What Firms Need to Know About U.S. and EU Moves to Tackle Cybersecurity
By Alan Charles Raul and Marci C. Haarburger, Sidley Austin LLP
On February 12, 2013, President Obama signed an Executive Order (“the Order”) mandating increased efforts to improve the nation’s cybersecurity.1 On the same day, the President signed Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience (“the Presidential Directive”).2 The Executive Order, “Improving Critical Infrastructure Cybersecurity,” focuses on securing “critical infrastructure” (“CI”), defined as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Recognizing that cyber threats to CI are “one of the most serious national security challenges we must confront,” the Order provides a framework for agencies to collaborate with private sector entities to combat cyber attacks.4 The Presidential Directive replaces a 2003 directive of President George W. Bush, and names 16 CI sectors and the federal agencies with corresponding responsibility. It expands upon the cybersecurity measures outlined in the Order, and also calls for improvements to the physical security of CI. The 16 CI sectors, and the corresponding federal agency (or agencies) with jurisdiction, are set out below.
Order Seeks to Fill Legislative Vacuum
President Obama is believed to have chosen to issue an Executive Order and Directive on security for critical infrastructure following the inability of the House and Senate to agree upon a common approach. While there is a consensus that protecting cybersecurity and CI is a top national priority, there is considerable controversy over whether to adopt a “regulatory” approach or one that simply facilitates information sharing between the government and the private sector.
By issuing the presidential decision documents, the President mandated greater information sharing, asked agencies with existing regulatory authority to issue new rules to address cybersecurity within current laws, and initiated an inter-agency process to develop voluntary, consensus-based cybersecurity standards that CI companies could choose to follow, or not. However, the President will receive reports on whether companies are complying voluntarily, or if new legislative authority should be requested.
As discussed at the end of this piece, the European Union has also recently issued a significant cybersecurity proposal. Unlike the President’s effort to avoid imposing mandatory regulation, the EU course—which would require adoption by the Parliament and Council—is self-described as a “regulatory approach.” This may prove as controversial in Europe as the regulatory legislation considered by the last Congress was in the United States. Owners and operators of CI, and other interested companies, should monitor developments on both sides of the Atlantic and participate in the rulemaking process in Washington, and the policy development process in Brussels and EU capitals, as appropriate.
Cybersecurity Executive Order
The combined upshot of the Executive Order and Presidential Directive will be to move CI owners and operators in the private sector toward compliance with new cybersecurity standards to be identified and developed primarily by the National Institute of Standards and Technology (NIST), the Department of Homeland Security (DHS), and the sector-specific agencies (“SSAs”), drawing on existing industry consensus standards.
Participation in the private sector cybersecurity program contemplated in the Order is voluntary. In practice, however, CI companies will find it difficult to disregard the new voluntary standards: ignoring them could increase future liability exposure, and their respective primary regulators may impose regulation based on those standards.
The confidential process whereby DHS identifies which companies are deemed to be CI owners or operators is also sure to be fraught with considerable controversy and contention. Designated companies will have the opportunity to seek reconsideration, but the fact of initial designation could set off a cascade of disclosure and safeguarding responsibilities.
Key provisions of the Order include:
- Within 120 days of the issuance of the Order, the Attorney General, DHS, and the Director of National Intelligence will issue instructions to ensure the timely production of unclassified reports of cyber threats that identify a specific targeted entity, so that the reports can be shared with that entity.5
- DHS, collaborating with the Department of Defense (DoD), will expand the Enhanced Cybersecurity Services program to all CI sectors. The program is voluntary and would provide government-classified cyber threat and technical information to eligible CI companies or commercial service providers that offer security services to CI.6
- DHS will expedite the processing of security clearances to employees of CI owners and operators.7
- NIST, under the direction of the Secretary of Commerce, will develop a “Cybersecurity Framework” that sets standards for addressing cyber risks to CI. The Framework will be developed in consultation with other interested agency heads, CI entities, and other relevant stakeholders. It will incorporate voluntary consensus standards and industry best practices “to the fullest extent possible” while also remaining consistent with international standards wherever possible. A final version is due to be published 1 year from the date of the Order.8
- Agencies with responsibility for regulating CI security must engage in a consultative process with DHS, the Office of Management and Budget (OMB), and the National Security Staff to review the preliminary Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks and whether the agency has authority to establish requirements needed to sufficiently address those risks. Independent regulatory agencies are encouraged, but not required, to engage in a similar consultative process.9
- DHS, in coordination with SSAs, will establish a voluntary program for CI owners and operators to encourage the adoption of the Framework standards and establish incentives for joining the program. SSAs shall report annually to the President on the extent to which CI owners and operators are participating in the Program.10
- DoD and the Administrator of General Services will make recommendations to the President as to whether the Framework standards should be incorporated into government contracts.11
- DHS will identify the CI owners and operators (excluding commercial information technology products or consumer information technology services). DHS will confidentially notify all CI owners and operators of their designation, provide them with relevant threat information, and establish a process through which they may request reconsideration of their designation.12
- The Chief Privacy Officer and Office for Civil Rights and Civil Liberties at DHS will assess the new cybersecurity programs and issue a report evaluating their effect on civil liberties and the Fair Information Practice Principles.13 The role for the Privacy and Civil Liberties Oversight Board is narrow, and is limited to providing consultation regarding the annual public report from DHS.
The Order has significant implications for companies that may be designated as CI. Although participation in the Cybersecurity Framework program is technically “voluntary,” a non-participating CI company will be identified within the government given the requirement that reports on participation be issued to the President. Moreover, there is a risk that the “voluntary” standards will be enforced as a practical matter through regulatory action or litigation. Public companies will also be interested to see whether the Securities and Exchange Commission issues any guidance as to how to handle a CI designation in public filings and disclosures. Notably, however, the Order is somewhat less “regulatory” in nature than the Lieberman-Collins Cybersecurity bill rejected by the Senate last year, and distinctly less “regulatory” than the EU’s recently proposed cybersecurity directive (discussed below).
It is also possible that companies may find the development of baseline, consensus standards to be valuable for advancing substantive cybersecurity efforts and such standards could give companies a basis to argue that compliance with the baseline standards is a sufficient defense to allegations of negligence (in cases where a company suffers losses from a cyber-attack that it could not prevent despite its implementation of safeguards). Significantly, however, the Order does not itself mandate any reporting to the government of network penetration or other cyber-attacks.
Presidential Directive on Critical Infrastructure Security
The Presidential Directive identifies three strategic imperatives for securing CI:
- refining and clarifying agencies’ functional relationships to promote uniformity across the federal government;
- identifying baseline data and systems requirements for government information exchange; and
- using integration and analysis functions to inform CI planning and operations decisions.
To achieve these aims, the Presidential Directive provides:
- DHS will establish and operate two integrated CI centers, one for physical infrastructure and one for cyber infrastructure, where CI owners and operators can obtain information about security threats.
- DHS will develop a description of the functional relationships both within DHS and across the federal government related to CI security and resilience. These descriptions will serve as a guide to the government’s functions and primary points of contact assigned to each function.
- Coordinating with other relevant agencies and departments, state and local governments, and CI owners and operators, DHS will evaluate the existing public-private partnership model and recommend physical and cyber improvements.
The Presidential Directive identifies 16 critical infrastructure sectors and designates a sector-specific agency (SSA) for each. Each SSA will serve as a liaison to the federal government for its particular sector, carry out incident management responsibilities, provide support for identifying vulnerabilities, and issue annual reports of sector-specific information to DHS. The CI sectors and their designated SSAs are:14
- Chemical (DHS);
- Commercial Facilities (DHS);
- Communications (DHS);
- Critical Manufacturing (DHS);
- Dams (DHS);
- Defense Industrial Base (DoD);
- Emergency Services (DHS);
- Energy (Department of Energy);
- Financial Services (Treasury);
- Food and Agriculture (Department of Agriculture and Department of Health and Human Services (HHS));
- Government Facilities (DHS and General Services Administration);
- Healthcare and Public Health (HHS);
- Information Technology (DHS);
- Nuclear Reactors, Materials, and Waste (DHS);
- Transportation Systems (DHS and Department of Transportation); and
- Water and Wastewater Systems (Environmental Protection Agency).
Companies that could be designated as CI owners or operators should carefully monitor implementation of the Order and Directive through regulatory proposals and agency actions, as well as any congressional action, of course.
EU Cybersecurity Proposal
Multinational companies will also be interested in the EU’s recent cybersecurity proposal, Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace, issued on February 7, 2013.15 The proposal is embodied in a draft directive prepared by the European Commission (EC or Commission) in which the Commission recommends that the EU replace its current “voluntary approach” with a “regulatory approach.” As a proposed “directive,” if the draft were ultimately adopted by the European Parliament and Council, all member states would then have to implement conforming legislation in their national laws.
The EC’s proposed cybersecurity directive is a positive step in elevating attention to a subject that is recognized as a top threat to the national security and economic well-being of societies on both sides of the Atlantic. As noted above, President Obama issued his Executive Order in order to break the logjam on whether or not “regulatory” legislation should be enacted. The Commission’s proposal has come down firmly in favor of a self-described “regulatory approach.”
The Commission expressly concludes that the voluntary approach currently in effect does not provide sufficient protection. Accordingly, the EU would require CI operators in banking, stock exchanges, energy, transport, health, and internet services (like e-commerce, search engines and cloud service providers) to conduct risk assessments and report significant network security incidents to cybersecurity authorities to be established in each EU member state. “Trust service providers,” which authenticate electronic signatures and websites, etc., would also be subject to the new standards.
The Commission’s impact assessment for the proposed directive estimates the cost of the additional obligations imposed by the new requirements at between 1 billion and 2 billion euros. Even that large figure may understate the cost: although it is backed by a more comprehensive analysis, the underlying assumptions may be unduly optimistic. Internet service providers (ISPs) would not be covered under the new directive because they are already covered under an existing directive for electronic communications, and software and hardware manufacturers would also not be covered by the mandatory reporting standards because they are not providers of information society services.
National cybersecurity authorities in the EU would be required to establish “Computer Emergency Response Teams,” like those that currently exist in the U.S., and would also be empowered to impose cybersecurity standards, demand information from relevant businesses, conduct audits and impose sanctions for non-compliance.
The proposed directive would promote coordination within the EU, as well as with multilateral institutions outside the EU such as NATO, OECD, etc. Significantly, and positively, the Commission states that “cooperation with the United States is particularly important.”
The directive also requires that cybersecurity be implemented in a manner consistent with fundamental values recognized in the EU, such as respect for private life and communications, data protection and privacy, the right to property, the right to be heard in court and the freedom to conduct a business.
The proposed Directive would:
- Require EU member states to adopt a national Network and Information Security (NIS) strategy based on a current risk assessment and designate a “competent authority” to oversee the implementation of the directive;
- Require member states to set up a Computer Emergency Response Team (CERT) responsible for monitoring risks, responding to security incidents, and developing standard practices for incident and risk handling procedures;
- Require companies in “key areas” (energy, transport, banking, stock exchanges, key Internet services) and public administrations to report breaches having a “significant impact on the security of core services” to the competent authority of the member state;
- Require each member state to legislate sanctions for violations of laws mandated by the directive, and grant its competent authority the power to investigate and sanction security incidents; and
- Permit the EU to draft uniform security standards in accordance with EU Regulation 1025/2012 of the European Parliament and the Council of Oct. 25, 2012, regarding European standardization.16
The EU standards would also apply to companies that provide information society services and other covered services in the EU. This will obviously impact U.S. multinationals as well as leading Internet businesses such as cloud operators, search engines, etc. The lesson for the United States, however, may be that we must engage with the EU on cybersecurity in order to avoid the development of a pernicious, ongoing policy conflict and trade dispute as we see now regarding privacy and international data transfers.
Cybersecurity is a global problem that requires international attention. Through the policy initiatives of the White House, and the technical work of the NIST, DHS, NSA, FBI, and other agencies, the United States may well be ahead of the technological curve on cybersecurity. We should be sure to take the EU up on the Commission’s perspective that “cooperation with the United States is particularly important.”
© 2013 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.