On February 12th, President Obama issued an Executive Order (“Order”) initiating a number of Executive Branch actions to improve critical infrastructure cybersecurity. Critical infrastructure is described in the Order as systems and assets so vital to the United State that their incapacity or destruction would be debilitating to national security, the U.S. economy, and/or national health and safety.
The Order implements primarily information sharing and collaboration activities among various agencies to identify cyber threats to critical infrastructure and the critical infrastructure at greatest risk; coordinate responses to these threats; and develop a baseline framework to reduce cyber risks to critical infrastructure.
A summary of key elements of the Order follows.
Cybersecurity Information Sharing
Within 120 days of the date of the Order, the Attorney General, the Secretary of the Department of Homeland Security (“DHS”), and the National Director of Intelligence are required to issue instructions to ensure the timely production of unclassified reports of cyber threats that identify a specific targeted entity and develop a process to rapidly disseminate the reports to the targeted entity and other critical infrastructure entities authorized to received them. During the same timeframe, the Secretary of Defense is required to establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary program will provide classified cyber threat and technical information to eligible critical infrastructure companies and to companies that provide security services to critical infrastructure.
Baseline Framework to Reduce Cyber Risk to Critical Infrastructure
The President directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework that includes a set of standards, methodologies, procedures, and processes that align policy, business and technological approaches to address cyber risks. The Cybersecurity Framework is intended to be technology neutral and incorporate voluntary industry standards and best practices to provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to enable critical infrastructure owners to identify, assess, and manage cyber risk. NIST is required to publish a “preliminary” version of the Cybersecurity Framework within 240 days of the date of the Order and a final Cybersecurity Framework within one year of the date of the Order.
Voluntary Critical Infrastructure Cybersecurity Program
DHS, in coordination with other agencies, is required to develop a voluntary program, that includes incentives to promote participation, to support adoption of the Cybersecurity Framework by owners and operators of critical infrastructure. Within 120 days of the date of the Order, DHS will provide an analysis of the benefits and relative effectiveness of the incentives and whether the incentives require legislation or can be implemented under existing law. DHS is also required, within 120 days after the date of the Order, to provide recommendations on the feasibility, security benefits and relative merits of incorporating security standards into acquisition planning and contract administration.
Identification of Critical Infrastructure at Greatest Risk
Within 150 days after the date of the Order DHS is required to identify, through consultation with other agencies, state, local, territorial and tribal governments, and other experts, critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, national security, or the economy. Upon completion of this analysis, DHS is required to confidentially notify owners and operators of the identified critical infrastructure.
Adoption of Framework
Agencies with responsibility for critical infrastructure are required to review the Preliminary Framework established under the Order and determine whether existing cybersecurity regulatory requirements are sufficient to address current and projected risks. Within 90 days after publication of the Preliminary Framework, these agencies must submit a report to the President that states whether the agency has clear authority to establish requirements based on the Framework to address current and projected risks to critical infrastructure. If current regulations are found to be insufficient, the agencies are require to propose, within 90 days after publication of the Final Framework, prioritized, risk-based, efficient and coordinated actions to mitigate cyber risk.
Privacy and Civil Liberties
The Order directs all agencies, and their respective senior officials for privacy and civil liberties, to ensure that appropriate protections of privacy and civil liberties are incorporated into all activities conducted pursuant to the Order. In addition, the chief privacy/civil liberties officials at DHS are directed to assess the potential risks to privacy and civil rights of activities undertaken by DHS and other agencies, and within one year, provide recommendations in a public report of ways to minimize those risks.
Should you have any questions regarding the Executive Order or cybersecurity issues in general, please contact the primary Attorney assigned to your account.