Every time a piece of critical infrastructure is stressed by a cyber incident, the public conversation inevitably includes some discussion of the need for a public-private partnership in defending the domain. In the aftermath of the Colonial Pipeline ransomware incident, that discussion has popped up, among other places, in the New York Times reporting on the incident and the Biden administration’s possible response.
Buried in the Times story is the commonplace assertion that public-private coordination is necessary because 85 percent of the nation’s critical infrastructure is owned by the private sector. The Times isn’t unique in its reliance on this data point as a guide to policymaking—leaders like FBI Director Christopher Wray and Sen. Angus King have also publicly referred to it in recent days. It’s not clear exactly why the Times invoked the figure, but presumably this statistic is offered to contrast the American reality with that of other nations. All of the critical infrastructure in China, for example, is controlled by the state; and it seems plausible (given the generally greater state role in the economy) to believe that even in other Western democracies, such as France or Germany, the state has direct control over a greater portion of the national infrastructure than it does here in the United States.
The difference matters. Form follows function, and the structure of the laws, regulations, and guidance a country puts in place will depend greatly on how researchers think the market is structured. Focus on the private sector is at the heart of the reported decision of the Biden administration to focus some of its forthcoming executive order on setting regulatory standards or guidelines for private-sector cyberdefense.
But policy is only as good as the data you have. And for years, I have been wondering—is it really the case that 85 percent of the critical infrastructure in America is controlled by the private sector? Some quick research suggests the figure has no clear factual grounding, despite the frequency with which it is cited.
As a descriptive matter, I confess that the number seems high to me. Much of the U.S. transportation sector is in government hands, as is much of the energy sector (though obviously not all of it). Dams, wastewater treatment facilities, nuclear waste and government facilities are all to greater or lesser degrees under government control. To be sure, other sectors, such as agriculture and health care, are predominantly private in nature. But still, my instinct is that the estimate of 85 percent is near the top end of reality.
Yet the 85 percent statistic is a commonplace, repeated regularly and canonically in news reports, congressional findings and the like. So, I set out to find out the source of this factoid. The results are less than clear.
In 2010, looking at the problem, I wrote the following: “Typical is the statement of Senator Dianne Feinstein at a Senate Judiciary Committee Hearing in 2004: ‘I would also note that 85 to 90 percent of our nation’s cyber-infrastructure remains under the control of the private sector.’ Likewise, Mischel Kwon, the former Director of the US Computer Emergency Response Team (US-CERT) noted in a 2010 interview ‘the high level of private ownership of critical infrastructure (between 85-90 percent).’” (The source citations in the original link to reports that, as seems typical for the transient nature of the internet, no longer exist on the web.)
If you dig deeper into the origins of the statistic, the answer is sort of a self-licking ice cream cone of self-reference. For example, this Federal Emergency Management Agency (FEMA) report from 2011 cites the 85 percent figure and footnotes a Government Accountability Office (GAO) report from 2009. That seems promising, but the GAO report itself quotes the figure of 85 percent without citation and with only the preamble “[a]ccording to DHS,” so the 2011 FEMA report is, in effect, the Department of Homeland Security citing its own prior assertions as fact. One can find a 2006 report from the GAO that says “the private sector owns approximately 85 percent of the nation’s critical infrastructure[,]” but again the report offers no data or citation for the conclusion—just the bald statement of fact without a source.
Other sources similarly don’t offer any definitive hint of where the statistic came from. You cannot, for example, find this data in the report of the President’s Commission on Critical Infrastructure Protection. Released in 1997, the report was more or less the foundational start of the U.S. assessment of infrastructure vulnerabilities in the information age. (For those who want to be depressed at how little progress has been made, going back and reading its recommendations is sobering.) For what it’s worth, the earliest citation I can personally find is a 2003 report from the Heritage Foundation, authored by Larry Wortzel. I know Wortzel to be a careful researcher, so he must have had a basis for the assertion, but he offers no source for the data point. Given the timing of the report’s 2003 release, the Heritage Report is perhaps where Sen. Feinstein got the figure. Without any real sense of where the figure came from, the 85 percent number has become widely accepted. Today, nearly 20 years later, it is “widely understood” that 85 percent is the correct figure, so much so that the U.S. Chamber of Commerce reports that figure as gospel.
But as far as I can tell, there is no “there” there. The figure doesn’t appear to be grounded in any real data—no survey, no census, nothing. I would be happy to be corrected if I’m wrong. Because making policy based on a myth is not a satisfactory way of managing the nation’s infrastructure.