On February 12, President Obama signed an Executive Order on “Improving Critical Infrastructure Cybersecurity,” and then referenced the Order and the need for additional congressional action during the State of the Union address on the same day:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.
Describing cybersecurity as “one of the most serious national security challenges” the United States must confront, the Executive Order directs federal agencies to engage with the private sector on a number of fronts, the most consequential of which for business are likely to involve:
- Information-Sharing. Enhanced efforts by government to share timely threat information via 1) additional notifications to a broader group of businesses (which will be expected to take action when provided with such information) and 2) expansion of an existing formal information-sharing program beyond its current defense-industry base. The expanded effort will be called “Enhanced Cybersecurity Services” and will seek to involve industry participation from critical infrastructure sectors such as utilities, telecommunications and financial services.
- Baseline Standards. Facilitated by NIST, which will seek public input, the federal government will develop and promote a new “Cybersecurity Framework” that likely will become a baseline against which corporate cybersecurity programs are measured.
- Public Procurement. The Executive Order directs agencies to continue to use government procurement processes to promote enhanced cybersecurity measures on the part of businesses that want to sell to the government.
The Executive Order requires agencies to prepare reports to Congress on their progress that highlight the limitations of existing statutory authority, for example the authority to require compliance with standards or to provide liability protection to companies that participate in information-sharing programs.
Our summary of the key elements of the Executive Order follows.
Cybersecurity Information Sharing
The Executive Order requires the US Attorney General, the Secretary of the Department of Homeland Security (the “Secretary”), and the Director of National Intelligence each to ensure the timely production of unclassified reports of cyber threats to the United States that identify a specific targeted entity. Such unclassified reports must be rapidly disseminated to the specifically targeted entities, with classified versions of the reports disseminated to authorized critical infrastructure entities.
The Secretary must also establish procedures, within 120 days of the date of the Executive Order, to expand the “Enhanced Cybersecurity Services”—a voluntary information sharing program wherein the government will provide classified cyber threat information to eligible critical infrastructure companies and/or the commercial service providers that offer security services to those companies—to all critical infrastructure sectors. Furthermore, the Secretary is tasked with expanding the use of programs that bring private-sector subject matter experts into federal service on a temporary basis in order to provide advice on the structure, content, and types of threat information that will be most helpful to critical infrastructure owners and operators in mitigating cyber threat risks.
Privacy and Civil Liberties Protections
The Executive Order explicitly acknowledges the need to address privacy and civil liberties and calls upon the involved agencies to incorporate fair information practices and other privacy principles and frameworks into their efforts. Additionally, the DHS Chief Privacy Officer and the DHS Officer for Civil Rights and Civil Liberties are tasked with creating a publicly available report—with input from the privacy and civil liberties officials at each participating agency and in coordination with Office of Management and Budget (OMB) and the Privacy and Civil Liberties Oversight Board (PCLOB)—that assesses the risks to privacy and civil liberties posed by the activities called for by the Executive Order and identifies ways to mitigate those risks. This report must be issued within one year of the date of the Executive Order, and will be reviewed and revised, as necessary, on an annual basis thereafter. The Executive Order directs agencies to consider the assessments and recommendations set forth by the report.
Protections for Shared Information
The Executive Order notes that all information shared through the voluntary program “shall be protected from disclosure to the fullest extent permitted by law.” The Executive Order invokes a statutory provision added by the Critical Infrastructure Act of 2002, which created a FOIA exemption and laid out various other protections against disclosure of critical infrastructure information. To enjoy these protections against disclosure, the entity submitting the information must include an explicit statement regarding the desire for protection.
Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
Within a year of the date of the Executive Order, the National Institute of Standards and Technology (NIST) must publish a final version of a new Cybersecurity Framework. The Framework will include “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risk.” The Framework will provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The Framework must be technology neutral, focused on cross-sector approaches, consistent with voluntary international standards where such standards advance the objectives of the Executive Order, and “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” And the Framework will include performance metrics for measuring an entity’s implementation of the Framework.
The Executive Order specifically requires that NIST include approaches to safeguard business confidentiality, as well as individual privacy and civil liberties.
The Executive Order instructs NIST to engage in an “open public review and comment process” during development of the Framework, as well as to engage the consultative process detailed below. NIST must release a preliminary version of the Framework within 240 days of the date of the Executive Order, then receive feedback from the Secretary and through the comment process before publishing the final version of the Framework.
Voluntary Critical Infrastructure Cybersecurity Program
The Executive Order instructs DHS to work with Sector-Specific Agencies to establish a voluntary program to encourage adoption of the Cybersecurity Framework. The Secretary must coordinate the creation of incentives to promote participation in the voluntary program. The Executive Order requires the Secretary and others to make recommendations to the President regarding the benefits and relative effectiveness of incentives that are available under existing law, as well as those incentives that would require legislation.
The Executive Order instructs the Secretary to establish a multistakeholder forum to advise on various cybersecurity efforts created by this Executive Order. The consultative process will provide input on the NIST Cybersecurity Framework and identification of the critical infrastructure at greatest risk.
The Executive Order requires recommendations from the Secretary and others “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”
All recommendations under this section must be provided within 120 days of the date of the Executive Order.
Identification of Critical Infrastructure at Greatest Risk
Within 150 days of the date of the Executive Order, the Secretary is required to use the consultative process detailed above to identify critical infrastructure at greatest risk—defined as critical infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Executive Order states that the Secretary must develop a process for “other relevant stakeholders” to submit information to assist in identifying critical infrastructure that is at greatest risk. Notably, under the terms of the Executive Order, neither commercial information technology products nor consumer information technology services may be identified as critical infrastructure at greatest risk.
Owners and operators of critical infrastructure identified as being at greatest risk shall be confidentially notified of such a designation and shall be provided with the basis for the determination. In addition, the Executive Order requires the Secretary to establish a process by which owners and operators of critical infrastructure may challenge the “greatest risk” designation.
Adoption of Framework
Agencies are required to engage in a consultative process with DHS, OMB, and the National Security Staff to determine if current cybersecurity regulatory requirements are sufficient, taking into consideration the critical infrastructure designated as being at greatest risk, and have 90 days from the publication of the preliminary Cybersecurity Framework to submit a report to the President that states, inter alia, whether they have “clear authority” to establish requirements based on the Framework to sufficiently address current and projected cyber risks to critical infrastructure, and, if not, what additional authority is required. To the extent current regulatory requirements are deemed to be insufficient, agencies are required to propose actions to mitigate cyber risk within 60 days of the publication of the final Framework.
Finally, the Executive Order requires agencies to consult with the owners and operators of critical infrastructure within two years of the publication of the final Framework to prepare a report that is to be delivered to OMB identifying any critical infrastructure subject to “ineffective, conflicting, or excessively burdensome” cybersecurity requirements.
Stating that cyber threats pose “one of the most serious national security challenges” the United States must confront, President Obama noted that this Executive Order is meant to fill a gap while Congress continues to pursue legislation.
As we noted previously, Sen. Rockefeller and other congressional leaders have already made known their intent to pursue legislation in this session of Congress. In January, Sen. Rockefeller and other Senate Democrats introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 as a starting point for comprehensive cybersecurity legislation. In support of such legislation, Sen. Rockefeller released a staff memorandum presenting the responses his office received to his September 2012 letter to all Fortune 500 companies’ CEOs regarding cybersecurity practices.
Meanwhile in the House, the Cyber Intelligence Sharing and Information Act (CISPA), which passed the House in 2012, is slated to be reintroduced today. And other House leaders have indicated their intent to reintroduce cybersecurity legislation in the new Congress over the coming weeks.
Cybersecurity concerns have garnered international attention as well. The Executive Order follows closely on the heels of the EU’s release last week of its cybersecurity plan, which included a Cybersecurity Strategy and proposed Directive. The proposed EU Directive would establish a mandatory breach reporting regime and a cooperation network for information sharing, as well as mandate the adoption of appropriate security measures on the part of many businesses.
Paul Otto and Steve Spagnolo, associates in our Washington, D.C. office, contributed to this entry.