By Paul Rosenzweig
As Rafaella reported last night, President Obama went “all-in” on cybersecurity, marrying a substantive mention of cyber in his State of the Union address (I’m bitter about that — I bet against it, which shows you how valuable my predictions are :) ) with the issuance of both an Executive Order and a Presidential Policy Directive. In this first post, I want to focus on the Executive Order and provide some analysis of its content. I’ll turn to the PPD in a later post, as time permits.
For those who want their bottom line up front, I think the results are pretty clear on the substance of the EO, though less clear politically. With the usual caveats that it is “too soon to tell” before a policy is implemented, I think that the substance of the EO will turn out to be less than meets the eye. Though the Administration clearly wanted to press forward as hard as they could, most of the new Order’s directives are hortatory and voluntary in nature – my guess is that they will have only modest practical impact. Only if the regulatory provisions in section 10 become reality will the EO have real effect. And, as I discuss below, the political impact of the EO may be equally insignificant, though I’m less confident in that judgment.
The Substance of the Order
Defining Critical Infrastructure — After an obligatory nod to the policy necessity of the EO, the Order begins with a broad (indeed sweeping) effort to define its scope and effect. Readers will recall that much of the debate last year over cyber legislation involved a discussion of how broadly to define covered infrastructure. The broader the definition, the more comprehensive the program to be implemented.
The EO goes big. Very big. In section 2, it defines critical infrastructure to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Taken literally, it is hard to imagine which industrial sectors would be excluded from the definition. To be sure, smaller systems and assets within larger sectors might not meet the definition – but at least in theory any large significant system or group of systems is covered. This may even include areas thought outside of the general ambit of cyber infrastructure like the agriculture sector. Perhaps in implementation this will be narrowed, but on its face it’s a pretty comprehensive assertion of coverage.
Information Sharing – The aggressive definitional start in section 2 of the EO immediately runs into the shoals of reality when the information sharing program is advanced in section 4. As I read the EO, it simply directs DHS, DOJ and DoD to do a better job of sharing information they already have. Without additional statutory authority (the EO leans on 6 USC 143, an authorization from the original DHS authorization act) the EO amounts to little more than a direction to expedite existing actions.
More importantly (and demonstrating the relative weakness of the EO), section 4 focuses exclusively on more sharing of information from the government to the private sector. To be sure, that is a fundamentally good idea – but many, including me, think that a more comprehensive set of authorizations (private-to-government and private-to-private) is necessary. The EO is silent on those topics. Its silence is understandable – that type of sharing requires legislative authorization and the granting of liability protection to be effective – but it’s indicative of the limited impact this aspect of the EO will have.
Privacy and Civil Liberties – Likewise the privacy protections in section 5 of the EO will strike many as weak tea. At bottom they are nothing more than a direction to agency heads that they consult their privacy officers in implementing cybersecurity (something they assuredly are doing already) and that the Chief Privacy Officer and Chief Civil Liberties Officer of DHS issue a report on implementation.
For my own part, I like this – for me process protections of privacy are superior to substantive mandates. But most in the privacy community will see this as the bare minimum (or less) of what the President should have done.
Standard Setting – The most ambitious aspect of the EO is its decision to try and use the National Institute of Standards and Technology to develop a “set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” It calls this the “Cybersecurity Framework.” The idea appears to be to collect in a single place current voluntary consensus standards of conduct and best cybersecurity practices.
I think that the Framework is a heroic task – by which I mean one that only a true hero would undertake. NIST has 240 days (!) to conduct an open process of consultation and produce a preliminary version of the Framework. The Framework itself is going to be comprehensive. It will
provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
Anyone who thinks that 240 days is sufficient time for this task is an unfettered optimist.
But, let’s leave that aside. At some point a Framework will appear. What then? Under section 8 of the EO, it becomes part of a voluntary program for cybersecurity. Sector-specific agencies will help out by providing sector-specific guidance on how to implement the Framework. [In other words, FERC will tell the energy community how the Framework applies to, say, electricity generators.] Meanwhile the government will be examining what, if any, incentives it can give to private industry to adopt the standards.
Of course, those “incentives” are undefined by the EO. And that’s where the rubber will meet the road – if strong incentives (say procurement preferences as suggested in section 8(e)) can be adopted administratively, the Framework might have some real teeth and significant persuasive effect. The incentives will need, of course, to provide benefits that outweigh the costs of implementation to industry, but in theory that’s not impossible.
I have to wonder, however, how that will turn out in practice. If strong incentives were possible without new legislation, I have to think that they might have been fronted here in the EO. Recall that an earlier draft of the EO also mentioned the DoD procurement issue. If DoD hasn’t figured out a way to make procurement preferences effective since September 2012, I suspect another 120 days to think about it (the time the EO gives them) won’t change the result.
And, finally, of course, we don’t know what the Framework will actually say. If it recommends that the private sector do what it already is doing, it will be an anodyne bit of fluff. If it has new recommendations and directives I suspect they will only be implemented if they are truly “good ideas” and that the incentive program to be developed will have little practical impact.
Regulations – The real sting, if any, will come from Section 10. This section directs all the sector-specific agencies to take the voluntary Framework and make it mandatory for their sectors. If they can do it with existing rules, they should. If they need to propose new rules through notice and comment rulemaking they should do that.
This is where all the action really will be. Look for agencies to have a bit more understanding of industry complaints than the Administration overall, or DHS, might have had. And look for the regulated community to use the administrative process to delay and challenge any rules they don’t like. In the end, it may be several years (at a guess 4-6 years) before we see mandatory regulations – by which time the Framework and the regulations are likely to be outdated.
Who knows? Maybe I’ll be surprised. But this doesn’t seem a formula for effective action to me.
Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This is a subset, of course, of the earlier broader definition.
Infrastructure owners who are identified as operating cyber critical infrastructure will be notified of that fact (and entitled to challenge the notification). After they are notified … nothing more happens!
And that’s pretty subtle. I’d hate to get one of those notices and not respond by implementing the Framework! What if, later, something did happen? At that time, of course, the government would be free to say “we told you so.” Boy, that would be a job killer. The in terrorem effect of this “secret designation” is going to be pretty powerful.
I have to think about its legality of course – it will need a FOIA exemption for instance, and it might be unduly coercive – but you do have to admire the way in which this aspect of the program will box some folks in.