I’ve had a chance to read the draft Executive Order on cybersecurity now and several thoughts spring to mind.
For those who like the bottom line up front: I am, honestly, of two minds about this effort. On the one hand, it pushes pretty far toward a voluntary standard setting model backed by existing regulatory authority. On the other hand, the scope of the existing regulatory authority is pretty ambiguous and subject to dispute – that’s why the legislation was thought necessary in the first place. And without liability protection (which, the EO candidly notes, can only be granted legislatively) the incentives to join the voluntary program are pretty thin (unless, as we note at the bottom, the Administration can offer a Federal contracting preference, which would be huge). So this may amount in the end to a great deal of sound and fury signifying nothing. Or it might be a really big deal. We can’t really be sure.
Preliminary Process Notes
Let me start with four preliminary process points before turning to the merits.
First, and foremost, this appears to be the most current version of the EO. This EO addresses the regulatory program that might be developed. And, as several recent press reports have suggested the draft EO also addresses information sharing and contains some privacy protective limits on information sharing that were added to mollify Senate Democrats. Those too are in the draft we have – ergo, the draft is relatively recent and up to date. On the other hand, we can’t be sure – it is, after all, more than a month old. Further changes might have occurred. But it does look relatively complete.
Second, I find it quite remarkable that this is styled as a “Paper Deputies Committee” meeting. For those outside Washington that may not have significance, so here’s a short primer. The Deputies Committee (or DC) is a committee comprised, as its name suggests, of all the Deputy Secretaries of the Agencies and Departments of the United States. Not every Deputy Secretary attends every DC – they will attend only ones related to issues within their purview. In 95%+ of all cases, the DC is the last formal approval mechanism for a new policy – the Deputies are all senior leaders who speak for their Cabinet departments and who are expected to reach compromise and decision. Only rarely will a new policy question be elevated to the Cabinet level and/or to the President.
For questions that are considered to warrant discussion, the DC meets in person for an exchange of views. The DC meets on “paper” for more ministerial matters where approval and moving forward is presumed to be the default result. Thus, when this EO comes out as a “paper” DC, the suggestion is that there is uniform agreement within the Administration as to how to proceed. As I said, that’s pretty remarkable because it suggests that there was no voice at the table who was (at least in September) opposing the EO with any real vigor.
Third, note that the discussion paper calls for a response by October 5. That’s almost a month ago now. Usually those deadlines are pretty firm. So either there was, in fact, some internal dissent causing delay OR the EO was finalized but delayed in release for extraneous reasons. The evidence of course cuts both ways – the addition of information sharing that has been reported suggests real substantive changes may be happening. On the other hand, releasing this in the run-up to the election might have been thought incautious by the President’s political advisors.
Finally, note who is the point of contact at the NSC for this effort – Rob Knake. I think pretty highly of Rob. He is, most notably, the co-author of Richard Clarke’s book on Cyber War, so he certainly is part of the group who sees significant cyber threats. So his involvement is both unsurprising for this Administration and may tell us something about the final results that will come out.
But enough preliminaries. What of the substance?
The EO begins by requiring the Secretary of DHS to use existing structures (the Critical Infrastructure Partnership Advisory Council and the various Sector Coordinating Councils) to create a consultative process that will undergird much of what is to happen. In coordination with this consultative group and based on information from the various Sector-Specific Agencies (e.g. FERC for energy; DOT for transportation; etc.), the Secretary will have just 150 days to identify critical infrastructure where a cyber incident “could reasonably result in a debilitating impact on national security, national economic security, or national public health and safety.”
Let’s pause a second and consider that phrase, for it is the definitional phrase that delimits the scope of what is to follow. Frankly, I don’t know what is intended by “debilitating.” Most of the legislative efforts have used the phrase “catastrophic” or “extraordinary” to suggest the scope of harm that is to be avoided. Both of those seem to me narrower than “debilitating” in what they connote. My OED, for example, defines debilitating as “to render weak; weaken; enfeeble.” That seems short of catastrophic or extraordinary to me.
On the standard-setting side of the equation, the EO directs the Director of NIST to create something it calls the Cybersecurity Framework. This is a pretty canny move – NIST is both highly regarded and already has ample standard-setting authority. On the other hand, the Framework described has a bit of an “all things to all people” nature to it. It will be a “flexible and repeatable” approach intended to “help owners and operators of critical infrastructure identify, assess, and manage cyber risk and to protect privacy and civil liberties.” That’s broad enough to encompass almost anything that NIST decides it wants to put in (after, of course, consultation with the private sector and the Secretary of DHS and the Sector-Specific Agencies). About the only thing that won’t be in the standards is a particular technological solution – this carries forward the regulatory nod toward technological flexibility that was also a theme of the Lieberman-Collins bill. Oh, and did I mention that NIST has all of 180 days to publish a preliminary draft, with a final draft due to the Federal Register in a year? That’s not a job I would want to have!
It is in the next couple of steps that the rubber, as they say, actually meets the road. After all, identifying critical infrastructure and standards is all well and good – but what if nobody follows the Federal lead? The EO takes two steps on this issue.
First, the Secretary of DHS will create a voluntary program to encourage the adoption of the Framework by critical infrastructure owners. Exactly what that will entail (what incentives, say, for joining) is completely undefined and left to the Secretary. All we know is that the EO has acknowledged that it can’t provide the one thing that private industry most wants – protection against liability if they suffer a cyber loss notwithstanding the adoption of the Framework.
The second part of the effort looks to have more teeth. Each sector-specific agency is required to report to the President within 120 days on the extent of its existing regulatory authority to mandate cybersecurity for the industry for which it is responsible. The EO then says that within 1 year of the order being issued, agencies are “encouraged” to propose regulations to mitigate cybersecurity risks. I find this puzzling, of course – why would the President only “encourage” regulation, when he could, naturally, require it (at least as to non-independent agencies)?
Perhaps it is just to make it seem as if the regulatory issue hasn’t been decided. Or perhaps it reflects some deeper conflict within the regulatory agencies about how much authority they actually have and/or how advisable the costly regulations might be. One part of me suspects that the sector-specific agencies may actually be a bit more understanding of industry complaints than the Administration overall, or DHS, might have been.
Information Sharing and Privacy/Civil Liberties
The EO begins simply by requiring the Secretary of DHS (working with the DNI, the NSA and the AG) to establish a “real time” information sharing system to provide government-derived security information to critical infrastructure operators. I guess my reaction to that is either “it’s about time” or “we don’t do that already?” – but either way it’s a good thing. The EO also requires the DNI to provide tearline information about threats that identify a target or victim and to expedite security clearances for critical infrastructure operators.
Perhaps somewhat wishfully, the EO also suggests that the Secretary “request” critical infrastructure owners to share information about threats and incidents with DHS and to develop a method of sharing that shared information with other agencies. Notably, the information will NOT, apparently, be shared with other private sector actors, and the information sharing will only receive as much protection as DHS can currently offer against further use under 6 USC 133. That protection may be pretty substantial. It contains a FOIA exemption and protections for proprietary information as well as a prohibition on the use of the information for regulatory purposes. Here at least, perhaps, the Administration has found a way to ameliorate the concerns private industry will have about sharing information with the government.
Finally, the EO tasks the DHS Privacy Officer and Civil Rights/Civil Liberties Officer with conducting a privacy and civil liberties assessment of the risks that arise from the new programs described. Perhaps most notably, the privacy aspects shall be evaluated against the Fair Information Practice Principles, which will have a tendency to protect privacy at the expense of information sharing. The implementing Departments and Agencies are obliged to incorporate appropriate privacy protections in these activities. Here, again, the EO seems to be rather indefinite as to what will actually happen – but I suspect it is a significant victory for the privacy and civil liberties community to even have this called out as a separate requirement.
Buried at the end of the EO is, I suspect, the single piece of news that is likely to be the most effective part of the EO. Within 90 days the Secretary of Defense and the Director of GSA are to report to the President on whether or not a Federal Acquisition preference can be granted to vendors who meet cybersecurity standards (presumably this means the Framework). I don’t know anything about the Federal Acquisition Regulations, so I have no idea if this is really feasible, but if it is, it would be a huge carrot to incentivize voluntary compliance. Likewise, the idea that the Departments of Commerce and Treasury might be able to provide incentives to CI owners who participate in the DHS cybersecurity program (through grants? Tax credits? Who knows?) would also be a big incentive. The question, I suppose, is whether this can happen or not – and clearly the Administration isn’t really sure, or they would have authorized the incentives directly instead of sending the departments out on a fact-finding mission. Stay tuned.