On Friday, the White House circulated a revised
draft cybersecurity executive order to the press and various interested
parties. The new order, dated November
21, 2012, is a significant departure from the previous publicly available draft executive order, ostensibly dated September 28,
2012, because the latest version strips out the more stringent requirements on
critical infrastructure owners, enhancing the voluntary nature of the order,
and significantly weakens the regulatory roles of the sector-specific government
agencies. (I’ve pasted at the end of
this post for easy reference an excel table with the new order in its
entirety, with some of the more salient new sections and language highlighted
in red).
In addition, the new draft order is far more business friendly, granting greater flexibility to
critical infrastructure owners and relevant technology suppliers to
- inject industry expertise and input into how cyber threat information sharing occurs by having their experts more easily attain security clearances as well as gain temporary government employment for the purposes of aiding the cybersecurity program,
- explain how business policies may “align” with the new cybersecurity regime,
- avoid having their commercial information technology products identified by name,
- opt-out of being classified as critical infrastructure,
- provide feedback on any burdens that may flow from the new regime and
- receive cyberthreat information from the government rather than merely serve as sources that feed cyberthreat incident information to the federal authorities.
The White House thus apparently heeded
the criticism of Congressional Republicans and business lobbying groups,
who earlier this fall decried the Obama Administration’s lack of consultation
with key interested parties while drafting the order. In responding to press calls regarding the latest
draft, a White House spokesperson issued the same statement to all
inquiries: "The National Security
Staff has held over 30 meetings with industry, think tanks, and privacy groups,
meeting directly with over 200 companies and trade organizations representing
over 6,000 companies that generate over $7 trillion in economic activity and
employ more than 15 million people."
Quick
and Dirty Comparison of the Two Orders
Although it’s difficult to produce a clean comparison between the two
draft orders, it’s clear that in almost every major component, the latest order
weakens the regulatory authority of the sector specific agencies, specifically
as it relates to information sharing, while incorporating the expertise of
critical infrastructure owners into the process. Moreover, the latest order features a looser
definition of what constitutes critical infrastructure and builds in a more
market-based approach to the creation of the overarching framework that would
be the cornerstone of the program
Weaker regulatory authority of sector specific agencies, particularly
regarding information sharing
The November 21 draft order replaces the earlier draft’s detailed
directives to the sector specific government agencies, which are currently
responsible for some oversight or regulation of each of the 20 critical
infrastructure sectors (energy, telecommunications, chemical, critical
manufacturing and so forth). Those
earlier directives in the ostensible Septmber 28 draft order, which were
largely originating from or coordinated through DHS, mandated that the agencies:
- Develop reports detailing the legal authorities under which they can regulate the cybersecurity of critical infrastructure.
- Follow a set of actions developed by DHS and OMB to mitigate cybersecurity risks.
- Propose regulations of critical infrastructure owners to mitigate cybersecurity risks.
- Receive reports from critical infrastructure owners of cybersecurity risks.
- Follow implementation guidance from DHS to encourage a comprehensive and integrated cybersecurity approach across all sectors.
That earlier system, which does not appear in the new order in any
form, is now replaced by a more voluntary approach:
- The sector specific agencies will now engage in a consultative process with DHS, OMB and the National Security Staff to review a preliminary cybersecurity framework developed by NIST to determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.
- Within 90 days of publication of the preliminary NIST framework, the agencies will submit to the President a report that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, any additional authority required, and the extent to which existing requirements overlap, conflict, or could be harmonized.
- If the agencies deem current regulatory requirements insufficient, they can propose actions within 60 days of the publication of the final NIST requirements.
- Within two years after publication of the final NIST Framework, agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to duplicative, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
- The DHS will now establish “procedures” that allow critical infrastructure owners to participate in the information sharing system on a voluntary basis. (The earlier version specified that DHS shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents and threats.)
- DHS will expedite security clearances of critical infrastructure personnel, presumably to enable their greater participation in the whole program.
- DHS will expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
The earlier version of the draft cybersecurity order required that the Department of Homeland Security (DHS) would rely upon a prioritized critical infrastructure security
list required under the Homeland Security Act.
This list resulted in the creation of a controversial database that
identified hundreds of thousands critical infrastructure assets.
The latest draft order relies instead on a looser consultative process as well as the expertise of the sector-specific agencies to identify
critical infrastructure, using what it says is a risk-based approach. The new order also prohibits identifying any
commercial information technology products (presumably this means no specific
vendor’s products can be named) and provides for the creation of a process
under which identified critical infrastructure owners can be removed from the
list.
More Market-Based Approach to the Baseline Cybersecurity Framework
Both the earlier and the latest orders direct the National Institute of Standards and Technology (NIST) to develop a
framework to help owners and operators of critical infrastructure identify,
assess, and manage cyber risk. The new draft
order, however, gives NIST more time to develop the initial framework – 240 days
as opposed to 180 days.
The new draft order also incorporates more business-friendly
language. For example, the new draft
order states that “the Cybersecurity Framework shall include a set of
standards, methodologies, procedures, and processes that align policy,
business, and technological approaches to address cyber risks.”
It also states that:
“the Framework will also identify potential gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide cybersecurity guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.”
It further provides for business confidentiality protection by stating that
“the Cybersecurity Framework shall include methodologies to identify and
mitigate impacts of the Cybersecurity Framework and associated information
security measures or controls on business confidentiality.”
Finally, while the earlier order said the the Framework shall “include
metrics for measuring the performance of an entity in implementing the Cybersecurity
Framework,” the new draft merely calls for “guidance” in measuring the
performance of an entity.
I’ve pasted below a table that includes the new draft order in its
entirety, with the key new sections and language highlighted in red.
0 comments:
Post a Comment
Note: Only a member of this blog may post a comment.