On February 12, President Obama signed a much-anticipated cybersecurity executive order intended to “enhance the security and resilience” of U.S. critical infrastructure. The executive order is very similar to a draft leaked last November. The order requires executive officials and agencies to take specific actions to improve information sharing with and among the owners and operators of critical infrastructure, create a voluntary cybersecurity framework, encourage private sector implementation of that framework, and evaluate the adequacy of current regulations and regulatory authority in light of cybersecurity threats.
Sharing Information About Cyber Threats
In order to ensure owners and operators of critical infrastructure are apprised of cyber threats, the U.S. Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence will establish processes that will produce reports on unclassified cyber threats that identify a specific targeted entity. The Secretary and the Attorney General (in coordination with the Director of National Intelligence) will also establish a process that will rapidly disseminate these reports to targeted entities. The executive order also mandates the expansion of the Enhanced Cybersecurity Services Program so that it is available to all critical infrastructure sectors. The Enhanced Cybersecurity Services Program is a public–private partnership designed to allow “near real time” sharing of cyber threat information; previously, it operated largely in the defense sector.
The administration’s cybersecurity order attempts to balance private-sector concerns over increased regulation with the need for improved critical infrastructure cybersecurity. The executive order requires the National Institute of Standards and Technology (NIST) to develop a “Cybersecurity Framework” that will produce “standards, methodologies, procedures, and processes” designed to protect against cyber risks. The Secretary of Homeland Security will establish a “voluntary critical infrastructure cybersecurity program” (Cybersecurity Program), which will support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure. The Cybersecurity Program will be organized according to sectors of critical infrastructure, and the order envisions heavy private-sector involvement. While the executive order generally leaves it to executive agencies to develop participation incentives, the order explicitly contemplates incorporating security standards into federal acquisition planning and contract administration, implying that implementation of the Framework will be a prerequisite for government contractors.
The executive order also requires the Secretary of Homeland Security to designate certain critical infrastructure as “critical infrastructure at greatest risk” (CIGR) and notify the owners and operators of this designation. The Secretary will review and update the CIGR list and transmit it to the President on an annual basis. Owners and operators will be able to challenge the CIGR designation, and may choose to do so since the CIGR designation will bring increased scrutiny. The executive order directs the Secretary to establish additional “performance goals” for CIGR infrastructure and directs agencies to report annually to the Department of Homeland Security and the President on CIGR designees’ participation in the “voluntary” program for Framework adoption.
Potential for Regulation and Legislation
The executive order contains several features designed to assuage private-sector concerns over increased regulation, the most prominent of which is the voluntary nature of the Cybersecurity Framework and Cybersecurity Program. NIST also must consult with the private sector and other stakeholders in developing the Framework and leveraging industry standards, keep the Framework “technology neutral” and “flexible,” and submit the Framework to a public review and comment process prior to final publication.
On the other hand, the executive order leaves open the possibility of additional executive agency regulations and encourages new legislation. The order requires the Department of Homeland Security, the Office of Management and Budget, and the National Security Staff to review the preliminary Cybersecurity Framework and “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.” These agencies must report to the President on whether they have the authority to establish mandatory requirements based on the Cybersecurity Framework to sufficiently address cyber risks to critical infrastructure. This process could result in some of the voluntary cybersecurity standards being converted into mandatory requirements. The report to the President will likely be used to encourage Congress to pass legislation that will provide the executive branch with additional authority to create mandatory regulations and offer information-sharing and Cybersecurity Framework participation incentives to the private sector.
Organizations that would like to participate in information sharing should be sure to keep possible liability and confidentiality issues in mind. Only Congress can provide immunity from civil liability; therefore, the executive order lacks the immunity provisions that were contained in the proposed Cybersecurity Act of 2012, which died in the Senate last year after failing to receive an up-or-down vote. There are, however, some current statutory protections in place designed to prevent disclosure of information that is voluntarily submitted to certain federal agencies, such as Freedom of Information Act exemptions. The executive order provides that information voluntarily submitted through proper channels will be “protected from disclosure to the fullest extent permitted by law.” Due to the lack of immunity provisions and limitations on confidentiality, organizations should carefully consider how and whether to share information if they participate in information sharing programs.
What It Means For You
Much of the executive order is directed to government agencies, so no obvious next steps are included for organizations, such as companies that own and operate critical infrastructure. We suggest organizations pursue the following actions in order to be prepared for coming developments:
Determine your organization’s critical infrastructure sector. If you have not already done so, determine which critical infrastructure sector (or sectors) may include your organization. Refer to the Department of Homeland Security’s list of Critical Infrastructure Sectors to learn more.
Develop a strategy to combat reported threats. Federal officials must develop the processes for producing unclassified reports on cyber threats to specific targets within 120 days—which is well before the Cybersecurity Framework will be established. These cyber threat reports raise important questions for owners and operators of critical infrastructure, such as whether the failure to act on a report can increase an organization’s exposure to liability. Owners and operators of critical infrastructure should be prepared to act on the reports before the 120-day time period ends.
Consider participating in the process. Organizations should consider whether they want to participate in the development of the Cybersecurity Framework or engage in the formal comment period that will follow publication of the preliminary Framework. Participating may give an organization the opportunity to shape the resulting standards. Think fast, though, because drafting will start soon. The preliminary version of the Framework is required to be published within 240 days, and the final version must be published within 1 year. NIST recently released a draft guidance document, Security and Privacy Controls for Federal Information Systems and Organizations, containing a catalogue of security safeguards and countermeasures that federal agencies use to protect their information and information systems. NIST is unlikely to reinvent the wheel when formulating the Cybersecurity Framework, which is a significant task. We expect NIST will borrow heavily from this guidance document, so organizations may want to review and consider commenting on the draft in the event that it forms the basis for the Framework.
Consider implementing the Framework. In addition to the incentives, such as government procurement preferences, meeting the Framework’s security standards may prove to be a useful evaluation tool for auditors, clients, and insurers to assess security and risk mitigation.
Stay on top of developments. It remains to be seen how executive agencies will implement the broad requirements in the President’s executive order, so the private sector, and especially owners and operators of critical infrastructure, should keep a close eye on developments. Organizations should also be prepared for the possibility of cybersecurity legislation that may complement or override the President’s approach. For example, the Cyber Intelligence Sharing and Protection Act, which passed in the House but failed to pass in the Senate last year, was reintroduced in the House on February 13. Just a few days before that, the European Commission published a proposed cybersecurity directive that includes breach notification obligations. We will publish additional updates on cybersecurity matters as developments occur.