Cybersecurity is at the top of the US Government's agenda
In recent years the United States has witnessed a significant rise in the number of data breaches and cyber-attacks on government agencies, private citizens and critical infrastructure industries. Incidents such as “Stuxnet” and “Red October”, the network breach of The Wall Street Journal, and news of website breaches of American banks seem to occur with greater frequency. These attacks have led to heightened consideration by U.S. Government officials as well as members of Congress regarding the federal government’s role in addressing cybersecurity risks directed at the country’s critical infrastructure. In February 2013, President Obama issued a preliminary response to these growing concerns in his State of the Union address by announcing the White House Executive Order for “Improving Critical Infrastructure Cybersecurity” (the “EO”). President Obama further urged Congress to follow his lead and pass comprehensive cybersecurity legislation to “give our government a greater capacity to secure our networks and deter attacks.” The EO tasked federal agencies to take immediate action to address cyber-threats to the country’s critical infrastructure.
With the EO’s anniversary approaching, it is a good time to evaluate the progress made toward meeting the President’s goals and to set expectations for 2014.
The Cybersecurity Executive Order
The intended purpose of the EO was to improve the security and resiliency of critical infrastructure industries (“CII”) by mobilizing federal agencies to increase information sharing and collaboration between the government and private owners and operators of CII. CII within this context is broadly defined as:
“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
To achieve the goals of increased information sharing and collaboration, these components required participation from a broad range of government agencies, including the Department of Homeland Security (“DHS”), the Department of Commerce (“Commerce”), the National Institute of Standards and Technology (“NIST”), the Department of the Treasury (“Treasury”) as well as other national security and sector-specific agencies.
Among the key EO components, DHS, the U.S. Attorney General, and the Director of National Intelligence together were tasked with disseminating unclassified reports on timely cyber-threat information to U.S. companies. Further, DHS is responsible for expanding the agency’s voluntary Enhanced Cybersecurity Service program, which will facilitate near real-time sharing of cyber-threat information to assist participating CII. Finally, DHS is responsible for identifying CII that, in the event of a successful cybersecurity incident, would severely impact national security, economic security or public health and safety, and for creating a process to confidentially notify the owners and operators of those companies.
The National Protection and Programs Directorate (NPPD) within DHS is the leader in protecting the nation’s physical and cyber networks. In June 2013, NPPD reported to Congress that the agency had implemented “sharelines” to increase the volume, timeliness and quality of cyber-threat information shared with private sector companies. It was also reported that DHS provided the list of CII to the White House as directed. This process has been confidential and little has been released publicly.
NIST Cybersecurity Framework
Perhaps the most important component of the EO, or at least the most widely reported component, is the National Institute of Standards and Technology’s (“NIST”) development of a voluntary Cybersecurity Framework. The Framework is a set of standards and procedures, based on existing industry guidelines and practices, to reduce cybersecurity risks to CII.
NIST embarked on a campaign to elicit public input on the Cybersecurity Framework. This included a formal Request for Information (RFI) process and a series of public workshops across the country consulting with over 3,000 individuals and members from CII, non-profit organizations, industry associations and government entities on how the Framework should be constructed. Following these extensive public sessions, NIST released the Preliminary Cybersecurity Framework on October 29, 2013.
The Framework identifies a “Framework Core” of five principles: Know, Prevent, Detect, Respond, and Recover, designed to focus on key functions of an organization’s approach to cybersecurity. It attempts to offer a common language and mechanism for CII to determine and define both their current position and their target state for cybersecurity. CII are expected to use the Framework to identify and prioritize opportunities for improvement within the context of risk management and to assess progress toward their goals. The Final Cybersecurity Framework is expected to be released by February 12, 2014.
NIST’s release of the Preliminary Framework has met with hesitation from some in the private sector who fear the voluntary framework will ultimately become a mandatory compliance program. The Framework has been created through broad public participation, and Congress could take the finished product and create mandatory regulations. Many have raised concerns that while the process is strictly voluntary, the Framework will become the industry standard, and CII choosing not to adopt the Framework would be opening themselves up to negligence claims and civil liability. The private sector continues to urge NIST to create a Framework focusing on company risk management rather than compliance-based procedures, since a risk-based model would provide the flexibility to be applied across CII sectors, develop with advancements in technology and adjust to the continually changing threat landscape. In the meantime, private sector companies continue to adopt policies and procedures to address continuously evolving cybersecurity threats. These companies are also encouraged to participate in NIST’s continued review of the Framework.
CII Incentives for Voluntary Adoption of Framework
The NIST Framework is expected to operate as a voluntary set of best practices for the private sector. To assist NIST’s efforts, DHS is tasked with creating a program promoting voluntary adoption of the Framework through a series of benefits and incentives for CII choosing to adopt the Framework into the company’s cybersecurity practices. The incentives program is under development and is expected to take effect following the release of the final Framework.
On August 6, the White House released a summary of possible incentives for companies choosing to implement the Framework. The incentives are based on reports from the DHS, Commerce, and Treasury and include:
• lower rates for cybersecurity insurance,
• priority review for government grants and nonemergency technical assistance,
• protections such as reduced tort liability (limited indemnity, higher burdens of proof),
• the creation of a federal legal privilege that would preempt state disclosure requirements,
• streamlining of the Framework with existing regulations, and
• rate recovery for price-regulated industries (e.g. utility rates).
Many incentives such as priority consideration for grants and public recognition could be implemented immediately without further regulation. Some incentives, such as liability protection, would require legislation before they may become legally effective.
Legislative efforts on Capitol Hill
Congress has attempted in recent years to issue major legislation to address the growing cybersecurity concerns, but has been unsuccessful. Cybersecurity legislation could serve to fill in gaps to encourage companies and government to share information to prevent electronic attacks from cybercriminals, foreign governments, and terrorists. The fear is that legislation likely also will impose mandatory requirements and liability for companies that fail to comply.
Chairman Mike Rogers (R-MI) and Ranking Member C.A. Ruppersberger (D-MD) of the House of Representatives Permanent Select Committee on Intelligence reintroduced the “Cyber Intelligence Sharing and Protection Act,” or “CISPA” (H.R. 624), on February 13, 2013, following the release of the Executive Order. The House initially passed CISPA in April 2012. The 2012 version was sent to the Senate, which refused to take up the CISPA legislation. Instead, the Senate attempted to pass the “Cybersecurity Act of 2012” (S. 3414) but failed in its attempts to obtain enough votes to move the bill forward. The Senate similarly refused to take up the 2013 CISPA bill due to privacy concerns with the bill’s information sharing provisions.
In July 2013, the Senate Commerce, Science, and Transportation Committee unanimously approved a new bill, the Cybersecurity Act of 2013 (S. 1353), echoing the Executive Order and formalizing NIST’s role in developing the Framework to reduce cyber-attacks on critical infrastructure. The bill received support from key industry groups, partially because it excluded provisions that would allow companies to share real-time cybersecurity information with the government. The bill was expected to bring certainty to the private sector regarding NIST’s non-regulatory role in cybersecurity. Despite apparent bipartisan support, the bill has remained dormant and there is no anticipated timeframe for its passage by the full Congress.
Reviewing the EO nearly a year after it took effect, it is clear that progress has been made. NIST appears on track to meet the February 2014 deadline for release of the final Cybersecurity Framework, and other federal agencies are making strides to increase information sharing between the government and the private sector and to create incentives for CII to adopt the Framework. However, it is also clear that there is no easy fix for this issue, and those in the private sector will need to remain vigilant in order to manage their cybersecurity risk.
Dawn Damschen practices in the area of telecommunications, assisting corporate clients and trade associations with various legal and regulatory matters including those before the Federal Communications Commission. She graduated from Concordia College-Moorhead in 2007 and received her J.D. from Catholic University Columbus School of Law in 2012. She can be contacted by email at Livingston@khlaw.com.