• President Issues Highly Anticipated Cybersecurity Executive Order and Related Policy Directive
  • February 18, 2013 | Authors: C. Douglas Jarrett; Dawn Livingston; Tracy P. Marshall; Sheila A. Millar; Crystal N. Skelton
  • Law Firm: Keller and Heckman LLP - Washington Office
  • Introduction

    Following President Obama's State of the Union address on February 12, 2013, the White House released its much-anticipated cybersecurity executive order, Improving Critical Infrastructure Cybersecurity, ("Executive Order" or "EO"). The Executive Order is the Administration's initiative to address widely acknowledged cyber threats to domestic critical infrastructure. The Administration is also moving aggressively to clarify Executive Branch authority to respond fully to cyber-attacks by terrorist organizations or foreign powers, including recent intrusions into the computer networks of the New York Times, the Wall Street Journal, and the Washington Post.

    During his State of the Union address, the President recognized growing cybersecurity concerns, noting that "America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." The President called on Congress to pass legislation to protect the nation's critical infrastructure from cyber-attacks, recognizing that the Executive Order can only direct federal agencies to act.

    The EO includes four principal, inter-related components for addressing cybersecurity risks to critical infrastructure:

    1. U.S. intelligence agencies, Federal law enforcement agencies, and the Secretary of the Department of Homeland Security (the "DHS Secretary") are directed to design a process to share unclassified versions of cyber threat information with private sector entities and provide timely unclassified reports of cyber threats to specifically targeted entities. Additionally, the DHS Secretary is tasked with expanding the Enhanced Cybersecurity Service program to include additional critical infrastructure sectors in order to provide classified reports to targeted critical infrastructure companies with the requisite clearances.

    2. The DHS Secretary is responsible for (i) identifying critical infrastructure facilities where, if a cybersecurity incident were to succeed, a substantial adverse impact on national security, economic security or public health and safety would result, and (ii) conveying this assessment to the identified owners and operators of the critical infrastructure facilities on a confidential basis.

    3. The Director of the National Institute of Standards and Technology (the "NIST Director") is charged with developing a "Cybersecurity Framework" to create a set of standards and procedures for addressing cyber risks that align the various policy, business, and technological approaches. The Cybersecurity Framework is intended to provide "a prioritized, flexible, repeatable, performance-based, and cost effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk." The focus of the Cybersecurity Framework is identifying cross-sector security standards and guidelines for critical infrastructure.

    4. The DHS Secretary will create a program to promote voluntary adoption of the Cybersecurity Framework by critical infrastructure entities by offering benefits and incentives to entities adopting (apparently in some public or affirmative manner) the program. The program will include implementation guidance and supplements responding to sector-specific risks and differences in operating environments.

    To complement the cybersecurity Executive Order, the Administration also issued Presidential Policy Directive 21 ("PPD21") to establish a national policy on critical infrastructure security and resilience. The purpose is to allow the government to adjust to the new risk environment, take into consideration key lessons learned from recent cyber-attacks, and drive the government and private sector toward more enhanced capabilities.

    In addition to the EO and PPD21, Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD) of the House Permanent Select Committee on Intelligence reintroduced the "Cyber Intelligence Sharing and Protection Act," or "CISPA" (H.R. 624) on February 13, 2013. The House of Representatives initially passed CISPA in April 2012. The Senate, however, did not take up the CISPA-version of the cybersecurity legislation and instead attempted to pass the "Cybersecurity Act of 2012" (S. 3414). The Senate failed both in August and November 2012 to obtain enough votes to move the bill forward. Cybersecurity legislation will attempt to fill in the gaps to encourage companies and government to share information collected on the Internet to prevent electronic attacks from cybercriminals, foreign governments, and terrorists and will provide liability for companies that fail to do so. Unlike CISPA, the Executive Order only addresses the sharing of information from the government to critical infrastructure entities, not vice-versa, which has appeased some privacy advocates.

    Below we provide a section-by-section analysis of the Executive Order, an assessment and implications of major components of the Executive Order, and an overview of the PPD21.

    I. Section-by-Section Review of the Executive Order

    Section 1. Policy. In light of repeated cyber intrusions into critical infrastructure and the far reaching consequences these intrusions could have, a coordinated, proactive response to cyber security risks by the Federal government and owners and operators of critical infrastructure is warranted.

    Section 2. Critical Infrastructure. The EO defines "critical infrastructure" as:

    [S]ystems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

    This definition can be construed reasonably to encompass major telecommunications networks, interstate pipelines (crude, product and natural gas), electric, water and natural gas delivery companies, electric power generation facilities, regional transmission organizations (RTOs), major refinery complexes, port operations, major financial institutions, and potentially facilities that manufacture defense weapons and technology.

    Section 3. Policy Coordination. Inter-agency policy coordination with regard to the Cyber Framework is governed by the Presidential Directive-1 of February 13, 2009, (Organization of the National Security Council System).

    Section 4. Cybersecurity Information Sharing. The national intelligence agencies, law enforcement agencies under the Attorney General, and the DHS Secretary are directed to issue instructions for producing "unclassified reports" of cyber threats that identify a "specific targeted entity" within the next 120 days (i.e., by June 12, 2013). These agencies are also responsible for establishing a process to rapidly disseminate these unclassified reports to the owners and operators of the specifically targeted entities.

    The DHS Secretary, in collaboration with the Secretary of Defense, is directed to expand the Enhanced Cybersecurity Services program to include additional critical infrastructure sectors. This program provides a mechanism for the government to share classified cyber threat and technical information to eligible critical infrastructure with the requisite security clearance and their security service providers.

    To assist in the dissemination of classified information, the DHS Secretary is directed to expedite security clearances for personnel employed by owners and operators of critical infrastructure in order to receive the (1) cyber threat information described in this Section 4, and (2) notices from the DHS Secretary advising the owner/operator that a cybersecurity incident at its facility would pose a substantial risk to security, safety or economic well-being, as provided under Section 9, below.

    Section 5. Privacy and Civil Liberties Protections. The Department of Homeland Security is directed to take steps to assess and minimize the privacy and civil liberties' risks associated with the actions undertaken pursuant to the EO, and agencies are directed to consider those assessments and recommendations in implementing privacy and civil liberties protections for their activities. The Executive Order notes that any "information submitted voluntarily in accordance with 6 U.S.C. 133 by privacy entities under this order shall be protected from disclosure to the fullest extent permitted by law."

    Section 6. Consultative Process. This provision expands the scope of activities within the purview of the Critical Infrastructure Partnership Advisory Council ("CIPAC") (an interagency group) to include cybersecurity and to facilitate discussions/consultations among the Federal government, critical infrastructure owners and operators, multiple non-Federal government stakeholders and cybersecurity experts.

    Section 7. Cybersecurity Framework. The NIST Director is charged with coordinating the development of the Cybersecurity Framework to reduce cyber risks to critical infrastructure. This framework shall include "a set of standards, methodologies, procedures and processes to address cyber risks" at critical infrastructure facilities, incorporating "existing consensus-based standards and industry best practices to the fullest extent possible." To develop the Cybersecurity Framework, the NIST Director will follow an open review and comment period from the public as well as all interested government agencies.

    A preliminary version of the Cybersecurity Framework must be published within 240 days (i.e., by October 10, 2013), with a final version to be published no later than one-year, or February 12, 2014. The NIST Director will coordinate periodic reviews of the final Cybersecurity Framework by industry and government stakeholders and issue updates as appropriate.

    Section 8. Voluntary Critical Infrastructure Cybersecurity Program. The DHS Secretary will establish a voluntary program to support adoption and implementation of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities (the "Program"). This is seen by some commentators as an accommodation to Republican opposition that arose last year against Democratic legislation imposing mandatory cybersecurity compliance obligations on critical infrastructure owners and operators. The Program will include a set of incentives and benefits for critical infrastructure entities participating in the program.

    Sector-Specific Agencies (federal agencies responsible for infrastructure protection activities in a designated sector or key resource category) will review the Cybersecurity Framework for the purpose of tailoring the Framework to address sector-specific risks and operating environments. The EO directs DOD and GSA to determine if existing law allows them to grant procurement preferences to critical infrastructure owners and operators that comply with Cybersecurity Framework.

    Section 9. Identification of Critical Infrastructure at Greatest Risk. Within 150 days (i.e., by July 12, 2013), the DHS Secretary "shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security or national security." The list of identified critical infrastructure will be provided to the President. The DHS Secretary and Sector-Specific Agencies shall confidentially notify owners and operators of these that their critical infrastructure facilities have been identified as high risk facilities, and provide relevant threat information to these owners and operators.

    Section 10. Adoption of Framework. Agencies with responsibility for regulating the security of critical infrastructure shall consult with DHS, OMB, and National Security staff to review the preliminary Cybersecurity Framework developed under Section 7 to determine whether their respective current cybersecurity regulatory authority is sufficient given current and projected risks. Within 90 days of publication of the preliminary Cybersecurity Framework, the Agencies shall submit a report to the President and others within the Executive Branch whether the agencies have "clear authority" to establish requirements based on the Cybersecurity Framework "to sufficiently address current and projected cyber risks to critical infrastructure."

    Independent regulatory agencies are encouraged to engage in a consultative process with DHS Secretary and affected parties to consider actions to mitigate risks to critical infrastructure facilities or owners and operators subject to their jurisdiction.

    Section 11. Definitions. A series of statutory definitions relevant to the EO are included.

    Section 12. General Provisions. The EO shall be implemented consistent with applicable law and subject to the availability of appropriations.

    II. Assessment of Major Components of the Executive Order on Cybersecurity

    The implications raised by the Executive Order are significant for owners and operators of critical infrastructure facilities.

    • The EO does not create mandatory reporting requirements for critical infrastructure entities to provide information to the government on the company's cyber risks and cyber threats. Disagreement over voluntary standards versus mandatory reporting requirements for private entities was a major stumbling block to enacting legislation during the last Congressional term. The EO is expected to be a starting point for cybersecurity legislation, such as CISPA, this term.

    • Even though critical infrastructure entities likely know when they are subject to cyber-attacks, owners and operators likely would benefit from the government sharing information about targeted cyber threats and a formal acknowledgement by the government that a cyber-attack on the entity's critical infrastructure could have significant adverse effects.

    • The best practices, analytical tools, and implementation guidance developed under the Cybersecurity Framework are intended to enhance the ability of owners and operators of critical infrastructure entities to address cybersecurity risks or gaps in their data networks and security procedures. However, in such a dynamic area, flexibility and innovation will be necessary to keep up with a landscape that involves ever-changing threats of increasing sophistication.

    • One concern related to the non-classified summaries of cyber threats to targeted facilities under Section 4 is the extent of redactions necessary to convert the reports to "unclassified." Entities may want to designate officers to secure the necessary security clearance in order to receive the classified reports. As a practical matter, the process to obtain appropriate clearances may result in considerable delay which could undermine the effectiveness of the concept.

    • Many companies hold data subject to state privacy and breach notification laws, but the unauthorized access or disclosure of this information is not going to undermine national security or the national or regional economy. This information does not appear to be the focus of this EO.

    • There is a serious disconnect or tension between the confidential nature of the notices provided to owners and operators of critical infrastructure under Sections 4 and 9 on the one hand, and efforts to encourage voluntary adoption of the Cybersecurity Framework under Section 8, on the other, particularly by offering government procurement preferences to entities adopting the Framework. Participation entails some level of public disclosure which appears to be problematic.

    • The EO does not provide liability protection for companies providing voluntary information to the government. A limitation on liability can only be achieved through legislative action, resulting in concern about whether participation and ultimate public disclosures could engender additional liability exposure. Companies are, however, provided protection from disclosure of information that is voluntarily submitted to the government.

    III. Overview of Presidential Policy Directive 21

    The PPD21 would update the national approach from Homeland Security Presidential Directive 7, issued in 2003. Specifically, the PPD21: (1) directs the government to refine and clarify the functional relationships across government's departments related to critical infrastructure and work to improve the effectiveness of existing public-private partnerships; (2) directs the government to establish greater and more efficient information sharing between all levels of government and critical infrastructure owners and operators, including the sharing of intelligence information; (3) calls for the implementation of an integration and analysis function for critical infrastructure that includes operational and strategic analysis on incidents, threats, and emerging risks; and (4) calls for a comprehensive research and development plan for critical infrastructure to guide the government's effort to enhance and encourage market-based innovation.

    The PPD21 identifies 16 critical infrastructure sectors and designates associated Federal sector-specific agencies. The 16 critical infrastructure sectors include the following general sectors: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. These likely will be the same or similar sectors identified by the Department of Homeland Security pursuant to its mandate to identify critical infrastructure where a cybersecurity incident could reasonably occur under Section 9(a) of the Executive Order.

    In addition, PPD21 directs the Secretary of Homeland Security to implement these policies by:

    • Developing a description of the functional relationships within DHS and across the Federal Government related to critical infrastructure security and resilience;

    • Evaluating the existing public-private partnership model and recommending options for improving the effectiveness of the partnership in both the physical and cyber space;

    • Convening a team of experts to identify baseline data and systems requirements to enable the efficient exchange of information and intelligence relevant to strengthening the security and resilience of critical infrastructure;

    • Developing a near real-time situational awareness capability for critical infrastructure;

    • Updating the National Infrastructure Protection Plan; and

    • Providing the President, within 2 years, a National Critical Infrastructure Security and Resilience Research and Development Plan that takes into account the evolving threat landscape, annual metrics, and other relevant information to identify priorities and guide R&D requirements and investments.