Obama Cybersecurity Executive Order Calls for Voluntary Standards, Expansion of Threat Reporting

Obama’s order, signed Tuesday, is “only a down-payment on what we need to address this threat,” National Security Agency (NSA) Director Keith Alexander said Wednesday during a Commerce Department event on the order. The order (http://xrl.us/bogr2v) was the administration’s long-anticipated policy response to the failed Cyber Intelligence Sharing and Protection Act (CISPA). The administration had threatened to veto the bill last year, but it did not make it out of the Senate after passing in the House. Senate Democrats backed an executive order after the Senate failed to reach cloture on the Cybersecurity Act (S-3414), which Democrats preferred to the House-passed CISPA or the Senate’s SECURE IT Act (WID Nov 16 p1). Senior administration officials told reporters Tuesday that the order was “not a substitute for legislation,” noting that the order only directs agencies to take actions they are already empowered to take under existing statutes. Congress must pass a bill to institute more fundamental changes on company-to-company information sharing, federal information security and security breach reporting procedures, officials said.

House Intelligence Committee Chairman Mike Rogers, R-Mich., and Ranking Member Dutch Ruppersberger, D-Md. -- the sponsors of CISPA -- reintroduced the bill and responded to the order in a joint speech Wednesday at the Center for Strategic and International Studies.

Obama’s order emphasizes the role of public-private partnerships in combating cybersecurity, including directing the National Institute of Standards and Technology (NIST) to lead federal development of the Cybersecurity Framework -- a set of voluntary cybersecurity standards and best practices -- in concert with industry players. The NSA, Office of Management and Budget and other interested agencies will also be consulted during the framework’s development. The framework will focus on “identifying cross-sector security standards and guidelines” that apply to critical infrastructure, as well as identify areas of improvement that can be addressed through future collaboration with specific industry sectors. The framework’s guidance will be technology neutral and will include steps to measure a company’s performance in implementing the framework’s standards.

The planned development of the Cybersecurity Framework “reflects a core component of NIST’s work -- bringing together various stakeholders to address a technical challenge,” said NIST Director Patrick Gallagher at the Commerce event. Collaborating with industry will help NIST “better protect our nation from the cybersecurity threat while enhancing America’s ability to innovate and compete in a global market,” he said. NIST plans to issue a request for information from infrastructure companies, other agencies, state and local governments, standards-setting organizations, other industry players and related stakeholders. NIST will be required to publish a preliminary version of the framework within 240 days of the order, and a final version within one year.

DHS will coordinate a program to support voluntary industry adoption of the framework’s standards by critical infrastructure owners and operators. That program will include sector-specific risk analyses and annual reports on each sector’s rate of adoption of the framework standards. Those efforts may also include “a set of incentives” to encourage standards adoption, though the order does not outline what those incentives would be. DHS, Commerce and the Department of the Treasury will need to issue recommendations to the White House on incentives within 120 days of the order, including an “analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants,” it said. Defense and the General Services Administration will make recommendations to the White House within 120 days of the order on “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration,” it said. Those recommendations will detail what steps can be taken to “harmonize and make consistent” existing procurement requirements that relate to cybersecurity, the order said.

The standards NIST plans to develop are a starting point, “not a complete solution,” former Homeland Security Secretary Michael Chertoff told reporters after the Commerce event. “Nor, by the way, is there anything that’s ever going to eliminate risk. So I don’t think anybody suggests that all you have to do is apply these standards and you're done. I think the standards give you a framework."

The order also directs the Department of Homeland Security (DHS), the Justice Department and the Director of National Intelligence to issue “instructions” within 120 days of the order “to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.” The agencies will also be required to create a process to “rapidly” issue those reports and classified reports to “critical infrastructure entities authorized to receive them.” The order also requires DHS and the Defense Department to begin expanding the experimental Enhanced Cybersecurity Services program to include “all critical infrastructure sectors.” That program provides classified information on cyber threats to infrastructure companies and service providers that provide security services for critical infrastructure. The order also directs DHS to expedite security clearance processing for employees of critical infrastructure companies. DHS will notify owners and operators of critical infrastructure identified as being at “greatest risk,” while commercial IT products and consumer IT services will not be a part of the risk analysis, the order said.

DHS will also be required to identify to the White House within 150 days of the order critical infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” DHS will draw on sector-specific agencies in identifying critical infrastructure at greatest risk, and will explain the reasons for that determination. The agency will create a process for owners and operators to request reconsideration of identification, the order said.

Administration officials emphasized the inclusion of privacy and civil liberties protections in the order, which directs agencies to coordinate their order-related activities with agency privacy and civil liberties officials and ensure protections are incorporated into their activities as prescribed by the Fair Information Practice Principles and similar policies. DHS’s chief privacy officer and the officer for civil rights and civil liberties will assess the privacy and civil liberties risk posed by DHS activities related to the order. The DHS officers will consult with the Privacy and Civil Liberties Oversight Board and issue a public report on their assessment of those risks within a year of the order. Privacy and civil liberties officials in other agencies will also conduct assessments and provide them to DHS for inclusion in the report. The order will also ensure that companies do not disclose customers’ personal information in their reports, Deputy Attorney General James Cole said Wednesday. “This order sets the direction for responsible, effective cybersecurity standards and information sharing, while preserving individual privacy and civil liberties and ensuring transparency and accountability to the American public we seek to protect,” he said.

The White House issued a separate policy directive that provides guidance on execution of the order and updates a 2003 policy directive on critical infrastructure security “to adjust to the new risk environment, key lessons learned, and drive toward enhanced capabilities” (http://xrl.us/bogr2t).

Industry experts at a Federal Communications Bar Association event Tuesday night said government had an important role to play in a multistakeholder approach to cybersecurity. Government should take the lead on cybersecurity issues, but acknowledge that “everyone is a part of solving the problem,” said Anne Bader, founder of the International Cybersecurity Dialogue. Government “only owns 10 percent of the Internet, but they are responsible for protecting 100 percent of the Internet,” she said.

While some stakeholders questioned the FCC’s ability to exercise authority on cybersecurity issues, “we didn’t have any trouble at all with getting people to come in and sit down,” Jeffery Goldthorp, Public Safety Bureau associate chief-Cybersecurity and Communications Reliability Division, told the FCBA event. “We were having detailed, technical conversations with engineers at these companies” in the lead-up to the formation of the Communications Security, Reliability and Interoperability Council (CSRIC). NIST involvement in cybersecurity standards setting would be an important example of government leadership in multistakeholder cybersecurity efforts, since “NIST has a long track record of working in a collaborative manner with industry, rather than sit down and dictate,” said Eric Wenger, Microsoft policy counsel-cybersecurity, standards and interoperability. “I feel very comfortable saying that if NIST is leading the effort, it will be with all of the stakeholders around the table."

Hill, Industry Response

Senate Majority Leader Harry Reid, D-Nev., applauded the executive order. The order “will significantly advance cybersecurity in the networks of our nation’s critical infrastructure, and will facilitate more rapid, more effective sharing of time-sensitive threat information between the government and private sector,” he said in a statement. Legislation is “essential to address current gaps in authority,” Reid said, saying he will work with other members to advance legislation. “Until Congress acts, President Obama will be fighting to defend this country with one hand tied behind his back,” he said.

The executive order will help protect the country from cyberthreats, Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said in a statement. “There is no doubt the President’s Executive Order will improve the partnership between the government and the private sector needed to defend our country,” he said. He will “continue to build on it by working on cybersecurity legislation in the weeks and months ahead.” Last month, Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act (http://1.usa.gov/X3NLQX). The five-page “sense of Congress” measure -- co-sponsored by Democratic Sens. Tom Carper, Del., Dianne Feinstein, Calif., Carl Levin, Mich., Barbara Mikulski, Md., Sheldon Whitehouse, R.I., and Chris Coons, Del. -- asks Congress to enact legislation that would create better information sharing mechanisms with the private sector, improve cybersecurity research and training and expand “tools and resources for investigating and prosecuting cybercrimes in a manner that respects privacy rights and civil liberties and promotes United States innovation."

The executive order “could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats,” House Homeland Security Committee Chairman Michael McCaul, R-Texas, said in a statement. “The executive branch also lacks constitutional authority possessed by Congress to provide the necessary liability protections that industry needs to freely share threat information with the federal government in a joint effort,” which will provide disincentives to join information sharing efforts, he said. McCaul pointed to the CISPA bill by Rogers and Ruppersberger, which he said would “facilitate this partnership between the public and private sector and [provide] the necessary protections.” McCaul also said he would be introducing legislation “to enhance coordination between the private sector and government in order to protect our critical infrastructure including communications networks, information technology, pipelines, dams, and transportation systems."

Though legislation is necessary, the executive order is an “important step towards improving our nation’s cybersecurity,” said House Homeland Security Committee Ranking Member Bennie Thompson, D-Miss., in a statement. With the order, “the Administration has built a framework to foster an effective partnership between our government and the private sector to ensure that the critical infrastructure that keeps our citizens safe and secure is properly shielded from malicious cyber activity,” he said.

The executive order is commendable but needs complementary legislation to effectively combat cyberthreats, Rep. Jim Langevin, D-R.I., said in a statement. “The executive order cannot provide many of the liability protections and other incentives for industry to participate in cybersecurity initiatives, and it cannot fully address the changes needed to allow a robust cyber threat information sharing program,” he said, applauding the executive order for including recommendations made by Center for Strategic and International Studies’ Commission on Cybersecurity, of which Langevin was co-chair. Whitehouse agreed that legislation is needed to fill the gaps left by the executive order. “I look forward to working with Congressman Langevin ... to ensure that public-private partnerships are developed to respond to these threats, and that relevant government agencies have the capabilities, resources, and authorities necessary to protect our nation."

The executive order is not sufficient and Congress needs to pass cybersecurity legislation, said Rep. Mac Thornberry, R-Texas, in a statement. “Strengthening cybersecurity must be collaborative and bipartisan,” he said. “The only way we are going to be able to move forward is with the House, Senate, and Administration working together."

The executive order fails “to recognize that cybersecurity is a shared responsibility,” said Verizon Senior Vice President of Public Policy Craig Silliman in a statement. “Categorically excluding relevant entities in the Internet ecosystem undermines our shared objective of protecting critical broadband assets.” Silliman said he agreed with Obama that the executive order alone will not be sufficient to combat cyberthreats. “Now that the executive order has addressed the issue of critical infrastructure protection, we urge the administration to work with Congress to achieve the rapid enactment of bipartisan information-sharing legislation,” he continued.

CenturyLink is encouraged by the executive order, said Steve Davis, executive vice president for public policy and government relations, in a statement. “A voluntary, flexible, balanced and collaborative partnership between government agencies and the private sector is essential to improving the nation’s cybersecurity posture,” he said. He also encouraged the White House to work with Congress on legislation to establish information sharing and liability protection frameworks.

The executive order strikes the right balance between protecting against cybersecurity threats and protecting civil liberties, said ACLU Legislative Counsel Michelle Richardson in a statement. Providing incentives for companies to take part in information sharing efforts is “a privacy-neutral way to distribute critical cyber information,” and “the adoption of Fair Information Practice Principles for internal information sharing demonstrates a commitment to tried-and-true privacy practices -- like consent, transparency, minimization and use limitations,” she said. Richardson compared the executive order to the “overbroad” information sharing practices in CISPA, which the ACLU opposes.

The Center for Democracy and Technology (CDT) applauded the executive order for its privacy and civil liberties protections. By requiring that the government’s cybersecurity plans include privacy-by-design and “explicitly requiring adherence to fair information practice principles, the order adopts a comprehensive formulation of privacy,” CDT President Leslie Harris said in a statement. Additionally, the annual privacy assessment “can create accountability to the public for government actions taken in the name of cybersecurity,” she continued.

The Software and Information Industry Association warned that the order’s implementation will be critical. President Ken Wasch said in a statement that effective cybersecurity policy will avoid “rigid regulations” that harm innovation. “A regulatory approach seeking to cover a broad, rapidly-evolving cross-section of industry would have the unintended consequence of slowing technological innovation and limiting our collective cybersecurity preparedness,” he said. Therefore, the executive order should be implemented “in a way that retains necessary flexibility."

The executive order “proposes meaningful steps to improve the nation’s cyber defenses,” including improving information sharing and “creating a security framework that is based on existing, voluntary, consensus-based standards and best practices,” said Danielle Kriz, Information Technology Industry Council (ITI) director for global cybersecurity policy, in a blog post (http://bit.ly/YVPTdM). ITI appreciates the information sharing focus and hopes that Congress will pass complementary legislation, she said. “To be as nimble and flexible as cyber intruders have proved to be, we need an improved information-sharing system that operates in real time and is bi-directional -- from the private sector to government, and from government to the private sector.” ITI applauds NIST for developing the voluntary standards and best practices and agrees “that commercial information technology products or consumer information technology services should not be designated [critical infrastructure] at greatest risk."

Obama’s cyber policy is a “mixed bag” whose success will rely on implementation, said Internet Security Alliance (ISA) President Larry Clinton in a statement. The policy’s upsides include broadening the Information Sharing Program to include more private companies, examining market incentives to encourage cybersecurity best practices and requiring new standards to be cost-effective, Clinton said: Potential negatives in the policy include not requiring government to secure its own systems first, failing to provide law enforcement agencies with enhanced tools to combat cybercrime and the threat of a voluntary system for private entities becoming required under federal regulation. “The most fundamental fact about cyber security is that the networks are owned by the private sector, and it is unrealistic to attempt to manage them via government regulation. ... Yet, until now, the government has never seriously assessed security from an economic aspect,” he continued. The new approach of examining market incentives “can, as the Rogers-Ruppersberger bill has demonstrated, attract bipartisan support and lead to a sustainable system of cyber security."

New CISPA Passage Aided by New Threats, Political Tone

The new CISPA bill by Rogers and Ruppersberger, HR-624, would allow the government to share with the private sector classified information related to cyberthreats, allow private companies to voluntarily share cyberthreat information with each other and the government and provide liability protections to companies that share cyberthreat information in good faith. “We're just trying to get the information that we have ... and pass that information, we call it secret sauce, to providers” so they can better protect their systems and customers from cyberthreats, Ruppersberger said Wednesday at the CSIS event.

The bill would “allow the private sector to prepare to defend themselves,” which is increasingly important as cyberattacks become more common and more harmful, Rogers said at the event. “We are in a cyberwar ... and at this point, we're losing,” he continued. The ability of cyberattacks to harm companies is evidenced by a recent Iranian cyberattack against Saudi Arabia’s national oil company Aramco. “They destroyed 30,000 machines. That’s new. That’s a level of capability we haven’t seen before,” Rogers said. Additionally, nations like China are stealing intellectual property “at a breathtaking pace” and then using it to compete against American companies, he said.

This year’s CISPA is more likely to pass, due to new threats and a changed political tone around cybersecurity conversations, Rogers and Ruppersberger said. The president’s executive order and inclusion of cybersecurity in the State of the Union address is a good step forward, Rogers said: The executive order “takes a little pressure off the Senate’s insistence on infrastructure rules, regulation and standards.” Additionally, the White House has been more willing to work with the two lawmakers, Ruppersberger said. “We're working with the White House ... to make sure, somehow, some way that we get a bill.” There’s been a change in tone, Rogers said. “We are wildly accepting of that tone change."

The new bill addresses many of the privacy concerns that helped derail the bill last year, Ruppersberger said. “We bent over backwards to make sure ... that we're not invading anyone’s privacy.” Ruppersberger said the drafters worked with privacy advocates to limit the information that can be shared to the “very basic” elements currently in the bill, including information about cyberthreats, national security, child pornography and imminent threats, such as when a person is in danger. “We listened to the privacy groups, we put that in the bill,” he said. “The bill does not authorize the government to monitor your computer or read your email, tweets or Facebook posts.” Additionally, the bill requires the inspector general responsible for overseeing U.S. intelligence agencies to review how the government is using the information that companies have voluntarily shared, the representatives said.

The reintroduction of CISPA drew industry approval and activist criticism. Verizon supports legislation like CISPA “that boosts ongoing cybersecurity efforts and promotes the sharing of cyberthreat information among communications companies and federal agencies, provides appropriate liability protections and consumer privacy safeguards, and achieves greater cybersecurity without technology mandates or prescriptive rules,” said Peter Davidson, senior vice president-federal government relations: Infrastructure providers need “flexibility” with their networks. ISA said separately it “strongly supports” CISPA’s reintroduction. The bill is refreshing because it doesn’t “utilize a traditional, top-down regulatory approach that is too limited in scope and too slow to keep pace with ever-changing cyber threats,” said an ISA letter dated Tuesday to Rogers and Ruppersberger. CTIA President Steve Largent said the bill provides a “sensible framework” for addressing cyberattacks such as those recently made against news media and the Federal Reserve, and Congress should “act quickly” to pass it. AT&T, USTelecom and the U.S. Chamber of Commerce also released supportive statements.

In contrast to other “minimization procedures” that have “been in effect in other security statutes for decades,” CISPA lets the government use customer data given by companies for “undefined ‘national-security’ purposes,” the ACLU’s Richardson said in the same statement concerning the executive order. The Cybersecurity Act in the Senate makes “significant progress” on privacy and “it is discouraging that the House persists in taking the low road,” she said. CDT “strongly opposes” the bill, “as did virtually all civil liberties and Internet freedom groups” last year, the group said. Once the NSA -- which “operates secretly with little public accountability” -- gets private information from companies, “it can be used for purposes completely unrelated to cybersecurity,” CDT’s Harris said: It creates “a sweeping exception to all privacy laws.”