In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure. President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills. After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation. In the subsequent months, the White House sought industry input on the Order.
The Order has two main components: expanding the flow of cyber threat information from the government to the private sector, and directing the development of a Cybersecurity Framework, adopted through a voluntary program, to strengthen the security of critical infrastructure.
Section 4 of the Order addresses information sharing and aims to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities.” The Order directs the Attorney General, Secretary of Homeland Security, and Director of National Intelligence to issue instructions to “ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.” The officials are also charged with establishing a process to disseminate classified reports to critical infrastructure entities with the requisite security clearances. In support of this direction, the Order directs the Secretary of Homeland Security to expedite security clearances for personnel employed by critical infrastructure owners and operators. In addition, Section 4 directs the Secretary of Homeland Security, in coordination with the Secretary of Defense, to “establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors” within 120 days of the Order’s issuance. The program “will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”
Section 7 of the Order turns to the Cybersecurity Framework. Section 7 requires the Director of the National Institute of Standards and Technology to lead the development of a Cybersecurity Framework “to reduce cyber risks to critical infrastructure.” The Framework will include “a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks” and “shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” The Framework’s guidance to critical infrastructure owners and operators will be “technology neutral” and preserve “a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.” The Framework will be subject to “an open public review and comment process,” with a preliminary version to be published within 240 days and a final version to be issued within one year of the Order.
Section 8 of the Order directs the Secretary of Homeland Security and sector-specific agencies to establish a “voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure.” The Secretary of Homeland Security is further directed to “coordinate establishment of a set of incentives” to promote participation by owners and operators of critical infrastructure in the Framework program.
The Order also contemplates regulation by sector-specific agencies based on the Cybersecurity Framework. Section 10 directs sector-specific agencies that regulate critical infrastructure to report to the President on “whether the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure” and “any additional authority required.”
For additional details and analysis, please see our client alert on the Executive Order.