President Obama’s Cybersecurity Executive Order and What it Means For Your Organization

by Poyner Spruill LLP

On February 12, President Obama signed a much-anticipated cybersecurity executive order intended to “enhance the security and resilience” of U.S. critical infrastructure. The executive order is very similar to a draft leaked last November. The order requires executive officials and agencies to take specific actions to improve information sharing with and among the owners and operators of critical infrastructure, create a voluntary cybersecurity framework, encourage private sector implementation of that framework, and evaluate the adequacy of current regulations and regulatory authority in light of cybersecurity threats.

Sharing Information About Cyber Threats

In order to ensure owners and operators of critical infrastructure are apprised of cyber threats, the U.S. Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence will establish processes that will produce reports on unclassified cyber threats that identify a specific targeted entity. The Secretary and the Attorney General (in coordination with the Director of National Intelligence) will also establish a process that will rapidly disseminate these reports to targeted entities. The executive order also mandates the expansion of the Enhanced Cybersecurity Services Program so that it is available to all critical infrastructure sectors. The Enhanced Cybersecurity Services Program is a public–private partnership designed to allow “near real time” sharing of cyber threat information; previously, it operated largely in the defense sector.

Enhancing Security

The administration’s cybersecurity order attempts to balance private-sector concerns over increased regulation with the need for improved critical infrastructure cybersecurity. The executive order requires the National Institute of Standards and Technology (NIST) to develop a “Cybersecurity Framework” that will produce “standards, methodologies, procedures, and processes” designed to protect against cyber risks. The Secretary of Homeland Security will establish a “voluntary critical infrastructure cybersecurity program” (Cybersecurity Program), which will support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure. The Cybersecurity Program will be organized according to sectors of critical infrastructure, and the order envisions heavy private-sector involvement. While the executive order generally leaves it to executive agencies to develop participation incentives, the order explicitly contemplates incorporating security standards into federal acquisition planning and contract administration, implying that implementation of the Framework will be a prerequisite for government contractors.

The executive order also requires the Secretary of Homeland Security to designate certain critical infrastructure as “critical infrastructure at greatest risk” (CIGR) and notify the owners and operators of this designation. The Secretary will review and update the CIGR list and transmit it to the President on an annual basis. Owners and operators will be able to challenge the CIGR designation, and may choose to do so since the CIGR designation will bring increased scrutiny. The executive order directs the Secretary to establish additional “performance goals” for CIGR infrastructure and directs agencies to report annually to the Department of Homeland Security and the President on CIGR designees’ participation in the “voluntary” program for Framework adoption.

Potential for Regulation and Legislation

The executive order contains several features designed to assuage private-sector concerns over increased regulation, the most prominent of which is the voluntary nature of the Cybersecurity Framework and Cybersecurity Program. NIST also must consult with the private sector and other stakeholders in developing the Framework and leveraging industry standards, keep the Framework “technology neutral” and “flexible,” and submit the Framework to a public review and comment process prior to final publication.

On the other hand, the executive order leaves open the possibility of additional executive agency regulations and encourages new legislation. The order requires the Department of Homeland Security, the Office of Management and Budget, and the National Security Staff to review the preliminary Cybersecurity Framework and “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.” These agencies must report to the President on whether they have the authority to establish mandatory requirements based on the Cybersecurity Framework to sufficiently address cyber risks to critical infrastructure. This process could result in some of the voluntary cybersecurity standards being converted into mandatory requirements. The report to the President will likely be used to encourage Congress to pass legislation that will provide the executive branch with additional authority to create mandatory regulations and offer information-sharing and Cybersecurity Framework participation incentives to the private sector.

Potential Liability

Organizations that would like to participate in information sharing should be sure to keep possible liability and confidentiality issues in mind. Only Congress can provide immunity from civil liability; therefore, the executive order lacks the immunity provisions that were contained in the proposed Cybersecurity Act of 2012, which died in the Senate last year after failing to receive an up-or-down vote. There are, however, some current statutory protections in place designed to prevent disclosure of information that is voluntarily submitted to certain federal agencies, such as Freedom of Information Act exemptions. The executive order provides that information voluntarily submitted through proper channels will be “protected from disclosure to the fullest extent permitted by law.” Due to the lack of immunity provisions and limitations on confidentiality, organizations should carefully consider how and whether to share information if they participate in information sharing programs.

What It Means For You

Much of the executive order is directed to government agencies, so no obvious next steps are included for organizations, such as companies that own and operate critical infrastructure. We suggest organizations pursue the following actions in order to be prepared for coming developments:

  • Determine your organization’s critical infrastructure sector. If you have not already done so, determine which critical infrastructure sector (or sectors) may include your organization. Refer to the Department of Homeland Security’s list of Critical Infrastructure Sectors to learn more.
  • Develop a strategy to combat reported threats. Federal officials must develop the processes for producing unclassified reports on cyber threats to specific targets within 120 days—which is well before the Cybersecurity Framework will be established. These cyber threat reports raise important questions for owners and operators of critical infrastructure, such as whether the failure to act on a report can increase an organization’s exposure to liability. Owners and operators of critical infrastructure should be prepared to act on the reports before the 120-day time period ends.
  • Consider participating in the process. Organizations should consider whether they want to participate in the development of the Cybersecurity Framework or engage in the formal comment period that will follow publication of the preliminary Framework. Participating may give an organization the opportunity to shape the resulting standards. Think fast, though, because drafting will start soon. The preliminary version of the Framework is required to be published within 240 days, and the final version must be published within 1 year. NIST recently released a draft guidance document, Security and Privacy Controls for Federal Information Systems and Organizations, containing a catalogue of security safeguards and countermeasures that federal agencies use to protect their information and information systems. NIST is unlikely to reinvent the wheel when formulating the Cybersecurity Framework, which is a significant task. We expect NIST will borrow heavily from this guidance document, so organizations may want to review and consider commenting on the draft in the event that it forms the basis for the Framework.
  • Consider implementing the Framework. In addition to the incentives, such as government procurement preferences, meeting the Framework’s security standards may prove to be a useful evaluation tool for auditors, clients, and insurers to assess security and risk mitigation.
  • Stay on top of developments. It remains to be seen how executive agencies will implement the broad requirements in the President’s executive order, so the private sector, and especially owners and operators of critical infrastructure, should keep a close eye on developments. Organizations should also be prepared for the possibility of cybersecurity legislation that may complement or override the President’s approach. For example, the Cyber Intelligence Sharing and Protection Act, which passed in the House but failed to pass in the Senate last year, was reintroduced in the House on February 13. Just a few days before that, the European Commission published a proposed cybersecurity directive that includes breach notification obligations. We will publish additional updates on cybersecurity matters as developments occur.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
