
Overview

On February 12, 2013, President Obama signed an Executive Order which attempts to improve critical infrastructure cybersecurity (the "Order"). President Obama issued the Order in response to Congress' failed attempts to pass various bills addressing the nation's need for increased cybersecurity, including the Cybersecurity Act of 2012 (the "Act"), introduced in February 2012 by Senators Lieberman (I-Conn.), Collins (R-Maine), Feinstein (D-Ca.) and Rockefeller (D-W.Va.). The Act would have set voluntary minimum cybersecurity standards for private industry, in part to address explicit warnings from the nation's top military leaders about growing cyberthreats. Citing the projected costs of the proposed cybersecurity standards on the private sector, the U.S. Chamber of Commerce and other private sector lobbyists successfully defeated the bill.

In the wake of the Act's defeat, Senator Rockefeller urged President Obama to issue an executive order requiring cybersecurity standards for critical infrastructure, thus circumventing the legislative gridlock. But, instead of simply issuing the Order, on November 12, 2012, President Obama took the unusual step of distributing a draft of the Order, and seeking collaboration from private industry on how to make his proposed cybersecurity framework and the efforts of the government succeed. In this regard, President Obama may have been intimidated by the Chamber and other private sector lobbyists' resolve in defeating the Act, and may have wanted to obtain industry buy-in before promulgating the Order. Although the Order establishes a cybersecurity standard for businesses supporting critical infrastructure, it does not provide definitive answers to the questions of: (1) who will be included in the Order's definition of "critical infrastructure" from the private sector; (2) what specific standards will be adopted to enhance cybersecurity; or (3) what incentives will be created to encourage private sector adoption of the selected standards. This QuickCounsel will cover these questions.


Who is included in "Critical Infrastructure"?

"Critical infrastructure" is "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." 42 U.S.C. 5195c(e). This wide-ranging and vague definition undoubtedly aims to encompass any and all systems or assets that could be deemed vital to national security. However, the definition fails to provide definitive guidance as to which systems or assets – such as card payment systems – are so vital to the United States that their incapacity would lead to a "debilitating" impact on security, national economic security, national public health or safety.


Adopting a Framework for Cybersecurity: Specific Standards

The Order directs the National Institute of Standards and Technology ("NIST") to coordinate the development of a framework to reduce cyber risks to critical infrastructure, which includes a set of standards, methodologies, procedures and processes (the "Framework"). The Framework is to be a "flexible and repeatable" approach intended to "help owners and operators of critical infrastructure identify, assess, and manage cyber risk and to protect privacy and civil liberties." This objective is so broad that it prevents any objective prediction about what NIST will create for the Framework, and whether the Framework will be effective or not in the defense against cyber-crime. However, based on the Order, the following observations may provide insight into the future Framework:

NIST is qualified to create a Framework

NIST is a prime candidate to create and implement a Framework due to its assets, staff, and expertise. NIST receives $857 million a year in federal funding. It employs about 2,900 scientists, engineers, technicians, and support and administrative personnel. About 2,600 NIST associates (guest researchers and engineers from academia, industry and other government agencies) complement that staff. In addition, NIST partners with 1,300 manufacturing specialists and staff at nearly 350 affiliated centers around the country. Since 1901, NIST has been tasked with developing and protecting national standards, and it has already researched and created several standards to aid in cybersecurity. As a government agency, NIST may be an impartial source of expertise in the area of cybersecurity.

NIST may look to PCI-DSS for inclusion in the Framework

Unfortunately, even though NIST has internal resources and standards to use in its implementation of the Framework, it may also look to current industry standards, such as PCI-DSS. PCI-DSS is problematic in several ways. First, PCI-DSS lacks any concrete "standard" by which issuers, acquirers, or merchants can protect data or themselves. Under PCI-DSS, which was created by the card brands, a business is only compliant until it is breached – regardless of the business' efforts to secure the system prior to the breach. So, PCI-DSS creates a "standardless" standard by which the card brands can insulate themselves from liability, while leaving merchants, acquirers and issuers in the untenable position of being required to adhere to a constantly shifting standard or face heavy non-compliance fines from the card brand.

In addition, PCI-DSS compliance takes a checklist-approach to security, which does not necessarily make a bank, acquirer or merchant more secure. For example, a merchant can set up a firewall, as required by PCI-DSS, but not configure it properly or never analyze the logs. So, while a merchant may be complying with the letter of PCI-DSS, it could be contravening the spirit of the standard by implementing the means but overlooking the goal of data security.

PCI-DSS's status as a moving standard and its checklist approach render it an unsuitable standard for protecting the nation's critical infrastructure. Nonetheless, PCI-DSS may be promoted to NIST as a potential standard by the card brands, or NIST may feel industry pressure to absorb PCI-DSS as part of a Framework because it has already been implemented by merchants who accept card payments. In either circumstance, PCI-DSS may become part of the Framework, thus cementing our reliance on poor cybersecurity practices and perpetuating its shortcomings.

Other standards NIST may consider

1. NIST Special Publication 800-53

Perhaps more suitably, NIST may consider utilizing Special Publication 800-53 in the Framework, which is a standard it created for use by federal agencies. Application of the Special Publication 800-53 standard requires an organization to categorize its systems and data based on the impact of a breach of those systems or the disclosure of the data. Special Publication 800-53 also includes detailed descriptions of specific controls and different types of implementations based on security categorizations. As opposed to the "checklist" methodology of PCI-DSS, Special Publication 800-53 offers a flexible, yet structured approach to cybersecurity, which necessitates a disciplined and time-intensive deliberative process.

2. ISO 27000 series

The ISO 27000 series is another possible security standard for NIST to consider when creating the Framework. The ISO 27000 series establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. It also includes a set of underlying standards designed to build and support a security program, such as auditing and management programs. NIST may be persuaded to incorporate the ISO 27000 series into the Framework because many commercial organizations, including those to which the Framework will apply, already use this standard and support its adoption. In addition, the adoption of the ISO 27000 series in the Framework is a fair compromise between the contemplative, but time-intensive, Special Publication 800-53 standard and the superficial checklist standard of PCI compliance.

Rushed timeline for completion

The Order provides NIST with only 240 days to publish a preliminary draft of the Framework, with a final draft due to the Federal Register in a year. This timeline is extremely aggressive for creating a major regulatory standard, leading to the potential for a slapdash approach to the Framework in order to meet the Order's deadlines.

The Framework might not protect against future threats

Incentives to Adopt the Framework

Once the Framework is created and the sources of critical infrastructure are identified, the Order directs the Secretary of Homeland Security to encourage adoption of the Framework by the owners of critical infrastructure by providing undefined incentives. However, the President's administration cannot provide protection against liability if a business suffers a cybersecurity breach, as such protection is for the legislature to enact. This insulation from liability is the very incentive many businesses desire and would be the best inducement for adoption of the Framework by private industry. However, the Order also requires the Secretary of Defense and the Director of the General Services Administration to report to the President on whether or not a federal acquisition preference can be granted to vendors that voluntarily meet the Framework. Such an incentive would be very persuasive for any business looking to work with the government, although limited in its influence on non-government contractors.

Finally, the creation and implementation of the Framework will, in all likelihood, not be truly voluntary. As with PCI-DSS, the creation of a "voluntary" standard for cybersecurity may be used by state governments and legal forums as a baseline for negligence. Consequently, most businesses will be required to adopt the Framework in order to avoid liability in the event of a cybersecurity breach.

Sharing Information About Cyber Threats

The Order further directs members of government intelligence groups to create a method of disseminating information pertaining to cybersecurity threats to the public. To this end, the Order directs the expansion of programs that bring private sector subject-matter experts into federal service on a temporary basis. Overall, this directive may facilitate cybersecurity in the payment card industry if it results in set methods for the government to communicate known threats affecting the industry. However, information sharing is not a new concept in Washington. Since 1998, various government officials have directed Federal agencies to work with the private sector to integrate industry experts with public sector agencies to "share" intelligence. Today, public sector intelligence operations still have difficulty providing timely information to private industry, because such dissemination implicates concerns over protecting confidential methods and sources. So, the Order offers little change in the existing efforts to foster open sharing of cybersecurity threats and information.

Protecting Civil Liberties

Finally, the Order also requires government agencies to ensure that civil liberties are incorporated vis-à-vis the government's Fair Information Practice Principles, which include the following eight precepts of data privacy: transparency, individual participation, purpose specification, data minimization, use limitation, data quality and integrity, security, and accountability and auditing. Certain government officials must review the civil liberties and privacy risks involved with the programs to be created and draft an annual report on this topic. Although primarily neutral for the card payment purpose, the incorporation of civil liberties may impede the ability of the government and private sector to promote business and security. It remains to be seen how this directive will play into the Framework to be created for cybersecurity and the related initiatives provided for in the Order.


Conclusion

While the Order affirms the reality of cybersecurity as a widespread issue that touches almost every industry, it may or may not be the impetus for a cybersecurity standard with real impact, and may or may not achieve the information sharing end it directs.


Published on March 27, 2013
Region: United States
The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical advice and references for the busy in-house practitioner and other readers.