Following his recent State of the Union address, President Obama issued an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.”
The Policy section of the Executive Order notes that repeated cyber intrusions into critical infrastructure demand improved cybersecurity. This section correctly points out that the threat to critical infrastructure “continues to grow and represents one of the most serious national security challenges we must confront.”
Indeed, it is stated that the “national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats.”
Accordingly, the Executive Order provides in no uncertain terms that “it is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” The Executive Order provides that these aspirations can be achieved by way of “a partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
The first major prong of the Executive Order calls for cybersecurity information sharing. Specifically, the U.S. government is “to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.” The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence are tasked with coming up with instructions to fulfill this goal.
The second significant prong of the Executive Order seeks to maintain privacy and civil liberties protections. Thus, federal agencies are directed to coordinate their activities pursuant to the Order with senior privacy and civil liberties agency officials to “ensure that privacy and civil liberties protections are incorporated into such activities.”
The third important prong of the Executive Order demands a baseline framework to reduce cyber risks to critical infrastructure. The Secretary of Commerce is to direct the Director of the National Institute of Standards and Technology “to lead the development of a framework to reduce cyber risks to critical infrastructure.”
The fourth key prong of the Executive Order calls for a voluntary critical infrastructure cybersecurity program. The Secretary of Homeland Security, in tandem with sector-specific agencies, is to set up a voluntary program to support the adoption of a cybersecurity framework by owners and operators of critical infrastructure along with other potential interested parties.
A fifth noteworthy prong of the Executive Order requires identification of critical infrastructure at greatest risk. The Secretary of Homeland Security is to implement a risk-based approach “to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
President Obama is on the right track in proactively seeking to grapple with potential threats to critical infrastructure cybersecurity. But the devil can be in the details, and time will tell whether the instructions provided in the Executive Order will lead to the development of sufficient programs and protections.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP , where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.