The Executive Order, “Improving Critical Infrastructure Cybersecurity,” and the Presidential Policy Directive (“PPD”), “Critical Infrastructure Security and Resilience,” signed by President Obama on February 12, 2013, raise the stakes in the national debate over cybersecurity requirements and seem likely, if not designed, to provoke a legislative response. Industry has good reason to pay attention.
Although worded in terms of “consultation” and “voluntary” adoption of a yet-to-be-developed cybersecurity framework, the Executive Order also calls for federal agencies to consider incentives, including changes to the federal acquisition regulations, for encouraging adoption of the framework. It requires agencies to report on the extent to which the private sector is complying with the framework. And, most significantly, the Executive Order directs agencies to “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks;” to report on “whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required;” and, if current regulatory requirements are deemed to be “insufficient,” to “propose prioritized, risk-based, efficient, and coordinated actions . . . to mitigate cyber risk.”
This is a dramatic change from President Obama’s first pronouncement on cybersecurity just five months after taking office. On May 29, 2009, the President promised to avoid security regulations even though he acknowledged that “the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector.” Nevertheless, in 2009 he was adamant that his administration would “collaborate with industry to find technology solutions,” rather than “dictate security standards for private companies.” Following President Obama’s announcement at that time, some business leaders celebrated having “dodged the bullet” of new regulation, but after four years of increasing vulnerabilities and successful attacks against some of the United States’ largest and most tech-savvy companies, it is clear that regulation is back on the table after the release of the Executive Order.
Of course, it is not clear that the Administration can go far down the road of imposing cybersecurity requirements on industry without legislation. In repeated statements over the past five months, Administration spokespeople and cybersecurity experts have argued that congressional action was necessary. In last Tuesday’s State of the Union address, the President himself called on Congress to “act . . . by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” It remains to be seen whether Congress will take up the invitation, but it is hard to imagine that it will leave a topic as important and as headline-worthy to the administration alone. After all, no elected official wants to appear weak on security.
A second interesting feature of the Executive Order and PPD are their continuing focus on “critical infrastructure” and the integration of physical and cyber security concepts. This aspect of the Executive Order represents a clear update to the previous approach to critical infrastructure identification, prioritization and protection set forth in the Bush Administration’s Homeland Security Presidential Directive 7, published in 2003. As detailed in the PPD accompanying the Executive Order, “critical infrastructure” includes virtually the entire economic infrastructure of the United States (the PPD lists: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, and Water and Wastewater Systems). The breadth of the critical infrastructure concept is intended to allow for companies with common infrastructure and security concerns to collaboration and coordinate with appropriate government organizations regarding cybersecurity issues. While a useful organizational construct, it will require further evaluation and update, as called for by the PPD.
Finally, the alphabet soup of agencies in the Executive Order and PPD again raise the troubling question of who is in charge when it comes to cybersecurity in the federal government. The two documents give responsibilities to all of the federal cabinet agencies and other specialized agencies, with surprisingly no mention of the White House Cybersecurity Coordinator, a position the Administration created less than four years ago. The Department of Homeland Security (“DHS”) seems to be given the greatest number of new tasks and responsibilities, but there has been no public discussion of budget or personnel to carry out those tasks—at DHS or elsewhere, which is an issue that clearly will need to involve Congress.