On February 12, 2013, the US President released the long-awaited Executive Order on cybersecurity (the "EO"), which is nearly identical to the draft version that was leaked at the end of November 2012. The EO establishes a voluntary program to support the adoption of cybersecurity standards (called a "Cybersecurity Framework") by owners and operators of critical infrastructure. "Critical infrastructure" for the purposes of the EO will be identified using a risk-based approach by the Department of Homeland Security. The EO tasks the National Institute of Standards and Technology (NIST), within the Department of Commerce, to develop a baseline Cybersecurity Framework that sector-specific agencies would rely upon to establish a voluntary critical infrastructure cybersecurity program. The EO permits agencies to:
- Add supplemental materials as necessary to address risks that are specific to their sectors;
- Use existing statutory authority to regulate the cybersecurity of critical infrastructure;
- Identify additional authority necessary to enhance the cybersecurity of critical infrastructure.
The EO also seeks to improve Government information sharing with the private sector by increasing the volume, timeliness and quality of information about cyber threats. However, it is unclear whether private entities would share information with other entities and the government as envisioned by the EO until Congress adopts antitrust exemptions and additional liability protections for this type of information sharing.
Congressional reaction to the EO likely will depend upon how the sector-specific agencies use their existing authorities to regulate cybersecurity best practices or implement the voluntary cybersecurity program. Republicans in Congress, as well as the U.S. Chamber of Commerce, have expressed concern that, while ostensibly voluntary, the cybersecurity program could result in new and unnecessary regulations for the private sector.
In the House, Intelligence Committee Chairman Mike Rogers (R-MI) and Committee Ranking Member Dutch Ruppersberger (D-MD) re-introduced the bipartisan Cyber Intelligence Sharing and Protection Act (CISPA), which is designed to help businesses protect against cyber attacks through information sharing. This legislation does not grant federal agencies any new regulatory authority over critical infrastructure. In the Senate, the new Homeland Security and Government Affairs Committee Chairman, Tom Carper (D-DE), along with Senators Jay Rockefeller (D-WV), Dianne Feinstein (D-CA) and Carl Levin (D-MI), is widely expected to introduce soon comprehensive cybersecurity legislation designed to strengthen and enhance the voluntary cybersecurity program contained in the EO. This legislation will likely be similar to the Cybersecurity Act of 2012, which Senate Republicans firmly rejected based on their concern that it would lead to new regulations on the private sector by the Department of Homeland Security. In order to foster support from the private sector for a stronger federal cybersecurity program with more authority for federal agencies, Senate Democrats will likely offer liability protections and antitrust exemptions for information sharing. Senate Republicans, as well as business interests such as the U.S. Chamber of Commerce, have expressed a desire to pass legislation to improve information sharing, but they insist that they will oppose any legislation that gives the federal government new regulatory authority over critical infrastructure.
Summary of Executive Order Key Provisions
The EO defines "critical infrastructure" as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
The EO tasks the Secretary of Homeland Security, the Attorney General and the Director of National Intelligence with establishing a process to share unclassified cyber threat information with targeted entities. Classified reports would be shared with entities authorized to receive them. The inclusion of the Attorney General was not in previously leaked versions.
Privacy and Civil Liberties Protections
The EO requires agencies to ensure that privacy and civil liberties protections are incorporated into the activities carried out under the order, and to ensure that information submitted voluntarily by the private sector is protected to the fullest extent permitted by law.
The EO requires NIST to develop baseline Cybersecurity Framework standards. This framework would be developed in an open public comment and review process and would be developed in consultation with other federal agencies and the private sector.
Voluntary Critical Infrastructure Cybersecurity Program
The EO requires the Secretary of Homeland Security to establish a voluntary program to support the adoption of the framework by owners and operators of critical infrastructure. It also allows sector-specific agencies, in consultation with the Secretary of Homeland Security and other interested agencies, to develop additional guidance for sector-specific risks.
The EO also requires the development of incentives for the private sector to participate in the voluntary program, and tasks the Secretaries of Commerce and the Treasury with reporting on the effectiveness of such incentives and on whether legislation is needed to provide further incentives.
Identification of Critical Infrastructure
The EO requires the Secretary of Homeland Security, in consultation with sector-specific agencies, to identify critical infrastructure. Critical infrastructure would not include commercial information technology products or services.
Adoption of Cybersecurity Framework
The EO requires sector-specific agencies to determine whether the Cybersecurity Framework and current regulatory requirements are sufficient to protect against current and projected cyber threat risks. If an agency does not have clear authority to establish requirements under the Cybersecurity Framework, it must report to the President on any additional authority required.
Sector-Specific Agencies
Along with the EO, the President issued Policy Directive-21 to designate Critical Infrastructure Sectors and the Sector-Specific Agencies responsible for each Sector as follows:
- Chemical: Department of Homeland Security
- Commercial Facilities: Department of Homeland Security
- Communications: Department of Homeland Security
- Critical Manufacturing: Department of Homeland Security
- Dams: Department of Homeland Security
- Defense Industrial Base: Department of Defense
- Emergency Services: Department of Homeland Security
- Energy: Department of Energy
- Financial Services: Department of the Treasury
- Food and Agriculture: U.S. Department of Agriculture and Department of Health and Human Services
- Government Facilities: Department of Homeland Security and General Services Administration
- Healthcare and Public Health: Department of Health and Human Services
- Information Technology: Department of Homeland Security
- Nuclear Reactors, Materials, and Waste: Department of Homeland Security
- Transportation Systems: Department of Homeland Security and Department of Transportation
- Water and Wastewater Systems: Environmental Protection Agency