Asaf Lubin

The May 2021 ransomware attack on Colonial Pipeline was a wake-up call for a federal administration slow to realize the dangers that cybersecurity threats pose to our critical national infrastructure. The attack forced hundreds of thousands of Americans along the east coast to stand in endless lines for gas, spiking both prices and public fears. These stressors on our economy and supply chains triggered emergency proclamations in four states, including Georgia. That a single cyberattack could lead to a national emergency of this magnitude was seen by many as proof of even more crippling threats to come. Executive Director of the Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales, went on to describe the incident as a “galvanizing event for the country.”

This Article challenges this characterization, suggesting instead that little has changed in terms of regulation, enforcement, or liability and that, as a result, another cyber incident targeting our critical infrastructure is, quite frankly, a matter of when and not if. The Article explores a set of kneejerk legal processes—litigatory, regulatory, and legislative—which were set in motion in the wake of the Colonial Pipeline incident. For each of these processes the Article highlights points of failure in generating positive long-term effects aimed at increasing broader cybersecurity. Relying on insights from Daniel Solove and Woody Hartzog’s recent book Breached!, this Article treats the Colonial Pipeline incident as a microcosm through which to understand our broader regulatory deficits in critical infrastructure cybersecurity. Against this backdrop, the Article offers the first scholarly examination of a new and innovative blueprint developed by the Biden Administration to promote holistic regulations as part of a National Cybersecurity Strategy. The Article highlights both the promises and pitfalls of this Strategy on future regulation of critical infrastructures.
