The Obama administration is getting ready to change the way the government handles cybersecurity.
The White House has drafted an executive order, a draft of which is currently circulating among federal agencies for approval, mirroring cyber legislation that recently failed to get through a Senate vote. Among other things, the order shunts much of the enforcement and management of cybersecurity issues to federal agencies. We understand that, contrary to some earlier news reports, the classified portion of the order does not contain significant new authorities but details those already existing.
According to a draft copy of the executive order obtained by our colleagues at Breaking Defense, the document sets out the rules and authorities that federal regulatory agencies have to enforce existing laws and requirements for cyber defense in different industrial sectors. The executive order is expected to be officially released soon after Thanksgiving.
At its heart, the executive order creates a “consultative process” led by the Secretary of Homeland Security Janet Napolitano. Under this process, the National Institute of Standards and Technology will develop a framework for reducing cyber risks to critical infrastructure.
The order also requires Napolitano to work with agencies to create a voluntary program to get private industry to adopt the framework. Also, federal regulatory agencies must review the framework and voluntarily adopt it if current regulations are deemed insufficient. Many Republican lawmakers and business interests objected to even the voluntary membership plan as a back door to introducing additional regulation.
The White House says its executive order meets the main goals of the stymied Lieberman-Collins bill. It differs from that legislative proposal in three ways:
- The legislation called for the DHS to develop the framework for addressing cybersecurity risks, but the executive order will instead use NIST’s existing processes in cooperation with the DHS and the private sector.
- Under the bill, DHS had the authority to regulate all critical infrastructure, with exemptions if there already were sufficient regulations in place. The executive order can’t extend new regulatory authority and relies on agencies’ existing authorities. “As a result, the executive order may not be able to cover all critical infrastructure sectors,” the draft said.
- The legislation would have required owners and operators to develop cybersecurity plans and created a process for the DHS to evaluate how those plans were being implemented. The executive order instead leaves it to the DHS to develop the details of the voluntary program and to the regulatory agencies to manage the details of any regulatory programs.
The order sets deadlines. DHS has 150 days to identify any critical infrastructure where a cyber attack could result in “a debilitating impact on national security, national economic security, or national public health or safety.”
After the 120-day mark, agencies responsible for regulating the security of critical infrastructure will submit reports to the White House detailing their authority to regulate the cybersecurity of critical infrastructure, what infrastructure is covered, whether existing regulations are in place and the agencies’ assessment of the adequacy of those regulations.
About 270 days after the order’s release, DHS, working with the Office of Management and Budget, will review the reports and identify and recommend to the agencies “a prioritized, risk based, efficient and coordinated set of actions to mitigate or remediate identified cybersecurity risks to critical infrastructure.” The agencies are then “encouraged” to propose regulations to mitigate any risks within a year of the order.
The executive order also calls for the creation of a near-real-time information sharing program.
This program will be set up in coordination with the Secretary of Defense, the Director of the National Security Agency, the Director of National Intelligence and the Attorney General. As a part of this process, unclassified reports of all known cyber threats to the United States that identify a target will be sent to the victims of those attacks. The transparency of this process is important because one issue in past government/industry cooperation efforts has been the government’s unwillingness to share threat information with the private sector.
The executive order is based on legislation that was strongly opposed by business interests, especially the U.S. Chamber of Commerce. The chamber said it believed that the proposed law would force additional regulations on industry.
Other critics of the legislation, such as Steve Bucci of the Heritage Foundation, feel that the Senate’s regulatory approach to cybersecurity would be too static to deal with the dynamic cyber environment. Speaking at a post-election conference in Colorado Springs, he noted that the competing McCain bill in the Senate was closer to industry’s needs, although it too was not perfect.
The government should not regulate industry, Bucci said, because regulation is too inflexible and slow. “All you are doing is giving the bad guys a target,” he said, arguing hackers would just pinpoint the vulnerable areas identified as requiring regulation and target them.
He proposed a bill that would, among other things, provide liability protection and encourage firms to create cyber supply chain standards. Companies would be graded for their supply chain security. “You could charge more if you have a good grade,” he said.
Companies should also have the right to defend themselves from cyber attack, Bucci said. He cited the example of the nation of Georgia, which in its ongoing struggle with Russia, set up a honeypot website loaded with malware. “They went for it and now the Georgians have information about the Russian hacker’s FSB handlers,” he said.