By Jochai Ben-Avie, Michael Carbone, and Katherine Maher
On Tuesday, February 12, US president Barack Obama released a long-anticipated executive order on US cybersecurity. The order, first floated in 2012 following the failure of the US Congress to advance meaningful cybersecurity legislation, addresses processes “to improve cybersecurity information sharing” and to “collaboratively develop and implement risk-based standards” for owners and operators of “critical infrastructure.”
The order sets out provisions for sharing critical threat information from government to the private sector, but potentially establishes a foundation for later bidirectional sharing of sensitive information. Its vague categorization of what constitutes critical infrastructure limits transparency on threat reduction, and may hinder confidence building measures intended to mitigate cyber conflict. It offers some civil liberties protections, but doesn’t go far enough.
We’ll focus on where it may be good in the short term (at least compared to proposed legislation such as CISPA), but why it may be harmful–both for privacy and actual security of critical infrastructure–in the long term.
Defining critical infrastructure
The executive order is explicit in its purpose of “improving critical infrastructure cybersecurity,” but nowhere does the executive order identify what infrastructure is considered critical. Rather, Section 2 broadly recognizes critical infrastructure as meaning “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters,” a categorization so broad as to defy clear definition.
There are existing catalogues of critical infrastructure, including the US 2003 Homeland Security Presidential Directive (HSPD-7), released during the George W. Bush administration. However, this order does not appear to build on this work.
Instead, Section 9 (a) empowers the Secretary of Homeland Security to “use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects” on the areas cited in Section 2, and calls for that ‘risk-based approach’ to be developed through a consultative process. That consultation group is defined in Section 6 as including the “Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.” The order does not define the transparency or reporting of those consultations, nor does it specifically offer avenues for engaging civil society or the technical community.
Interestingly, Section 9 (a) also explicitly excludes “commercial information technology products or consumer information technology services” from core critical infrastructure. Previous critiques of the US cybersecurity approaches have centered on the relative priority of consumer platforms as critical infrastructure as opposed to sectors such as energy or water, as well as charges that major technology companies have pushed for government involvement in cybersecurity as a means of outsourcing private sector cybersecurity defenses to government. This exclusion somewhat mitigates those critiques. However, as classification of information remains the purview of the executive branch, government still may share information with these major tech firms as it sees fit.
Limited transparency provisions
Other than this exemption, however, the order does not provide mechanisms to ensure transparency on what sectors or infrastructure would be considered ‘critical.’ In fact, Section 9 (c) instructs the Secretary of Homeland Security that, following identification of critical infrastructure through the consultative process, DHS is to undertake ‘confidential’ notification of the owners and operators of that infrastructure.
Section 7 instructs the Director of the National Institute of Standards and Technology to create a ‘Framework’ for mitigating risks to critical infrastructure, and directs that this occur within an “open public review and comment process,” based in part on inputs from the consultative group created in Section 6. However, without clarity about what infrastructure requires defense, this ‘open’ process is unlikely to be truly transparent.
Some will argue that transparency and explicit definition of critical infrastructure would constitute an invitation to adversaries. However, it is more likely that lack of transparency on cybersecurity may inhibit the process of developing clear redlines for international engagement. Former US Assistant Secretary of Defense for International Affairs, Franklin Kramer, has argued that increasing transparency:
“may create international norms of behavior both with respect to possible partners and potential adversaries. For the first group, it offers the prospect of information and assistance. For the potential adversaries it may create shared learning possibly leading to two conclusions: first, that there may be useful areas of collaboration—even though there is not universal agreement; and, second, that there may be good reasons to limit cyber use in order to avoid inadvertent generation of conflict and/or escalation.”
As the United States continues to push ahead in developing guidance and rules of engagement for cyberspace, it should include confidence-building measures with transparency at their core.
Information flows and sharing
The crux of the current US discourse on cybersecurity is about the role of information sharing between governments and the private sector–and what impact that may have on privacy rights and civil liberties of citizens.
The primary purpose of the executive order is to provide a mechanism which explicitly directs this information flow from government to the private sector, and does not create pathways for private sector information to flow to government. This has led civil liberties groups like the ACLU to commend the order as “embracing privacy principles.”
This is also one of the primary differences in information sharing processes between the executive order and the 2011/2012 proposed Cyber Intelligence Sharing and Protection Act (CISPA). CISPA would have first permitted information sharing from the private sector to the government, and then facilitated information sharing among government agencies–without restrictions on whether that information was used for cybersecurity purposes or, say, law enforcement–creating potential for gross privacy violations¹.
In order to initiate this information sharing, Section 4 (a) of the executive order lays out a directive for the US Attorney General, the US Department of Homeland Security, and the US Director of National Intelligence to each issue instructions for the “production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity,” to be shared with the owners and operators of critical infrastructure. This order is in line with executive powers on classification and information sharing.
However, a different reading of the order finds this unidirectional approach may pave the way for bidirectional information sharing in the future.
As noted above, Section 7 instructs the Director of the National Institute of Standards and Technology to create a ‘Framework’ for mitigating risks to critical infrastructure. Section 10 (b) offers a mechanism for the various agencies involved to review that Framework, and assess whether its ‘regulatory requirements’ are sufficient. Should the agencies ‘deem’ existing provisions insufficient, this may enable the consultative group, established in Section 6, to make recommendations on systems for mutual information sharing.
Furthermore, provisions of Section 9 (b), which enables information sharing from agencies to the Department of Homeland Security in order to identify infrastructure at risk, may provide a framework for sharing of information among agencies, absent oversight or due process.
Limited privacy oversight
Much has been made of the fact that the order includes a four-point section on Privacy and Civil Liberties protections. It is heartening to find references to Fair Information Practice Principles, and privacy and civil liberties must be a fundamental part of any cybersecurity approach.
However, the order does not go far enough. Section 5 (b) grants oversight for privacy and civil liberties to the Department of Homeland Security Office for Civil Rights and Civil Liberties, requiring an impact report within one year of the release of this executive order. Section 5 (c) directs that report to be written in conjunction with the Privacy and Civil Liberties Oversight Board (PCLOB), a woefully under-resourced entity with a history of Congressional neglect.
Furthermore, the order gives authority to the same DHS office which, just last week, finally released an impact assessment (executive summary, not the full report) nearly three years overdue, assessing years of warrantless and suspicionless searches of electronic devices at the US border. They found these searches to have no negative civil liberties or privacy impacts², and recommended the practice continue. The ACLU has filed a Freedom of Information Act request for the full report.
And, despite assurances that the order is designed to only facilitate information sharing from government to the private sector, Section 5 (d) makes it clear that when the private sector chooses to share information, it will be protected: “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.”
Along with Section 8 (d), which outlines authority for the Department of Homeland Security to create “incentives” for participation in the information sharing program, Sections 5 (d) and 8 (d) underscore the potential for future privacy-infringing information sharing practices. Indeed, some previous versions of CISPA defined ways to maintain the ‘voluntariness’ of the program, adding safeguards against retaliation by the government for a company’s decision not to ‘participate.’ No such safeguards are mentioned in the EO.
Finally, there are questions as to whether information sharing is in fact the solution for cybersecurity threats–never mind the actual extent of those threats. Numerous critiques of US cybersecurity have identified vulnerabilities that lie beyond the scope of regulation: social engineering, internetworked systems, and known but unremediated system vulnerabilities. These threats are better addressed through industry standards and norms at the sectoral and institutional level than through executive decree or legislation on information sharing.
Some positives, but a worrying precedent
Although the executive order is focused on unidirectional government sharing of cybersecurity threat information to private industry actors, it potentially establishes a foundation for later bidirectional sharing of sensitive information. The lack of transparency around the definition of critical infrastructure limits transparency and accountability on frameworks for risk reduction, and obstructs the development of confidence building measures intended to mitigate cyber conflict.
The order does provide some positive protections for privacy and civil liberties, most notably a commitment to the Fair Information Practice Principles. Importantly, the order lays out civilian (as opposed to military or intelligence) oversight for sensitive information, an improvement upon previous legislative proposals. However, it places this authority in the hands of the Department of Homeland Security and the Privacy and Civil Liberties Oversight Board–institutions that have done nothing to distinguish themselves as rights defenders. On the whole, privacy rights and civil liberties are left largely unsecured.
While transparent sharing of information between government and the private sector can be useful in protecting cybersecurity in certain instances, this single-minded focus detracts from larger underlying threats facing critical infrastructure industries. Rather than attempt to order or legislate critical national resources into line, future action should instead focus on creating incentives and processes to resolve known vulnerabilities in a timely fashion, improve security architecture by design, remove key infrastructure from the internet itself, and foster greater international dialogue on best practices and communication of cyber conflict red lines. Until then, these efforts are insufficient to meet the actual cybersecurity and cyber-resilience issues faced by critical infrastructure industries.
¹The original November 2011 version of CISPA would have enabled companies to indiscriminately share personally identifiable information (PII) with the government. Once shared, the bill placed no restrictions on the sharing of that information among government agencies or the use of that information for purposes other than cybersecurity. These concerns were only partially addressed by a package of amendments from bill co-sponsor Congressman Mike Rogers and Congressman Ben Quayle.