Submit to Digest

Executive Order Promotes Public-Private Collaboration to Protect Critical Infrastructure from Cyber Threats

Commentary Notes First Amendment
Executive Order on Cybersecurity By Jessica Vosgerchian — Edited by Ashish Bakshi Executive Order 13636—Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11739 (February 19, 2013) Order; Press Release [caption id="attachment_3060" align="alignleft" width="150"] Photo By: Mark Skrobola - CC BY 2.0[/caption] On February 12, President Obama signed an Executive Order to increase information sharing between government agencies and private companies regarding cybersecurity threats to critical infrastructure. The order, titled “Improving Critical Infrastructure Cybersecurity,” mandates the delivery of classified reports to infrastructure companies that are likely targets of cyber attacks. The Secretary of Homeland Security, the Attorney General, and the Director of National Intelligence will develop a process for tracking the dissemination of the reports. Improving Critical Infrastructure Cybersecurity, sec. 4(b), 78 Fed. Reg. at 11739. The New York Times provides an overview of the order and reactions to it. The Huffington Post notes that the order safeguards personal privacy, a feature that the ACLU applauds and contrasts favorably with CISPA, the cybersecurity legislation reintroduced in the House of Representatives. In order to promote greater communication between private actors and government agencies, the order expands the use of programs that temporarily recruit private sector experts into federal service to provide advice regarding the type of information that would most help infrastructure operators mitigate the risk of cyber attacks. Improving Critical Infrastructure Cybersecurity, sec. 4(e), 78 Fed. Reg. at 11740. The Secretary of Homeland Security is charged with expediting the process for issuing security clearances to receive classified information. Id., sec. 4(d). An executive order cannot impose obligations on private sector entities, but the plan lays out a strategy for encouraging private companies to voluntarily bolster their cybersecurity systems.  The Director of the National Institute of Standards, overseen by the Secretary of Commerce, will direct the development of a framework of standards and procedures to reduce cyber risks to critical infrastructure. Id., sec. 7(a). Infrastructure corporations can opt in to the “Cybersecurity Framework” to receive guidance and feedback to improve their security systems to meet suggested standards. Id.,sec. 8(a-b) at 11741–42. Privacy protection is also a central tenet of the executive order, which invokes safeguards such as the Fair Information Practice Principles to guide the private sector in protecting user data when reporting threats to the government. Id., sec. 5(a) at 11740. Department of Homeland Security officers will assess the program’s protection of privacy and civil liberties. Id., sec. 5(b). The executive order follows the White House and Congress’s failed attempt to pass legislation addressing major cyber vulnerabilities in the nation’s infrastructure.  One of the Obama administration’s top national security policies last year, the New York Times notes, was getting Congress to empower the Department of Homeland Security to enforce minimum security standards for critical infrastructure.  Senate Republicans objected, however, arguing that the standards would place too great a burden on private businesses, and filibustered the bill in August. In last week’s State of the Union address, President Obama discussed cybersecurity as an urgent problem: “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” The House of Representatives addressed the issue in April 2012 by passing the Cyber Intelligence Sharing and Protection Act (CISPA). The bill floundered in the Senate amid criticism that it would legally shield companies that gave the government their users’ or employees’ private information and did not limit how the government would use the information. On February 13, however, CISPA’s House co-sponsors reintroduced the bill. Some commenters criticized the executive order for doing little to address the cyberthreat problem, since only legislation could impose mandatory standards on private infrastructure operators to competently protect their systems against hackers. “The executive order is about information sharing — it does not even begin to address the real problem, which is that these systems are completely insecure,” said Dale Peterson of Digital Bond in an interview with the New York Times. “I’m amazed that 11 ½ years after 9/11, the government hasn’t even had the courage to say, ‘You need to replace this insecure equipment.’ If you get on these systems, they have no security and you can do whatever you want.” Others, however, are glad that the executive order avoids the pitfall of sacrificing personal privacy for greater surveillance faculties. According to The Huffington Post, White House officials said that the data shared under the order will be limited to threats such as malicious code, rather than private data like email contents. “The president's executive order rightly focuses on cybersecurity solutions that don't negatively impact civil liberties,” ACLU Legislative Counsel Michelle Richardson said. “For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information.”