On February 12th, President Obama issued an Executive Order on Cybersecurity that seeks to improve critical infrastructure cybersecurity in the United States by encouraging sharing of important cybersecurity information between the government and owners and operators of critical infrastructure. “Critical infrastructure” means systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. Examples can be found here.
To establish this partnership between the government and the private sector, the Order requires that: (1) the Department of Homeland Security (DHS) must identify critical infrastructure; (2) the National Institute of Standards and Technology (NIST) must develop a framework of standards and procedures to help owners and operators of critical infrastructure identify, assess, and manage cyber risks; and (3) the DHS must work with sector-specific agencies to promote voluntary adoption of the Framework.
Now, pursuant to the Executive Order, private entities affected by the Order are being given an opportunity to have their say in what the standards, procedures, and incentives created by the governmental entities implementing the Order should look like. The Department of Commerce and NIST have published two documents seeking input from operators and owners of critical infrastructure (and the private sector, generally) on how to develop a cybersecurity framework and promote incentives to improve critical infrastructure cybersecurity.
NIST Request for Information
On February 26th, NIST issued a request for information from the public (particularly critical infrastructure owners and operators) in an effort to start developing the framework of standards, processes, procedures, and methodologies necessary to reduce cyber risks to critical infrastructure. The request for information “is looking for current adoption rates and related information for particular standards, guidelines, best practices, and frameworks to determine applicability throughout the critical infrastructure sectors. The [request] asks for stakeholders to submit ideas, based on their experience and mission/business needs, to assist in prioritizing the work of the Framework, as well as highlighting relevant performance needs of their respective sectors.”
The request includes thirty-three questions in three different subject areas: current risk management practices; use of frameworks, standards, guidelines, and best practices; and, specific industry practices. The questions seek opinions on issues like the greatest challenges in improving cybersecurity, the role of national and international standards in critical infrastructure cybersecurity, the use of specific security safeguards, and the existence of current governmental and private security standards.
Comments in response to this request for information are due by April 8th. Companies seeking to respond should keep in mind that the responses are a matter of public record, so confidential business or personal information should not be included.
Department of Commerce’s Notice of Inquiry
The Executive Order required the Department of Commerce to recommend incentives designed to promote participation in the voluntary cybersecurity program. On March 28th, in an effort to improve its recommendations, the Department of Commerce published a notice of inquiry seeking input from stakeholders on twenty different issues relating to current incentives to strengthen cybersecurity and ways in which those incentives can be improved. Significantly, responses to this notice will also be used to develop a broader set of recommendations that apply to U.S. industry as a whole, not just critical infrastructure operators and owners. Some of the issues raised in the notice include the best ways to encourage businesses to invest in cybersecurity; any existing barriers or disincentives that inhibit cybersecurity investments; the differences in incentives for small businesses; how liability structures can be used as incentives; and how to keep incentives updated.
Comments to this response are due by April 29th. Companies that respond should be aware that their responses are a matter of public record, so comments should not include confidential, proprietary, or business sensitive information.
The Takeaway
The standards/procedures/incentives that will be implemented as a result of the Executive Order on Cybersecurity will be, for the time being, voluntary and limited to critical infrastructure. Over time, however, we can expect to see “standards creep.” The standards may be applied to companies that are not owners and operators of critical infrastructure. Also, the standards will likely become the yardstick by which the reasonableness of a company’s actions to limit cybersecurity risks will be measured, so if the standards do not become legislatively mandatory, they could become mandatory by practice. The private sector and other organizations that will be affected by these standards, procedures, and incentives have a rare opportunity now to help shape them. Everyone will benefit from corporate participation in responding to some or all of the questions in these notices.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.