision Directive/NSC-63). 1998. Critical Infrastructure Protection. May 22. [accessed July 23, 2018]. https://fas.org/irp/offdocs/pdd/pdd-63.htm.
- Perlroth, Nicole. 2017. Hackers Are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say. New York Times. July 6. [accessed July 31, 2019]. https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html.
- Poresky, Christopher, Charalampos Andreades, James Kendrick, and Per Peterson. 2017. Cyber Security in Nuclear Power Plants: Insights for Advanced Nuclear Technologies. Department of Nuclear Engineering, University of California at Berkeley (September). 10.13140/RG.2.2.34430.69449. [accessed July 31, 2019]. https://www.researchgate.net/publication/321443750_Cyber_Security_in_Nuclear_Power_Plants_Insights_for_Advanced_Nuclear_Technologies.
- PPD-21 (Presidential Policy Directive 21). 2013. Critical Infrastructure Security and Resilience. February 12, 2013 https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
- Raymond, Brian. 2016. Cybersecurity in the Manufacturing Sector. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 155–62. Arlington: Internet Security Alliance.
-
Rees, Joseph V. 1994. Hostages of each Other: The Transformation of Nuclear Safety since Three-Mile Island. Chicago: University of Chicago Press.
10.7208/chicago/9780226706894.001.0001 Google Scholar
- Roose, Kevin. 2018. Social Media's Forever War. The New York Times. December 17. [accessed October 2, 2019]. https://www.nytimes.com/2018/12/17/technology/social-media-russia-interference.html.
- Rosenzweig, Paul. 2011. Cybersecurity and Public Goods. [accessed July 24, 2019]. http://media.hoover.org/sites/default/files/documents/EmergingThreats_Rosenzweig.pdf.
- Rosenzweig, Paul. 2012a. The Unpersuasiveness of the Case for Cybersecurity Regulation – An Introduction. Lawfare Blog. May 17. [accessed July 24, 2019]. https://www.lawfareblog.com/unpersuasiveness-case-cybersecurity-regulation-%E2%80%93-introduction.
- Rosenzweig, Paul. 2012b. Thoughts about the Revised Lieberman-Collins Cybersecurity Bill. Lawfare Blog. [accessed July 24, 2019]. https://www.lawfareblog.com/thoughts-about-revised-lieberman-collins-cybersecurity-bill.
- Senate Committee on Commerce, Science, & Transportation, Subcommittee on Aviation and Space on the State of Airline Safety: Federal Oversight of Commercial Aviation. March 27, 2019.
- Slayton, R., and A. Clark-Ginsberg. 2018. Beyond Regulatory Capture: Coproducing Expertise for Critical Infrastructure Protection. Regulation & Governance 12: 115–30.
- Slayton, Rebecca, and Brian Clarke. 2020. Trusting Infrastructure: The Emergence of Computer Security Incident Response, 1989–2005. Technology and Culture 61(1): 173–206.
- Sowell, Jesse. 2015. Finding Order in a Contentious Internet. Massachusetts Institute of Technology, PhD dissertation.
- Speake, Graham. 2015. The Proliferation of Cyber Threats to Water and Wastewater. Water Online. [accessed June 27, 2019]. https://www.wateronline.com/doc/the-proliferation-of-cyber-threats-to-water-wastewater-0001.
- Spearman, Richard. 2016. Cybersecurity in Telecommunications. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 133–41. Arlington: Internet Security Alliance.
- Stigler, G.J. 1971. The Theory of Economic Regulation. The Bell Journal of Economics and Management Science 2(1): 3–21.
- Straw, Joseph. 2008. Food Sector Abandons its ISAC. Security Management (a publication of ASIS International). [accessed July 31, 2019]. https://sm.asisonline.org/Pages/Food-Sector-Abandons-Its-ISAC.aspx.
- Tansey, O. 2007. Process Tracing and Elite Interviewing: A Case for Non-probability Sampling. PS: Political Science & Politics 40(4): 765–72.
- van Dine, Alexandra, Michael Assante, and Page Stoutland. 2016. Outpacing Cyber Threats: Priorities for Cybersecurity at Nuclear Facilities. Nuclear Threat Initiative (NTI). December 7.
- Waldner, David. 2015. Process Tracing and Qualitative Causal Inference. Security Studies 24(2): 239–50.
- Wilcox, Dustin. 2016. Cybersecurity in the Healthcare Industry. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 63–81. Arlington: Internet Security Alliance.
- Wilson, James Q. 1980. The Politics of Regulation. New York: Basic Books.
- Wilson, James Q. 1989. Bureaucracy: What Government Agencies Do and why they Do it. New York: Basic Books.
- Wise, Charles. 2002. Organizing for Homeland Security. Public Administration Review 62: 131–44.
- Wise, Charles, and Rania Nader. 2002. Organizing the Federal System for Homeland Security: Problems, Issues, and Dilemmas. Public Administration Review: 44–57.
- World Economic Forum. 2014. Insight Report: Risk and Responsibility in a Hyperconnected World. January, 2014.
- Zandoli, Robert. 2016. Cybersecurity in the Food and Agriculture Sector. In The Cybersecurity Social Contract: Implementing a Market-Based Model for Cybersecurity, edited by Larry Clinton and David Perera, 163–74. Arlington: Internet Security Alliance.
