OBS IRIS Merlin

IRIS 2013-4:1/28

United States

Executive Order “Cyber-security Framework” Signed by President


Jonathan Perl

New York Law School

On 12 February 2013, the President of the United States of America (“President”) signed an executive order (“Order”) that directs federal agencies to develop a voluntary “Cybersecurity Framework to help owners and operators of critical infrastructure in the United States identify, assess, and manage cyber risk” (“Framework”). The Order, which seeks to protect all “physical or virtual assets” that are “so vital to the United States that their incapacity or destruction […] would have a debilitating impact on security, national economic security, or national public health or safety,” comes on the heels of a failed attempt by Senate Democrats to pass a similar cyber-security bill (S. 3414) in the summer of 2012. While the President explained that he was prompted to issue the Order because of Congressional inaction, he acknowledged in his 2013 State of the Union address that Congressional action is still needed.

The Order directs the National Institute of Standards and Technology (“NIST”), with the Department of Homeland Security (“DHS”) and the sector-specific federal agencies (“Participating Agencies”), to publish a preliminary Framework within 240 days of the date of the Order. The Order and the Framework together must provide: (1) an initial list of ‘critical infrastructure’, identified by the DHS using a “risk-based approach” that applies “consistent, objective criteria,” (2) voluntary consensus standards, (3) industry best-practices that “align policy, business, and technological approaches,” (4) incentives to promote participation in the voluntary programme and (5) recommendations on how the Participating Agencies can build in privacy and civil liberties protections. Participating Agencies must review their existing regulatory requirements against the preliminary Framework to determine whether those requirements are sufficient given the “current and projected risks” and whether the agency has clear authority to establish requirements. If an agency finds its regulatory requirements insufficient or that additional authority is required, it must propose “prioritized, risk-based, efficient, and coordinated actions.” Within two years of the release of the final Framework, which itself must be issued within one year of the date of the Order, Participating Agencies must report to the Office of Management and Budget whether any critical infrastructure is “subject to ineffective, conflicting, or excessively burdensome requirements,” and issue “recommendations for minimizing or eliminating such requirements”.

The Order was widely praised by the Democrats. The Senate Majority Leader hailed it as a “decisive action” that addresses gaps in cyber-security protection. However, it was received with skepticism by Republicans, who argued that the President had exceeded his authority by bypassing Congress and that the Order will “stifle innovation, burden businesses, and fail to keep pace with evolving cyber threats.” The Republican-controlled House of Representatives therefore introduced a more limited cyber-security bill (H.R. 624) shortly after the Order was issued. Concerns were also raised about the voluntary nature of the standards. A partner at Sidley Austin LLP explained that the standards may become quasi-mandatory in practice because the “…independent agencies may make these standards actually or practically mandatory for significant sectors of the economy.” A partner at Steptoe & Johnson LLP echoed that concern, explaining that the voluntary standards may in effect set the standard of care for cyber-security negligence claims, because “government standards” are used to “rebut claims of negligence.”

References

Executive Order (“Improving Critical Infrastructure Cybersecurity”) of 12 February 2013 EN
http://merlin.obs.coe.int/redirect.php?id=16353

Cyber-security bill of the Senate Democrats (S. 3414) of 19 July 2012 EN
http://merlin.obs.coe.int/redirect.php?id=16355

Cyber-security bill of the House of Representatives (H.R. 624) of 13 February 2013 EN
http://merlin.obs.coe.int/redirect.php?id=16356