On February 12, 2013, President Obama signed an executive order for "Improving Critical Infrastructure Cybersecurity" (the "Executive Order").1 The Executive Order seeks to promote information sharing between the government and private companies regarding cyber threats, and directs a number of federal agencies to develop and implement voluntary cybersecurity standards.2 As part of that program, these federal agencies are tasked with developing ways to incentivize private businesses to voluntarily participate in a cybersecurity framework, which as of the date of this posting has yet to be fully developed.3 These voluntary standards would apply to private companies that run "critical infrastructure," defined as physical or virtual systems and assets that are so vital to the U.S. that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety.4
The Executive Order reflects increased concern about the security of the nation's infrastructure. President Obama, in his State of the Union Address, stressed the need for such cybersecurity protections, citing "the rapidly growing threat from cyber-attacks" and "real threats to our security and our economy."5 Accordingly, the Executive Order outlines the White House's commitment to increasing cybersecurity and data protections related to America's critical infrastructure.
The Executive Order requires the appointed federal agencies to collaborate with the private sector to (i) establish standard best practices, (ii) determine how best practices should be enforced, and (iii) determine the best way for the government to securely share information with the private sector.
The Director of the National Institute of Standards and Technology (the "NIST") is tasked with developing a "Cybersecurity Framework," which will be finalized within one year of the Executive Order's issuance.6 The Cybersecurity Framework will incorporate a set of voluntary best practices standards, and will focus on methodologies, procedures and processes that "align policy, business and technological approaches to cyber risks."7 The Secretary of Homeland Security, in coordination with sector-specific agencies, is required to establish a voluntary program to support the adoption of the Cybersecurity Framework (the "Program"), which is also targeted to be finalized within one year of the Executive Order's issuance.8 This Program will include a set of incentives designed to promote the participation of private businesses.9 The Attorney General, Secretary of Homeland Security and Director of National Intelligence are all responsible for establishing a voluntary information sharing program to rapidly provide information regarding cyber threats to entities that are likely targets.10
The Executive Order highlights the fact that Congress has failed to pass privacy legislation in recent years, despite several attempts to do so.11 This week's announcement has also rekindled discussion relating to the Cyber Intelligence Sharing and Protection Act ("CISPA"), a bill that was proposed last year but ultimately not enacted into law.12 CISPA dealt with the sharing of cybersecurity information between the government and private businesses, but was criticized for not expressly addressing individual privacy and civil liberties concerns.13 A competing bill introduced by Senator Lieberman, the Cybersecurity Act of 2012, focused on cybersecurity as well; however, unlike CISPA, it factored in additional considerations for privacy and civil liberties.14 The Cybersecurity Act of 2012 was supported by the White House15 and has many similarities to the principles set forth in the Executive Order; however, it too did not pass.16 CISPA was reintroduced into the House of Representatives this week, reigniting many of the same debates from a year ago.17
1 - Exec. Order, Improving Critical Infrastructure Cybersecurity (February 12, 2013), available here.
2 - Id.
3 - Id. at Sec. 8(d).
4 - Id. at Sec. 2.
5 - President Barack Obama, State of the Union Address (February 13, 2013), transcript available here.
6 - Exec. Order, Improving Critical Infrastructure Cybersecurity (February 12, 2013), at Sec. 7(e).
7 - Id. at Sec. 7(a).
8 - Id. at Sec. 8(a).
9 - Id. at Sec. 8(d).
10 - Id. at Sec. 4. Classified information will be shared with entities authorized to receive such information, but any such disclosure will be limited by national security, intelligence and law enforcement considerations.
11 - See, e.g., id. at Sec. 1. See also Senate Republicans Introduce a New Data Privacy Bill: Data Security and Breach Notification Act of 2012, Daren M. Orzechowski and Allison Dodd, available here; Developments in Data Privacy Legislation, Daren M. Orzechowski, Allison Dodd, Imtiaz Yakub, available here.
12 - Press Release, Rogers and Ruppersberger Reintroduce Cybersecurity Bill to Protect the American Economic (February 13, 2013), available here and here.
13 - Cyber Intelligence Sharing and Protection Act, H.R. 3523, 112th Cong. (2012).
14 - Cybersecurity Act of 2012, S.2105, 112th Cong. (2012).
15 - President Barack Obama, Taking the Cyberattack Threat Seriously (July 20, 2012), available here.
16 - Statement by the Press Secretary on Cybersecurity Legislation Vote (August 2, 2012), available here.
17 - Press Release, Rogers and Ruppersberger Reintroduce Cybersecurity Bill to Protect the American Economic (February 13, 2013), available here and here.