President Barack Obama announced during his State of the Union address Feb. 12, 2013, that he had signed a highly anticipated executive order with the aim of establishing a framework of cybersecurity best practices that companies would elect to follow and improving information sharing about cyberthreats between government and private industry.
The executive order (EO) was prompted by Congress’ failure to pass cybersecurity legislation in 2012, and the president called on Congress to revisit the challenge.
“We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” he said.
The sponsors of the bipartisan Cyber Intelligence Sharing and Protection Act (CISPA) answered the president’s call and reintroduced the bill in the House of Representatives the following day, Feb. 13.
CISPA passed the House in 2012 but never reached a vote in the Senate. The White House had threatened to veto it if it ever got to the president’s desk, due to concerns over privacy of personal data.
“American businesses are under siege,” said CISPA co-sponsor Rep. Mike Rogers, R-Mich. “We need to provide American companies the information they need to better protect their networks from these dangerous cyberthreats,” he said in a press teleconference.
“Our bill does just that by permitting the voluntary sharing of critical threat intelligence while preserving important civil liberties,” said fellow co-sponsor Rep. C.A. Dutch Ruppersberger, D-Md.
“The president’s executive order is a very good step, and it helps clear the way for the successful passage of a cybersecurity bill,” Ruppersberger said.
How the Executive Order May Affect You
The executive order, which does not require approval from Congress, create regulations or have enforcement power, sets up and expands public-private cybersecurity threat information sharing initiatives and creates a process for building a framework of voluntary cybersecurity standards for critical infrastructure companies.
The EO requires federal agencies to notify companies that oversee critical infrastructure like hospitals, utilities, transportation and financial institutions about cyberthreats if any sort of cyber intrusion that would harm operations or the security of company data is detected.
Establishing the program will require industry involvement to determine what types of information will be most helpful in combating cybersecurity threats.
“Everyone is for information sharing,” said Howard Waltzman, a partner with Mayer Brown, based in Washington, D.C.
“But the problem with the executive order is that it doesn’t have the power of law to make several fundamental changes that are critical to robust information sharing,” he told SHRM Online. These changes include exemptions from certain privacy laws, such as the Electronic Communications Privacy Act, and liability protection for information sharing-related activities. “You need legislation to do that, and those legislative protections are what CISPA provides,” Waltzman added.
The executive order elevates the importance of information sharing, which is a positive development, agreed Ann Beauchesne, vice president of National Security and Emergency Preparedness at the U.S. Chamber of Commerce. But executive action is unnecessary, she told SHRM Online. “If the proposed cybersecurity program is to counter major threats to U.S. security, it needs to operate in a manner that is fast, flexible and innovative, just like our adversaries.”
But while the order allows the sharing of government data with the private sector, the data sharing doesn’t flow back the other way. The main difference between the EO and CISPA is that CISPA would allow private companies to share details about cyberattacks with the government and one another, whereas the executive order outlines a one-way street, with the government sharing information with the private sector only. CISPA opponents are concerned about immunity clauses that they say would incentivize companies to hand over private customer information.
In addition to information sharing, the other major piece to the executive order is the development and establishment of voluntary cybersecurity standards or best practices that critics fear may become mandatory regulations for companies.
The Department of Homeland Security (DHS) and the National Institute of Standards and Technology have been tasked with working with industry to develop a framework for these standards.
The order calls for agencies to review incentives that could be offered to induce compliance.
But one of the biggest incentives—protection from lawsuits—can only come from Congress.
Lastly, although the administration is stressing the program’s voluntary nature, Section 10 of the EO introduces the possibility that regulators may use their authority to enforce the standards.
Also, the new standards could in the future serve as the basis for tort liability for companies who do not adequately protect their IT systems.
A standard-setting approach to cybersecurity “will only impose costs, encourage compliance over security, keep the U.S. tied to past threats and threaten innovation,” said Paul Rosenzweig, the founder of Red Branch Consulting PLLC, a homeland security consulting company and former top DHS official. “Obama will continue with the EO standard-setting no matter what happens with proposed legislation,” Rosenzweig told SHRM Online.
Businesses should be concerned about “standards creep,” said Al Saikali, an attorney and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami.
“These are voluntary standards for companies responsible for critical infrastructure, but I would not be surprised to see these standards become mandatory,” he told SHRM Online, “perhaps in exchange for liability protection and then see the standards spread to companies not responsible for critical infrastructure.”
The chamber’s Beauchesne agreed. Existing regulatory models are no match for the fast-paced demands of the cybersecurity environment, she said. “Today’s regulations can be outdated tomorrow, likely escalating a company’s risk by compelling it to maintain security requirements that have been rendered obsolete.”
The electric industry has been living with cybersecurity regulation since 2005, when Congress granted authority to the Federal Energy Regulatory Commission (FERC). While cybersecurity compliance can be challenging—in the last three years alone, FERC has issued nearly $11 million in civil penalties against industry members for violations—the arrangement is working, according to Kenneth W. DeFontes, president and CEO of Baltimore Gas & Electric.
Addressing the U.S. House Intelligence Committee Feb. 14, 2013, on behalf of Edison Electric Institute, the leading trade association of electric companies, DeFontes said that the standards-drafting relied heavily on the technical expertise of industry experts to “ensure that cybersecurity standards are technically and operationally sound and do not result in unintended consequences.”
However, one of the key lessons the electric industry learned is that threats evolve rapidly, he said.
“While standards encourage good business practices and enforce a baseline level of security, standards alone are not sufficient to address cyber threats. Standards may take a long time to develop and can provide a road map for our adversaries to evade security controls.”
The order creates more questions than it answers, said Saikali. For example, “What will these voluntary standards be and for how long? Even if the standards are ‘voluntary,’ what company would refuse to comply with them given the effect noncompliance could have on their reputation? Who will be identified as critical infrastructure operators? Will these standards become the new standard for determining whether a noncritical infrastructure company’s security measures are ‘reasonable’?”
CISPA Returns from the Dead
Business groups from the Chamber of Commerce to the Business Roundtable and the telecommunications lobbies have urged the White House to abandon its executive order and let Congress take the reins on passing cybersecurity legislation.
“The executive order may result in new cybersecurity regulations, but the order does not, however, obviate the need for legislation, especially as the federal government seeks to facilitate increased cyberthreat information sharing by private companies, which will require changes to certain privacy statutes and liability protection for information sharing-related activities,” said Waltzman.
That legislative process is now in motion with the resurrected CISPA. CISPA proposes:
- Allowing the federal government to provide classified cyberthreat information to the private sector.
- Empowering American businesses to share cyberthreat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis.
- Providing liability protection for companies acting in good faith to protect their own networks or share threat information. This is needed, Rogers said, because companies fear lawsuits if they share cyberthreat information with each other or the government.
- Providing protections for privacy and civil liberties.
Privacy advocates and civil liberties groups argue that CISPA lacks sufficient privacy protections.
During the Feb. 14 hearing about the bill, Rogers said there is “a lot of misunderstanding” about CISPA and the type of information companies would share with the government if their computer systems are attacked. The bill would allow companies to share malicious source code and other technical information about potential attacks on their systems, but not e-mails or other types of content with personal information included in it, he argued.
The panel of four industry witnesses, all of whom support CISPA, agreed, testifying that companies would share technical information, such as IP addresses sourced to hackers and not people’s personal information or communications.
Private Sector Needs Help
The industry representatives testifying before the committee said that they believe the best way to prevent hackers from infiltrating companies’ computer systems and networks is to receive critical, real-time intelligence about forthcoming cyberthreats from the government.
“By sharing threat information more effectively between business and government, we can anticipate and repel most serious threats,” said Business Roundtable President John Engler.
The Business Roundtable, an association of CEOs of leading U.S. companies, supports CISPA’s “robust, two-way information sharing, with appropriate legal and privacy protections, between government and the private sector.”
The government must create a clear and predictable legal framework for private-sector-to-private-sector and private-sector-to-public-sector sharing, with appropriate liability and antitrust protections for those acting within the framework, he said.
Engler testified that CEOs are making cybersecurity a top priority by establishing and resourcing programs to incorporate cybersecurity threat information into corporate risk management, instilling the importance of cybersecurity in the culture of the corporation by setting tone and expectations, assigning responsibilities and developing appropriate metrics, actively monitoring and responding to ongoing risks, and working collaboratively with government on an ongoing basis to improve and advance cybersecurity resilience.
In addition, the Business Roundtable is recommending that boards of directors, as part of their risk oversight responsibilities, oversee corporations’ risk assessment and management processes, including those applicable to cybersecurity.
But the private sector cannot do this alone, testified Kevin Mandia, CEO of computer security firm Mandiant, which was hired by The New York Times to address the recent cyberattacks it faced. “While many industry players have extremely capable security programs, the majority of threat intelligence is currently in the hands of the government,” he said. Mandia told the committee that about two-thirds of the breaches Mandiant responds to are first detected by a third party, usually the government, and not the victim companies.
“Threat information, if shared consistently with the right people, could be used to prevent or mitigate the impact of these breaches instead of merely notifying victims long after their intellectual property has been stolen,” he said.
Mandia and the other witnesses representing business groups stated that information sharing also needs to occur among private-sector participants. “U.S. companies remain at a severe disadvantage until they can access and utilize all of the information available,” said Mandia.
Roy Maurer is an online editor/manager for SHRM.
Follow him on Twitter @SHRMRoy.
Cybersecurity Bill Dies, Executive Order on the Way?, SHRM Online Safety & Security, November 2012
SHRM Online Safety & Security pageKeep up with the latest Safety & Security HR news