On February 12, President Obama signed an Executive Order (“the Order”) mandating increased efforts to improve the nation's cybersecurity.[1] On the same day, the President signed Presidential Decision Directive 21, Critical Infrastructure Security and Resilience (“the Presidential Directive”).[2] The Executive Order, “Improving Critical Infrastructure Cybersecurity,” focuses on securing “critical infrastructure” (“CI”), defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Recognizing that cyber threats to CI are “one of the most serious national security challenges we must confront,” the Order provides a framework for agencies to collaborate with private sector entities to combat cyber attacks.[4]

The Presidential Directive replaces a 2003 directive of President George W. Bush, and names 16 CI areas and the federal agencies with corresponding responsibility. It expands upon the cybersecurity measures outlined in the Order, and also calls for improvements to the physical security of CI. The 16 CI areas, and the corresponding federal agency (or agencies) with jurisdiction, are set out at the end of this piece.
President Obama is believed to have chosen to issue an Executive Order and Directive on security for critical infrastructure following the inability of the House and Senate to agree upon a common approach. While there is a consensus that protecting cybersecurity and CI is a top national priority, there is considerable controversy over whether to adopt a “regulatory” approach or one that simply facilitates information sharing between the government and the private sector.
By issuing the presidential decision documents, the President mandated greater information sharing, asked agencies with existing regulatory authority to issue new rules to address cybersecurity within current laws, and initiated an inter-agency process to develop voluntary, consensus-based cybersecurity standards that CI companies could choose to follow, or not. However, the President will receive reports on whether companies are complying voluntarily, or if new legislative authority should be requested.
As discussed at the end of this piece, the European Union has also recently issued a significant cybersecurity proposal. Unlike the President's effort to avoid imposing mandatory regulation, the EU course—which would require adoption by the Parliament and Council—is self-described as a “regulatory approach.” This may prove as controversial in Europe as the regulatory legislation considered by the last Congress was in the United States. Owners and operators of CI, and other interested companies, should monitor developments on both sides of the Atlantic and participate in the rulemaking process in Washington, and the policy development process in Brussels and EU capitals, as appropriate.
The combined upshot of the Executive Order and Presidential Directive will be to move CI owners and operators in the private sector toward compliance with new cybersecurity standards to be identified and developed primarily by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), sector-specific regulatory agencies (“SSAs”), and existing industry consensus standards.
Participation in the private sector cybersecurity program contemplated in the Order is voluntary. However, it will be difficult for CI companies to disregard the new voluntary standards in order to mitigate future potential liability, or if regulation based on the new standards is imposed by their respective primary regulators.
The confidential process whereby the DHS identifies which companies are deemed to be CI owners or operators is also sure to be fraught with considerable controversy and contention. Designated companies will have the opportunity to seek reconsideration, but the fact of initial designation could set off a concatenation of disclosure and safeguarding responsibilities.
Key provisions of the Order include:
The Order has significant implications for companies that may be designated as CI. Although participation in the Cybersecurity Framework program is technically “voluntary,” a non-participating CI company will be identified within the government given the requirement that reports on participation be issued to the President. Moreover, there is a risk that the “voluntary” standards will be enforced as a practical matter through regulatory action or litigation. Public companies will also be interested to see whether the Securities and Exchange Commission issues any guidance as to how to handle a CI designation in public filings and disclosures. Notably, however, the Order is somewhat less “regulatory” in nature than the Lieberman-Collins Cybersecurity bill rejected by the Senate last year, and distinctly less “regulatory” than the EU's recently proposed cybersecurity directive (discussed below).
It is also possible that companies may find the development of baseline, consensus standards to be valuable for advancing substantive cybersecurity efforts and such standards could give companies a basis to argue that compliance with the baseline standards is a sufficient defense to allegations of negligence (in cases where a company suffers losses from a cyber-attack that it could not prevent despite its implementation of safeguards). Significantly, however, the Order does not itself mandate any reporting to the government of network penetration or other cyber-attacks.
Companies that could be designated as CI owners or operators should carefully monitor implementation of the Order and Directive through regulatory proposals and agency actions, as well as any congressional action, of course.
The EC's proposed cybersecurity directive is a positive step in elevating attention to a subject that is recognized as a top threat to the national security and economic well-being of societies on both sides of the Atlantic. As noted above, President Obama issued his Executive Order in order to break the logjam on whether or not “regulatory” legislation should be enacted. The Commission's proposal has come down firmly in favor of a self-described “regulatory approach.”
The Commission expressly concludes that the voluntary approach currently in effect does not provide sufficient protection. Accordingly, the EU would require CI operators in banking, stock exchanges, energy, transport, health, and internet services (like e-commerce, search engines and cloud service providers) to conduct risk assessments and report significant network security incidents to cybersecurity authorities to be established in each EU member state. “Trust service providers,” which authenticate electronic signatures and websites, etc., would also be subject to the new standards.
The Commission's impact assessment for the proposed directive estimates that the additional obligations imposed by the new requirements would only run to between 1 billion and 2 billion euros. Even this quite large number may not be entirely realistic, however, and while the figure is backed up with more comprehensive analysis, the assumptions may be unduly optimistic. Internet service providers (ISPs) would not be covered under the new directive because they are already covered under an existing directive for electronic communications, and software and hardware manufacturers would also not be covered by the mandatory reporting standards because they are not providers of information society services.
National cybersecurity authorities in the EU would be required to establish “Computer Emergency Response Teams,” like those that currently exist in the U.S., and would also be empowered to impose cybersecurity standards, demand information from relevant businesses, conduct audits and impose sanctions for non-compliance.
The proposed directive would promote coordination within the EU, as well as with multilateral institutions outside the EU such as NATO, OECD, etc. Significantly, and positively, the Commission states that “cooperation with the United States is particularly important.”
The directive also requires that cybersecurity be implemented in a manner consistent with fundamental values recognized in the EU, such as respect for private life and communications, data protection and privacy, the right to property, the right to be heard in court and the freedom to conduct a business.
The proposed Directive would:
The EU standards would also apply to companies that provide information society services and other covered services in the EU. This will obviously impact U.S. multinationals as well as leading Internet businesses such as cloud operators, search engines, etc. The lesson for the United States, however, may be that we must engage with the EU on cybersecurity in order to avoid the development of a pernicious, ongoing policy conflict and trade dispute as we see now regarding privacy and international data transfers.
Cybersecurity is a global problem that requires international attention. Through the policy initiatives of the White House, and the technical work of the NIST, DHS, NSA, FBI, and other agencies, the United States may well be ahead of the technological curve on cybersecurity. We should be sure to take the EU up on the Commission's perspective that “cooperation with the United States is particularly important.”
©2014 The Bureau of National Affairs, Inc. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of The Bureau of National Affairs, Inc.