As President Obama delivered his fifth State of the Union speech to Congress on February 12, 2013, he simultaneously issued a highly anticipated Executive Order (“the Order”) focused on improving cybersecurity for the country’s critical infrastructure. The Order does two distinct things. It directs the federal government to expand the sharing of cyber threat information (including unclassified threat reports and expedited security clearances) with privately owned critical infrastructure companies so that they can better protect themselves, the economy and the American populace. Separately, it directs the development of a voluntary cybersecurity framework of standards and best practices, with a preliminary version due within 240 days and a final version within one year.
The Order contains some important takeaways for company executives and business owners.
First, the Order’s definition of “critical infrastructure” is far broader than what many understand that term to be. The Order states that “[c]ritical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Under this expansive definition, which could encompass a range of sectors from energy networks to telecommunications providers to cloud-based services, many businesses may be surprised to learn that the “critical infrastructure” label, and thus the Order, may apply to them.
The Order tasks the Department of Homeland Security (DHS) with “identify[ing] critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” within 150 days, using a risk-based approach. One limit is worth noting: the Order expressly bars DHS from identifying commercial information technology products or consumer information technology services under this provision, so a business is more likely to be designated for the services or assets it operates than for the software or consumer-facing technology it sells. The owners of businesses identified as critical infrastructure will be notified confidentially that they have been deemed as such and will have the opportunity to ask for reconsideration of their designation.
The second important takeaway from the Order is that the federal government will be taking a more active role in ensuring that companies designated as “critical infrastructure” are more aware of cybersecurity via information sharing and development of best practices. For example, the Order directs the National Institute of Standards and Technology (NIST), a branch of the Department of Commerce, to work with companies that operate critical infrastructure to develop a framework of cybersecurity best practices. In addition, the Order gives DHS a lead role in establishing a voluntary program that encourages critical infrastructure operators to adopt the NIST and industry-developed cybersecurity framework. DHS will work with agencies, such as the Department of Energy, and industry councils to implement the cybersecurity best practices laid out in the framework, as well as identifying possible ways to entice companies to join the voluntary program.
Notably, the Order seeks to ensure that cybersecurity is promoted at little to no cost to citizen privacy: agencies are required to build privacy and civil liberties protections, based on the Fair Information Practice Principles, into the activities the Order authorizes. Privacy proponents who have criticized Congress’ proposed Cyber Intelligence Sharing and Protection Act (CISPA) for its lack of privacy protections have praised this aspect of the Order. Nevertheless, businesses should be aware that their potential inclusion as “critical infrastructure” under the Order may increase both the financial and the administrative burden of complying with the cybersecurity measures the Order contemplates, even though adoption of the framework itself is voluntary.
Until further details are promulgated regarding the proposed framework and the companies constituting critical infrastructure are identified, executives and business owners would be well advised to identify the key people within their organization who manage sensitive and confidential information, and to ensure that their business has a robust internal framework for handling the increased threat of cyber attacks.