White House draft cyber order promotes voluntary critical infrastructure protections

Friday - 9/7/2012, 7:48pm EDT

Federal News Radio's Jason Miller on In Depth with Francis Rose


The White House so far has failed to get a bill passed by both houses of Congress to improve the cybersecurity of the nation's critical infrastructure, so it wants to take an alternative approach.

The administration has created a draft executive order detailing how, within its authority, it would improve the information assurance of the nation's critical infrastructure, such as the power grid and financial industries.

The draft EO has eight sections, among them a requirement to develop a way for industry to submit threat and vulnerability data to the government.

Federal News Radio viewed a copy of the draft EO, which closely follows the second version of the comprehensive cyber legislation introduced by Sens. Joseph Lieberman (I-Conn.) and Susan Collins (R-Maine) in July.

The draft order gives agencies several deadlines to meet, either by writing reports or creating and implementing frameworks.

For instance, 90 days after the EO is signed by President Barack Obama, the cybersecurity council, led by the Homeland Security Department secretary, must produce a report determining which agencies should regulate which parts of the critical infrastructure. Section 2 of the draft EO creates the council.

Under earlier cyber bills, DHS would take the lead in regulation, and that concerned some lawmakers and experts. It was a major sticking point in moving forward with a vote on a comprehensive bill.

"An executive order is one of a number of measures we're considering as we look to implement the President's direction to do absolutely everything we can to better protect our nation against today's cyberthreats," said a National Security Council spokeswoman in an email statement. "We are not going to comment on ongoing internal deliberations."

Voluntary guidelines

Sources say the White House held a call with federal cyber leaders last week to discuss the draft order.

Section 8 of the draft order, which has five subsections, includes the most significant changes to how the government wants to oversee critical infrastructure.

One subsection would ask industry to voluntarily submit cyber threat information to the government. The draft order says this data wouldn't be used for regulatory purposes or used against companies. Sources say there aren't any liability protections in the EO because that could only come from Congress.

A second subsection would require DHS to undertake privacy assessments of the data it collects about critical infrastructure.

A third subsection limits what critical infrastructure is included under the draft EO, and makes clear that First Amendment protections will apply to how the government identifies critical infrastructure.

A fourth subsection would address acquisition and the preferences for products and services that meet the cyber standards developed by the DHS-led council.

The final subsection would call for a report within 120 days discussing possible incentives such as liability protection, expedited security clearances and government recognition that a critical-infrastructure owner or operator meets the voluntary standards.

Sources say this subsection also is very similar to the Lieberman-Collins cyber bill.

Another part of the EO, Section 4, requires the DHS-led council to develop a framework to remediate and mitigate risks to critical infrastructure. A draft roadmap would be due within 90 days and would then be sent out for public comment within 180 days.

Sources say the order doesn't advocate for any specific technology or approach to remediating or mitigating risks, and is not "ordering" industry to take specific steps.

Section 3 would require DHS to identify the critical infrastructure owners and operators that the government would ask to voluntarily participate in the framework. Within 60 days, DHS would have to submit a report to the President detailing the critical infrastructure that, if attacked, would threaten the lives of citizens or the national security of the country.

Sources say DHS already has identified these owners and operators.

Does not address FISMA

The next part, Section 5, would require the council to create a voluntary critical-infrastructure program to promote adoption of the framework. It would address incentives such as telling the public who conforms to the framework and who doesn't. Sources say it doesn't advocate for rewards or more tangible incentives such as liability protection like the Lieberman-Collins bill does.

Section 7 is the only part of the EO that would specifically address federal agency networks.

It calls for DHS to identify critical infrastructure owned and operated by federal agencies and to assist the agencies in identifying and mitigating risks.

Sources say this too is very similar to the Lieberman-Collins bill.