After months of speculation, the White House has released its much-anticipated Executive Order (EO) pursuing comprehensive cybersecurity protection of public and private critical infrastructure. The timing of the EO coincides with the President’s State of the Union Address and with the House Intelligence Committee’s reintroduction of the Cyber Intelligence Sharing and Protection Act (CISPA), which passed the House during the last Congress but died without an up-or-down vote in the Senate.
The Executive Order on Improving Critical Infrastructure Cybersecurity centers its efforts to strengthen critical infrastructure protection (CIP) against cyber threats on two things: increased information sharing among industry and government, and standardized cybersecurity practices applicable across public and private infrastructures. Significant aspects include:
- Threat Information Sharing – The EO expands the sharing of both classified and unclassified cyber threat and attack information to companies by requiring federal agencies to produce and quickly share unclassified reports of threats to U.S. companies. The directive also expands the Defense Industrial Base (DIB) Enhanced Cybersecurity Services (DECS) program to stimulate near-real-time sharing of cyber threat information with participating critical infrastructure companies.
- Cybersecurity Framework – The Order gives the National Institute of Standards and Technology (NIST) the lead role in developing a Cybersecurity Framework of practices to reduce cybersecurity risks to critical infrastructure. This construct is to be built in collaboration with industry, leveraging existing and proven international standards, practices, and procedures. Further, the Framework is to be technology neutral to allow for innovation and competition among cyber products and services. The Department of Homeland Security (DHS) will promote the implementation of this Framework by industry through various sector-specific agencies like the Department of Energy and others.
- Privacy Protections – The mandate requires federal agencies to incorporate privacy and civil liberties safeguards into their activities, based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties standards. Agencies are also required to conduct regular assessments of the privacy and civil liberties impacts of their activities and to make these findings available to the public.
- Cybersecurity Regulation – The EO requires regulatory agencies to review existing cybersecurity regulations in light of the new Cybersecurity Framework to determine if current regulations are effective and sufficient, if any should be eliminated, or if new regulations are needed. Agencies will propose new, cost-effective regulations based upon the Framework to shore up existing regulations deemed ineffective or insufficient.
The White House considers this EO to be “a down-payment on expected further legislative action,” recognizing that certain executive actions require Congress to legislate such authorities. While we watch for those developments we can anticipate some potential implications for companies offering cybersecurity and other applicable solutions.
The broadened threat information sharing provision opens up participation in the DECS program which, according to media reports, has shown signs of languishing in recent months, while its parent program, the DIB Cyber Security / Information Assurance (DIB CS/IA) Program, has grown. Depending on how things progress, this EO may breathe some new life into these programs and work toward broadening the sharing of threat information. A key element here is any costs incurred with the program. This EO provision comes on the heels of January’s National Defense Authorization Act for 2013, which included several cybersecurity provisions, including a requirement that DoD contractors report penetrations of their networks.
The new NIST-led Cybersecurity Framework development will present opportunities for industry to engage with policymakers and influence future cyber policy. While the resulting Framework is intended to be technology-neutral, the ability to influence what elements constitute “secure” may drive future demand for certain technologies and services. Further, active engagement may place a firm’s solutions at the front of the mind of agency decision makers, producing a residual benefit.
The FIPPS privacy requirement may open doors for advisory services and training on FIPPS-related activities and assessments. As new regulations are developed, agencies and industry will need help addressing new requirements and applying new approaches and technologies.
In the end, the new EO reignites the policy and legislative debate on federal cybersecurity and asserts broader federal influence over private critical infrastructure and networks.