Note: This is a cross-post of http://ewhwblog.com/an-analysis-of-the-presidents-cybersecurity-executive-order/
Overview
On February 12, 2013, President Obama issued an Executive Order titled “Improving Critical Infrastructure Cybersecurity” (“EO”). The EO was created in response to “repeated cyber intrusions into critical infrastructure.”[1] Army General Keith B. Alexander describes the EO as a step in the direction of hardening the nation’s networks across both the government and private sector.[2] According to General Alexander, the fact that mostly private businesses own the nation’s infrastructure creates a crucial need to share data between the government agencies in a position to gather information on cyber threats and the private companies operating the infrastructure.[3]
The EO chiefly aims to do two things: (1) improve the information sharing facilities between government agencies and the operators of “critical infrastructure,”[4] and (2) create a voluntary “Cybersecurity Framework” for the operators of “critical infrastructure.”[5]
Cybersecurity Information Sharing
Section 4 of the EO requires the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to provide for the timely production of reports on known cyber threats and their delivery to the specifically targeted entities. Under some circumstances, those agency heads are also empowered to disclose classified reports to the targeted entities, so long as the disclosure is consistent with “the need to protect national security information.” Finally, Section 4 expands the existing “Enhanced Cybersecurity Services” program to cover any “critical infrastructure sector,” where previously it had been restricted to companies within the “Defense Industrial Base.”[6]
Cybersecurity Framework
Section 7 of the EO directs the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (“NIST”), to establish a “Cybersecurity Framework” (“Framework”) within one year. The Framework is to be a set of “standards, methodologies, procedures, and processes” intended to reduce cyber threats. To the “fullest extent possible,” the Framework shall incorporate voluntary consensus standards and industry best practices. Among the industry standards and best practices that NIST is currently considering for inclusion in the Framework are encryption and key management, asset identification and management, and security engineering practices.[7]
The goal of the Framework is to provide operators of “critical infrastructure” with “prioritized, flexible, repeatable, performance-based, and cost-effective” approaches to identification and mitigation of cyber threats. The adoption of this framework will be subject to an open public review and comment process.
Who Is Affected?
For the purposes of the EO, “critical infrastructure” is a real or virtual asset so vital to the United States that impairment of the asset would have a “debilitating impact on security, national economic security, national public health, or safety.” However, although the Framework is intended to be adopted by the operators of this infrastructure, Section 8 makes such adoption voluntary.
It is important to note that the definition of “critical infrastructure” reads quite broadly and could be construed to cover anything from an electricity utility to Google’s Gmail service. Further, many of the important terms in the section are left undefined and are ostensibly left to the discretion of the Director of NIST. Notable among those undefined terms are “debilitating” and “economic security” – terms whose eventual definitions could have dramatic effects on companies managing “critical infrastructure” that seek to comply with the Framework.
NIST has begun work on the Framework. In a recent press release, NIST suggests that the sorts of “critical infrastructure” referred to are “power plants and financial, transportation and communications systems.”[8] Nonetheless, the actual interpretation of “critical infrastructure” will not be known until the Framework is finally implemented.
According to NIST, the Framework ultimately will “not dictate ‘one-size-fits-all’ solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.”[9]
[1] Executive Order: Improving Critical Infrastructure Cybersecurity (“EO”), Section 1.
[2] http://www.defense.gov/News/newsarticle.aspx?ID=119286
[3] Ibid.
[4] EO, Section 4.
[5] EO, Sections 7 & 8.
[6] See http://www.infosecisland.com/blogview/21317-Defense-Industrial-Base-Cyber-Security-Program.html.
[7] http://www.commerce.gov/news/press-releases/2013/02/13/national-institute-standards-and-technology-initiates-development-new
[8] http://www.commerce.gov/news/press-releases/2013/02/13/national-institute-standards-and-technology-initiates-development-new
[9] Ibid.