On Friday, the White House circulated a revised draft cybersecurity executive order to the press and various interested parties. The new order, dated November 21, 2012, is a significant departure from the previous publicly available draft executive order, ostensibly dated September 28, 2012, because the latest version strips out the more stringent requirements on critical infrastructure owners, enhancing the voluntary nature of the order, and significantly weakens the regulatory roles of the sector-specific government agencies. (I’ve pasted at the end of this post for easy reference an excel table with the new order in its entirety, with some of the more salient new sections and language highlighted in red).
In addition, the new draft order is far more business friendly, granting greater flexibility to critical infrastructure owners and relevant technology suppliers to
- inject industry expertise and input into how cyber threat information sharing occurs by having their experts more easily attain security clearances as well as gain temporary government employment for the purposes of aiding the cybersecurity program,
- explain how business policies may “align” with the new cybersecurity regime,
- avoid having their commercial information technology products identified by name,
- opt-out of being classified as critical infrastructure,
- provide feedback on any burdens that may flow from the new regime and
- receive cyberthreat information from the government rather than merely serve as sources that feed cyberthreat incident information to the federal authorities.
The White House thus apparently heeded the criticism of Congressional Republicans and business lobbying groups, who earlier this fall decried the Obama Administration’s lack of consultation with key interested parties while drafting the order. In responding to press calls regarding the latest draft, a White House spokesperson issued the same statement to all inquiries: "The National Security Staff has held over 30 meetings with industry, think tanks, and privacy groups, meeting directly with over 200 companies and trade organizations representing over 6,000 companies that generate over $7 trillion in economic activity and employ more than 15 million people."
Quick and Dirty Comparison of the Two Orders
Although it’s difficult to produce a clean comparison between the two draft orders, it’s clear that in almost every major component, the latest order weakens the regulatory authority of the sector-specific agencies, specifically as it relates to information sharing, while incorporating the expertise of critical infrastructure owners into the process. Moreover, the latest order features a looser definition of what constitutes critical infrastructure and builds in a more market-based approach to the creation of the overarching framework that would be the cornerstone of the program.
Weaker regulatory authority of sector specific agencies, particularly regarding information sharing
The November 21 draft order replaces the earlier draft’s detailed directives to the sector-specific government agencies, which are currently responsible for some oversight or regulation of each of the 20 critical infrastructure sectors (energy, telecommunications, chemical, critical manufacturing and so forth). Those earlier directives in the ostensible September 28 draft order, which largely originated from or were coordinated through DHS, mandated that the agencies:
- Develop reports detailing the legal authorities under which they can regulate the cybersecurity of critical infrastructure.
- Follow a set of actions developed by DHS and OMB to mitigate cybersecurity risks.
- Propose regulations of critical infrastructure owners to mitigate cybersecurity risks.
- Receive reports from critical infrastructure owners of cybersecurity risks.
- Follow implementation guidance from DHS to encourage a comprehensive and integrated cybersecurity approach across all sectors.
That earlier system, which does not appear in the new order in any form, is now replaced by a more voluntary approach:
- The sector specific agencies will now engage in a consultative process with DHS, OMB and the National Security Staff to review a preliminary cybersecurity framework developed by NIST to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.
- Within 90 days of publication of the preliminary NIST framework, the agencies will submit to the President a report that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, any additional authority required, and the extent to which existing requirements overlap, conflict, or could be harmonized.
- If the agencies deem current regulatory requirements insufficient, they can propose actions within 60 days of the publication of the final NIST requirements.
- Within two years after publication of the final NIST Framework, agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to duplicative, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
- The DHS will now establish “procedures” that allow critical infrastructure owners to participate in the information sharing system on a voluntary basis. (The earlier version specified that DHS shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents and threats.)
- DHS will expedite security clearances of critical infrastructure personnel, presumably to enable their greater participation in the whole program.
- DHS will expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
The earlier version of the draft cybersecurity order required that the Department of Homeland Security (DHS) rely upon a prioritized critical infrastructure security list required under the Homeland Security Act. This list resulted in the creation of a controversial database that identified hundreds of thousands of critical infrastructure assets.
The latest draft order relies instead on a looser consultative process as well as the expertise of the sector-specific agencies to identify critical infrastructure, using what it says is a risk-based approach. The new order also prohibits identifying any commercial information technology products (presumably this means no specific vendor’s products can be named) and provides for the creation of a process under which identified critical infrastructure owners can be removed from the list.
More Market-Based Approach to the Baseline Cybersecurity Framework
Both the earlier and the latest orders direct the National Institute of Standards and Technology (NIST) to develop a framework to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The new draft order, however, gives NIST more time to develop the initial framework – 240 days as opposed to 180 days.
The new draft order also incorporates more business-friendly language. For example, the new draft order states that “the Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.”
It also states that:
“the Framework will also identify potential gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide cybersecurity guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.”
It further provides for business confidentiality protection by stating that “the Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality.”
Finally, while the earlier order said the Framework shall “include metrics for measuring the performance of an entity in implementing the Cybersecurity Framework,” the new draft merely calls for “guidance” in measuring the performance of an entity.
I’ve pasted below a table that includes the new draft order in its entirety, with the key new sections and language highlighted in red.