There is another reported draft
of a cybersecurity executive order floating around the internet; this one
dated 11-21-12. The version that I have comes from Paul Rosenzweig’s Lawfare
Blog site. Since there is no way of telling for sure if this is really from
the White House, or what changes might be made to it if it is, I’m not going to
do a real detailed look at its provisions. There are, however, some things of
interest that bear discussion.
Definitions
The key to the extent that a cybersecurity executive order
will affect any particular facility is the definition that is used for ‘critical
infrastructure’. There are a number of official definitions from various pieces
of legislation adopted over the years, and this draft {§2} uses one of the more
expansive definitions, taken from 42 USC 5195c(e). That definition reads:
“In this section, the term ‘critical infrastructure’ means systems and assets,
whether physical or virtual, so vital to the United States that the incapacity
or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any
combination of those matters.” (pg 5507)
Since the terms ‘incapacity’ and ‘debilitating impact’ are undefined, this
definition leaves the DHS Secretary a great deal of leeway in determining which
facilities or systems are to be considered critical infrastructure.
The other interesting definition is the one that is quite
obviously absent. There is no definition of cyber anything. Again, if the covered
cyber-systems are not restrictively defined, and no definition is the least
restrictive definition, then it is completely up to the Secretary what should
be covered. Furthermore, there is no inherent reason for internal consistency
in that decision.
Selection of ‘at Greatest Risk’ Facilities or Systems
Section 9 of the draft EO requires the Secretary to “identify
critical infrastructure where a cybersecurity incident could reasonably result
in catastrophic regional or national effects on public health or safety,
economic security, or national security”. This identification is supposed to
take place within 150 days of the publication of the EO. Fortunately, a
classified list of presumptive candidates for this list is already being
maintained by DHS under provisions of 6 USC 124l.
That section requires that the Secretary “maintain a single classified
prioritized list of systems and assets… that the Secretary determines would, if
destroyed or disrupted, cause national or regional catastrophic effects
[emphasis added]” {6 USC 124l(a)(2)}. All the Secretary has to determine is
which of those would remain on the list because of a cybersecurity incident.
Again, since ‘cybersecurity incident’ is not defined in the EO, this
determination can be somewhat arbitrary.
It appears that the sole reason for establishing this list
of ‘at greatest risk’ facilities is to allow the Secretary to prioritize the
issuance of security clearances to “appropriate personnel employed by critical
infrastructure owners and operators” {§4(d)}. This would, of course, allow for
the sharing of classified intelligence information with those personnel. What
this ignores is that there is a lot more to sharing classified information than
just having a security clearance.
Information Sharing
This version of the draft EO has the most comprehensive
requirements for the federal government to share information with the private
sector that I have seen to date. Section 4 of the EO separately requires the
Director of National Intelligence, the Attorney General and the Secretary of
DHS to prepare within 120 days instructions to their subordinate agencies to “ensure
the timely production of unclassified versions of all reports of cyber threats
to the U.S. homeland that identify a specific
targeted entity [emphasis added]” {§4(a)}. It then directs the Secretary to
establish a coordinated process that “rapidly disseminates” such reports to the
“U.S. targeted entity” {§4(b)}. Of course, this does not address cyber-intelligence
that does not identify a specific targeted entity.
There is nothing in this draft EO that requires, suggests or
even hints that the private sector should share cybersecurity information with
the Federal government. There are a couple of mentions of 6
USC 133 which deals with the government sharing of voluntarily shared
critical infrastructure information, but they are just reminders of what
information provided by the private sector can be shared outside of the
government without specific permission.
Security Guidelines
Section 7 deals with the development of a ‘baseline
framework to reduce cyber risk to critical infrastructure’ (NOTE to EO
drafters: you’ve got to come up with a better name that has a memorable
acronym; it’s a requirement of the OMB style manual.) The Director of NIST is
required to develop a ‘Cybersecurity Framework’ that includes “a set of
standards, methodologies, procedures and processes that align policy, business,
and technological approaches to address cyber risks” {§7(a)}.
A preliminary version of the Cybersecurity Framework will be ready within 240
days. There are, of course, no penalties assigned for missing this time frame.
That is a good thing, as any number of standards organizations have been working
for years to come up with their particular piece of just this type of framework.
Then, one year after the EO is signed, the Director, after engaging in an “open
public review and comment process” {§7(e)}, will publish a final version of the
Framework.
To make things a tad bit more confusing, while the Framework
was being developed in a consultive (okay the word was made up, but it sounds
appropriately bureaucratic) environment, the Sector-Specific [Federal] Agencies
in further consultation with their [Private] Sector Coordinating Councils are
encouraged to “develop implementing guidance or supplemental materials to
address sector-specific risks and operating environments” {§8(b)}.
Voluntary Program
Section 8 requires the DHS Secretary to “establish a
voluntary program to support the adoption of the Cybersecurity Framework by
owners and operators of critical infrastructure and any other interested
parties” {§8(a)}. The Secretaries of Commerce and Treasury will identify
incentives that can be given to encourage participation under current law and
to suggest new legislation to further enhance those incentives.
In addition to those carrots there are at least two sticks
included in this draft EO that will be used to encourage participation. The
gentlest is the provision requiring Sector-Specific Agencies to report annually
“on the extent to which owners and operators notified under section 9 [the ‘at
greatest risk’ list, see above] of this order are participating in the Program”
{§8(c)}. Presumably there could be some Presidential arm twisting as a result.
The potentially more serious stick is regulatory action. Section 10 requires
Federal agencies (but not independent regulatory agencies, since they are not
under the direction of the President) responsible for regulating the security of
critical infrastructure to review the Cybersecurity Framework, determine whether
they have “clear regulatory authority to establish requirements based upon the
Cybersecurity Framework” {§10(a)}, and identify any additional authority needed.
Agencies would then have 60 days to “propose prioritized, risk-based, efficient,
and coordinated actions” {§10(b)} to mitigate cyber-risk consistent with the
Cybersecurity Framework.
The CFATS program, for instance, should have no legal
problem adding the Cybersecurity Framework to its regulatory scheme as long as
the requirements were risk-based performance standards and not specific
security requirements.
Moving Forward
Now all of the above is predicated on the ‘fact’ that this ‘draft
EO’ is legitimately a working draft. Even if it is, we have no idea of what
changes might be made to it before it is published in its final form.
Realistically, we’ll just have to wait and see what comes out of the Oval
Office.