The legal commentary surrounding terrorism, concerned with pressing constitutional questions, has to date largely ignored the role that regulatory agencies can play in reducing terrorism risks. This gap in the literature is peculiar because regulatory agencies have long assumed primary responsibility within the government for assessing and managing abstract risks and are therefore remarkably well-positioned to shore up our vulnerabilities against terrorist strikes. In an effort to turn the academic discussion to the regulatory aspects of the war on terror, this Article assesses the federal government's incipient regulatory effort to reduce terrorism risks to the nation's critical infrastructure. After concluding that the cornerstone of this administration's risk-reduction approach, the Critical Infrastructure Information Act of 2002, will fail to ensure that the government has adequate information to serve as a foundation for a coherent regulatory response, the Article proposes an alternative strategy based on a practice known as benchmarking. Under this approach, independent auditors would inspect high-risk firms within an industry and publicly rank those firms against each other according to their relative security vulnerabilities. Armed with this information, both the public and government regulators could bring continuous pressure to bear on private firms to reduce their vulnerabilities where most appropriate. Although a benchmarking approach would be plagued with some predictable weaknesses, the Article concludes that it nevertheless could prove to be an important feature of a comprehensive regulatory strategy to secure our critical infrastructure.