Following his recent State of the Union address, President Obama issued an Executive Order entitled "Improving Critical Infrastructure Cybersecurity."
The Policy section of the Executive Order notes that repeated cyber intrusions into critical infrastructure demand improved cybersecurity. This section correctly points out that the threat to critical infrastructure "continues to grow and represents one of the most serious national security challenges we must confront."
Indeed, it is stated that the "national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats."
Accordingly, the Executive Order provides in no uncertain terms that "it is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." The Executive Order provides that these aspirations can be achieved by way of "a partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."
The first major prong of the Executive Order calls for cybersecurity information sharing. Specifically, the U.S. government is "to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats." The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence are tasked with coming up with instructions to fulfill this goal.
The second significant prong of the Executive Order seeks to maintain privacy and civil liberties protections. Thus, federal agencies are directed to coordinate their activities pursuant to the Order with senior privacy and civil liberties agency officials to "ensure that privacy and civil liberties protections are incorporated into such activities."
The third important prong of the Executive Order demands a baseline framework to reduce cyber risks to critical infrastructure. The Secretary of Commerce is to direct the Director of the National Institute of Standards and Technology "to lead the development of a framework to reduce cyber risks to critical infrastructure."
The fourth key prong of the Executive Order calls for a voluntary critical infrastructure cybersecurity program. The Secretary of Homeland Security, in tandem with sector-specific agencies, is to set up a voluntary program to support the adoption of a cybersecurity framework by owners and operators of critical infrastructure along with other potential interested parties.
A fifth noteworthy prong of the Executive Order requires identification of critical infrastructure at greatest risk. The Secretary of Homeland Security is to implement a risk-based approach "to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."
President Obama is on the right track in proactively seeking to grapple with potential threats to critical infrastructure cybersecurity. But the devil can be in the details, and time will tell whether the instructions provided in the Executive Order will lead to the development of sufficient programs and protections.
This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.
Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets. The Duane Morris Institute provides training workshops for HR professionals, in-house counsel, benefits administrators and senior managers.