Wednesday, February 13, 2013

Cybersecurity Executive Order

Well, President Obama finally signed the long promised Cybersecurity Executive Order. We don’t have an EO number yet, that will come in the next day or two when the EO is published in the Federal Register. In any case, what is posted on the White House web site is certainly good enough for us to start seeing what practical effect this EO will have on cybersecurity.

The Policy

We couldn’t even get started on this without looking at the basic policy statement included in §1:

“It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

While this policy is supposed to be focused on ‘critical infrastructure’ it is clear that the focus of the cybersecurity effort is on information security. Control systems are addressed in passing (a single mention, safety, is specifically targeted at physical systems), but it is clear that this is mainly an IT policy.

Critical Infrastructure

Since this EO is targeted on protecting the cybersecurity of critical infrastructure it is important to understand what that term means. First in §2 we see a basic definition of the term:

“As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

The way this definition is constructed it is difficult to see any single facility or company that would qualify as ‘critical infrastructure’. This definition would only seem to apply to networks or organizations. For example, only the incapacity or destruction of the electric transmission network, the gasoline pipeline network or the financial network would have a truly debilitating impact on the ‘national economic security’ or ‘national public health’. It is hard to see how the destruction or incapacity of any single entity would meet the definition.

This definition is expanded somewhat in §9(a) where the Secretary of DHS is required to identify “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional [emphasis added] or national effects on public health or safety, economic security, or national security”. The addition of a lower ‘regional’ impact standard will increase slightly the number of affected facilities. It would probably stretch to include major oil refineries for instance or regional power companies.

Now all of this certainly depends on how you define ‘debilitating impact’; a term carefully left undefined in this EO. The more broadly you define ‘debilitating’ the more inclusive the term ‘critical infrastructure’ becomes. Water it down enough and everything is critical infrastructure.

Information Sharing

The one thing that should be relatively easy to implement in this EO would be the information sharing provisions of §4. It shouldn’t take an EO, however, for the President to direct the intelligence agencies to produce unclassified reports on cybersecurity threats as is outlined in §4(a). The expansion of the sharing of classified intelligence as outline in §4(c) will be slow as the private sector will be slow to adopt the necessary security mechanisms required to handle classified documents.

The Cybersecurity Framework

Since there is no Congressional mandate or authority for the regulation of cybersecurity, the President has studiously avoided the use of the word ‘regulation’. Instead he has required the Director of the National Institute of Standards (NIST) to lead the development of “a framework to reduce cyber risks to critical infrastructure”. To ensure that everyone understands that these non-regulation are intended to behave like regulations, §7(a) goes on to explain that the framework “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks”.

The semi-regulatory nature of the framework is further reinforced by the requirement in §7(d) that the Director shall “engage in an open public review and comment process”; the same type review process that is used for writing or revising regulations.

The one area where this EO has certainly taken an extreme leap of faith has been in the time frame set forth for the development of the Cybersecurity Framework. Section 7(e) of the order provides the Director 240 day to publish a preliminary version of the framework. Depending on how much of the work of developing the framework has already been done by NIST (and I would bet that they have been hard at work on this while the EO was being developed) this might actually be doable.

It will be nearly impossible, however, to have the final version of the framework published 125 days later (within one year of the official publication of this EO). This is because of the need to complete the comment and review process promised in §7(d). Anything less than a 90 day comment period will certainly end up in court and it will take a minimum of at least another 90 days for NIST to process and formulate responses to the huge number of comments that will inevitably result.

Since these are supposed to be consensus standards formulated in consultation with rest of the federal government, I will be very surprised if the draft version of the framework can be published within the one year time frame and it could be 2016 before the OMB approves the final version. And the OMB will be intimately involved in the publication of this document; see §12(b).

Voluntary Adoption of Framework

Section 8 of the EO clearly makes adoption of the framework by the private sector voluntary and there will be incentives developed {§8(d)} even before the draft framework is completed to encourage that voluntary participation in the program. The most important incentive is outlined in §8(e) where an attempt will be made (almost certainly successfully) to require adoption of the standards as part of the federal acquisition process. That is a fairly big carrot/stick that could be wielded far beyond the broadest possible definition of ‘critical infrastructure’.

The portion of the EO that will cause the most problems for the private sector is to be found in §10 where it spells out how agencies “with responsibility for regulating the security of critical infrastructure” will try to find existing authorities to require the implementation of the framework within the regulated community. Those agencies have 90 days from the publication of the preliminary framework to identify:

• If agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure;
• The existing authorities identified, and
• Any additional authority required.

It is likely that some agencies will be able to begin implementation of the framework requirements before the final framework is approved in the comment and response process. Even where clear authority exists, though, it will take regulatory changes (with the required comment and review process) to fully implement the final framework provisions.

The Legislative Process

 The one thing that this EO will certainly do is to aggravate the legislative process for the adoption of cybersecurity measures by Congress. The Republican controlled House is certain to start work on bills to limit the authority of the President to implement the framework even before the initial version is published. Those challenges will focus on the provisions of §8(e) and §10. That legislative work will certainly take away from efforts to produce a Republican consensus cybersecurity bill.

In the Senate, the amendment process on any cybersecurity legislation will be tied up in the processing of amendments to limit the implementation of this EO. The impossibility of getting the votes necessary to move past those amendments will kill any floor action on even the most agreeable cybersecurity legislation.


Finally, I am going to have to announce that this EO is stillborn. The Obama Administration has demonstrated a complete inability to implement any of the executive orders published to date. I find it hardly likely for them to be able to implement something as complex and controversial as this.

1 comment:

Jake Brodsky said...

I agree, Pat. I have been wondering who is feeding the Legislative and Executive branches the fodder they use to write this stuff. It appears the answer is Nobody that has any concept of what works.

I get the strong impression that instead of attempting to impose reporting requirements, on site documentation, recognized certificates, or anything of the sort, they're attempting to impose security in much the same way that the rest of the Federal Government has --and we see how well that's working for them.

Jake Brodsky

/* Use this with templates/template-twocol.html */