Yesterday, President Obama issued an Executive Order to improve critical infrastructure cybersecurity in the United States. The Order attempts to facilitate sharing of important information between the federal government and certain critical infrastructure in an effort to protect that infrastructure against cyber intrusions. The Order, which was formally announced and became effective during the President’s State of the Union address, requires the following:
- Within 120 days, the Attorney General, the Secretary of Homeland Security (Secretary), and the Director of National Intelligence must each issue instructions to ensure the timely production and rapid dissemination of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.
- Within 120 days, the Secretary shall establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
- Within 150 days, identify the critical infrastructure for which a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
- The Secretary must expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators.
- The Secretary shall expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis, so that those individuals can provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
- Establish privacy and civil liberties protections, requiring that agencies and the Department of Homeland Security coordinate their activities under the Order so that those protections are incorporated into them.
- Information submitted voluntarily by private entities under the Order must be protected from disclosure.
- The Secretary must establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.
Within 240 days, the National Institute of Standards and Technology will publish a framework to reduce cyber risks to critical infrastructure. By February 12, 2014, a final version of this framework shall be published. This framework must do the following:
- Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
- Incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
- Be consistent with voluntary international standards where those standards advance the objectives of the Order, and meet the requirements of certain federal legislation.
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
- Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
- Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
- Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
- Include guidance for measuring the performance of an entity in implementing the framework.
- Include methodologies to identify and mitigate impacts of the framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.
In addition, the Secretary must establish a Voluntary Critical Infrastructure Cybersecurity Program to support the adoption of this framework.
It will be interesting to see what standards NIST adopts as a result of this Order and how those standards are received by affected organizations; whether those security standards become the new method for measuring whether a company’s security measures are “reasonable”; and whether there will be any constitutional challenges to the Order (i.e., on the ground that the Order is essentially legislation, within the purview of Congress rather than the President).
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.