On February 12, 2013, after months of speculation and leaked
drafts, President Obama signed an Executive Order on Improving Critical
Infrastructure Cybersecurity (EO). The EO represents the
White House’s response to Congress’s failure last year
to pass the Cybersecurity Act of 2012 (S. 2105). As such, the
EO puts in place measures aimed at replicating key provisions of
the failed bill, in particular, measures to encourage information
sharing between the government and private industry, as well as
measures to put in place “voluntary” cybersecurity
standards for critical infrastructure.
Without a congressional enactment, the EO relies on existing
authorizations. As explained below, the result is
mixed. The EO puts in place limited information sharing
measures that will expand on existing pilot efforts to share
classified cyberthreat information generated by the government with
industry, but these measures do not expand private entities’
ability to share their own information with the government.
(Notably, Congress is currently considering a bill, the Cyber
Intelligence Sharing and Protection Act (CISPA), that would address
this limitation.) On the other hand, the EO puts in place what
could be a fairly muscular program to encourage the adoption of
voluntary cybersecurity standards by critical infrastructure owners.
This program, which is nearly as strong as the measures proposed in
the final version of the ill-fated Cybersecurity Act of 2012,
employs a number of different incentives to encourage adoption of
higher standards, and those incentives may make the program
considerably less voluntary than it appears. A key question,
however, will be how stringent the cybersecurity standards that
are actually adopted turn out to be.
Information Sharing
One of the few areas of agreement during last year’s
cybersecurity legislative debate was that more information sharing
was needed to ensure that both private and government actors had
the latest available cyberthreat information. Current
cybersecurity technology relies largely on "signatures" of known
attacks (indicators derived from malware and intrusions that have
already been observed) to filter out malicious traffic before it
enters IT systems. The limitation of such technology is that it
cannot detect an attack nobody has yet described, so its value
depends on how rapidly information about newly discovered attacks
is disseminated to other entities that can then protect
themselves. Up until now, concerns about the security of
classified information have limited the amount of information the
government was willing to share with industry to a narrow pilot
program aimed at defense contractors, the Defense Industrial Base
Enhanced Cybersecurity Services program. And privacy laws, in
particular those related to wiretaps, have made it difficult,
absent legislative action, for some companies to share information
with the government.
The EO primarily addresses the former issue by making it easier for
the government to share information with the private sector:
- It provides for the creation of “unclassified reports of cyber threats to the US homeland that identify a specific targeted entity” and for the creation of a process to disseminate these reports to those entities. The Secretary of Homeland Security (Secretary), the Attorney General, and the Director of National Intelligence are required to issue instructions for the creation of these unclassified reports within 120 days of the order.
- It requires the expansion of the Enhanced Cybersecurity Services (ECS) program from just focusing on defense contractors to now providing classified cyberthreat indicators to critical infrastructure companies and their service providers. White House talking points regarding the EO indicate that this will be aimed at creating "real time information sharing." Again, the procedures for expanding this program have to be established within 120 days of the date of the order, and the EO further provides for expedited processing of security clearances for critical infrastructure employees to ensure that these entities can participate in ECS.
- Finally, in order to give the government better insight into the cyberthreat information needs of critical infrastructure owners, the EO also provides for the expansion of programs to bring private sector subject matter experts into the government. This is one of the few measures that will allow the private sector to share its knowledge with the government. But it appears aimed more at helping the government strengthen its own sharing systems than at getting actionable cyberthreat information from the private sector into the government's hands.
In recognition of continuing potential legal barriers to voluntary sharing of information by the private sector to the government, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) reintroduced CISPA on February 13, 2013. CISPA, which passed the House of Representatives in 2012, would create an exception to federal and state wiretap and other laws to allow for the sharing by private companies of cyberthreat information. The bill, however, was criticized by some last year because of privacy concerns, and the White House threatened to veto it.
Voluntary Critical Infrastructure Cybersecurity Program
The second major component of the EO is a set of measures aimed
at creating voluntary cybersecurity standards for private critical
infrastructure owners. During the 2012 legislative debates,
opposition by industry first led the Senate to drop proposed
mandatory regulation of critical infrastructure in favor of
voluntary standards, and then caused even that watered-down
proposal to be defeated by a filibuster. While the President may
lack the statutory authority to impose regulatory requirements
outright, the EO puts in place a voluntary scheme, similar to last
year's legislative proposal for voluntary measures, that is likely
to have some teeth. The EO requires the creation of a "framework
to reduce cyber risks to critical infrastructure" and then includes
a number of measures to encourage the adoption of that framework.
As to the framework itself, the EO requires the National Institute
of Standards and Technology (NIST) to lead its development in
consultation with the National Security Agency, agencies
responsible for regulating particular critical infrastructure
sectors, other government agencies, like OMB, and industry.
The EO requires that the framework “include a set of
standards, methodologies, procedures, and processes that align
policy, business, and technological approaches to address cyber
risks,” and that the framework “incorporate voluntary
consensus standards and industry best practices to the fullest
extent possible.”
NIST will be required to publish a preliminary version of the
framework within 240 days for comment, and then the final version
will be published within a year, with NIST regularly reviewing and
updating it as necessary. The major question to watch for
with this framework is how stringent the actual requirements will
be. Given that the EO has been issued after industry
opposition blocked legislation to do the same thing, and also given
the fact that NIST will be working on a relatively tight deadline
to produce the framework, the chances seem good that the process of
developing it will be a contentious one that might lead to only a
bare minimum set of standards. Another issue to watch will be
how effectively the ultimate framework addresses technological
change. Critics have raised concerns that the framework would
be ineffective if all it does is lock in existing standards that
may soon be out of date.
The EO also contains a number of measures aimed at encouraging
adoption of the framework by critical infrastructure owners.
While these provisions have been touted publicly as
"voluntary," the EO in a number of places directs agencies to use
their existing statutory authority to urge compliance with the
framework. Perhaps more significantly, the framework is likely to
go a long way toward establishing a standard of care for
cybersecurity, at least among critical infrastructure owners.
Thus, if in the future a critical infrastructure owner suffers a
breach, prospective plaintiffs (including people harmed by the
breach as well as shareholders) may ask whether the owner complied
with the framework. As a result, mandatory or not, companies may
feel compelled to comply with it.
The measures include:
- Within 150 days, the identification by DHS, through a consultative process, of the critical infrastructure that is at greatest risk. The EO includes a broad definition of critical infrastructure. Section 2 of the EO defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The EO, however, explicitly states that the Secretary may not identify commercial IT products or consumer IT services as critical infrastructure. Once they have been identified, owners and operators of critical infrastructure are to be confidentially notified of their status and given an opportunity to request reconsideration of the designation.
- The creation of a voluntary program to support the adoption of the framework by “owners and operators of critical infrastructure and any other interested entities.” The EO instructs sector-specific agencies, consulting with other government agencies and in coordination with relevant Sector Coordinating Councils “to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.” The EO also includes several possible ways of encouraging adoption of the framework. First, it employs “name and shame” tactics, requiring sector-specific agencies to report annually to the President on the extent to which identified infrastructure has adopted the framework. Second, the EO requires the Secretary, working with the Treasury and Commerce Departments, to propose a set of incentives for parties to adopt the framework within 120 days of the signing of the EO. Finally, it requires the Department of Defense and the General Services Administration to make recommendations to the President within 120 days on the feasibility of incorporating cybersecurity requirements into acquisition planning and contract administration.
- A requirement that government agencies that regulate critical infrastructure sectors review the framework “and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.” Agencies will be required to publish a preliminary assessment of existing regulations 90 days after the preliminary version of the framework is published that takes into account whether or not the agency has clear regulatory authority to put in place standards based on the framework and any additional authority that might be required. To the extent that agencies determine that their regulatory requirements are insufficient, they will be required, 90 days after the publication of the final framework, to propose prioritized, risk-based actions to improve cybersecurity in the critical infrastructure sectors that they regulate.
Conclusion
Much of the impact of the EO will likely turn on how stringent
the voluntary cybersecurity standards that it creates will
be. As noted, there are many reasons to believe that, at
least in its first iteration, the voluntary framework will aim for
the lowest common denominator in cybersecurity standards.
Nonetheless, the EO may impact a number of industries.
Regulated entities and government contractors will particularly
need to watch and see whether the voluntary framework will lead to
mandatory requirements for them. Entities ultimately
identified as critical infrastructure will also need to consider
carefully the incentives and disincentives for complying with the
EO. It is worth noting in this context that, beyond the annual
reports to the President on the extent of adoption, the EO does
not appear to create a mechanism for monitoring industry
compliance. Finally, companies not directly affected by the
EO will need to consider the extent to which the voluntary
framework will create a standard of care within their own
industry.
Given the tight deadlines within the EO, we understand that its
implementation is likely to occupy a number of policymakers’
and regulators’ attention this year, particularly at the
Department of Homeland Security. This will be an
important space to watch.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.