Keywords: Obama, cybersecurity standards, executive order

On February 12, 2013, President Obama issued an executive order (the Order) intended to improve the cybersecurity of "critical infrastructure" in the United States. The Order seeks to build a public-private partnership with the owners and operators of critical infrastructure, to improve information sharing, and to collaboratively establish risk-based cybersecurity standards. 

The Order mandates a number of agency actions to achieve these goals, and will impact private companies that oversee infrastructure including transportation systems, dams, electrical grids and financial institutions. Key highlights of the Order are discussed below. 

Critical Infrastructure

The definition of "critical infrastructure" is broad and includes "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The President has substantial discretion to determine what infrastructure falls within this definition.

Information Sharing

The Order promotes information sharing by expanding the Enhanced Cybersecurity Services program and providing both classified reports on cyber threats to authorized entities and unclassified reports to other entities. However, the Order provides neither an exemption from certain privacy laws, such as the Electronic Communications Privacy Act, that serve as an impediment to information sharing, nor liability protection for private sector entities engaged in information sharing-related activities.

Cybersecurity Framework

The Order tasks the National Institute of Standards and Technology (NIST) with developing a Cybersecurity Framework (the Framework), which "shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks." The Order directs only that the Framework "incorporate voluntary consensus standards and industry best practices to the fullest extent possible." Thus, the Framework will not necessarily be built entirely on existing voluntary consensus standards and industry best practices.

The Framework will also incorporate "guidance" for performance metrics to assess implementation by private entities. NIST is required to publish a preliminary version of the Framework within 240 days of the Order, and the final version will be published within one year of the Order.

Private Participation in "Framework" Program

The Order tasks the Secretary of Commerce, in coordination with sector-specific agencies, with establishing "a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities" (the Program). In addition, the Secretary of Commerce is required to "coordinate establishment of a set of incentives designed to promote participation in the Program." These "incentives" have the potential to make it very difficult for owners and operators of critical infrastructure not to participate in the Program.

Other Significant Agency Actions

The Order requires agencies with authority for regulating the security of critical infrastructure to determine the adequacy of current cybersecurity regulations, in light of the preliminary Framework. If current regulations are deemed inadequate, within 90 days of publication of the final Framework, these agencies must propose proper actions to "mitigate cyber risk." The Order encourages independent regulatory agencies with the same authority "to consider prioritized actions to mitigate cyber risks," in consultation with relevant agencies and "other affected parties."

The Order provides for a number of agency actions that must be taken within a specified timeline. These actions may result in new cybersecurity regulations that could require owners and operators of critical infrastructure to change the policies, procedures, technologies, and equipment through which they identify cyber-threats and prevent or mitigate cyber-attacks. The Order does not, however, obviate the need for legislation, especially as the federal government seeks to facilitate increased cyber-threat information sharing by private companies, which will require changes to certain privacy statutes and liability protection for information sharing-related activities.


Originally published on February 13, 2013.



© Copyright 2013. The Mayer Brown Practices. All rights reserved.
