The long-awaited executive order entitled “Improving Critical Infrastructure Cybersecurity” was issued on Tuesday, along with a companion Presidential Policy Directive and mention by the President in the State of the Union address. The order is similar in content and organization to the November 2012 draft which was previously discussed here. As before, the Executive Order contains the following elements: improvements in information sharing between the public and private sectors; application by implementing agencies of the Fair Information Practice Principles; development by the National Institute of Standards and Technology of a “Cybersecurity Framework” of standards, methodologies and processes that are consistent with voluntary international standards; an invitation to the private sector to participate in a voluntary critical infrastructure Cybersecurity Program; and identification of critical infrastructure at greatest risk. Private sector participation in the “voluntary” program will be driven through unspecified incentives and the possibility that security standards will be incorporated into government acquisition planning and contract administration. Sharing of classified information may also be increased through wider participation in the Enhanced Cybersecurity Services program, which was previously available only to the Defense Industrial Base.
The final version of the order differs from its predecessor in several ways. The Cybersecurity Framework (i.e. the “voluntary standards” that are of concern to the private sector) will now be developed through an “open public review and comment.” Previously, a preliminary version was to be published by NIST and then coordinated through public consultation. This could be interpreted as an intent to include all interested stakeholders and participants in the initial stages of development. For the first time, the National Security Agency is included in this process. Participation in the Enhanced Cybersecurity Services program will now be available not only to “eligible critical infrastructure companies” but also “commercial service providers that offer security services to critical infrastructure.” Also, the identification of “critical infrastructure at greatest risk” will still exclude “commercial information technology products,” but now also excludes “consumer information technology services.” It would appear that, unlike the recently announced European Union cybersecurity directive, Google and other search engines or social media sites will not be brought under the ambit of critical infrastructure. Finally, while intelligence sources and methods will continue to be protected under the order, law enforcement sources, activities and associations will also now be protected.
The practical effect of the order will be seen in the extent to which the government (including the intelligence community) makes sensitive and useful information available to the private sector, the nature and scope of voluntary participation by the private sector in standard-setting and information sharing, the emergence of new regulations or more assertive enforcement of existing guidance, and the creation of valuable incentives or coercive acquisition requirements. Given that one of the “strategic imperatives” of the companion Presidential Policy Directive is the clarification of functional relationships within the federal government for critical infrastructure and resilience (an effort that one would have thought was well underway by now), it remains to be seen how quickly and effectively the order will be implemented. For example, the order does not include independent regulatory agencies, such as FERC, which have a role in cybersecurity and are only encouraged to collaborate with DHS.
The executive order reflects a sense of urgency and recognition by the Administration that some immediate steps are essential to address the cyber threat. This view is shared by Congress and business executives, as was apparent during testimony on Thursday at a hearing on “Advanced Cyber Threats Facing Our Nation” held by the House Permanent Select Committee on Intelligence. The witnesses included representatives of a business executives trade association, the financial services and energy industries and a well-known security services firm, all of whom supported the Cyber Intelligence Sharing and Protection Act (CISPA) that was introduced earlier this week by Representatives Rogers and Ruppersberger as H.R. 624. While a similar bill was passed out of the House last year, the Senate focused on the legislation introduced by Senator Lieberman, which ultimately failed to gain sufficient support. As its name suggests, CISPA focuses solely on information sharing. It contains liability and other protections and limitations on use or dissemination for information shared by the private sector and eases some of the restrictions on sharing sensitive or classified government information. To address the concerns expressed last year by privacy advocates, the current version narrows the definition of what information will be covered and affords the protections only to that information that is provided by private sector entities in good faith. One central theme of the hearing was that information sharing is an important step, but just one part of the national response to the cyber threat, and that such sharing includes very little personal information. Additional steps, such as minimization, would further enhance the protection of any personal information. 
The second theme was that non-attribution of the threat data to a specific company, and protection of the “victim” company from liability for having disclosed the information, will significantly enhance the sharing of information by the private sector.
This action by the Administration and Congress is based on the reality that national assets in the form of business information, personal data and intellectual property are increasingly subject to loss, compromise or contamination. A recent National Intelligence Estimate reportedly describes a massive, sustained cyber-espionage campaign. Financial institutions have repeatedly been the targets of sophisticated and persistent Distributed Denial of Service attacks and industrial control systems have been compromised. Secretary Panetta and General Alexander have described the risks to all sectors of the national infrastructure in public speeches and business executives have acknowledged the need to place greater emphasis on cybersecurity.
Most statutes and their implementing regulations that focus on data security and privacy in a given industry are risk-based (e.g. Gramm-Leach-Bliley section 501b). By all indications, the risks to corporate data are only growing and must be included in corporate planning and oversight. However, those same security risks which should be considered by corporate security executives, risk officers and boards of directors also provide the opportunity to engage in, or benefit from, the national cybersecurity conversation. Regardless of whether all goals of the executive order are attained or what the language of any cybersecurity legislation ends up saying, companies in all sectors and industries can and should prudently engage relevant government agencies to obtain information and support for their data security efforts and influence the development of information sharing or standard-setting efforts.