The New Cybersecurity Executive Order – Unfunded Mandate or Toothless?
By John B. Wood
The need to beef up America’s cybersecurity -- especially the protection of U.S. critical infrastructure -- got a very strong shout-out in the President’s State of the Union Address on February 12th. This is a huge and long-overdue public recognition of the cyber threat we face.
After stating the threat in stark terms, President Obama also announced he had that day signed a long-anticipated cybersecurity executive order intended to increase information sharing and develop standards and a framework – in cooperation with the private sector – to “protect our national security, our jobs, and our privacy.”
But what will be the real impact of this executive order? Drafted after the last Congress was unable to agree on any cybersecurity legislation, the order appears designed to get the ball rolling on cybersecurity, while encouraging legislators to do their part. In summary, the executive order:
1.) Expands an existing voluntary defense industrial base cyber threat information sharing program, opening it up to other sectors including critical infrastructure; but participation is still voluntary.
2.) Directs NIST to take the lead in working with critical infrastructure stakeholders to develop a “Cybersecurity Framework” that would be based “to the fullest extent possible” on existing international standards, voluntary consensus standards and industry best practices that have proven effective. Private-sector participation, both in developing the framework and in adopting it, would also be voluntary (although the order directs agencies to develop “incentives” for companies to adopt the eventual framework).
3.) Charges regulatory agencies with using the Cybersecurity Framework, once in place, to assess their existing cybersecurity regulations to determine if they are sufficient or are no longer effective and can be replaced by new, cost-effective regulations based upon the Cybersecurity Framework and developed “in consultation with their regulated companies.”
4.) Requires the Department of Homeland Security to:
a.) “Identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security,”
b.) Review and update this information on an annual basis,
c.) Confidentially notify owners and operators of critical infrastructure identified as at risk and provide them with the basis of such designation, and
d.) Allow such companies to submit information in response and request reconsideration of this designation.
For months some have feared that this executive order would be another unfunded mandate on the private sector. But as issued on February 12th, it is so voluntary in nature and so narrow in scope that it raises the question of whether it is toothless to the point of being ineffective.
Last year the Senate debated -- but was unable to pass -- a cybersecurity bill opposed by many in the private sector. That bill was both comprehensive in scope and mandatory in its approach. This executive order is neither, and unless critical infrastructure companies agree of their own volition to participate, the executive order’s impact will be extremely limited.