THE PRESIDENT’S EXECUTIVE ORDER, “IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY”. . . WHAT DOES IT MEAN FOR YOU?

On February 12, 2013, the day of his State of the Union address, President Obama, dissatisfied with Congress’ failure to pass legislation protecting the infrastructure that is critical to the Country’s operation, signed Executive Order 13636, titled “Improving Critical Infrastructure Cybersecurity.”  The immediate questions that pop into the brain trust of many companies are, “Does this apply to us?” and “Do we have to do anything?”

Let me outline the answers to these, and other, important questions:

1) Why now? – The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House of Representatives in 2012, but stalled in the Senate amid privacy concerns.  The President has expressed concern about the slow pace of efforts to protect our critical infrastructure from cyber threats.  The President still expects Congress to pass cyber security legislation and, in his State of the Union address last week, called upon Congress to do so.  The very next day, CISPA was re-introduced in the House.

2) Does the Executive Order apply to my company? – The EO applies to you if your company is part of the country’s critical infrastructure.  This raises the question: what is included as “critical infrastructure”?  While critical infrastructure has traditionally been thought to include transportation, energy, defense, communications, finance or banking, public works, and certain industries necessary for running the economy, the EO does not define critical infrastructure that narrowly.  The EO defines critical infrastructure as “[S]ystems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Section 9 of the EO directs that within 150 days of February 12, 2013, the Secretary of Homeland Security shall “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  The Secretary shall consult with other agencies, industries, state, local, territorial, and tribal governments, universities and outside experts in identifying critical infrastructure.  Specifically excluded from that identification are “commercial information technology products or consumer information technology services.”  This would seem to exclude companies such as Microsoft, Apple, Google, Facebook, and the like.  Owners and operators of infrastructure that is identified under Section 9 are to be notified confidentially, given the basis for the determination, and given a process through which they may submit information and request reconsideration.

The definition of critical infrastructure leaves many questions unanswered.  For example, while the banking industry is thought to be within the definition of critical infrastructure, will the Secretary’s identification include only major financial institutions, or will it extend to the local community bank in a small town?

3) If my company is included as part of the critical infrastructure, will we have to do anything? – In short, there is not much to do for now, other than monitor the development of regulations under the EO.  The EO places the burden on the government to provide information to US private sector entities so that they can better protect themselves from cyber threats.  Private entities will be able to participate in a “Voluntary Critical Infrastructure Cybersecurity Program.”  (More on this below.)

4) If my company does not have to do anything, how does the whole thing work? –
The EO requires the coordination of cyber security information among government agencies, with this information then being shared with private sector entities so that “these entities may better protect and defend themselves against cyber threats.”  Within 120 days of February 12, 2013, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence are to ensure the timely production of unclassified reports of cyber threats that identify a specific targeted entity.  They are also to establish a process to rapidly disseminate both classified and unclassified reports to critical infrastructure entities.

The EO also requires the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology to lead the development of a “Cybersecurity Framework” to reduce cyber risks to critical infrastructure.  This Framework “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”  One of the purposes of the Framework is to provide information security measures and controls to help critical infrastructure owners and operators identify, assess, and manage cyber risk.  The EO calls for a preliminary version of the Framework within 240 days and a final version within one year of February 12, 2013.

5) What is the “Voluntary Critical Infrastructure Cybersecurity Program”? – The EO does not define this Program in any detail.  It simply states that the Secretary of Homeland Security, in coordination with Sector-Specific Agencies, “shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.”  The Secretary shall also coordinate the establishment of a set of incentives designed to promote participation in the Program.

I anticipate that one of the incentives will be that participation in the program will be a requirement for entities that wish to procure government contracts.  Section 8 of the EO itself points in that direction: it directs the Secretary of Defense and the Administrator of General Services to report on the feasibility and merits of incorporating security standards into federal acquisition planning and contract administration.  It is not known whether participation in this voluntary program will require disclosure of certain information by the participants.

6) Should critical infrastructure companies be concerned about privacy? – This is something to keep an eye on, but is not an issue right now.  The EO is directed toward the government sharing information with private entities, rather than vice versa.  The EO states, “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with US private sector entities so that these entities may better protect and defend themselves against cyber threats.”  The EO also contains its own privacy provision: Section 5 requires agencies to incorporate privacy and civil liberties protections into their activities under the EO, based on the Fair Information Practice Principles, with the DHS Chief Privacy Officer and Officer for Civil Rights and Civil Liberties assessing those activities in a public report.  This would seem to alleviate some of the privacy concerns raised by CISPA, which calls for private entities to share more information with the government.

That being said, the lack of specificity in the EO, the vagueness of certain definitions, and the grant of powers to the heads of certain governmental agencies certainly leave the door open to privacy abuses.

Any more questions?  Feel free to contact me directly.