PROTIVITI FLASH REPORTPresident Obama Signs Executive Order to Take Initial Steps toImprove Critical Infrastructure CybersecurityFebruary 14, 2013On February 12, 2013, the President of the United States, just before his State of the Unionspeech, signed an executive order requiring federal agencies to share cyber threatinformation with private companies and to create a cybersecurity framework focused onreducing cybersecurity risks to companies providing critical infrastructure to an acceptablelevel. “Critical infrastructure” means “systems and assets, whether physical or virtual, so vitalto the United States that the incapacity or destruction of such systems and assets would havea debilitating impact on [national] security, national economic security, national public healthor safety, or any combination [thereof].” 1 While the cybersecurity framework is intended to bevoluntary, the executive order also requires federal agencies overseeing critical infrastructureto identify the operators and industries most at risk and to explore whether the governmentcan require those companies to adopt the framework.The long-expected order follows failed attempts in 2012 by the U.S. Congress to pass a lawto confront continuing electronic attacks on the networks of U.S. companies and governmentagencies. The executive order is available at www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.Scope of the OrderThe executive order states that “it is the policy of the United States to enhance the security andresilience of … critical infrastructure and to maintain a cyber environment that encouragesefficiency, innovation, and economic prosperity while promoting safety, security, businessconfidentiality, privacy, and civil liberties.” To achieve this demanding goal, the order furtherstates that “a partnership with … owners and operators of critical infrastructure to improvecybersecurity information sharing and collaboratively develop and implement risk-basedstandards” is needed. It directs government officials, led by the Secretary of Homeland Security,in the next year to create standards to reduce cybersecurity risks to critical infrastructure. Indoing so, the secretary is required to consult with and seek the advice of others, as discussedfurther below, including other agencies such as the Departments of Justice, Treasury andCommerce.1 See http://www.dhs.gov/critical-infrastructure-sectors where the Department of Homeland Security has identified 18critical infrastructure sectors: food and agriculture; banking and finance; chemical; commercial facilities;communications; critical manufacturing; dams; defense industrial base; emergency services; energy; governmentalfacilities; healthcare and public health; information technology; national monuments and icons; nuclear reactors,materials and waste; postal and shipping; transportation systems; and water.
Within 150 days of the date of the President’s order, a risk-based approach is to be used toidentify critical infrastructure where a cybersecurity incident could reasonably result incatastrophic regional or national effects on public health or safety, economic security, ornational security. In identifying critical infrastructure for this purpose and with respect to all otherconsiderations in developing the cybersecurity framework and executing the President’sexecutive order, the Secretary of Homeland Security is required to engage and consider theadvice of the Critical Infrastructure Partnership Advisory Council; sector coordinating councils;critical infrastructure owners and operators; sector-specific agencies; other relevant agencies;independent regulatory agencies; state, local, territorial and tribal governments; universities; andoutside experts. Because of the expansive swath of sectors identified as “critical infrastructuresectors,” 2 this requirement is very broad and clearly involves many government agencies,including but not limited to the Departments of Justice, Treasury and Commerce.The importance of involving sector-specific agencies cannot be overstated. To illustrate, thebanking industrys top trade group welcomed the President’s executive order but stressed thatfinancial firms have long worked with regulators to combat the risk of cyber attacks. The chiefexecutive of the American Bankers Association is reported to have stated earlier this week thatthe order "recognizes the value of leveraging existing expertise within sector-specific agencies… to the greatest extent possible as the administration evaluates the need for enhancedstandards." 3The various government agencies will focus on critical infrastructure “where a cybersecurityincident could reasonably result in a catastrophic regional or national [impact].” These systemsand assets include the countrys: dams and water supply facilities; electricity generation,transmission and distribution facilities comprising the power grid; oil and gas production,transportation and distribution facilities; financial networks; cable, wireless and othertelecommunication operators; air-traffic control systems; and public health systems, amongmany others.Development and Adoption of a Cybersecurity FrameworkThe order, which does not have the same force as law and therefore is lacking in legalenforcement power, directs federal authorities to improve information sharing on cyber threats –including some that may be classified – with companies that provide or support criticalinfrastructure. The order tasks the U.S. National Institute of Standards and Technology (NIST)to lead in the creation of a cybersecurity framework for operators of critical infrastructure. Thisframework will be based on "voluntary consensus standards and industry best practices." TheDepartment of Homeland Security, the Attorney General, the Director of National Intelligenceand the Secretary of Defense will have input during the development process.Once the framework is developed, its adoption will be voluntary. To that end, the governmentwill offer incentives to encourage companies to adopt it. The order directs the Secretary ofHomeland Security to establish incentives to promote participation in this program and, within120 days of the order, the Secretaries of Homeland Security, Commerce and Treasury to eachmake recommendations separately to the President analyzing the benefits, relativeeffectiveness and legality of the incentives. These incentives may include tax breaks, subsidiesand other programs. No doubt, Treasury’s focus will include the financial services industry.According to the order, the framework will provide “a prioritized, flexible, repeatable,performance-based, and cost-effective approach, including information security measures and2 See Footnote 1 for 18 sectors identified by Homeland Security.3 “Financial Industry Gives Obamas Cybersecurity Order Mostly Good Reviews,” American Banker, Brian Browdie,February 13, 2013. Protiviti | 2
controls, to help owners and operators of critical infrastructure identify, assess, and managecyber risk.” More specifically, it will: • Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure and include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks. • Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations and include recommendations that companies should follow to prevent attacks. • Provide guidance that is technology-neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks, enable technological innovation and account for organizational differences. • Include (a) guidance for measuring the performance of an entity in implementing the framework, (b) methodologies to identify and mitigate impacts of the framework, (c) associated information security measures or controls on business confidentiality, and (d) measures for protecting individual privacy and civil liberties. • More clearly define the responsibilities for different parts of the government that play a role in cybersecurity and incorporate voluntary consensus standards and industry best practices to the fullest extent possible. • Be consistent with voluntary international standards when such standards will advance the objectives of the President’s order.While the executive order carries no power to compel companies to reciprocate or to exchangecybersecurity information, the framework will be developed through an open public review andcomment process. Within 240 days of the date of the President’s order, a preliminary version ofthe framework will be published and, within one year of the date of the order, a final version ofthe framework will be published. Within two years after publication of the final framework,agencies with responsibility for regulating the security of critical infrastructure must report tothe Office of Management and Budget on any critical infrastructure subject to ineffective,conflicting or excessively burdensome cybersecurity requirements. This report mustdescribe efforts made by agencies, and make recommendations for further actions, tominimize or eliminate such requirements.Legislation May Be Needed to Give Teeth to this ProgramAn important immediate impetus for the executive order is the Congressional gridlock overcybersecurity legislation, largely attributable to controversy over expanding federal regulationssetting more cybersecurity standards for critical infrastructure and protecting private informationduring the process of sharing private data with the appropriate government agencies. Whileleaders in the previous Congress indicated that cybersecurity legislation would be a highpriority, omnibus legislation was blocked twice in the Senate and never reached the floor in theHouse.In the face of increased cyber risk and gridlock on the Hill, the President has used existingauthorities to advance the goal of increased critical infrastructure cybersecurity. That said, theissuance of this executive order may have the effect of reducing Congressional urgency toenact broad cybersecurity legislation and could spawn piecemeal legislative efforts. Forexample, legislation could focus on enhancing information-sharing both within the private sectorand between the private sector and the government. Protiviti | 3
What Happens Next – The TimetableTo increase the volume, timeliness and quality of cyber threat information shared with U.S.private sector entities so that these entities may better protect and defend themselves againstcyber threats, the Attorney General, the Secretary of Homeland Security and the Director ofNational Intelligence are required by the President’s order to each issue instructions consistentwith their authorities within 120 days of the date of the order to ensure the timely production ofunclassified reports of cyber threats to the U.S. homeland that identify specific targets. Theinstructions must address the protection of intelligence and law enforcement sources, methods,operations and investigations. As noted earlier, they must consult with others, including theTreasury and Commerce departments.In coordination with the Director of National Intelligence, the Secretary of Homeland Securityand the Attorney General are required by the order to establish a process that rapidlydisseminates reports to targeted entities and establishes a system for tracking their production,dissemination and disposition. To assist owners and operators of critical infrastructure inprotecting their systems from unauthorized access, exploitation or harm, the Homeland SecuritySecretary, in collaboration with the Secretary of Defense, shall, within 120 days of the date ofthe order, establish procedures to expand the Enhanced Cybersecurity Services program to allcritical infrastructure sectors. This voluntary information-sharing program will provide classifiedcyber threat and technical information from the government to eligible critical infrastructurecompanies or commercial service providers that offer security services to critical infrastructure.As noted earlier, legislation may be considered. Some view the President’s order as ameaningful step forward to comprehensive cyber security legislation built on the foundation of apartnership between the public and private sectors. Others seek a balanced approach thatpositively enhances the country’s cybersecurity without burdensome regulations that coulddiscourage innovation and set back the economic recovery. For example, at issue is how muchauthority to grant Homeland Security to oversee certain critical computer networks. Finally, stillothers believe that the minimum requirements for how crucial infrastructure should be protectedwere not addressed in the order and that these requirements necessitate Congressionalapproval. For example, equipment used by companies overseas is outdated and insecurebecause it was not designed to mitigate the risk of a serious cyber attack. Bottom line,information sharing does not correct the problem created by insecure systems.There will likely be pressure on critical infrastructure owners and operators to adopt the newvoluntary cybersecurity standards created by NIST. For example, sector-specific agencies maypropose additional mandatory cybersecurity regulations based on the NIST standards within ayear or so after the standards are published. Among the sectors mostly likely to see newmandatory regulations are the electric grid, natural gas, transportation, chemicals, nuclearpower, financial networks and ports, because agencies in these sectors appear to have existingstatutory authority and industry standards are viewed by some as not being strong enough.Government contractors may also face new cybersecurity mandates. Within 120 days of theorder, the Secretary of Defense and the Administrator of General Services, in consultation withthe Federal Acquisition Regulatory Council, will make recommendations to the President on thefeasibility, security benefits and relative merits of incorporating security standards intoacquisition planning and contract administration. This will not necessarily be new to federalprocurement, as the Department of Defense and General Services Administration, forexample, have already implemented cybersecurity standards for certain types of procurements.Further, the 2013 National Defense Authorization Act requires certain cybersecurity actions bydefense contractors. Protiviti | 4
As new cybersecurity standards are established in accordance with the President’s executiveorder, affected public companies will need to evaluate the adequacy of their disclosures inpublic reports. We have discussed this issue in a prior Flash Report. As fresh cybersecurityrisks arise, material expenditures are incurred by the company and/or management agrees tovoluntarily adopt the new standards, public disclosures may require updating in accordance withthe requirements of the Securities and Exchange Commission. 4SummaryThe executive order provided a weakened alternative to legislation the White House had hopedCongress would pass in 2012. Obama administration officials emphasize that the order does notreplace legislation that Congress could once again undertake this year. As one senioradministration official noted, "[This is] not an end of the conversation and in fact its just acontinuation of it." 5According to a December report issued by the Department of Homeland Security, intrusions intooil pipelines and electric power organizations have occurred “at an alarming rate.” Almost 200reported attacks on the nation’s critical infrastructure systems were reported to the agency in2012, a 52 percent increase over the prior year. Of greater concern, several of these attackswere successful. For example, hackers breached the computer systems of several natural gaspipelines last year and stole data that could be used to facilitate remote unauthorizedoperations. 6The Chairman of the House Intelligence Committee is reported to have stated that “the recentspike in advanced cyber attacks against the banks and newspapers makes [it] crystal clear.American businesses are under siege.” Therefore, there is a sense of urgency to provideAmerican companies the information they need to better protect their networks. For example,the U.S. Federal Reserve Bank recently confirmed that an internal database of U.S. bankcontacts was hacked just days after the names, addresses and other personal information ofaround 4,000 bank executives were leaked. 7While the President’s executive order leaves much to be ironed out through the regulatoryprocess, it is clear that cybersecurity regulation is here to stay and it is reasonable to surmisethat policy will evolve over time. Two parallel tracks are likely to unfold in this regard. On the onehand, federal agencies will seek to implement the President’s directive by issuing new rules andpolicies, most of which will be subject to public due process, review and comment. On the otherhand, Congress will likely pursue some form of cybersecurity legislation. In this respect, thePresident’s executive order is only the starting point in the development of a comprehensivenational cybersecurity framework. Clearly, more is to come.For these reasons, companies that are owners and operators of critical infrastructure shouldposition themselves as players in the process and participate in the dialogue with other ownersand operators in their industry. As the voluntary regulation unfolds, they should be aware of thenew standards and framework. In addition, they should:4 See Protiviti’s SEC Flash Report, “SEC Staff Provides Guidance on Public Companies Disclosure ObligationsRelating to Cybersecurity Risks and Cyber Incidents,” issued October 17, 2011, and available at www.protiviti.com.5 “Obama Executive Order Seeks Better Defense against Cyber Attacks,” Alina Selyukh, Reuters, February 12, 2013.6 “Obama Order Gives Firms Cyber Threat Information,” Michael S. Schmidt and Nicole Perlroth, New York Times,February 12, 2013.7 “Financial industry welcomes Obama cybersecurity plans,” Finextra, February 14, 2013. Protiviti | 5