The administration has put out an executive order on cybersecurity for critical infrastructure. Congress is not happy. But I think that this order largely gets things right.
The order focuses on systems and assets, whether physical or virtual, whose destruction would have a debilitating effect on security, national security, economic security, national public health and safety, or any combination. That's the correct set of issues -- and a far cry from some earlier classifications of critical infrastructure that had included everything from a miniature golf course in San Jose to the Statue of Liberty in New York Harbor.
The order requires the Director of National Intelligence to share unclassified information on cyberthreats with the Department of Homeland Security (DHS) in a timely fashion, and for DHS to "rapidly" disseminate the same to the targeted entity. Absolutely appropriate.
The order puts the Director of the National Institute for Standards and Technology (NIST) in charge of coordinating a "framework" for reducing cyber risks to critical infrastructure. That's the right agency for the job. DHS has law-enforcement agencies within the department, and these groups sometimes have complicated relations with the private sector. Securing critical infrastructure networks requires forging working relationships with private industry. Both NIST and its parent department, the Department of Commerce, have loads of experience in developing such voluntary efforts. So this was a good call.
The framework is supposed to be "prioritized, flexible, repeatable, performance-based, and cost-effective" -- all critical aspects. The framework is to "include methodologies to identify and mitigate [negative] impacts" on business confidentiality and privacy and civil liberties. And it is to be reviewed and updated on a frequent basis. The DHS Secretary will establish a voluntary program to support adoption of the framework. All good.
Sector-specific agencies are to review the framework and develop implementing guidance. This is really important. Cyber protections that make sense for the power grid are not the ones that will work for telecommunications, and neither of those fit the needs of the financial sector. Putting in place the protections that work for each sector is a critical aspect of getting cybersecurity right. (This is something colleagues and I have written about here.) Fitting the cure to the problem is essential, and it is important that this has been recognized right from the start.
There will be annual reporting and incentives for participation. That's necessary, and good to see in place.
The order is weaker than it could be on procurement, asking only for recommendations on "steps [that] can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity." This issue matters. Up to now, security has been an afterthought: we want bells and whistles, and, oh, yes, if you can do that while building a secure system, that's good. This is one place the administration could have real impact, and it remains to be seen how serious the procurement aspect will be.
It's good that the DHS Secretary must use a risk-based approach in determining which critical infrastructure systems need attention first.
The document is not without problems. On paper, privacy and civil liberties come early (section 5 of the order). In practice, there is some danger that privacy and civil liberties could be shoved off the table.
The protections are to be built on the Fair Information Practice Principles, itself the basis for privacy protections around the globe. What is probably most important in this context are the Fair Information Practice Principles protections against "secondary use" of information without explicit opt in. That's the good part.
The bad news is the lack of teeth on the enforcement side. Compliance assessments will come from the DHS Chief Privacy Officer, the DHS Officer for Civil Rights and Civil Liberties, the Office of Management and Budget, and the Privacy and Civil Liberties Oversight Board. But while one could argue that the present DHS Chief Privacy Officer has an interest in privacy, the current DHS Officer for Civil Rights and Civil Liberties is only an acting appointment. The Privacy and Civil Liberties Oversight Board met last fall for the first time in five years -- and it still lacks a chair.
Now the administration has had a good record on aspects of privacy. The National Strategy for Trusted Identities in Cyberspace has put privacy front and center in its ID efforts. For a number of years the Federal Trade Commission has aggressively pursued cases against companies violating their own privacy policies. This enforcement has been strong enough that at least the larger firms are working hard not to be next. And the good news on the executive order is that its focus is on information sharing from the government to the private sector.
But whether it is the screening devices at airports, the increasing collection of telephone transactional data, or government access to everything from business records to library loans with a simple National Security Letter (and without judicial oversight), there is ample reason for the public to doubt the U.S. government's commitment to privacy. Which is why this otherwise excellent document has some ways to go.
What's missing? For a start, there are no governing principles in the document. Consider how the Department of Defense has responded to concerns about its role in protecting the cyber world. While General Keith Alexander, director of the NSA and head of U.S. Cyber Command, does not want to be pinned down as to where his power ends, Secretary of Defense Leon Panetta was very clear about DoD's role in cybersecurity. The Secretary said that protecting the nation against cyberwar "does not mean that the Department of Defense will monitor citizens' personal computers. We're not interested in personal communication or in e-mails or in providing the day to day security of private and commercial networks. That is not our goal. That is not our job. That is not our mission."
The current executive order, however, discusses process but not principles. The president may have the same intentions as Secretary Panetta, but such protections must be clearly spelled out. Where does it say that communications monitored will only be used to prevent active harm to computer systems? That personal communications will only be monitored by the government if there is a wiretap order?
The executive order must be backed by explicit actions. That includes an active Privacy and Civil Liberties Oversight Board and a permanent DHS Officer for Civil Rights and Civil Liberties.
As for Congress's upset with the order, that has more to do with pique than content. For years the legislative body has dilly-dallied on cybersecurity. Now the president has preempted them. That's not a good reason to oppose the order -- but it is a good reason for Congress to get behind cybersecurity. Support NIST in its efforts (fund the program!), get explicit commitments from the administration on civil-liberty protections, insist on annual reporting on the same, and conduct oversight to ensure the framework's intent is actually followed. That oversight work is important -- and Congress should do it.
This executive order hits the right points. It puts responsibility for the cybersecurity framework within the Department of Commerce, which can work with private industry; it focuses on sector-specific solutions; it promises timely reviews of the cybersecurity framework; and it puts risk and cost-effectiveness first in determining protections. Strengthen the federal procurement and civil-liberties aspects, and we have a working cybersecurity plan here.
It's about time.