Protecting Critical Infrastructure From Cyberattack: Current Issues and Potential Solutions

Written by G. Andrew Ouellette, Class of 2022 

I. Introduction

On February 5, 2021, hackers gained unauthorized access to the control systems of a water treatment facility in Oldsmar, Florida.[1]  The Oldsmar facility, located about fifteen miles from Tampa, which hosted the Super Bowl the day before, provides water for businesses and over 15,000 residents.[2]  Once inside the computer system, the hackers were able to locate the software function controlling the levels of sodium hydroxide, commonly known as lye, that is added to the water. They proceeded to raise the levels of sodium hydroxide by more than 110 times the standard level, a level that could potentially be fatal to humans if ingested.[3]  Luckily, this crisis was averted thanks to the watchful eye of a plant operator who was able to return the levels to normal before any of the changes could take effect.[4]

Though no casualties were suffered as a result of the Oldsmar attack, the incident highlights a significant and growing threat to national security, a threat that the United States is increasingly unprepared to defend against. This is just one example in a long string of cyberattacks on infrastructure in recent years. According to the FBI, cyberattacks resulted in over $3.5 billion in financial losses reported in 2019 alone,[5] and experts estimate that this could reach $10.5 trillion globally by the year 2025.[6]  Generally, when people think of cyberattacks, they think of data breaches and theft of personal information due to the numerous cases affecting high-profile companies in recent years.[7]  However, more serious cyber threats exist, namely cyberattacks that target our nation’s critical infrastructure. Critical infrastructure (CI) is becoming an increasingly attractive target for terrorists and hackers due to both the strategic importance of CI and the “numerous vulnerabilities found within these assets and systems.”[8]  Experts have noted that “as industries become more digitally connected, we will continue to see more states and criminals target these sites for the impact they have on society.”[9]  A recent report distributed to the Senate Select Committee on Intelligence noted that China, Iran, and Russia all have the ability to launch disruptive cyberattacks on the U.S.’s critical infrastructure, including gas pipelines and electrical grids.[10]  Additionally, former Director of National Intelligence Dan Coats has warned that “Moscow is mapping our critical infrastructure with the long-term goal of being able to cause substantial damage.”[11]

While the concept of the federal government playing a significant role in protecting CI from attack is not a new one, the increasing interconnectivity of CI to the internet has brought a host of new challenges. Prior to the cyber-era, “the government’s role in protecting infrastructures was relatively justifiable and straightforward, as risks both originated and materialized in the kinetic realm.”[12]  However, risks have multiplied due to an increasing dependence on the internet, as well as the internet itself being classified as CI.[13]  The Covid-19 pandemic has only increased vulnerability with thousands of employees connecting to systems remotely, often with inadequate protection in place.

Rapid development, increasing complexity, and argument over the appropriate approach have led to a lag in policy addressing security regulations in the area. The United States, along with other countries, has so far been hesitant to impose strict regulations, instead opting for a “voluntary participation” based approach.[14] Not only have recent attacks and an increased reliance on remote connectivity laid bare the shortcomings of the current approach to protecting CI, but they have shown that it is time for the adoption of stricter regulation to protect against far more serious attacks.

This paper seeks to highlight some of the issues arising out of the current policy approach to protecting CI from cyberattack and propose recommendations in several key areas. Section II will begin by presenting an overview of relevant background information, including how critical infrastructure is categorized, the current landscape of the CI sectors, as well as current vulnerabilities to cyberattack. Next, Section III will briefly cover the policy history of CI protection in the United States with a focus on major developments to highlight how this policy has evolved as well as recent developments in this area. Section IV will explore the current policy approach as well as some of the significant benefits and drawbacks in key areas.

Section V will conclude by building on the topics discussed in the previous sections and present several proposals, including strengthening incentives for companies to build and maintain robust cybersecurity, furthering public-private information sharing, as well as creating a standardized federal cybersecurity requirement for CI sectors.

Continue reading

Ongoing Threat to Children’s Data in the American Education System

Written by Julie Libby, Class of 2022 

Introduction

Privacy regulations have been strengthening worldwide in recent years, but regulations continue to fall short regarding children’s data in K-12 education, specifically in the United States. Under current federal law, children’s privacy receives only face-level protections by not requiring protective measures to defend the mass collection of this class of vulnerable and valuable data. Future student privacy regulations are possible by creating a reliable structure to minimize threats experienced by students nationwide through evaluating leading federal and state laws, perceived inadequacies in recommended minimums, and developing trends at the state level. In the end, Congress bears the responsibility to enact mandatory minimum protections that effectively assume that even if a breach occurs, it was not due to the lack of sufficient protection.

Continue reading

Alexa, I’m Home! – The Risks & Regulation of the Internet of Things

Written by, Nora Hanson, Chris Knight, Blake McCartney & Dale Rappaneau, Class of 2022

I. Introduction

There are a variety of definitions of the “Internet of Things” (“IoT”). IoT has been described as “the concept of . . . connecting any device with an on and off switch to the Internet” and/or to another device.[1] It may also be explained as “[t]he interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.”[2] The concept of IoT encompasses many types of devices, including home technologies, wearable devices, and technology used by countless industries such as farming, manufacturing, transportation, and oil and gas.

This paper focuses on IoT in the consumer’s home, a space ripe with privacy considerations. First, this paper considers IoT in the home and the corresponding privacy risks. Next, this piece explains the manner in which the United States currently regulates IoT. Finally, this paper considers how the United States will regulate IoT moving forward.

Continue reading

The Legal Footholds of Three States and the District of Columbia Against a Technological Goliath

Written by Hannah G. Babinski, Class of 2024 

I. Introduction

To no one’s surprise, Big Tech is in trouble yet again for attempting to overstep the boundaries of consumer privacy. From the notorious Facebook controversy involving Cambridge Analytica in 2018 to the most recent ballad of chronic misinformation stemming from Spotify’s perpetuation of Joe Rogan’s podcast, it seems that Big Tech’s complacency or even compliance with problematic practices connected to its online presence consistently leaves many Americans scratching their heads. Google is the latest tech conglomerate to stumble in the public arena.

This is not a historic moment for the California-based tech giant whose business model is heavily dependent on its prolific digital advertising, collection, surveillance, and auction of user data, including location tracking which alone earned the company an estimated $150 billion dollars in 2020.[1] In October 2020, the U.S. Justice Department and eleven states sued Google in federal court, alleging that Google abused its dominance over the search engine market—comprising 90% of web searches globally—and online advertising.[2] Then, in December of 2020, ten states separately sued Google in federal court on the grounds of alleged anti-competitive conduct.[3] Undoubtedly, Google’s utter electronic control over the online market is equally as impressive as it is troubling—a sentiment resounded by the bombardment of state-instigated suits—but it pales in comparison to the basis of the most recent lawsuit.

Continue reading

Cyber Harassment: A Global Issue Within Evolving Technology

Written by Roosevelt Bishop, Devon Draker, Shelbie Mora, and Gabrielle Schwartz as a final paper for the Fall 2021 session of Information Privacy Law

Introduction

Cyber harassment “involves threats of violence, privacy invasions, reputation-harming lies, calls for strangers to physically harm victims, and technological attacks.”[1] Though all of these elements fall under harassment or abuse, online harms can be divided into different mediums and subsections. The various types of cyber harassment “capture the different ways[s] the Internet exacerbates the injuries suffered . . . by extend[ing] the life of destructive posts.”[2] This paper addresses evolution and increased incidences of cyber-harassment such as revenge porn, cyberstalking, Zoom-bombing, and doxxing, and the need for a federal legal solution. Congress must address this harm by enacting a comprehensive cyber-harassment legislation containing the elements detailed below.

Continue reading

How China is Weaponizing Privacy

Written by Noah Katz, Ohio State University Moritz College of Law

What is China’s new privacy law?

The Personal Information Protection Law (PIPL), which took effect in November 2021, is China’s first comprehensive data privacy law.[1] The PIPL’s impact is immense given that China is home to almost one billion internet users.[2] The new legislation provides a clear framework for regulating the use of personal data, but, if violated, businesses could face massive fines and may even be blacklisted by the Chinese government.[3]

  Continue reading

The Internet of Things – A Brief Exploration of Emerging Technology and the Status of American Privacy Regulations Developing Around It

 Written by Chris McGhee, Jason Meuse, Christa Vo, & Kelsey Kenny as a final paper for the Fall 2021 session of Information Privacy Law 

A. Introduction

The Internet of Things is a term that describes the network of sensors embedded in otherwise mundane consumer products which collect data and connect to the internet.1 The capabilities of this technology range from offering simple conveniences to consumers, such as a light that turns on or off at the sound of clapping, to life-saving services like real-time blood sugar monitoring and insulin administration for diabetics or instant notice to emergency responders when a car accident occurs.2 To function properly, these devices rely on constant data input and network connectivity to trigger a mechanical function, or to teach an algorithm how to tailor its functions more succinctly to suit the needs of the individual consumer.3 Whether we are aware of it or not, the use of connected devices in our day-to-day lives is growing increasingly common; several sources predict that the world will have approximately 64 billion Internet of Things, “IoT,” devices by 2025.4 The era of digital commerce has incentivized the rapid development of invasive hardware and data analytics tools because, in the world of IoT, aggregate data is incredibly valuable,5 and consumers are “data goldmine[s].”6 Continue reading

Words of Wisdom from the Young Privacy Professionals Panel: Highlights and Takeaways 

KELSEY KENNY, Class of 2023

The evening of Thursday, November 4th, Maine Law’s Information Privacy Association, in collaboration with the Mortiz College of Law’s Data Privacy and Cyber Security Club, hosted an informal discussion panel to facilitate a dialogue between law students with an interest in information privacy and six professionals who have had success navigating the early stages of their evolving and dynamic careers in the field. Craig Carpenter, Caroline Hopland, Casey Waughn, Kenesa Ahmad, Lee Matheson, and Scott Bloomberg graciously contributed their time and insights to the forum. Continue reading

Predicting Drug Diversion: The Use of Data Analytics in Prescription Drug Monitoring

CATHLEEN LONDON, MD CIPP/US, Class of 2022

Equifax just completed the acquisition of Appriss Insights,[1] who is rebranding as Bamboo Health.[2] How much data sharing goes on between the entities? Just as Appriss’ NarxCare score[3] is a black box[4], never subjected to peer review or outside scrutiny[5], this reorganization seems designed to hide data sharing. Continue reading