Every time a piece of critical infrastructure is stressed by a cyber incident, the public conversation inevitably includes some discussion of the need for a public-private partnership in defending the domain. In the aftermath of the Colonial Pipeline ransomware incident, that discussion has popped up, among other places, in the New York Times reporting on the incident and the Biden administration’s possible response.
Buried in the Times story is the commonplace assertion that public-private coordination is necessary because 85 percent of the nation’s critical infrastructure is owned by the private sector. The Times isn’t unique in its reliance on this data point as a guide to policymaking—leaders like FBI Director Christopher Wray and Sen. Angus King have also publicly referred to it in recent days. It’s not clear exactly why the Times invoked the figure, but presumably this statistic is offered to contrast the American reality with that of other nations. All of the critical infrastructure in, China, for example, is controlled by the state; and it seems plausible (given the generally greater state role in the economy) to believe that even in other Western democracies, such as France or Germany, the state has direct control over a greater portion of the national infrastructure than it does here in the United States.
The difference matters. Form follows function, and the structure of the laws, regulations, and guidance a country puts in place will depend greatly on how researchers think the market is structured. Focus on the private sector is at the heart of the reported decision of the Biden administration to focus some of its forthcoming executive order on setting regulatory standards or guidelines for private-sector cyberdefense.
But policy is only as good as the data you have. And for years, I have been wondering—is it really the case that 85 percent of the critical infrastructure in America is controlled by the private sector? Some quick research suggests the figure has no clear factual grounding, despite the frequency with which it is cited.
As a descriptive matter, I confess that the number seems high to me. Much of the U.S. transportation sector is in government hands, as is much of the energy sector (though obviously not all of it). Dams, wastewater treatment facilities, nuclear waste and government facilities are all to greater or lesser degrees under government control. To be sure, other sectors, such as agriculture and health care, are predominantly private in nature. But still, my instinct is that the estimate of 85 percent is near the top end of reality.
Yet the 85 percent statistic is a commonplace, repeated regularly and canonically in news reports, congressional findings and the like. So, I set out to find out the source of this factoid. The results are less than clear.
In 2010, looking at the problem, I wrote the following: “Typical is the statement of Senator Diane Feinstein at a Senate Judiciary Committee Hearing in 2004: ‘I would also note that 85 to 90 percent of our nation’s cyber-infrastructure remains under the control of the private sector.’ Likewise, Mishel Kwon, the former Director of the US Computer Emergency Response Team (US-CERT) noted in a 2010 interview ‘the high level of private ownership of critical infrastructure (between 85-90 percent).’” (The source citations in the original link to reports that, as seems typical for the transient nature of the internet, no longer exist on the web.)
If you dig deeper into the origins of the statistic, the answer is sort of a self-licking ice cream cone of self-reference. For example, this Federal Emergency Management Agency (FEMA) report from 2011 cites the 85 percent figure and footnotes a Government Accountability Office (GAO) report from 2009. That seems promising, but the GAO report itself quotes the figure of 85 percent without citation and with only the preamble “[a]ccording to DHS,” so the 2011 FEMA report is, in effect, the Department of Homeland Security citing its own prior assertions as fact. One can find a 2006 report from the GAO that says “the private sector owns approximately 85 percent of the nation’s critical infrastructure[,]” but again the report offers no data or citation for the conclusion—just the bald statement of fact without a source.
Other sources similarly don’t offer any definitive hint of where the statistic came from. You cannot, for example, find this data in the report of the President’s Commission on Critical Infrastructure Protection. Released in 1997, the report was more or less the foundational start of the U.S. assessment of infrastructure vulnerabilities in the information age. (For those who want to be depressed at how little progress has been made, going back and reading its recommendations is sobering.) For what it’s worth, the earliest citation I can personally find is a 2003 report from the Heritage Foundation, authored by Larry Wortzel. I know Wortzel to be a careful researcher, so he must have had a basis for the assertion, but he offers no source for the data point. Given the timing of the report’s 2003 release, the Heritage Report is perhaps where Sen. Feinstein got the figure. Without any real sense of where the figure came from, the 85 percent number has become widely accepted. Today, nearly 20 years later, it is “widely understood” that 85 percent is the correct figure, so much so that the U.S. Chamber of Commerce reports that figure as gospel.
But as far as I can tell, there is no “there” there. The figure doesn’t appear to be grounded in any real data—no survey, no census, nothing. I would be happy to be corrected if I’m wrong. Because making policy based on a myth is not a satisfactory way of managing the nation’s infrastructure.
ADDENDUM: This article received many responses, from which I learned a great deal. Three points, in particular, seem worth adding as a formal addendum to the original post:
1) I was unaware of this by Christopher Bellavita from 2009 -- "85% of what you know about homeland security is probably wrong" -- when I wrote in 2010 and yesterday. It makes much the same point and this is a good example of "great minds think alike." I wanted to acknowledge his parallel thinking.
2) My friend Christian Beckner from CNAS points me to the 2002 National Strategy for Homeland Security as an earlier source of the 85% statistic. It, too, is asserted without citation but given its prominence we can reasonably surmise that it was the source for both Wortzel's 2003 article and Senator Feinstein's speech in 2004. Beckner also notes that the statistic does NOT appear in the January 2001 report of the President to Congress on the Status of Federal Critical Infrastruction Protection Activities. Like the Presidential Commission report from 1997 that I noted earlier, this is the sort of comprehensive analysis that would be the source for such an assertion, if the data to back it up existed. The omission of this statistic from these earlier reports, and its appearance in an official strategy just 18 months later (and just 10 months after the 9/11 attacks) suggests to me that its citation in the strategy was just an estimate (no doubt made in good faith) for which no real data exists.
3) Finally, another colleague pointed out to me that the 85% statistic was deliberately =left out= of the Quadrennial Homeland Security Review precisely because it has no factual grounding. That leaders of such stature as Director Wray and Senator King continue to repeat the point as a "fact" when it is no such thing shows how hard it is to unwide a myth once it is entrenched. Will this have grave effects? Probably not. But if it is frustrating to try to make policy without data, it is even more frustrating to try to make it when the data you rely on is wrong.