Date: Feb 19, 2013
SPECIAL ALERT: White House Issues Long Awaited Executive Order on Cybersecurity
Following President Obama's State of the Union address last week, the White House released its much-anticipated cybersecurity executive order, Improving Critical Infrastructure Cybersecurity, ("Executive Order" or "EO"). The Executive Order is the Administration's initiative to address widely acknowledged cyber threats to domestic critical infrastructure.
The Executive Order looks to address cybersecurity threats to control systems and data networks associated with the major petroleum industry facilities such as refineries, petrochemical plants and pipelines, and the EO is equally concerned with cyber attacks directed toward electric generation facilities and the "smart grid," e.g., all the sensors added to grid devices, such as voltage sensors, fault detectors and power meters, and the data networks (RF and wireline) that collect and transmit the data. Keller and Heckman LLP attorneys prepared a summary of the EO, as well as an associated policy directive, which is available here.
Overview of the Executive Order
The EO includes four principal, inter-related components for addressing cybersecurity risks to critical infrastructure:
1. U.S. intelligence and law enforcement agencies and the Secretary of the Department of Homeland Security are directed to design a process to share timely unclassified reports of cyber threats to specifically targeted entities, as well as expand the Enhanced Cybersecurity Service program to include additional critical infrastructure sectors in order to provide classified reports to targeted entities with staff having the requisite security clearances.
2. The DHS Secretary is responsible for (i) identifying critical infrastructure facilities with a high risk of a cyber-attack that would create a substantial adverse impact on national security, economic security or public health and safety, and (ii) conveying this assessment to the identified owners and operators of the critical infrastructure facilities on a confidential basis.
3. The Director of the National Institute of Standards and Technology is charged with developing a "Cybersecurity Framework" to create a set of standards and procedures for addressing cyber risks and provide "a prioritized, flexible, repeatable, performance-based, and cost effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk."
4. The DHS Secretary will create a program to encourage critical infrastructure entities to voluntarily adopt the Cybersecurity Framework by offering benefits and incentives to entities adopting (apparently in some public or affirmative manner) the program. The program will include implementation guidance and supplements responding to sector-specific risks and differences in operating environments.
Legislative Action on Capitol Hill
Immediately following the release of the EO, members of the House Permanent Select Committee on Intelligence reintroduced the "Cyber Intelligence Sharing and Protection Act," or "CISPA". This bill is identical to the one passed with strong support back in April 2012. The Senate has not taken up the CISPA-version of the cybersecurity legislation and has had several failed attempts to pass its own legislation, the "Cybersecurity Act of 2012".
Unlike CISPA, the Executive Order only addresses the sharing of information from the government to critical infrastructure entities, not vice-versa, addressing concerns of some privacy advocates. The EO does not provide liability protection for companies providing voluntary information to the government. A limitation on liability can only be achieved through legislative action, triggering concerns whether participation and ultimate public disclosures could engender risk of additional liability. Companies are, however, provided protection from disclosure of information that is voluntarily submitted to the government.
K&H To Discuss Cybersecurity in Oil and Gas Webinar
Keller and Heckman attorneys will discuss the Executive Order and its implications during our complimentary webinar tomorrow, February 20, at noon Eastern Time. The webinar also will highlight other key telecom issues facing the oil and gas industry, including an overview of wireless spectrum requirements and options for the industry, FCC licensing and enforcement trends, as well as network services developments. Please contact Tara Busby (firstname.lastname@example.org; 202.434.4174) to register free-of-charge or for additional information.
Send Us Your Feedback
In an attempt to address in our weekly Telecom Business Alert the issues of most importance to the clients and friends of Keller and Heckman LLP, we invite you to submit suggestions on topics of interest to you. To make suggestions, please send an e-mail to TelecomAlert@khlaw.com.
Keller and Heckman LLP's Telecom Business Alert is a complimentary weekly electronic update created by the Telecommunications and the Business Counseling and Transactional practice groups of Keller and Heckman LLP.
To sign up for our weekly alert, please send us an email at TelecomAlert@khlaw.com and provide us with your name and email.