February 14, 2013
On February 12, 2013, the President of the United States, just before his State of the Union speech, signed an executive order requiring federal agencies to share cyber threat information with private companies and to create a cybersecurity framework focused on reducing cybersecurity risks to companies providing critical infrastructure to an acceptable level. “Critical infrastructure” means “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on [national] security, national economic security, national public health or safety, or any combination [thereof].”1 While the cybersecurity framework is intended to be voluntary, the executive order also requires federal agencies overseeing critical infrastructure to identify the operators and industries most at risk and to explore whether the government can require those companies to adopt the framework.
The long-expected order follows failed attempts in 2012 by the U.S. Congress to pass a law to confront continuing electronic attacks on the networks of U.S. companies and government agencies. The executive order is available at www.whitehouse.gov/the-pressoffice/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
Scope of the Order
The executive order states that “it is the policy of the United States to enhance the security and resilience of … critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” To achieve this demanding goal, the order further states that “a partnership with … owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards” is needed. It directs government officials, led by the Secretary of Homeland Security, in the next year to create standards to reduce cybersecurity risks to critical infrastructure. In doing so, the secretary is required to consult with and seek the advice of others, as discussed further below, including other agencies such as the Departments of Justice, Treasury and Commerce.
1See http://www.dhs.gov/critical-infrastructure-sectors where the Department of Homeland Security has identified 18 critical infrastructure sectors: food and agriculture; banking and finance; chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; governmental facilities; healthcare and public health; information technology; national monuments and icons; nuclear reactors, materials and waste; postal and shipping; transportation systems; and water.
Within 150 days of the date of the President’s order, a risk-based approach is to be used to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose and with respect to all other considerations in developing the cybersecurity framework and executing the President’s executive order, the Secretary of Homeland Security is required to engage and consider the advice of the Critical Infrastructure Partnership Advisory Council; sector coordinating councils; critical infrastructure owners and operators; sector-specific agencies; other relevant agencies; independent regulatory agencies; state, local, territorial and tribal governments; universities; and outside experts. Because of the expansive swath of sectors identified as “critical infrastructure sectors,”2 this requirement is very broad and clearly involves many government agencies, including but not limited to the Departments of Justice, Treasury and Commerce.
The importance of involving sector-specific agencies cannot be overstated. To illustrate, the banking industry's top trade group welcomed the President’s executive order but stressed that financial firms have long worked with regulators to combat the risk of cyber attacks. The chief executive of the American Bankers Association is reported to have stated earlier this week that the order "recognizes the value of leveraging existing expertise within sector-specific agencies … to the greatest extent possible as the administration evaluates the need for enhanced standards."3
The various government agencies will focus on critical infrastructure “where a cybersecurity incident could reasonably result in a catastrophic regional or national [impact].” These systems and assets include the country's: dams and water supply facilities; electricity generation, transmission and distribution facilities comprising the power grid; oil and gas production, transportation and distribution facilities; financial networks; cable, wireless and other telecommunication operators; air-traffic control systems; and public health systems, among many others.
Development and Adoption of a Cybersecurity Framework
The order, which does not have the same force as law and therefore is lacking in legal enforcement power, directs federal authorities to improve information sharing on cyber threats – including some that may be classified – with companies that provide or support critical infrastructure. The order tasks the U.S. National Institute of Standards and Technology (NIST) to lead in the creation of a cybersecurity framework for operators of critical infrastructure. This framework will be based on "voluntary consensus standards and industry best practices." The Department of Homeland Security, the Attorney General, the Director of National Intelligence and the Secretary of Defense will have input during the development process.
Once the framework is developed, its adoption will be voluntary. To that end, the government will offer incentives to encourage companies to adopt it. The order directs the Secretary of Homeland Security to establish incentives to promote participation in this program and, within 120 days of the order, the Secretaries of Homeland Security, Commerce and Treasury to each make recommendations separately to the President analyzing the benefits, relative effectiveness and legality of the incentives. These incentives may include tax breaks, subsidies and other programs. No doubt, Treasury’s focus will include the financial services industry.
2See Footnote 1 for 18 sectors identified by Homeland Security.
3“Financial Industry Gives Obama's Cybersecurity Order Mostly Good Reviews,” American Banker, Brian Browdie, February 13, 2013.
According to the order, the framework will provide “a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” More specifically, it will:
- Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure and include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.
- Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations and include recommendations that companies should follow to prevent attacks.
- Provide guidance that is technology-neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks, enable technological innovation and account for organizational differences.
- Include (a) guidance for measuring the performance of an entity in implementing the framework, (b) methodologies to identify and mitigate impacts of the framework, (c) associated information security measures or controls on business confidentiality, and (d) measures for protecting individual privacy and civil liberties.
- More clearly define the responsibilities for different parts of the government that play a role in cybersecurity and incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
- Be consistent with voluntary international standards when such standards will advance the objectives of the President’s order.
While the executive order carries no power to compel companies to reciprocate or to exchange cybersecurity information, the framework will be developed through an open public review and comment process. Within 240 days of the date of the President’s order, a preliminary version of the framework will be published and, within one year of the date of the order, a final version of the framework will be published. Within two years after publication of the final framework, agencies with responsibility for regulating the security of critical infrastructure must report to the Office of Management and Budget on any critical infrastructure subject to ineffective, conflicting or excessively burdensome cybersecurity requirements. This report must describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
Legislation May Be Needed to Give Teeth to this Program
An important immediate impetus for the executive order is the Congressional gridlock over cybersecurity legislation, largely attributable to controversy over expanding federal regulations setting more cybersecurity standards for critical infrastructure and protecting private information during the process of sharing private data with the appropriate government agencies. While leaders in the previous Congress indicated that cybersecurity legislation would be a high priority, omnibus legislation was blocked twice in the Senate and never reached the floor in the House.
In the face of increased cyber risk and gridlock on the Hill, the President has used existing authorities to advance the goal of increased critical infrastructure cybersecurity. That said, the issuance of this executive order may have the effect of reducing Congressional urgency to enact broad cybersecurity legislation and could spawn piecemeal legislative efforts. For example, legislation could focus on enhancing information-sharing both within the private sector and between the private sector and the government.
What Happens Next – The Timetable
To increase the volume, timeliness and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence are required by the President’s order to each issue instructions consistent with their authorities within 120 days of the date of the order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify specific targets. The instructions must address the protection of intelligence and law enforcement sources, methods, operations and investigations. As noted earlier, they must consult with others, including the Treasury and Commerce departments.
In coordination with the Director of National Intelligence, the Secretary of Homeland Security and the Attorney General are required by the order to establish a process that rapidly disseminates reports to targeted entities and establishes a system for tracking their production, dissemination and disposition. To assist owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation or harm, the Homeland Security Secretary, in collaboration with the Secretary of Defense, shall, within 120 days of the date of the order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information-sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
As noted earlier, legislation may be considered. Some view the President’s order as a meaningful step forward to comprehensive cyber security legislation built on the foundation of a partnership between the public and private sectors. Others seek a balanced approach that positively enhances the country’s cybersecurity without burdensome regulations that could discourage innovation and set back the economic recovery. For example, at issue is how much authority to grant Homeland Security to oversee certain critical computer networks. Finally, still others believe that the minimum requirements for how crucial infrastructure should be protected were not addressed in the order and that these requirements necessitate Congressional approval. For example, equipment used by companies overseas is outdated and insecure because it was not designed to mitigate the risk of a serious cyber attack. Bottom line, information sharing does not correct the problem created by insecure systems.
There will likely be pressure on critical infrastructure owners and operators to adopt the new voluntary cybersecurity standards created by NIST. For example, sector-specific agencies may propose additional mandatory cybersecurity regulations based on the NIST standards within a year or so after the standards are published. Among the sectors most likely to see new mandatory regulations are the electric grid, natural gas, transportation, chemicals, nuclear power, financial networks and ports, because agencies in these sectors appear to have existing statutory authority and industry standards are viewed by some as not being strong enough.
Government contractors may also face new cybersecurity mandates. Within 120 days of the order, the Secretary of Defense and the Administrator of General Services, in consultation with the Federal Acquisition Regulatory Council, will make recommendations to the President on the feasibility, security benefits and relative merits of incorporating security standards into acquisition planning and contract administration. This will not necessarily be new to federal procurement, as the Department of Defense and General Services Administration, for example, have already implemented cybersecurity standards for certain types of procurements. Further, the 2013 National Defense Authorization Act requires certain cybersecurity actions by defense contractors.
As new cybersecurity standards are established in accordance with the President’s executive order, affected public companies will need to evaluate the adequacy of their disclosures in public reports. We have discussed this issue in a prior Flash Report. As fresh cybersecurity risks arise, material expenditures are incurred by the company and/or management agrees to voluntarily adopt the new standards, public disclosures may require updating in accordance with the requirements of the Securities and Exchange Commission.4
The executive order provided a weakened alternative to legislation the White House had hoped Congress would pass in 2012. Obama administration officials emphasize that the order does not replace legislation that Congress could once again undertake this year. As one senior administration official noted, "[This is] not an end of the conversation and in fact it's just a continuation of it."5
According to a December report issued by the Department of Homeland Security, intrusions into oil pipelines and electric power organizations have occurred “at an alarming rate.” Almost 200 reported attacks on the nation’s critical infrastructure systems were reported to the agency in 2012, a 52 percent increase over the prior year. Of greater concern, several of these attacks were successful. For example, hackers breached the computer systems of several natural gas pipelines last year and stole data that could be used to facilitate remote unauthorized operations.6
The Chairman of the House Intelligence Committee is reported to have stated that “the recent spike in advanced cyber attacks against the banks and newspapers makes [it] crystal clear. American businesses are under siege.” Therefore, there is a sense of urgency to provide American companies the information they need to better protect their networks. For example, the U.S. Federal Reserve Bank recently confirmed that an internal database of U.S. bank contacts was hacked just days after the names, addresses and other personal information of around 4,000 bank executives were leaked.7
While the President’s executive order leaves much to be ironed out through the regulatory process, it is clear that cybersecurity regulation is here to stay and it is reasonable to surmise that policy will evolve over time. Two parallel tracks are likely to unfold in this regard. On the one hand, federal agencies will seek to implement the President’s directive by issuing new rules and policies, most of which will be subject to public due process, review and comment. On the other hand, Congress will likely pursue some form of cybersecurity legislation. In this respect, the President’s executive order is only the starting point in the development of a comprehensive national cybersecurity framework. Clearly, more is to come.
4See Protiviti’s SEC Flash Report, “SEC Staff Provides Guidance on Public Companies' Disclosure Obligations Relating to Cybersecurity Risks and Cyber Incidents,” issued October 17, 2011, and available at www.protiviti.com.
5“Obama Executive Order Seeks Better Defense against Cyber Attacks,” Alina Selyukh, Reuters, February 12, 2013.
6“Obama Order Gives Firms Cyber Threat Information,” Michael S. Schmidt and Nicole Perlroth, New York Times, February 12, 2013.
7“Financial industry welcomes Obama cybersecurity plans,” Finextra, February 14, 2013.
For these reasons, companies that are owners and operators of critical infrastructure should position themselves as players in the process and participate in the dialogue with other owners and operators in their industry. As the voluntary regulation unfolds, they should be aware of the new standards and framework. In addition, they should:
- Understand the information they currently have on cybersecurity issues,
- Make cybersecurity an enterprise imperative by involving senior stakeholders responsible for aspects of the business that manage critical enterprise assets and information,
- Apply a methodology for rating the susceptibility to cyber attack of the company’s critical assets and information, and
- Take the necessary steps to implement measures that reduce the identified cybersecurity risks to an acceptable level.
Once the cybersecurity framework is completed in accordance with the President’s order, companies should adapt it to their specific requirements and culture.
The message is clear: Now, not later, is the time to participate and seek to influence policy development positively as well as take the necessary steps to understand cybersecurity risks and mitigate those risks.
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 35 percent of FORTUNE® 1000 and Global 500 companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half International Inc. (NYSE: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.