New Executive Order Focuses on Enhancing Critical Infrastructure Cybersecurity
March 14, 2013
President Obama recently issued an Executive Order on Improving Critical Infrastructure Cybersecurity that focuses on information sharing and collaboration “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” The Order also establishes a volunteer program for the owners and operators of critical infrastructure – which includes many energy and chemical firms – and instructs the Treasury and Energy Departments to review current regulations to assess whether they adequately address and mitigate risks. This Executive Order is just the first step toward the Administration’s goal of improving cybersecurity and will likely lead to new regulatory requirements in the not-too-distant future.
The Order’s objectives fall into four main categories. First, the Executive Order directs the U.S. Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to begin timely sharing of unclassified and classified reports of cyber threats and technical information with eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure. The Order also requires expediting the process for issuing security clearances to the appropriate personnel of critical infrastructure owners and operators. Notably, however, the Order does not require private critical infrastructure companies to provide information to the Government, a requirement that has concerned many privacy groups and the American Civil Liberties Union in other cybersecurity proposals.
Second, the Order directs the Secretary of Commerce and the Director of the National Institute of Standards and Technology (“NIST”) to develop a framework to reduce cyber risks to critical infrastructure, known as the Cybersecurity Framework. The Cybersecurity Framework will include standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Framework will be developed through cross-sector collaboration, as well as public review and comments. It will also establish guidelines for measuring an entity’s performance in implementing the Framework.
Third, the Order establishes a volunteer program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested parties. The Order directs the Secretary of Homeland Security to develop incentives to promote participation in the Program.
Finally, the Order instructs the Secretary of Homeland Security to identify the greatest risks for a cyberattack. Then, the agencies responsible for regulating the security of critical infrastructure are to determine whether the current regulatory requirements are sufficient given the current and potential risks identified by the Cybersecurity Framework. If the regulations are insufficient, these agencies are directed to propose new risk-based requirements to mitigate cyber risks.
The Order is likely to have far-reaching effects because it broadly defines “critical infrastructure” to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The Administration is also working with Congressional committees to draft legislation implementing similar policies regarding cybersecurity for critical infrastructure. However, Congress has twice tried and failed to pass other legislation aimed at cybersecurity. In any event, the Federal Government’s ongoing efforts to develop responses to cyber risks are far from over. Stay tuned.
Katie Calogero is the attorney responsible for the content of this article.