By David Beardwood
The Obama Administration’s Executive Order, Improving Critical Infrastructure Cybersecurity (EO), makes recommendations similar to those in the Bipartisan Policy Center’s (BPC) Cybersecurity Task Force report on Public-Private Information Sharing (July 2012), a task force chaired by General Michael Hayden and Mort Zuckerman. Though the EO makes progress towards these recommendations, they cannot be fully realized without further action from Congress. BPC welcomes the efforts of Representatives Mike Rogers, Dutch Ruppersberger and Michael McCaul, Senator John Rockefeller, and their cosponsors, whose new versions of their respective bills have restarted the cybersecurity dialogue in Congress in recent weeks. It is our hope that both parties will find common ground to pass effective cybersecurity legislation.
Our report recommends the following measures, each of which the executive order addresses:
Provide actionable non-classified intelligence to private businesses, tailored by industry sector. (Pg. 7 of BPC report)
- The EO seeks to expand non-classified intelligence and integrate more private experts into cybersecurity analysis as we recommend. The administration should make sure to include actionable technical intelligence.
- Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. (Sec. 4a)
Enhance the ability of critical infrastructure owners to access classified information. (Pg. 13)
- The EO mandates that key critical infrastructure personnel will be selected for expedited security clearances, enabling them to gain a more detailed understanding of wide cyber threats.
- The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order. (Sec. 4d)
Ensure that personally identifiable information (PII) is properly protected in the process of information sharing. (Pg. 7)
- There is sufficient executive authority to protect PII in the implementation of the EO.
- Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities. (Sec. 5a)
Clarify industry safety standards so that companies are confident that they will not be punished by the Federal Trade Commission (FTC) for failing to meet minimum security standards, and will not be afraid to report security breaches or security information to the FTC out of fear of enforcement actions. (Pg. 15)
- The main purpose of the EO is to set safety standards for private industry in critical infrastructure, called the Cybersecurity Framework. Adopting the Cybersecurity Framework will be voluntary for industry, and adopting it will not guarantee legal protection against Federal Trade Commission enforcement actions if a company loses user information to a data breach. However, any business that complies with the Cybersecurity Framework and suffers a data breach should have a strong case that they acted in good faith to maintain adequate security, and should expect to be protected against enforcement actions by the FTC. Since the Cybersecurity Framework is not law, protection against enforcement actions will not be guaranteed, but adopting the Cybersecurity Framework should at least clarify federal expectations of adequate security standards to critical infrastructure. Since the Cybersecurity Framework will only address critical infrastructure, this benefit will not extend to other businesses under the EO.
- The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. (Sec. 7a)
There are some issues that are not addressed in the EO at all and will require action by Congress. Our report makes the following recommendations, all of which are impossible to achieve without federal legislation:
Create a standard framework for protecting the vulnerability information of private companies provided to the government. (Pg. 9)
- If companies are going to share information with the government, they will want to know that any weaknesses they share are not stolen from government networks or made public. The Obama administration could create a standardized framework without legislation that enhances the security of vulnerability information, but it cannot universally exempt this information from the public record without authority from Congress. The fear of public release will keep companies from sharing vulnerability information with the government, even if the information is otherwise kept secure.
Provide liability protection to private or government cybersecurity clearinghouses that identify harmful sites, IP addresses or individuals. (Pg. 9)
- If a cybersecurity clearinghouse unintentionally misidentifies a benign entity as something harmful, they should be protected from lawsuits so long as they provide appropriate appeal measures to the entity that was identified as a threat.
Create a single federal standard for consent to monitor communications. (Pg. 10)
- Due to the multitude of state monitoring standards, it is often difficult for communications companies to gain authority to monitor threatening communications even if one party to the communication is willing to allow monitoring. Our report recommends that a federal one-party consent standard be in place for monitoring communications when criminal activity is suspected and in sharing evidence of crimes with the government.
Identify a set of authorities the president can exercise in the event of a cyber emergency. (Pg. 12)
- The president does not currently have clear and sufficient authorities to carry out an effective response to a large-scale cybersecurity emergency. Clarifying the president’s authorities and ensuring that they exist within meaningful legal boundaries will reduce the chance of poor response or abuse of power in an emergency.
Create one federal data breach standard so that companies do not need to comply with a different standard in every state. (Pg. 15)
- Currently, each state sets its own standards for how a business must respond to a data breach where PII is compromised. The federal government should create a single standard so companies are not burdened with the cost of determining the appropriate response for every state where they do business.
David Beardwood serves as an intern for BPC’s Homeland Security Project.
- Executive Order: Improving Critical Infrastructure Cybersecurity
- Cybersecurity Task Force: Public-Private Information Sharing