After proponents of cybersecurity legislation were unable to reach consensus on a bill during the 112th Congress, President Barack Obama, on February 12, issued a cybersecurity Executive Order (the Executive Order or EO) to enhance the security and resilience of the country’s critical infrastructure (CI). The EO is available here.
This Alert provides a preliminary assessment of the cybersecurity Executive Order and observations that may be helpful in considering how new standards may affect your company.
The Executive Order requires federal agencies to improve two-way information sharing about cyber threats and to work collaboratively with the private sector to develop a cybersecurity framework (the Cybersecurity Framework or Framework) for the protection of CI from cyber threats. The Framework will apply to owners and operators of critical infrastructure who voluntarily participate and other entities that may voluntarily participate. The Executive Order requires federal agencies to develop incentives for private sector adoption of the Cybersecurity Framework. Federal agencies with sufficient regulatory authority may impose regulations implementing the Framework. Furthermore, even where federal agencies lack the regulatory authority to impose the cybersecurity standards included in the Framework, the standards are likely to be influential, in that following the Framework as it applies in a company’s sector would provide strong evidence that the company was exercising a duty of care to prevent harm from a cyber attack.
Current critical infrastructure sectors affected by this order include energy, agriculture/food, information technology, banking/finance, telecommunications/broadcasting, commercial services (such as hotels and sports arenas), defense industrial base, chemical, dams, health care, water, nuclear, critical manufacturing, transportation; and postal/shipping. These sectors have been identified by DHS pursuant to Presidential Policy Directive #7, which established US cybersecurity policy in 2003. In conjunction with the EO, the President also issued an update to Directive #7, Presidential Policy Directive #21, which we will address in a future client alert. The Directive is available here.
As explained in more detail below, the Executive Order requires the Department of Homeland Security (DHS) to work with the Department of Commerce, the Department of Defense, the Director of National Intelligence (DNI), sector-specific agencies, and agencies with regulatory authority over CI sectors, to analyze current cybersecurity risks to CI and develop a national cybersecurity framework and adapt the framework for individual sectors.
If your company operates in a critical infrastructure sector, then you may want to understand the extent to which the agency or agencies with regulatory authority over your industry has statutory authority to impose, either directly or indirectly, new cybersecurity requirements on your company.
If you expect to be covered, consider participating in proceedings and government-private sector discussions regarding the Framework, either directly or through a trade association.
Even if your industry is already subject to federal cybersecurity related requirements, the Executive Order leaves plenty of room for imposing additional security requirements and other compliance obligations. And, finally, even if you believe your company is unaffected because it operates outside a critical infrastructure sector, it is worth considering the extent to which the Cybersecurity Framework and impending guidelines may create de facto cyber standards that will ultimately affect your company anyway.
Action items to consider
If you wish to participate directly in the establishment of the Framework through NIST, we recommend starting to identify key issues now so as to be prepared when NIST initiates the comment process.
If you are in a CI sector, establish a process to receive information from the government including designating an employee or employees with security clearance to receive classified information.
If you are in a CI sector or a service provider to a CI sector, be prepared for the Framework to result in increased operational costs. The Framework is to be finalized by February 12, 2014.
If you receive notice of a new designation as CI and you opt to participate in the Framework, establish an internal process to ensure compliance with new guidelines and regulations.
More generally, if you have not already done so, establish a governance structure led by representatives of senior management, to address cybersecurity and information management issues that your organization faces.
Executive Order and what to expect going forward
The Executive Order includes a number of favorable changes for the private sector in response to feedback provided by stakeholders in meetings with the White House staff. It reflects a greater recognition of existing public-private partnerships that are already working, including one involving the electricity industry.
The Order emphasizes a risk-based and cost-based approach to improving cybersecurity. In this vein, the Department of Energy is currently working on an initiative (the Electricity Sector Cybersecurity Capability Maturity Model) that provides companies with a self-evaluation survey to help them assess vulnerabilities and implement changes to address those risks. The model helps companies figure out where they need to focus resources in order to maximize cybersecurity improvements. The Administration plans to translate this model for use in other CI sectors during implementation of the Executive Order.
However, the Executive Order could still produce problematic results for affected companies because it offers significant discretion to DHS, DOD and agencies with regulatory authority over CI sectors to issue new regulations applicable to those sectors, and it may establish de facto standards that affect industries not explicitly subject to the framework.
Identification of critical infrastructure at greatest risk and IT carve-out
The Executive Order requires the Secretary of Homeland Security (the Secretary) to use a risk-based approach with objective criteria to identify CI for which a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security or national security. The Secretary also is required to use the consultative process established under the Executive Order and draw upon the expertise of Sector Specific Agencies and other agencies with responsibility for regulating the security of CI.
The Executive Order, however, prohibits, the Secretary from identifying “any commercial information technology products or consumer information technology services” under this process. This carve-out was not included in the early drafts of the Executive Order and is similar to language that was added to the final version of the Lieberman-Collins cybersecurity bill that was not passed by the Senate. The final language was expanded also to cover “consumer information technology services.”
The Secretary, in coordination with sector-specific agencies, is required confidentially to notify owners and operators of CI identified through the process described above and provide them with the basis for the determination. The Secretary also must establish a process by which owners and operators can request reconsideration of an identification. Finally, the Secretary is required to review and update the list of critical infrastructure on an annual basis.
The Order takes steps to improve government sharing of cybersecurity threat information with private sector entities. However, it does not address sharing between the private sector and the government or between private sector entities. The Executive Order instructs the DNI, the US Attorney General and the Secretary to issue instructions consistent with their authorities, to:
ensure timely production of unclassified reports on cyber threats to the US homeland that identify specific targeted entities
ensure timely production of classified reports to authorized critical infrastructure entities
create a process that rapidly disseminates the reports to the particular targeted entities and
establish a system for tracking the dissemination of these reports.
To facilitate the sharing of cybersecurity risk information and to assist owners and operators of CI in protecting their systems from unauthorized access or harm, the Secretary has been instructed to:
expedite the provision of security clearances for personnel of owners and operators of CI, giving priority to personnel employed by owners of critical infrastructure identified by the Secretary as Critical Infrastructure at Greatest Risk and
expand the use of programs that bring private sector experts into federal service on a temporary basis to provide advice regarding the types of information most useful to CI owners and operators and
establish procedures, in collaboration with the Secretary of Defense, to expand the Enhanced Cybersecurity Services program to all critical infrastructure companies by June 12, 2013, which enables critical infrastructure companies and their commercial security service providers to receive classified and unclassified cyber threat and technical information under this voluntary program.
The Executive Order also recognizes that the national security interests in protecting critical infrastructure must be carefully balanced with fundamental principles of privacy and civil liberties. In furtherance of this balancing act, the Executive Order requires:
information shared by private entities to be protected from disclosure upon request by a private entity pursuant to existing law on critical infrastructure information
agencies to coordinate their activities with the appropriate senior officials for privacy and civil liberties and ensure that such protections are incorporated into the Agencies’ implementation of the Executive Order and
the Chief Privacy Officer and Officer for Civil Rights and Civil Liberties of DHS to provide recommendations to the Secretary based upon the Fair Information Practices Principles and other agency privacy frameworks, on ways to minimize privacy and civil liberties risks, which will be issued in a publicly available report coordinated with OMB and the Privacy and Civil Liberties Oversight Board within one year, and annually thereafter as necessary.
The Executive Order requires the Director of NIST to direct the National Institute of Standards and Technology (NIST) to coordinate the development of a framework to reduce cyber risks to critical infrastructure. The Framework must:
include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks
incorporate existing consensus-based standards and industry best practices to the fullest extent possible
be consistent with voluntary international standards when such standards advance the objectives of the Executive Order
focus on identifying cross-sector security standards and guidelines applicable to CI, such as the electricity sector model discussed above
provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls
identify gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations
be technologically neutral and enable CI sectors to benefit from a competitive market for products and services that meet the standards and methodologies developed to address cyber risks
include guidance on measuring the performance of an entity in implementing the Framework and
include methodologies to identify and mitigate impacts on business confidentiality and individual privacy and civil liberties.
In providing guidance for measuring the performance of an entity, careful consideration must be given to providing adequate protections for maintaining confidentiality for the entity for both competitive and security reasons.
Process for Framework development and adoption
NIST is required to lead the development of the Framework in consultation with NSA, sector-specific agencies and other interested agencies, OMB, owners and operators of CI and other stakeholders. NIST must engage in an open public review and comment process in developing the Framework. In parallel, the Secretary is required to establish performance goals for the Framework. The Deputy Secretary of Commerce has pledged to consult widely in developing these standards and companies may wish to engage actively in this process either directly or through trade associations.
The Secretary is required to establish a consultative process to coordinate improvements to the cybersecurity of CI. The process is to engage and consider input from NSA, the DNI, sector- specific agencies, other relevant agencies, owners and operators of CI and other stakeholders using the existing Critical Infrastructure Partnership Advisory Council (CIPAC). Agencies with regulatory authority over CI are required to review the preliminary Framework to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. Most importantly for CI owners and operators, the agencies must report to the President on whether the agency has sufficient authority to establish requirements pursuant to the Framework and whether new or additional authority is required.
Once the Framework is final, the Director of NIST is to ensure the Framework is reviewed and updated as necessary, taking into account changes in technology, input from critical infrastructure owners and operators, and other relevant factors. Within two years of publication of the final Framework, these agencies must consult with owners and operators of CI and report to OMB on whether the Framework would result in ineffective, conflicting or excessively burdensome requirements and efforts to minimize or eliminate such requirements by the agency. Although this language provides some protection for the private sector, it still allows significant agency discretion in making these evaluations.
Voluntary program for adoption of framework by private sector and the federal acquisition process
The Executive Order requires the Secretary, in coordination with sector-specific agencies, to establish a voluntary program to support the adoption of the Framework by owners and operators of CI and other interested entities. The Executive Order requires:
sector-specific agencies to coordinate with the sector coordinating councils to review the Framework and develop implementation guidance that will address sector-specific risks and operating environments and report to the President annually on the extent to which CI owners and operators are participating in the program
the Secretary to coordinate a set of incentives to promote participation in the program. However, the Executive Order and subsequent implementation cannot offer the liability protection that the industry has sought
the Secretary and the Secretaries of Treasury and Commerce to provide the President with separate recommendations on incentives, including which ones could be implemented under existing law and which ones require legislation, and
the Secretary of Defense and the Administrator of GSA, in consultation with the Secretary and the Federal Acquisition Regulatory Council, and using the consultation process set forth in the Executive Order, to provide the President with recommendations on incorporating cybersecurity standards into acquisition planning and contract administration and how to harmonize these changes with existing procurement regulations.
The potential incorporation of cybersecurity standards into the federal acquisition process may set the stage for the establishment of guidelines that create preferences for vendors who meet certain cyber standards. If this were to occur, it could provide a back door around the technology-neutral requirements of the Executive Order.
The Executive Order has the following key deadlines:
- June 12, 2013 – The AG, the Secretary and the DNI shall establish a process for timely dissemination of unclassified and classified reports to critical infrastructure entities.
- June 12, 2013 – The Secretary in collaboration with the Secretary of Defense shall expand the voluntary Enhanced Cybersecurity Services information sharing program to all critical infrastructure.
- June 12, 2013 – The Secretary and the Secretaries of Treasury and Commerce each are required to provide the President with separate recommendations on incentives: including which ones could be implemented under existing law and which ones require legislation.
- June 12, 2013 – The Secretary of Defense and the Administrator of GSA, in consultation with the Secretary and the Federal Acquisition Regulatory Council, and using the consultation process set forth in the Executive Order, must provide the President with recommendations on incorporating cybersecurity standards into acquisition planning and contract administration and how to harmonize these changes with existing procurement regulations.
- July 12, 2013 – The Secretary shall identify critical infrastructure where a cybersecurity incident could have a catastrophic effect.
- October 12, 2013 – The Director of NIST shall publish a preliminary version of the Framework.
- May 13, 2013 – Agencies that regulate critical infrastructure security shall report to the President on agency authority to implement the Framework and any additional authority required.
- February 12, 2014 – The Director of NIST shall publish the final version of the Framework.
- May 13, 2014 – If current cybersecurity regulatory requirements are insufficient, agencies that regulate critical infrastructure security shall propose requirements to mitigate cyber risk.
The Executive Order provides for a new policy coordination and dispute resolution role for the interagency process of the National Security Council.
The Executive Order states that nothing in the Order is be construed to provide authority to an agency greater than existing law. The Order shall be implemented consistent with international obligations. The Order is not intended to create any rights of any party against the federal government.
The issue of the role of private sector entities in defending themselves offensively against attacks from nation-states and hackers has also come up during White House staff meetings with industry representatives. The Administration has indicated that it continues to examine this issue.
The President signed a classified Policy Directive (#20) in October 2012 that set new rules of engagement for offensive and defensive cyber actions by the military. Under the Directive, traditional network defense activities and law enforcement will remain the first options rather than military cyber unit action. The Directive also establishes a broad set of standards for federal agencies facing cyber threats. Finally, the Directive provides a vetting process for operations outside of government and defense networks in response to cyber attacks and will insure that the privacy and data of US citizens and that of US allies are protected and international laws of war are followed.
One further consideration is the language included in the Continuing Resolution for FY 2013 funding the government through March. The House and Senate Appropriations Committees effectively restricted the use of funds by DHS for implementation of an Executive Order. It is unclear how this language will impact DHS implementation in the near term and whether the Congressional Appropriations Committees will include similar language in the next Continuing Resolution.
Cybersecurity information sharing legislation and its prospects in 2013
During the 112th Congress, the House of Representatives passed a cybersecurity bill, H.R. 3523, the Cybersecurity Intelligence Sharing and Protection Act (CISPA), which had broad bipartisan support and focused on information sharing between intelligence agencies or other appropriate federal agencies or departments, and certified private sector entities with the requisite security clearance.i This week, CISPA’s sponsors reintroduced an identical bill (H.R. 624, available here). The bill authorizes the use of cyber information by private sector entities in a manner that prevents unauthorized disclosure. Unlike the Executive Order, this bill also provides liability protections for private sector entities sharing information or for making decisions based on cyber threat information identified, obtained or shared. The bill does not include controversial provisions related to the regulation of critical infrastructure as did the Senate Lieberman-Collins bill and, therefore, is opposed by the Administration and some Congressional Democrats. Prior to its passage last Congress, the bill’s sponsors made significant changes to the legislation in order to address the concerns of privacy and civil liberties groups. However, despite these changes, these groups have continued to oppose the bill – first, because of the scope of information covered and second because it allows information sharing with NSA.
Because information sharing is only minimally addressed in the Executive Order, we anticipate continued momentum for legislation in this area to promote information sharing by the government and by the private sector with the government and other private sector entities.
Information sharing and liability protections have been and remain the top cybersecurity priority of the private sector. Although Congressional action on information sharing during the 112th Congress continued to reflect philosophical divisions among Democrats on Capitol Hill, we anticipate that the House will again pass bipartisan legislation, which may have a greater chance of passage in the Senate following the release of the Executive Order.
Once the other Congressional committees with jurisdiction over cybersecurity have had time to digest the EO, we anticipate legislation from the House and Senate Homeland Security Committees, among others.
The Executive Order has potentially sweeping implications not only for CI owners and operators but for most companies. We already have experienced federally mandated security requirements imposed upon the financial services and health care sectors and have seen the financial sector requirements in many cases extended to non-regulated sectors through Federal Trade Commission enforcement standards.
The implementation and adoption of the Framework by companies likely will extend to all aspects of a company’s ecosystem, including outsourced service providers and companies within the supply chain. The cost implications for implementing the Framework, and the ensuing potential economic impact on the costs of delivering goods and services, remain uncertain. We only can be sure that more change is yet to come.
For more information about the Framework, please contact:
Sydney M. White
Steven R. Phillips
FROM THE ARCHIVE
EU releases cybersecurity strategy
Federal agencies, Congress accelerate defense against cyber attacks – every private company will be affected
i The House also passed a package of less controversial cybersecurity bills on R&D, training and reforming the Federal Information System Management Act (FISMA).