Published by The Lawfare Institute in Cooperation With
provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

Anyone who thinks that 240 days is sufficient time for this task is an unfettered optimist. But, let’s leave that aside. At some point a Framework will appear. What then? Under section 8 of the EO, they become part of a voluntary program for cybersecurity. Sector-specific agencies will help out by providing sector-specific guidance on how to implement the Framework. [In other words, FERC will tell the energy community how the Framework applies to, say, electricity generators.] Meanwhile the government will be examining what, if any, incentives it can give to private industry to adopt the standards. Of course, those “incentives” are undefined by the EO. And that’s where the rubber will meet the road – if strong incentives (say procurement preferences as suggested in section 8(e)) can be adopted administratively, the Framework might have some real teeth and significant persuasive effect.
The incentives will need, of course, to provide benefits that outweigh the costs of implementation to industry, but in theory that’s not impossible. I have to wonder, however, how that will turn out in practice. If strong incentives were possible without new legislation, I have to think that they might have been fronted here in the EO. Recall that an earlier draft of the EO also mentioned the DoD procurement issue. If DoD hasn’t figured out a way to make procurement preferences effective since September 2012, I suspect another 120 days to think about it (the time the EO gives them) won’t change the result. And, finally, of course, we don’t know what the Framework will actually say. If it recommends that the private sector do what it already is doing, it will be an anodyne bit of fluff. If it has new recommendations and directives I suspect they will only be implemented if they are truly “good ideas” and that the incentive program to be developed will have little practical impact.

Regulations – The real sting, if any, will come from Section 10. This section directs all the sector-specific agencies to take the voluntary Framework and make it mandatory for their sectors. If they can do it with existing rules, they should. If they need to propose new rules through notice and comment rulemaking they should do that. This is where all the action really will be. Look for agencies to have a bit more understanding of industry complaints than the Administration overall, or DHS, might have had. And look for the regulated community to use the administrative process to delay and challenge any rules they don’t like. In the end, we may be several years (at a guess 4-6 years) before we see mandatory regulations – by which time the Framework and the regulations are likely to be outdated. Who knows? Maybe I’ll be surprised. But this doesn’t seem a formula for effective action to me.
Confidential Identification – The EO has one true innovation in it – a confidential naming program that will identify the critical cyber infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This is a subset, of course, of the earlier broader definition. Infrastructure owners who are identified as operating cyber critical infrastructure will be notified of that fact (and entitled to challenge the notification). After they are notified … Nothing more happens! And that’s pretty subtle. I’d hate to get one of those notices and not respond by implementing the Framework! What if, later, something did happen? At that time, of course, the government would be free to say “we told you so.” Boy, that would be a job killer. The in terrorem effect of this “secret designation” is going to be pretty powerful. I have to think about its legality of course – it will need a FOIA exemption for instance, and it might be unduly coercive – but you do have to admire the way in which this aspect of the program will box some folks in.

Political Effect – What, then, of the political effect of the EO? Here I think there is likely to be more significant impact – though it is impossible to say in which direction. One view (the pessimistic one) is that President Obama has skimmed off the cream with his EO and gotten much of what he wanted (like the regulatory program), leaving the hard parts (broadened regulation and liability protection) to Congress. If that’s the case, Congress (or so the thinking goes) will be very reluctant to do the dirty work. Especially in a session with so many other priorities (sequestration, gun control legislation and immigration reform to name just three), cyber will sink to the bottom of the priority list and never be heard of again. The more optimistic view is the opposite.
Here, President Obama has drawn a roadmap or blueprint and Congress will just follow. It could, for example, take his information sharing program, add the missing authorization and liability protection, tie that up in a neat little bow with, say, some more funding for cyber education, and have a nice pretty package to deliver. Indeed, if it wanted to find a bipartisan compromise that would probably work pretty well. Who can say which course Congress will take? Me? I’m a pessimist by nature. It seems to me that Congress rarely “misses an opportunity to miss an opportunity.” So I’m guessing that nothing will happen – but that’s a prediction worth the price you paid for it.