What one website has called a leaked draft of the long-awaited executive order from the Obama administration (the “EO”) reveals that it is a bit short on specific detail and sets forth only a few new ideas. Admittedly, an executive order cannot (and should not) begin to approach the level of specificity that might appear in legislation. As a result, though, this EO (a) provides little incentive to the private sector, (b) contains some vague statements about undefined goals that could make it hard to implement, and (c) seems to have forgotten about privacy. It could be that the authors purposefully drafted the EO in this way to instigate community dialog. If so, they will likely succeed.
Perhaps of greatest concern, the EO speaks in too little detail about a number of different endeavors. Two specific examples include references to “coordination with Sector-Specific Agencies and relevant Federal departments and agencies” and the description of a near-real time common operating picture that “disseminates critical information that may be needed to save or sustain lives, mitigate damage, and/or reduce further degradation of a critical infrastructure capability throughout an incident.” Many people (including several who likely contributed to this EO) have been trying for many years to achieve these and other similar goals mentioned in the EO. Unfortunately, time has shown that it’s much easier to articulate the goals than to make them happen. As the old saying goes, the devil is in the details and the EO is short on those. Perhaps DHS will rise to the task – that remains to be seen.
A broader concern (which several other folks have also expressed) involves the general use of an EO to implement many of these programs and mandates. Part of the reason for the gridlock over cybersecurity in this past Congress involved the fundamental difference of opinion between mandates and voluntary actions. With this EO, who knows what will come out of it – the vague language could lead to mandates that industry would have been able to oppose via the legislative process but not when it’s an EO. This raises the specter of possible claims that those mandates become unconstitutional takings under the takings clause in the Fifth Amendment. As an example, we could have DHS, under the EO’s mandate “to develop an information exchange framework for critical infrastructure between the Federal government and owners and operators of critical infrastructure and [state, local, tribal, and territorial] entities”, put in place requirements for the private sector to disclose threat indicators and other information about their networks and, under certain conditions, be required to shut down those networks. Some commentators have suggested that such a requirement (or others like it) could be Constitutionally problematic, absent Congressional scrutiny and approval.
A final concern involves privacy protections. As we saw with the Lieberman-Collins bill (S.2105) that morphed into the Cyber Security Act (S.3414), privacy plays a pivotal role in any of these types of activities. Lieberman-Collins was criticized for not providing enough privacy protections. Greater attention to privacy was paid in the CSA. Interestingly, the word “privacy” does not appear at all in the EO. In only one place is the phrase “protecting civil rights and civil liberties” mentioned. This will likely be another interesting area of debate.
All is not bad, however. One interesting feature of the EO is the identification of “three strategic imperatives.” The first involves making changes to the “United States Government architecture to enhance the protection and resilience of critical infrastructure.” This describes a Federal architecture that will be “revised and streamlined” and that will have the cyber and physical elements of critical infrastructure be “viewed holistically.” Also, two coordination centers will be established, one for physical and one for cyber. Finally, the National Infrastructure Protection Plan (NIPP) will be superseded by a new “adaptable National Plan.” The second strategic imperative involves developing an Information Exchange Framework that allows for “effective collaboration.” This will be required “between all levels of government and critical infrastructure owners and operators.” It will be interesting to see how this mandate is carried out. As mentioned earlier, the third imperative (if it can be articulated and achieved) will result in a “near-real time Nation-wide Common Operating Picture for Critical Infrastructure.”
Also on the bright side, the EO contains a list of six deliverables that, if actually delivered, could lead to definite progress in the government’s cyber efforts. Further, a really smart proposal involves an approach to information sharing that makes good sense: pull together existing (and already functioning) information sharing frameworks and coordinate via one centralized office within the government. The EO gets something else right – it recognizes that the owners and operators of critical infrastructure “are best positioned to manage risks to their individual operations and assets, and to determine the optimal strategies to protect them and make them more resilient.” Instead of a one-size-fits-all approach, it suggests that the commercial sector knows best how to protect itself and will allow it to continue to do so. Again, it will be interesting to see how that reconciles with the rest of the EO.
Overall, the EO paints some broad brush strokes of proposals that we’ve seen before (in the report from the Commission on Cybersecurity for the 44th Presidency, in the 60-day Cyberspace Policy Review, and in various bills from the past couple of sessions of Congress). There are a few new ideas to consider but questions remain about how far some of the provisions can be taken before Constitutional questions start getting raised. Again, the devil is in the details. Let us know your thoughts.