Obama Issues Cybersecurity Executive Order | Practical Law

President Obama issued an Executive Order intended to improve the cybersecurity of the US's critical infrastructure. In accordance with the order, NIST announced development of a new, voluntary cybersecurity framework.

Practical Law Legal Update 9-524-1518 (Approx. 4 pages)

by PLC Intellectual Property & Technology
Published on 13 Feb 2013 | USA (National/Federal)
On February 12, 2013, President Obama issued an Executive Order aimed at improving cybersecurity of the nation's critical infrastructure. The order sets out a number of requirements for federal agencies and focuses on information sharing and accurate identification of critical infrastructure. The order generally defines critical infrastructure as physical or virtual systems and assets that are so vital to the US that their incapacity or destruction would have a debilitating impact on:
  • Security.
  • National economic security.
  • Public health or safety.
  • Any combination of the above.
Among other things, the order addresses:

Government Information Sharing

The order aims to increase the volume, timeliness and quality of cyber threat information shared by the federal government with US private sector entities to allow them to better address cyber threats. Within 120 days of the date of the order, the US Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must issue instructions to ensure the timely production of unclassified cyber threat reports that identify a specific targeted entity. They must also create a process to disseminate these reports and track them.
To assist owners and operators of critical infrastructure in protecting their systems from cyber threats, the Secretary of Homeland Security and Secretary of Defense must also create procedures within 120 days of the order to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors authorized to receive them. This voluntary information sharing program will provide classified cyber threat information from the government to critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

NIST Framework to Reduce Cyber Risk to Critical Infrastructure

The order requires the Director of the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. The framework will be a set of voluntary standards, methodologies, procedures and processes that align policy, business and technical approaches to address cyber risks.
In accordance with the order, NIST announced on February 13, 2013 that it will issue a Request for Information (RFI) from critical infrastructure owners and operators, federal agencies, state and local governments and other stakeholders to share their:
  • Current risk management practices.
  • Use of frameworks, standards, guidelines and best practices.
  • Other industry practices.
In particular, the RFI will request information on many core practices across industries, including, for example:
  • Encryption and key management.
  • Asset identification and management.
  • Security engineering practices.
NIST plans to hold workshops over the next several months and will complete the framework in one year. More information on the cybersecurity framework is available on NIST's website.

Identification of Critical Infrastructure

Within 150 days of the date of the order, the Secretary of Homeland Security must identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on any of the following:
  • Public health or safety.
  • Economic security.
  • National security.
In identifying critical infrastructure for this purpose, the Secretary of Homeland Security is to use a consultative process established in the executive order and draw upon the expertise of Sector-Specific Agencies. Notably, the order states that the Secretary of Homeland Security may not identify any commercial information technology products or consumer information technology services as critical infrastructure.
Owners and operators of critical infrastructure identified under the order will be notified and provided with the basis for the determination. The Secretary of Homeland Security must also create a process that allows owners and operators of critical infrastructure to submit relevant information and request reconsideration of their identification as critical infrastructure.

Privacy and Civil Liberties Protection

The order aims to address concerns around protecting privacy and civil liberties by requiring that:
  • Agencies incorporate privacy and civil liberties protections into their activities under the order, based on the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency's activities.
  • The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in the order, as well as recommend to the Secretary of Defense ways to minimize or mitigate such risks, in a publicly available report, to be released within one year of the order.
  • Information submitted voluntarily by private entities under 6 U.S.C. § 133 (Protection of voluntarily shared critical infrastructure information) be protected from disclosure to the fullest extent permitted by law.