On February 12, 2013, following Congress’ failure to enact cybersecurity legislation, the Administration issued an executive order — entitled “Improving Critical Infrastructure Cybersecurity” — that seeks to move forward the effort to comprehensively address the cybersecurity of the country’s critical assets.
The White House observed that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges” that must be confronted.
The order seeks to improve cybersecurity threat information sharing between government agencies and private industry and to bring together government and private entities to develop and implement a framework of practices that will strengthen the cybersecurity of critical infrastructure.
The Secretary of Homeland Security will lead the effort to identify the country’s critical infrastructure — “infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The Secretary has 150 days for the initial determination and will update the list annually.
Cybersecurity Order Requirements
The principal provisions of the order:
- Require the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence to share non-classified cyber threat information with private targets and, to the extent necessary, facilitate sharing of classified information with targeted entities by expediting the process of granting security clearances to appropriate personnel within critical infrastructure organizations
- Enhance private-public partnership by bringing private industry subject matter experts into Federal services on a temporary basis to help steer the cybersecurity effort
- Seek to conduct initial and periodic privacy and civil liberties assessments of the programs and activities arising out of the order; and ensure that such programs and activities operate consistently with the Fair Information Practice Principles
- Will establish a consultative process by which the Secretary of Homeland Security will coordinate enhancements to the security of critical infrastructure
- Will launch the development of a cybersecurity framework “to reduce cyber risks to critical infrastructure” – this effort will likely be led by NIST
- The order envisions a cybersecurity framework that will:
  - Include “standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks”
  - Provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk”
  - Provide technology-neutral guidance
  - Include guidance for measuring the performance of an entity in implementing the cybersecurity framework
  - Include methodologies to protect business confidentiality, individual privacy and civil liberties
  - Be issued as a preliminary draft within 240 days and as a final version within 1 year of the date of the order (February 12, 2014)
- Implement a voluntary program to support the “adoption of the cybersecurity framework by owners and operators of critical infrastructure….” The Administration is seeking to incentivize the adoption of cybersecurity framework by relevant industries.
The order articulates an ambitious and fast-paced plan to shape up the nation’s cybersecurity protections. It envisions an inclusive process, a partnership between public and private sectors, to develop a risk-based framework for protecting critical assets. Although the list of owners and operators of critical infrastructure is yet to be determined, organizations that are likely to be on the list, such as those in financial, energy and utility sectors, should seek to engage early in the collaboration process that the order envisions. Engagement and collaboration will allow these organizations to have their voices heard in the development of the cybersecurity framework, whether or not they ultimately choose to follow it.
As is often the case with agency-sponsored guidance programs (e.g., the FTC Online Behavioral Advertising Guidance), industry, regulatory, advocacy group, media and consumer pressure may make compliance with the framework essentially obligatory, as a practical matter, for owners and operators of critical infrastructure. These organizations are well-advised to begin assessing their security controls in the near term and benchmarking them against existing industry standards, so that they are prepared for the development and adoption of the cybersecurity framework the order envisions.