On February 12, 2013, President Obama issued an executive order (the Order) intended to improve the cybersecurity of “critical infrastructure” in the United States. The Order seeks to build a public-private partnership with the owners and operators of critical infrastructure, to improve information sharing, and to collaboratively establish risk-based cybersecurity standards.
The Order mandates a number of agency actions to achieve these goals, and will impact private companies that oversee infrastructure including transportation systems, dams, electrical grids and financial institutions. Key highlights of the Order are discussed below.
The definition of “critical infrastructure” is broad and includes “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The President would have substantial authority to determine what infrastructure is included in this definition.
The Order promotes information sharing by expanding the Enhanced Cybersecurity Services program and providing both classified reports on cyber threats to authorized entities and unclassified reports to other entities. However, the Order provides neither an exemption from certain privacy laws—such as the Electronic Communications Privacy Act—that serve as an impediment to information sharing nor liability protection to private sector entities for information sharing-related activities.
The Order tasks the National Institute of Standards (NIST) with developing a Cybersecurity Framework (the Framework), which “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The Order directs only that the Framework “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” Because that directive is qualified by “to the fullest extent possible,” the Framework will not necessarily incorporate voluntary consensus standards and industry best practices.
The Framework will also incorporate “guidance” for performance metrics to assess implementation by private entities. NIST is required to publish a preliminary version of the Framework within 240 days of the Order, and the final version will be published within one year of the Order.
Private Participation in “Framework” Program
The Order tasks the Secretary of Commerce, in coordination with sector-specific agencies, with establishing “a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities” (the Program). In addition, the Secretary of Commerce is required to “coordinate establishment of a set of incentives designed to promote participation in the Program.” These “incentives” have the potential to make it very difficult for owners and operators of critical infrastructure not to participate in the Program.
Other Significant Agency Actions
The Order requires agencies with authority for regulating the security of critical infrastructure to determine the adequacy of current cybersecurity regulations, in light of the preliminary Framework. If current regulations are deemed inadequate, within 90 days of publication of the final Framework, these agencies must propose proper actions to “mitigate cyber risk.” The Order encourages independent regulatory agencies with the same authority “to consider prioritized actions to mitigate cyber risks,” in consultation with relevant agencies and “other affected parties.”
The Order provides for a number of agency actions that must be taken within a specified timeline. These actions may result in new cybersecurity regulations that could require owners and operators of critical infrastructure to change the policies, procedures, technologies, and equipment through which they identify cyber-threats and prevent or mitigate cyber-attacks. The Order does not, however, obviate the need for legislation, especially as the federal government seeks to facilitate increased cyber-threat information sharing by private companies, which will require changes to certain privacy statutes and liability protection for information sharing-related activities.
For more information about the Order or any other matter raised in this Legal Update, please contact Howard W. Waltzman at +1 202 263 3848.