Last night, President Obama signed a long-anticipated Executive Order, "Improving Critical Infrastructure Cybersecurity," which directs the federal government to share cyberthreat information with the owners of systems that are critical to the country's infrastructure. The order also requires government to work with businesses to develop baseline cybersecurity best practices that private industry may voluntarily adopt.
While the Executive Order is not geared toward general commercial enterprises, private industry will be affected. Within 150 days of the release of the Executive Order, the Homeland Security Secretary shall use a risk-based approach to identify critical infrastructure—even infrastructure owned by private industry—where a cybersecurity disruption could reasonably result in "catastrophic regional or national effects on public health or safety, economic security or national security."
The financial services sector is specifically mentioned in this Executive Order in several sections. The Executive Order designates the Treasury Department as the industry's sector-specific agency "responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities" of this sector. The industry lobbied for the Treasury Department, instead of the Department of Homeland Security, to fulfill this function, given Treasury's existing financial services knowledge base.
The industry appears to be encouraged by both the federal government information-sharing network and the "voluntary" standards development process. But the Executive Order lacks incentives for widespread adoption by private industry, due to the jurisdictional limitations of the Executive Branch. The Executive Branch cannot rewrite existing law or appropriate funds. For example, there are no specific liability protections for information sharing by private industry.
Liability from private lawsuits and government regulatory action will be a heavy concern and a disincentive for industry to voluntarily share any threat information with the government and other businesses. For now, it is anticipated that the Executive Order will only facilitate "one-way" information sharing from the government to private industry. Moreover, there is no funding for research and development or other incentives to encourage adoption by private industry. Recognizing the limitations on Executive Branch jurisdiction, in last night's State of the Union address, President Obama called for Congress to pass comprehensive cybersecurity legislation.
Stay tuned. Tomorrow, members of the House of Representatives are expected to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA), which largely focuses on information sharing. The legislation is heavily supported by industry. Likewise, we expect the Senate to reintroduce cybersecurity legislation sponsored by Senator Jay Rockefeller (D-WV) and now-retired Senator Joe Lieberman (I-CT) in the 112th Congress.
Ballard Spahr's Privacy and Data Security Group helps clients navigate the many laws designed to safeguard health, financial, and other private information. The Group focuses on financial privacy and security by design—evaluating new products and services and communications channels to ensure that financial institutions are meeting their privacy and data security obligations. For more information on the Executive Order, please contact Mercedes Kelley Tunstall at 202.661.2221 or firstname.lastname@example.org, or Amy S. Mushahwar at 202.661.7644 or email@example.com.