Executive Order on Cyber: What it Means to You

Improving Critical Infrastructure Cybersecurity Executive Order: Impact on Corporate America

By Brian Finch, Partner, Dickstein Shapiro LLP

Released during President Obama’s State of the Union Address, the long-awaited Executive Order (EO) addressing the federal government’s response to the ongoing menace of cyber attacks has made its formal appearance. The EO contains many ideas that had been previewed in previous drafts, as well as some interesting new twists that should have an immediate impact on corporate America and the nation as a whole. More than anything else, the EO represents another step in the U.S. government’s ongoing response to the ever more extensive and expensive threat posed by cyber attacks. Below are seven key takeaways for businesses, followed by an in-depth analysis of the EO which addresses these key points and identifies next steps to be taken by the parties involved.

Key Takeaways: What’s in the EO, What’s Missing, and What’s Next?

1) The EO dramatically expands existing information sharing programs and provides mechanisms for sharing of unclassified threat data. But will the information be useful to many companies, will it be provided in a timely manner, and most importantly will companies have liability protection for sharing information or for choosing not to act on information provided to them?

2) How quickly will the National Institute of Standards and Technology (NIST) develop the “Cybersecurity Framework”? And will it be able to adequately tailor a framework that accounts for the great variability amongst the yet-to-be-defined “critical infrastructure” facilities?

3) What will be deemed “critical infrastructure” and what won’t be? The nation has been through this exercise many times before, and it has yet to go smoothly. And will it be easy to seek a redetermination of whether a facility constitutes critical infrastructure?

4) Will the “voluntary” cybersecurity program actually be voluntary? History has shown that such programs either (a) are dramatically underutilized or (b) are a precursor to mandatory regulations.

5) What incentives will be recommended for participation in the voluntary cybersecurity program? Will the government promote only those incentives and discourage the use of incentives that are not tied to the voluntary program (for example, Terrorism Reinsurance Act (TRIA) coverage or the SAFETY Act)?

6) The portion of the EO that is the most immediate and has the greatest impact is also the simplest to implement: procurement reform. One can easily anticipate that government contractors will soon face much stricter cybersecurity requirements as a result of the EO. What will this look like? Will it mirror the Defense Department’s new breach notification requirements? Will it cover only contractors working on classified or sensitive programs, or will it touch on almost every procurement?

7) The EO sets in motion a formal review of existing cybersecurity authorities to see what additional legislation is needed. This is yet another signal that cybersecurity legislation will be a top priority for the President and the Congress over the next two years.

“Critical Infrastructure”

The eight-page EO contains some themes that are familiar to cyber watchers. First, the EO is in large part limited to “critical infrastructure.” As defined in Section 2 of the EO, that means “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters.” Not surprisingly, many of those terms (“vital,” “debilitating,” “national economic security”) are undefined, meaning that much of the spade work on identifying “critical infrastructure” (or, in some cases, arguing that a system or asset is NOT critical infrastructure) is yet to be done. The debate over what is defined as “critical infrastructure” is certain to be significant, and based on past experience with efforts to define “critical infrastructure,” it is likely to be a lengthy process rife with errors and confusion.

Cyber Information-Sharing Program Expanded

Section 4 sets forth an expanded cyber information-sharing program. The goal of Section 4 is to set up a framework that allows for the “timely production” of unclassified reports of cyber threats to an entity that has been specifically targeted. In addition, Section 4 also gives the Secretary of Homeland Security, the Attorney General, and the Director of National Intelligence the ability to share classified information in certain circumstances. Perhaps most striking is that Section 4 of the EO directs the Secretary of Defense to establish a process by which its Enhanced Cybersecurity Services program (an existing cyber threat information sharing program) can be dramatically enhanced to allow any entity in “critical infrastructure sectors” to join that program. This represents a dramatic expansion of a program that heretofore was limited to specific companies in the so-called “Defense Industrial Base.”

The question remains, however, whether the information shared as part of this program will actually be useful and timely. Such information often is transmitted weeks after malware is discovered and the harm has been done, creating a situation akin to reading in the newspaper that your house is on fire. The EO also leaves unanswered whether liability protection will be available to participants in the information-sharing program. Liability protections are critical because, without them, many companies will not participate in information-sharing programs for fear of exposing themselves to liability.

Impact on Corporate America

Sections 7 and 8 of the EO may give many in the private sector pause, as they direct portions of the U.S. government to establish baselines to reduce cyber risks and create voluntary critical infrastructure protection programs. These sections could be worrisome, as some will argue that they will lead to regulation at a later date.

I. New Cybersecurity Framework

Section 7 gives the Secretary of Commerce, through the Director of the National Institute of Standards and Technology, approximately one year to develop a framework to reduce cyber risks (the so-called “Cybersecurity Framework”). That Framework is to include a set of standards, methodologies, procedures, and processes designed to address cyber risks. The Cybersecurity Framework is supposed to incorporate voluntary consensus standards and industry best practices “to the fullest extent possible.” The goal is to create a framework that is “prioritized, flexible, repeatable, performance-based, and cost-effective” and that will help owners and operators of critical infrastructure identify, assess, and manage cyber risk. Areas of improvement are to be identified, the framework is supposed to be “technology neutral,” and it is supposed to include guidance for measuring performance in implementing the framework. All of this is also to be done using an open public review along with operational feedback from actual owners and operators of critical infrastructure. It remains to be seen whether NIST can meet those timelines, and whether the framework established will be flexible enough to address the varied cybersecurity needs of the vastly different “critical infrastructure” sectors.

II. Voluntary Support Program

In conjunction with the Cybersecurity Framework, the Secretary of Homeland Security is directed in Section 8 of the EO to establish a “voluntary program” to support the adoption of the framework by owners and operators of critical infrastructure and, interestingly, “any other interested entities.” The U.S. Department of Homeland Security (DHS) will work with other federal agencies to review the framework and, “if necessary,” develop implementation guidance and supplemental materials to address sector-specific risks and operating environments. The various federal agencies are also required to report to the President annually on the extent to which specific critical infrastructure owners and operators are participating in the “voluntary” program. Just how “voluntary” this program is remains to be determined. These “voluntary” programs often become de facto mandatory programs as companies feel compelled to participate lest they open themselves to litigation for not taking identified security measures. This has led to many voluntary infrastructure programs either being severely delayed in their deployment or being dramatically underutilized by the private sector.

Section 8 also directs the Secretary of Homeland Security to coordinate the establishment of “incentives” designed to promote participation in the voluntary program. Such a report is supposed to be made within 120 days of the issuance of the EO, and the Secretaries of Commerce and Treasury are required to submit their own reports on incentives. The report is to identify the relative benefits of identified incentives, and whether additional legislation is needed to implement them. What these incentives will look like is unknown. Possible incentives could include greater use of the SAFETY Act (which offers liability protection), an expansion of the TRIA, or other novel ideas.

Another requirement of Section 8 of the EO is that within 120 days of its signature, the Secretary of Defense and the Administrator of the General Services Administration are to make recommendations on the “feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.” In other words, a comprehensive review of existing procurement regulations will be conducted to see if cybersecurity requirements can be embedded therein.

This portion of the EO may indeed have the most immediate impact on cybersecurity. One can easily anticipate that government contractors will soon face much stricter cybersecurity requirements as a result of the EO. These requirements could take any number of forms, including minimum security standards and data breach notification requirements. It also remains to be seen whether these requirements will cover only contractors working on classified or sensitive programs, or whether they will touch almost every government vendor. What is certain is that government contractors should be prepared for increased cybersecurity requirements and should be proactive in discussing what requirements are realistic.

Critical Infrastructure Identification 

Interestingly, Section 9 takes the identification of “critical infrastructure” a step further by directing that within 150 days “critical infrastructure” must be identified by the Secretary of Homeland Security using a “risk-based” approach. This list is supposed to be developed using a “consultative process” and is to use “consistent, objective” criteria. The list is to be reviewed and updated annually and (somewhat unusually) is to include a process by which identified “critical infrastructure” entities may request reconsideration of such a determination. The ease or difficulty of successfully appealing a “critical infrastructure” designation remains to be seen.

Cybersecurity Framework Final Approval

Section 10 is the catch-all of the EO, stating that once the Cybersecurity Framework has been preliminarily finalized, the Secretary of Homeland Security in consultation with the Office of Management and Budget and the National Security Staff shall review it to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. Those entities are then directed to submit a report to the President stating whether clear authority to establish requirements based on the Cybersecurity Framework exists and any additional authority required.

Summary and Conclusion

So what does all of this mean? In its simplest form, the EO is a data collection exercise and a blueprint for legislative and regulatory cybersecurity mandates. As has been done in the past, the federal government will now go about identifying what it considers to be “critical infrastructure” and then will prepare for those entities (and others) “voluntary” measures it believes will help increase security. Moreover, the EO explicitly directs the U.S. government to begin planning for the determination that a voluntary program is insufficient, and thus that existing regulatory authority plus new statutory authority will be used to implement mandatory cybersecurity measures. Of course, that is all aspirational and assumes that Congress will grant the Executive Branch the authority to carry out such mandatory programs, which is far from certain.

It seems that the portion of the EO with the greatest impact is the one section that is easy to overlook: the section requiring incorporation of security standards into federal procurements. Considering the volume of business conducted by the federal government, it is easy to foresee that mandatory cybersecurity requirements for entities contracting with the federal government will be quickly implemented, causing a radical shift in the cybersecurity posture of large portions of the U.S. economy.

It is quite clear from the EO that legislation is still a vital part of this process. Many of the aspirational elements of the EO cannot happen without congressional action, and specific issues such as liability protection were left relatively unaddressed by the EO. Therefore, Congress will continue to play a critical role in how exactly the nation addresses cybersecurity going forward.

Overall, the Cybersecurity EO is the starting signal for a long race involving multiple administrative processes, any of which could result in genuine improvement in the nation’s cybersecurity posture, or in something akin to a large game of cybersecurity theater, where seemingly powerful directives and plans result in little actual benefit. It is another critical milestone in the ongoing and increasingly complex effort to combat cyber threats. We will continue to monitor the progress of this initiative and provide key updates and analysis of its impacts on the business sector as developments occur.

Brian Finch is a partner at Dickstein Shapiro LLP, where he heads the firm’s Global Security Practice. He can be reached at [email protected] or 202-420-4823.
