The Executive Order, “Improving Critical Infrastructure Cybersecurity,” and the Presidential Policy Directive (“PPD”), “Critical Infrastructure Security and Resilience,” signed by President Obama on February 12, 2013, raise the stakes in the national debate over cybersecurity requirements and seem likely, if not designed, to provoke a legislative response. Industry has good reason to pay attention.
Although worded in terms of “consultation” and “voluntary” adoption of a yet-to-be-developed cybersecurity framework, the Executive Order also calls for federal agencies to consider incentives, including changes to the federal acquisition regulations, for encouraging adoption of the framework. It requires agencies to report on the extent to which the private sector is complying with the framework. And, most significantly, the Executive Order directs agencies to “determine if current cybersecurity regulatory requirements are sufficient given current and projected risks;” to report on “whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required;” and, if current regulatory requirements are deemed to be “insufficient,” to “propose prioritized, risk-based, efficient, and coordinated actions . . . to mitigate cyber risk.”
This is a dramatic change from President Obama’s first pronouncement on cybersecurity just five months after taking office. On May 29, 2009, the President promised to avoid security regulations even though he acknowledged that “the vast majority of our critical information infrastructure in the United States is owned and operated by the private sector.” Nevertheless, in 2009 he was adamant that his administration would “collaborate with industry to find technology solutions,” rather than “dictate security standards for private companies.” Following President Obama’s announcement at that time, some business leaders celebrated having “dodged the bullet” of new regulation, but after four years of increasing vulnerabilities and successful attacks against some of the United States’ largest and most tech-savvy companies, it is clear that regulation is back on the table after the release of the Executive Order.
Of course, it is not clear that the Administration can go far down the road of imposing cybersecurity requirements on industry without legislation. In repeated statements over the past five months, Administration spokespeople and cybersecurity experts have argued that congressional action was necessary. In last Tuesday’s State of the Union address, the President himself called on Congress to “act . . . by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” It remains to be seen whether Congress will take up the invitation, but it is hard to imagine that it will leave a topic as important and as headline-worthy to the administration alone. After all, no elected official wants to appear weak on security.
A second interesting feature of the Executive Order and PPD are their continuing focus on “critical infrastructure” and the integration of physical and cyber security concepts. This aspect of the Executive Order represents a clear update to the previous approach to critical infrastructure identification, prioritization and protection set forth in the Bush Administration’s Homeland Security Presidential Directive 7, published in 2003. As detailed in the PPD accompanying the Executive Order, “critical infrastructure” includes virtually the entire economic infrastructure of the United States (the PPD lists: Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology, Nuclear Reactors, Materials, and Waste, Transportation Systems, and Water and Wastewater Systems). The breadth of the critical infrastructure concept is intended to allow for companies with common infrastructure and security concerns to collaboration and coordinate with appropriate government organizations regarding cybersecurity issues. While a useful organizational construct, it will require further evaluation and update, as called for by the PPD.
Finally, the alphabet soup of agencies in the Executive Order and PPD again raise the troubling question of who is in charge when it comes to cybersecurity in the federal government. The two documents give responsibilities to all of the federal cabinet agencies and other specialized agencies, with surprisingly no mention of the White House Cybersecurity Coordinator, a position the Administration created less than four years ago. The Department of Homeland Security (“DHS”) seems to be given the greatest number of new tasks and responsibilities, but there has been no public discussion of budget or personnel to carry out those tasks—at DHS or elsewhere, which is an issue that clearly will need to involve Congress.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code