In President Obama’s 2013 State of the Union Address, the president included announcement of a long-expected Executive Order as well as a Presidential Policy Directive focusing on the need for better cybersecurity coordination and defense. This comes on the heels of a classified National Intelligence Estimate reported first by The Washington Post which “identifies China as the country most aggressively seeking to penetrate the computer systems of American businesses and institutions to gain access to data that could be used for economic gain.” The report ties directly into the focus of the Executive Order, emphasizing the risk both to critical infrastructure and to industry.
At the heart of the Executive Order are voluntary efforts on the part of industry and the role of the Federal Government in increasing coordination. “The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” NIST is authorized to create a preliminary Cybersecurity Framework within 240 days. Compliance incentives will be developed to encourage voluntary compliance. As these standards gain adoption, they will set a new reasonableness standard, pulling the more reluctant companies up because of the risk of negligence and loss.
But the real action of the Executive Order is Section 10 which provides that each regulatory agency must report if the agency has the regulatory scope to implement the Cybersecurity Framework. If it does, presumably it will use those regulatory powers to transform the voluntary program into a regulatory one; if it does not, the agency will be expected to engage in the necessary rulemaking to do so.
The Executive Order defines critical infrastructure very broadly to mean “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Policy Directive provides specific guidance to the Office of Homeland Security and to the other federal agencies targeted with enforcing protections of critical infrastructure and regulatory compliance.
Neither order is overwhelming on its face, but the message is clear. The Federal Government will take an aggressive approach to cybersecurity and will use the broader regulatory authority at its disposal to do so. Though it has been invited to pass legislation, Congress does not need to act because every industry sector has some regulatory oversight and cybersecurity will soon be layered on top of the existing regulations. An excerpt from the Policy Directive highlights the expansionist approach:
Additional roles and responsibilities for the Secretary of Homeland Security include:
Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;
Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;
In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;
Conduct comprehensive assessments of the vulnerabilities of the Nation’s critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;
Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;
Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;
Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and
Report annually on the status of national critical infrastructure efforts as required by statute.
When combined with the additional power of regulation across the spectrum of energy, finance, communications, health, agriculture, information technology and other sectors, the reach is broad enough to rewrite the regulatory landscape much as the USA Patriot Act did in the wake of 9/11.
Privacy may well be another of the casualties of this war. The Executive Order adds that “[a]gencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities,” but asks for little more than an annual report. In contrast, corporate reporting is singled out. “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” This has been the case with the Patriot Act and the President’s policies give little comfort.
Confidentiality, rather than privacy, is part of the new regime. Paul Rosenzweig, writing the Lawfare blog from Brookings highlights the importance of the short-list: a subset of critical infrastructure organizations within the identified industry which make up the heart of each industry and will be singled out for heightened cybersecurity engagement.
Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This is a subset, of course, of the earlier broader definition.
Being an identified company may bring greater security obligations or improved resources or no change at all. Only time will tell. The impact will vary tremendously depending of the existing preparedness of each company.
The National Intelligence Estimate on cybersecurity risk makes clear that the threat must be addressed.
The report, which represents the consensus view of the U.S. intelligence community, describes a wide range of sectors that have been the focus of hacking over the past five years, including energy, finance, information technology, aerospace and automotives, according to the individuals familiar with the report, who spoke on the condition of anonymity about the classified document.
The only question is the cost of the response. China, Russia, Iran, Israel, North Korea and other countries are known for releasing global cyber-attacks, some focused on military and political topics, while others highlight corporate espionage. Moreover, as I mentioned in an earlier post, the intruders use directed attacks on employees and independent contractors who open links, photos or already infected USB devices. Already behind firewalls, these tools install malignant code to glean passwords, open files and glean information which is sent back to the intruder. Some of these attacks are directly at U.S. infrastructure, others at economic targets, while many others affect U.S. interests only as collateral damage to regional conflicts which do not involve U.S. participants.
Nonetheless, the risks are increasing. After the President’s speech one thing is clear. Using the State of the Union as the basis for the announcement of the Cybersecurity Executive Order and Policy Directive has placed this topic near the top of the national agenda.
- President Barack Obama delivers the State of the Union address in the House Chamber at the U.S. Capitol in Washington, D.C., Feb. 12, 2013. (Official White House Photo by Chuck Kennedy)