White House Issues Executive Order on Improving Critical Infrastructure Cybersecurity

February 15, 2013

On February 12, 2013, after months of speculation and leaked drafts, President Obama signed an Executive Order on Improving Critical Infrastructure Cybersecurity (EO).  The EO represents the White House’s response to Congress’s failure last year to pass the Cybersecurity Act of 2012 (S. 2105).  As such, the EO puts in place measures aimed at replicating key provisions of the failed bill, in particular, measures to encourage information sharing between the government and private industry, as well as measures to put in place “voluntary” cybersecurity standards for critical infrastructure.  

Without a congressional enactment, the EO relies on existing authorizations.  As explained below, the result is mixed.  The EO puts in place limited information sharing measures that will expand on existing pilot efforts to share classified cyberthreat information generated by the government with industry, but these measures do not expand private entities’ ability to share their own information with the government.  (Notably, Congress is currently considering a bill, the Cyber Intelligence and Information Sharing and Protection Act (CISPA), that would address this limitation.)  On the other hand, the EO puts in place what could be a fairly muscular program to encourage the adoption of the voluntary cybersecurity standards by critical infrastructure owners.  This program, which is nearly as strong as the measures proposed in the final version of the ill-fated Cybersecurity Act of 2012, employs a number of different incentives to encourage adoption of higher standards that may make the program more mandatory than it appears.  A key question, however, will be how stringent the actual cybersecurity standards that get adopted will be.

Information Sharing

One of the few areas of agreement during last year’s cybersecurity legislative debate was that more information sharing was needed to ensure that both private and government actors had the latest available cyberthreat information.  Current cybersecurity technology relies largely on using “signatures” of known attacks to filter out malware before it enters IT systems.  The challenge with such technology is ensuring that when new attacks are discovered, information about them is rapidly disseminated so that other entities can protect themselves.  Up until now, concerns about the security of classified information have limited the amount of information the government was willing to share with industry to a narrow pilot program aimed at defense contractors called the Defense Industrial Base Enhanced Cybersecurity Services program.  And privacy laws, in particular those related to wiretaps, have made it difficult without legislative action for some companies to share information with the government.

The EO primarily addresses the former issue by making it easier for the government to share information with the private sector:

  • It provides for the creation of “unclassified reports of cyber threats to the US homeland that identify a specific targeted entity” and for the creation of a process to disseminate these reports to those entities.  The Secretary of Homeland Security (Secretary), the Attorney General, and the Director of National Intelligence are required to issue instructions for the creation of these unclassified reports within 120 days of the order.
  • It requires the expansion of the Enhanced Cybersecurity Services (ECS) program from just focusing on defense contractors to now providing classified cyberthreat indicators to critical infrastructure companies and their service providers.  White House talking points regarding the EO indicate that this will be aimed at creating "real time information sharing."  Again, the procedures for expanding this program have to be established within 120 days of the date of the order, and the EO further provides for expedited processing of security clearances for critical infrastructure employees to ensure that these entities can participate in ECS.
  • Finally, in order to provide the government better insight into the cyberthreat information needs of critical infrastructure owners, the EO also provides for the expansion of programs to bring private sector subject matter experts into the government.  This is one of the few measures that will allow the private sector to share its knowledge with the government.  But it appears to be aimed more at helping the government strengthen its own sharing systems than at disseminating actionable cyberthreat information to the government.

In recognition of continuing potential legal barriers to voluntary sharing of information by the private sector to the government, Representatives Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) reintroduced CISPA on February 13, 2013.  CISPA, which passed the House of Representatives in 2012, would create an exception to federal and state wiretap and other laws to allow for the sharing by private companies of cyberthreat information. The bill, however, was criticized by some last year because of privacy concerns, and the White House threatened to veto it.  

Voluntary Critical Infrastructure Cybersecurity Program

The second major component of the EO is a set of measures aimed at creating voluntary cybersecurity standards for private critical infrastructure owners.  During the 2012 legislative debates, opposition by industry first led to the Senate dropping proposed mandatory regulation of critical infrastructure in favor of voluntary standards and then caused even that watered down proposal to be defeated by a filibuster.  While the President may lack the legislative authority to explicitly impose regulatory requirements, the EO puts in place a voluntary scheme, similar to last year’s legislative proposal for voluntary measures, that is likely to have some teeth.  The EO requires the creation of a “framework to reduce cyber risks to critical infrastructure” and then it includes a number of measures to encourage the adoption of this framework.

As to the framework itself, the EO requires the National Institute of Standards and Technology (NIST) to lead its development in consultation with the National Security Agency, agencies responsible for regulating particular critical infrastructure sectors, other government agencies, like OMB, and industry.  The EO requires that the framework “include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” and that the framework “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”  

NIST will be required to publish a preliminary version of the framework within 240 days for comment, and then the final version will be published within a year, with NIST regularly reviewing and updating it as necessary.  The major question to watch for with this framework is how stringent the actual requirements will be.  Given that the EO has been issued after industry opposition blocked legislation to do the same thing, and also given the fact that NIST will be working on a relatively tight deadline to produce the framework, the chances seem good that the process of developing it will be a contentious one that might lead to only a bare minimum set of standards.  Another issue to watch will be how effectively the ultimate framework addresses technological change.  Critics have raised concerns that the framework would be ineffective if all it does is lock in existing standards that may soon be out of date.

The EO also contains a number of measures aimed at encouraging adoption of the framework by critical infrastructure owners.  While these provisions have been touted publicly as “voluntary,” the EO in a number of places requires the use of existing legislative authority to urge compliance with them.  Perhaps more significantly, the framework is likely to go a long way in establishing a standard of care for cybersecurity among at least critical infrastructure owners.  Thus, if in the future a critical infrastructure owner suffers a breach, prospective plaintiffs—including people harmed by the breach as well as shareholders—may ask whether the owner complied with the framework.  As a result, mandatory or not, companies may feel compelled to comply with it.

The measures include:

  • Within 150 days, the identification through a consultative process by DHS of critical infrastructure that is at the greatest risk.  The EO includes a broad definition of critical infrastructure.  Section 2 of the EO defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”  The EO, however, explicitly states that the Secretary may not identify commercial IT products or consumer IT services as critical infrastructure.  Once they have been identified, owners and operators of critical infrastructure are to be confidentially notified of their status and given an opportunity to request reconsideration of the designation.
  • The creation of a voluntary program to support the adoption of the framework by “owners and operators of critical infrastructure and any other interested entities.”  The EO instructs sector-specific agencies, consulting with other government agencies and in coordination with relevant Sector Coordinating Councils “to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”  The EO also includes several possible ways of encouraging adoption of the framework.  First, it employs “name and shame” tactics, requiring sector-specific agencies to report annually to the President on the extent to which identified infrastructure has adopted the framework.  Second, the EO requires the Secretary, working with the Treasury and Commerce Departments, to propose a set of incentives for parties to adopt the framework within 120 days of the signing of the EO.  Finally, it requires the Department of Defense and the General Services Administration to make recommendations to the President within 120 days on the feasibility of incorporating cybersecurity requirements into acquisition planning and contract administration.
  • A requirement that government agencies that regulate critical infrastructure sectors review the framework “and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.”  Agencies will be required to publish a preliminary assessment of existing regulations 90 days after the preliminary version of the framework is published that takes into account whether or not the agency has clear regulatory authority to put in place standards based on the framework and any additional authority that might be required.  To the extent that agencies determine that their regulatory requirements are insufficient, they will be required, 90 days after the publication of the final framework, to propose prioritized, risk-based actions to improve cybersecurity in the critical infrastructure sectors that they regulate.

Conclusion

Much of the impact of the EO will likely turn on how stringent the voluntary cybersecurity standards that it creates will be.  As noted, there are many reasons to believe that, at least in its first iteration, the voluntary framework will aim for the lowest common denominator in cybersecurity standards.  Nonetheless, the EO may impact a number of industries.  Regulated entities and government contractors will particularly need to watch and see whether the voluntary framework will lead to mandatory requirements for them.  Entities ultimately identified as critical infrastructure will also need to consider carefully the incentives and disincentives for complying with the EO.  It is worth noting in this context that the EO does not appear to create a mechanism for monitoring industry compliance.  Finally, companies not directly affected by the EO will need to consider the extent to which the voluntary framework will create a standard of care within their own industry.

Given the tight deadlines within the EO, we understand that its implementation is likely to occupy a number of policymakers’ and regulators’ attention this year, particularly at the Department of Homeland Security.   This will be an important space to watch.