Executive Order 13636: Improving Critical Infrastructure Cybersecurity

On February 12, 2013, President Obama issued Executive Order 13636 (“EO”): “Improving Critical Infrastructure Cybersecurity” in response to “[r]epeated cyber intrusions into critical infrastructure.  The order expands information sharing, including classified information, between the government and the private sector to enhance “the security and resilience of the Nation’s critical infrastructure.”  [1] This is done through expansion of the Enhanced Cybersecurity Services program, which is a voluntary information sharing program that “supplements existing services and commercial capabilities with U.S. Government cyber threat information.” [2]

Critical Infrastructure are “assets . . . so vital to the United States that the incapacity or destruction of such . . . assets would have a debilitating impact on security, national economic security,” and “national public health or safety”. [3] (emphasis added). The Department of Human Services (“DHS”) is also tasked with identifying critical infrastructure assets, and required to “confidentially notify owners and operators of critical infrastructures.” [4] DHS must consider information submitted by owners and operators and update the list annually. [5]

A subset of sectors are collectively called the “lifeline sectors”, which include Energy, Water, Transportation, and Telecommunications, because of dependencies on these by other sectors, and thus need to be prioritized. [6] North American Electric Reliability Corporation (“NERC”), for example, is a self-regulatory non-government organization that has raised concerns regarding “Critical Cyber Assets” and cyber attacks since 2009. [7] NERC enforces compliance to its Critical Infrastructure Protection, which was designated by the Federal Energy Regulatory Commission as a mandatory standard. [8]

The EO directs the National Institute of Standards and Technology to develop a cross-sector and technology neutral framework of “security standards and guidelines applicable to critical infrastructure”. [9] In a December 11, 2013 comment to the Preliminary Cybersecurity Framework, the American Hospital Association (“AHA”) recommended detailed HIPAA/HITECH requirements to be included in the final framework in order to avoid “contradictory and duplicative requirements”. [10] The AHA is collaborating with DHS, Health and Human Services (“HHS”), and other organizations within the health sector to develop “sector-specific  definitions, tools, and processes” in addition to those provided in the NIST framework. [11]

Following the review and comments period, the National Institute of Standards and Technology (“NIST”) released Version 1.0 of its Cybersecurity Framework on February 12, 2014.  The Framework did not include sector-specific HIPPA/HITECH requirements, but will be a “living” document that will be updated based on changes in technology, cyber risks, and “operation all feedback from owners and operators of critical infrastructure.”  [12]

Reports on regulatory requirements are due from agencies with regulatory responsibilities for critical infrastructure by May 13, 2014. Those agencies are also due to report on “ineffective, conflicting, or burdensome requirements by February 12, 2016.

 The Treasury Department was directed to “make recommendations on a set of incentives that would promote private sector participation in” the voluntary program developed by DHS. [13] The Treasury Report identified market failures and potential solutions to address those failures. [14] Failures relate to information including: underinvestment by companies in research because of perceived low threat or high cost, the free rider problem, “inability to assign liability to a party that has not taken sufficient security measures, legal and regulatory barriers to information sharing, and low insurance costs to high-risk cyber insurance policyholders because the insurance companies have little information on security practices of those policyholders.  The Treasury Department evaluated solutions such as government support for research, government facilitation of information sharing through regulatory requirements and incentives, and disclosure mandates by the government or private sector. [15]

DHS has long recognized unique challenges presented by the Healthcare and Public Health Sector (“HPH”) and its vulnerability to both natural and man-made threats. [16] The number of assets, such as hospitals and clinics, is relatively large compared to other sectors. [17] These assets are also owned and operated by a large number of independent organizations. [18] The HPH Sector also has to rely on other critical infrastructure for “continuity of operations and service delivery, including the Communications, Emergency Services, Energy, Food & Agriculture, Information Technology, Transportation Systems, and Water Sectors.” [19] Therefore, EO 13636 is of great value to the HPH Sector because improvements to cybersecurity in many sectors will improve resilience in the HPH Sector.

 

References:

[1] Exec. Order  No. 13636, 78 C.F.R. §11739 (2013).

[2] Enhanced Cybersecurity Services, Department of Homeland Security, https://www.dhs.gov/enhanced-cybersecurity-services

[3] Exec. Order  No. 13636, 78 C.F.R. §11739 (2013).

[4] Id.

[5] Id.

[6] Implementation of EO 13636 and PPD-21, National Infrastructure Advisory Council, (Nov. 5, 2013), http://www.dhs.gov/sites/default/files/publications/niac-eo-ppd-implementation-report-draft-v10.pdf.   

[7] Michael Assante, Letter, Critical Cyber Asset Identification, North American Electric Reliability Corporation (April 7, 2009), http://online.wsj.com/public/resources/documents/CIP-002-Identification-Letter-040609.pdf.

[8] CIP Compliance, North American Electric Reliability Corporation,http://www.nerc.com/pa/CI/Comp/Pages/default.aspx.

[9] Exec. Order  No. 13636, 78 C.F.R. §11739 (2013).

[10] Linda E. Fishman, Letter, Request for Comments on the Preliminary Cybersecurity Framework, American Hospital Association (Dec. 11, 2013), http://www.aha.org/advocacy-issues/letter/2013/131211-cl-cybersecurity.pdf.

[11] Id.

[12] Exec. Order  No. 13636, 78 C.F.R. §11739 (2013).

[13] Treasury Department Report to the President on Cybersecurity Incentives Pursuant to Executive Order 13636, Department of the Treasury, http://www.treasury.gov/press-center/Documents/Supporting%20Analysis%20Treasury%20Report%20to%20the%20President%20on%20Cybersecurity%20Incentives_FINAL.pdf.

[14] Id.

[15] Id.

[16] Fact Sheet: Executive Order (EO) 13636 Improving Critical Infrastructure Cybersecurity and President Policy Directive (PPD) – 21 Critical Infrastructure Security and Resilience, Department of Homeland Security, (March 2013), http://www.dhs.gov/sites/default/files/publications/EO-PPD%20Fact%20Sheet%2012March13.pdf

[17] Id.

[18] Id.

[19] Id.