President Obama issued – on 12 February 2013 – the long-awaited Executive Order entitled ‘Improving Infrastructure Cybersecurity’ (the Order), alongside Presidential Policy Directive/PPD 21, to establish a nation-wide ‘Cybersecurity Framework’ and ‘enhance the security and resilience of the Nation’s critical infrastructure’.
The Order proposes an extensive data sharing mechanism with the private sector whereby the US Government will disclose unclassified reports on cyber threats so that private entities ‘may better protect and defend themselves’. By 12 June 2013, the Secretary of Homeland Security is directed to establish procedures to allow the US Government to share classified cyber threats and technical information to eligible entities in all critical infrastructure sectors.
In particular, the Order prioritises privacy safeguards by directing the Chief Privacy Officer of the Department of Homeland Security and other agencies to ‘assess the privacy […] risks of the functions and programs […] and recommend to the Secretary [of Homeland Security] ways to minimize or mitigate such risks, in a publicly available report, to be released [by 12 February 2014]‘.
Cynthia J. Larose, Chair of the Mintz Levin’s Privacy & Security Practice, told DataGuidance: “Companies in any of the targeted industries will need to be aware of potential obligations arising out of data sharing. Work should be undertaken now to review customer-facing privacy policies and procedures to determine what representations are made to customers relating to information-sharing and how the [Order] might affect that. In-house counsel or government affairs offices at critical infrastructure companies should consider providing input into the regulatory process in order to shape the prospective new regulatory regime. It also represents an opportunity for critical infrastructure businesses to learn much more about the network threat environment and how to potentially contain the threats to their own business.”
The Order also directs the Secretary of Homeland Security to establish, in coordination with sector-specific agencies, a voluntary program ‘to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure’, and to ‘coordinate establishment of a set of incentives to promote participation in the program’.
The Cybersecurity Framework and voluntary program would apply only to public and private entities that form part of the critical infrastructure of the US. The Order defines critical infrastructure as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’. However, entities that fall outside the scope of the critical infrastructure may still be affected.
The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, will lead the development of the Cybersecurity Framework. The Order requires NIST to publish a preliminary version of the Framework by 10 October 2013, and a final version by 12 February 2014. NIST stated that ‘the Framework will not dictate ‘one-size-fits-all’ solutions’.
NIST will request organisations to share their current risk management practices; use of frameworks, standards guidelines and best practices; and other industry practices. “The process for developing the [Cybersecurity Framework] reflects a core component of NIST’s work, bringing together various stakeholders to address a technical challenge”, said Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director. “By collaborating with industry to develop the framework, we will better protect our nation from the cybersecurity threat while enhancing America’s ability to innovate and compete in a global market.”
“Right now, there is a lack of immunity provisions for disclosure of information – only Congress can provide immunity from civil liability”, said Larose. “In the absence of legislative action, businesses should carefully consider how and whether to share information if they participate in these voluntary information sharing programs. Some suggested actions: (a) determine your organization’s critical infrastructure sector; (b) develop a strategy to combat reported threats – will the failure to act on reports produced by federal officials increase an organization’s exposure to liability? and (c) review policies and procedures for handling network threats.”