Ben Lane, CIPRNA event manager, met Terence Check, a Senior Counsel for Infrastructure Security in the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) Office of Chief Counsel.
In this role, Terence manages CISA’s repository of legal authorities and advises on constitutional and national security law issues in support to CISA’s critical infrastructure security mission, particularly on information-sharing, data protection, school safety, and counter-terrorism issues. Terence holds an LL.M, J.D., and B.A., teaches homeland security law, and writes frequently about cyber and national security issues.
The following is a transcription of their conversation.
Ben Lane:
Can you tell us, broadly, about your career to date and why you decided to embark on this career?
Terence Check:
Growing up in the Midwest in a diasporic community of Hungarian immigrants who had fled war, violence, and political oppression, I was acutely aware of history, geography, and civics issues at a young age. This grew into a keen interest in international affairs, national security, which naturally led me to a career with the federal government. After obtaining my J.D. and an LL.M in National Security Law and Policy, I have worked with the U.S. Department of Homeland Security since 2015. DHS has a fascinating, broad, and varied mission that touches everything from counterterrorism to cybersecurity to emergency management. Every day provides the possibility of working on a new or different national security problem.
Ben Lane:
Can you outline your present role as Senior Counsel for Infrastructure Security in the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) Office of Chief Counsel and your position as “advisor on constitutional and national security law issues in support to CISA’s critical infrastructure security mission”.
Terence Check:
At its core, my practice involves the study of the Constitution, an enduring framework for organizing our government in times of fair weather or foul (quite literally). Mainly, I advise CISA’s Executive Assistant Director for Infrastructure Security, his Deputy, and his senior staff on legal issues that arise during their daily operations with an emphasis on the statutory contours of their legal authorities. This makes my practice as wide as CISA’s mission, so on a given day, I might analyze legal issues spanning from school safety to cyber information sharing to disaster planning and response.
Ben Lane:
In your abstract and a topic for your presentation at CIPRNA 2024 (www.ciprna-expo.com) you say: “see something, say something” but many owners and operators of critical infrastructure might hesitate to share information with the federal government. Can you expand on what you mean and provide a short case study?
Terence Check:
In the United States, much of our critical infrastructure is owned by private or non-federal entities. As I said before, national security law is mainly the study of our Constitution, and our Constitutional framework makes federal authority one of limited scope. But many owners and operators interact with federal regulatory agencies, and many understandably struggle with sharing threat information when doing so might lead to legal or economic consequences.
Consider a scenario where a manufacturer of heavy machinery discovers a vulnerability in their custom software: warning their customers and the government might help prevent a major security incident. But sharing this information might expose proprietary details or create some reputational risks. Luckily, CISA oversees a couple of legal regimes that help to reconcile these at-times competing considerations. These regimes include PCII and CISA 2015, you can read more about them at https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing.
Ben Lane:
How do you see legislation changing that might include operators to be ‘forced’ to share information, or meet minimum standards of security?
Terence Check:
To this point, the United States has employed a largely voluntarily approach to sharing cyber and other types of threat information. Though there are several new regulatory developments in the field of cybersecurity (for example, the enactment of the Cyber Incident Reporting for Critical Infrastructure Act), I, myself, feel that legislative development should come alongside a growth in corporate responsibility in cybersecurity. Director Easterly has spoken about this at length, and I share her views that we largely need a cultural change: where cybersecurity is considered a niche IT issue, and to get to the point where ensuring good cybersecurity and data management practices becomes a core business issue.
Ben Lane:
Briefly explain the work of your department in reducing risk and its importance to overall CI strategies.
Terence Check:
CISA truly has a wide range of service and informational offerings that can assist stakeholders as large as Fortune 500 companies or as local as your neighborhood elementary school—and everywhere in between. Our recent efforts have focused on assisting sectors that are highly attractive targets to cyber bad actors but lack many of the resources, capabilities or investments needed to achieve the necessary level of cybersecurity. Healthcare, water systems, and educational institutions have become a particular area of focus. As the national coordinator for infrastructure security, CISA works closely with “sector risk management agencies”, which are parts of the federal government that have particular expertise and capability to help reduce risk to a particular sector or sub-sector of our economy.
Ben Lane:
What keeps you awake at night?
Terence Check:
We have a good understanding of known national security risks such as terrorism and cyber-attacks. These kinds of risks have led to the creation of CISA and the Department of Homeland Security. I worry about mid or far future risks or risks that have no kind of predictability. I would like to see new legal and policy work that gives DHS the authority to address these kinds of challenges.
Ben Lane:
Thank you and we look forward to your presentation at CIPRNA 2024 on the panel: Collaboration, Information Sharing and Enhancing PPPs https://ciprna-expo.com/session/collaboration-information-sharing-and-enhancing-ppps/
Terence Check:
Thank you, and so do I!