President Obama on Tuesday signed a highly anticipated executive order that lays out the administration’s cybersecurity plans to protect the nation’s critical infrastructure. Portions of the order would be welcomed by the energy sector, but others raised potential concerns, experts said.
The eight-page order titled "Improving Critical Infrastructure Cybersecurity" directs federal agencies to use their existing authorities to provide better cybersecurity for the nation through increased collaboration with the private sector. It essentially addresses three areas, calling for information sharing, creating a flexible risk-based framework of core practices based on existing standards, and incorporating privacy protections.
Critically, it requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The order also expands the Enhanced Cybersecurity Services program, enabling near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
In addition, it directs the National Institute of Standards and Technology (NIST), in collaboration with industry, to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. "The framework does not dictate ‘one-size fits all’ technological solutions," the White House said. It instead promotes a "collaborative approach" to encourage innovation and recognize the differing needs among critical infrastructure sectors. One benefit is that “organizations who want to upgrade their cybersecurity will have the flexibility to decide how best to do so using a wide range of available products and services,” it said.
Finally, the order directs departments and agencies to incorporate privacy and civil liberties protections into cybersecurity activities based upon widely accepted Fair Information Practice Principles and other applicable privacy and civil liberties frameworks and policies. It also requires regular privacy assessments and public reporting of any privacy and civil liberties impacts.
More Action Needed
The White House said it continues to believe that legislation is needed to fully address cybersecurity threats to infrastructure, saying the "Executive Order ensures that federal agencies and departments take steps to secure our critical infrastructure from cyber-attack, as a down-payment on expected further legislative action."
The proposed Cyber Intelligence Sharing and Protection Act (CISPA) last year passed the U.S. House but failed to gain traction in the Senate. The bipartisan Cybersecurity Act of 2012, another bill that contained some of the executive order’s measures, was later voted down by Senate Republicans who cited concerns that it would burden businesses with unnecessary regulations.
A Bittersweet Order for the Energy Sector
The prospect of expanded sharing of cyber threat information in Tuesday’s executive order would be "welcome news" for the energy industry, said lawyers from Sutherland Asbill & Brennan LLP. But the order also raised several areas of potential concern, including its broad definition of the term “critical infrastructure” to cover facilities that could have a “debilitating impact on national security, the economy, or public health or safety.” The lawyers said that language may include facilities not traditionally regulated at the federal level, such as intrastate pipelines and electric distribution facilities.
Then, there are vague referrals to "voluntary” guidelines. "The [Department of Homeland Security (DHS)] will identify high risk critical infrastructure and confidentially notify owners and operators of the identified critical infrastructure. Beyond receiving this notification, it is unclear to what extent these owners and operators will need to comply with ‘voluntary’ guidelines developed through the Executive Order’s consultative processes," the firm said.
Another major stumbling block may be the absence of liability protection for those who voluntarily share cyber threat and vulnerability information. "[T]he Executive Order does not provide any liability protection for those who participate in the information sharing and other programs authorized by the Executive Order, such as the Framework. In the absence of additional legislative authority, the President cannot issue directives providing such protection. But the lack of protection may prove problematic and may discourage program participation," the firm said.
Meanwhile, the order would likely result in a host of new cybersecurity regulations applicable to critical infrastructure, including natural gas and oil pipelines, storage, and other facilities, it claimed.
"The electricity sector also may see an expansion of cybersecurity regulation of electric generation, transmission and distribution facilities. Although Congress has not enacted any new legislation in this area, the Executive Order still carries the force of law. Energy industry participants should engage in and monitor the expected new rulemakings and other processes outlined in the Executive Order."
Sources: POWERnews, The White House, Sutherland Asbill & Brennan LLP
—Sonal Patel, Senior Writer (@POWERmagazine)