The US approach to offline and online threats and attacks on critical infrastructure by non-state actors
Updated on 12 December 2022
The US government has increasingly identified critical infrastructure as a particularly attractive target for criminal and terrorist groups that seek to injure the state’s interests and capabilities. But what is critical infrastructure?
In Section 5195c of Title 42 of the United States Code, it is defined as:
systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters
The Cybersecurity and Infrastructure Security Agency (CISA) in the US government covers 16 critical infrastructure sectors: chemicals; communications; dams; emergency services; financial services; government facilities; information technology; transportation; commercial facilities; critical manufacturing; the defence industrial base; energy; food and agriculture; healthcare and public health; nuclear reactors, materials and waste; and waste and wastewater systems. This list is comprehensive but it may of course differ from country to country depending on local circumstances and priorities.
Responding to online and offline threats to critical infrastructure
The Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21) outlines measures for prevention and awareness-raising relating to ‘physical and cyber threats’ to critical infrastructure.
The identification of critical infrastructure as a potential target of criminal activities raises the issue of prevention and enforcement. Computer crimes involving critical infrastructure are punished under Section 1030 of Title 18 of the US Code, which covers ‘fraud and related activity involving computers;. In particular, crimes committed with computers, which threaten public health or safety, could be punished with up to five years in prison under Section 1030(c)(4)(A)(i)(IV). The Executive Office for United States Attorneys in the U.S. Department of Justice (DOJ) asserts that this section effectively covers computer crimes that could threaten public health or safety by having an impact on critical infrastructure, due to the computer networks involved in running them. In other words, if a hacker disrupts a computer network protecting, for example, a nuclear power plant’s perimeter, he could face prison time under Section 1030 for threatening public health or safety.
What about an offline criminal act, for example, a group of terrorists breaches the perimeter of the plant and damages it once the hacker has demobilised the facility’s security? This could be prosecuted and punished, for example, under Section 831 of Title 18 of the US Code, which prohibits and punishes, inter alia, illegal removal, dispersal, or use of nuclear material, or Section 2332i, which punishes damaging a nuclear facility to release radioactive material. A crime can thus involve several prosecutable infractions, whether offline or online or both.
Therefore, an online hack to disable a nuclear facility’s security perimeter, in addition to an offline attack on the facility by a terrorist group (to steal nuclear material or damage the facility to release radiation) once the perimeter is no longer secured, are all related to a coordinated attack with the impact of threatening public health or safety.
Responding to offences committed in other countries
There was one gaping hole, however, in the US strategy to respond to the kind of scenario described above. What if the hacker is not located in the United States but coordinated with the terrorist group on his computer or device outside the USA? In other words, how could the Department of Justice effectively coordinate with authorities in other countries to seek evidence or extradition if a hacker helps a group of terrorists attack a nuclear facility in the USA by disabling its security perimeter?
To address this gap, in 2018, the US Congress adopted the so-called CLOUD (Clarifying Lawful Overseas Use of Data) Act which, inter alia, added Section 2713 to Title 18 of the United States Code. Under this section, a remote communication or computing service would have to provide information if requested by governmental entities, regardless of whether the data was stored in the USA or not, if there was some nexus with an enforcement action, such as an investigation in the USA. In the scenario above, a provider hosting information related to the hacker’s activities outside the USA would therefore, in principle, be compelled to provide information to the US authorities requesting it.
In summary, online and offline activities are increasingly bundled together in concepts of prevention, awareness-raising, and enforcement in US policy with the overall objective of protecting critical infrastructure from threats and attacks and prosecuting and punishing perpetrators when they occur.
Scott Spence is an expert with the Security Council Committee established pursuant to resolution 1540 (2004) (this post was written in his personal capacity). Scott previously worked at VERTIC, INTERPOL, the Organisation for the Prohibition of Chemical Weapons and Freshfields Bruckhaus Deringer. He has recently received an Advanced Diploma in Internet Governance from Diplo.
Browse through our alumni blog posts at Diplo Alumni Blog.