By Misty Blair and Ken Wilton
It is in this spirit that, just Tuesday, President Obama signed the long-awaited Executive Order on “Improving Critical Infrastructure Cybersecurity” and devoted a portion of his State of the Union address to the topic:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.
In the Executive Order, President Obama uses his powers to direct the manner in which the federal agencies interact with the industries they regulate, and with one another, for the protection of the “Nation’s critical infrastructure.” At its core, the Executive Order is based on the assumption that the more a critical infrastructure provider knows about the current threats to their systems the better and more robust the response will be. As a result, like its predecessor failed legislation, the Executive Order is intended to encourage the sharing of information regarding cyber threats among those providers.
The Executive Order defines “critical infrastructure” as those “systems and assets, whether physical or virtual, so vital to the United States that [their] incapacity or destruction… would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
American companies should carefully consider whether they are likely to fall under the designation of “critical infrastructure,” or whether they otherwise provide goods or services to companies likely to fall under that designation, and are thus likely to be impacted by the Executive Order. Even if they do not, they may want to consider the incentives provided for participation in the voluntary information sharing programs established by the Executive Order.
The Executive Order relies on a multi-prong approach to orchestrate the actions and interactions of the subject agencies. It is made up of a dozen individual sections, including sections:
- Directing the Department of Homeland Security (DHS), the Attorney General (AG) and the Office of the Director of National Intelligence (DNI) to work together to create a “Cybersecurity Information Sharing” program, under which these agencies will issue unclassified reports regarding specific threats and, where necessary, issue classified reports to authorized critical infrastructure entities; to expand the Enhanced Cybersecurity Services Program for voluntary information sharing among participating critical infrastructure entities and their private sector security providers; and to expedite the processing of security clearances for certain personnel of critical infrastructure entities.
- Directing federal agencies carrying out the President’s directives under the Executive Order to “ensure that privacy and civil liberties protections are incorporated into such activities”; to consider reports, issued by the DHS Privacy Officer and the DHS Officer for Civil Rights and Civil Liberties, regarding the risks to privacy and civil liberties from the agencies’ actions; and to protect information submitted by private entities “to the fullest extent permitted by law.”
- Directing the National Institute of Standards and Technology (NIST) and the Secretary of Commerce to develop a “Baseline Framework,” or “Cybersecurity Framework,” for the reduction of risks to critical infrastructure; to incorporate standards and procedures into the framework that are voluntary, proven, cost-effective, measurable, technology-neutral, adaptable to a competitive market, and applicable across sectors; to address impacts of the framework on business confidentiality, individual privacy, and civil liberties; to engage in a “Consultative Process” with other federal agencies and the public in the development of “preliminary” and “final” versions of the framework; and to update the framework as needed.
- Directing DHS and “Sector-Specific Agencies” (SSA) to establish a “Voluntary Critical Infrastructure Cybersecurity Program,” under which the owners and operators of critical infrastructure and “any other interested entities” are encouraged to adopt the Cybersecurity Framework; to coordinate establishment of incentives for participation in the program; and to report to the President regarding the benefits and effectiveness of such incentives, along with any legislation that may be required for such incentives.
- Directing DHS and SSA to identify and designate entities for which “a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” (excluding “commercial information technology products” and “consumer information technology services”); to engage in a “Consultative Process” with other federal agencies regarding information necessary for the designations; to allow “other relevant stakeholders” to submit information to assist in making the designations; and to confidentially notify the owners and operators of those entities designated as critical infrastructure, with a process by which the owners and operators may challenge the designation.
- Directing federal agencies responsible for regulating the security of critical infrastructure entities to engage in a “Consultative Process” with DHS and others to determine whether current cybersecurity regulations are sufficient for their agency-specific needs; to report to the President whether the agency believes it “has clear authority” to establish cybersecurity requirements; to propose actions to mitigate cyber risk if current requirements are deemed to be insufficient; and to consult with owners and operators regarding ineffective or overly burdensome requirements.
In his State of the Union address, President Obama made clear that the Executive Order is not a substitute for comprehensive cybersecurity legislation, but is instead a sort of stopgap measure designed to address the immediate threats faced by the Nation’s most important institutions. Congress continues its long and tortured attempts at passing such legislation, as the House revisits the Cyber Intelligence Sharing and Protection Act (CISPA, re-introduced Wednesday) and the Senate considers the Cybersecurity and American Cyber Competitiveness Act of 2013 (introduced in January).
Some argue that only legislation can offer the civil liability protections and other key components necessary for a successful national cybersecurity scheme. Regardless, the President has used the powers within his grasp to start putting the scheme in place. We will continue to monitor developments as the Executive Order is implemented and legislation is debated.