President Barack Obama announced the signing of a cybersecurity Executive Order (EO) in his State of the Union address on Tuesday, February 12. A copy of the final EO can be found at the White House site: here.
I provided a detailed analysis of an earlier draft on this blog. Here is a quick summary of the key differences between my earlier analysis and this final version:
- Several specific statutory citations that give the President authority to act on the matter have been deleted in the final (Sec. 2 & Sec. 4);
- He makes reference to “expanding” rather than “developing” the Enhanced Cybersecurity Services Program under development by the Department of Defense (Sec. 4(c));
- A section on consultation with civil liberties and privacy counsel within each of the critical infrastructure sector-specific agencies has been deleted from the final; instead, the Civil Liberties Oversight Board is to be consulted (Sec. 5(c));
- NIST’s role in leading the development of a Framework is the same as in the draft, but NIST must also consider the provisions of the National Technology Transfer and Advancement Act of 1995 (Sec. 7);
- The Secretary of DHS is to come up with an “incentives” program for private sector participation in the Voluntary Critical Infrastructure Cybersecurity program within 120 days, rather than 90 days (Sec. 8(d));
- Federal agency procurement standards are to be “harmonized” with the cybersecurity requirements of this program (Sec. 8(e));
- Critical infrastructure companies identified by the Secretary of DHS as being at the greatest risk are to be informed of the “basis of the determination” by the sector-specific agencies [language changed from sharing “relevant threat information”] (Sec. 9(c));
- Reference to E.O. 13609 of May 1, 2012 on Promoting International Regulatory Cooperation was added and the sector-specific agencies have 90 days rather than 60 days to act (Sec. 10(b)); and
- Within a year after the publication of the final Framework, sector-specific agencies are to identify “inefficiencies” [rather than “duplicative” requirements] in regulations (Sec. 10(c)).
Although these changes are minor, they are also revealing as to how the agencies must have responded to the November draft. First, several deadlines for the participating agencies have slipped. Second, there is a greater emphasis on the federal agency procurement process and the implications this E.O. might have for subcontracted services. Third, with the added emphasis on technology transfer, technologies from the National Laboratories could be made more readily available to the private sector for commercialization. Fourth, there is a new emphasis on international cooperation.
Finally, the subtle change in Sec. 9(c), which originally referenced sharing of “threat” information but in the final version references sharing of the “basis for the determination,” is very telling. The “threat” factor is just one of several inputs to a comprehensive risk assessment process. In generic terms, the characterization of assets (or “predisposing conditions,” as NIST SP 800-30 calls them), vulnerabilities, and impacts (with both a magnitude and a frequency measure) should also be included. Granted, the process that the President is asking Secretary Napolitano of the Department of Homeland Security to spearhead is at the macro level (versus the company-specific or micro level). Nonetheless, the E.O. is very clear in specifying a “risk-based approach” to identify those companies and/or entities within one of the 18 identified critical infrastructure categories. As such, it is likely that one or more of the commonly used risk-based approaches will be applied at the conceptual level to this macro-level analysis.