White House Cyber Executive Order: Interpretive English Language Translation & Summary

NovaBlogger Jack “@sintixerr” Whitsitt, a local expert on national critical infrastructure protection issues, published this article last weekend while we were all enjoying ShmooCon. With his permission we are cross-posting it here. This post is the first of two that nicely summarize the Executive Order that Obama issued last week.

#####

A section-by-section translation of the EO based on my own interpretation, designed to get through all of the heavy government language to the spirit of what each section is attempting to convey. Some of this might be wrong, but I think I’ve hit the substance. Will refine over time:

Important to remember: an EO can’t change existing law or responsibilities.

Sec. 1-3

Fluff

Sec. 4. Cybersecurity Information Sharing

a) The US Government will pass more (unclassified) information than it already does, and from more sources, to the private sector faster, so that industry can better protect itself.

b) More about the rapid dissemination of these reports, but now mentions the ability to disseminate limited classified reports.

c) The government will enhance a new program (previously announced) to provide classified threat and technical information to qualified critical infrastructure companies (including commercial service providers who work with critical infrastructure).

d) The intel community will speed up processing of security clearances for private sector companies with critical infrastructure.

e) Since actually becoming a fed is hard, and because not everyone wants to, there are initiatives going on – which the EO directs to be hurried/expanded – to allow private citizen subject matter experts to come under temporary service.

Sec. 5. Privacy and Civil Liberties Protections

a) Agencies already have privacy/civil liberty offices and procedures in place. They must make sure any action they take in regard to the EO is done using those offices and procedures.

b) DHS must formally verify on a recurring basis that 5(a) is indeed happening.

c) When DHS reports on this, it will consult with OMB (to provide another layer of oversight).

d) Private entity information will be protected by the most protective interpretation of the law.

Sec. 6. Consultative Process

The government will engage with private sector stakeholders on all aspects of the EO and will utilize mechanisms that already exist and are currently being used to collaborate with industry on cyber security and critical infrastructure – particularly those outlined in HSPD-7 and DHS’s National Infrastructure Protection Plan.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

a) NIST will lead the development of a framework to reduce risks to critical infrastructure from cyber systems. The framework speaks to the process of reducing risk. The framework is intended to make sure business efforts, policy efforts, and technical efforts are aligned and working together. The framework will incorporate existing standards and best practices as much as possible (clarification: NIST has said here that they mean interoperability/common frame of reference type standards, not performance or measurability focused standards. I.e., the intent of the standards is to help everyone work together.)

b) The framework is *process focused* and intended to deal with the fact that this is the real world; its goal is to work collectively to figure out the best ways to reduce risk – the process is the focus, not the results. “The journey is the destination.” The framework will include ways to measure how well organizations are participating in the process.

c) The framework will explicitly include ways to protect business interests and civil liberties.

d1) This process will be as inclusive as possible. Government is required to show up to the table and to engage industry as much as industry is willing to participate.

d2) The government will provide outcome goals for the framework based on criticality determinations made in section 9 (the intricacies of this are a bit out of scope for this review. Suffice it to say that there is already existing work being done here and existing processes already in use that will most likely be used to fulfill this requirement.) This is assigned to the heads of relevant agencies, which means it’s a performance criterion for those individuals, which means it will get done.

e) A preliminary version of the framework will be done in 240 days, the final version in a year.

f) The process of engagement and the validity of approaches will be reviewed regularly for appropriateness in addressing cyber security.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program

a) There will be a program (outreach & engagement?) to encourage the private sector to adopt the framework process.

b) The agencies already on the hook for industry engagement for critical infrastructure (sector specific agencies – SSAs – under HSPD-7 and the National Infrastructure Protection Plan – NIPP) will use their existing mechanisms (like CIPAC) to reach out to industry on a sector by sector basis and address sector specific risks and concerns.

c) The Sector Specific Agencies will let the president know annually how this is all going – is industry participating or not?

d) The government will try to create additional value for industry to participate.

e) The government will try to figure out how – or if it even makes sense – to adjust its procurement and contracts to use/fit in with the framework.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk

a) Within 150 days, DHS will determine, based on potential national consequences from a cyber attack, what infrastructure is critical. This speaks to a consultative process (as described in section 6) that the government will use to identify what the framework and the rest of the Order is aimed at. I’ve been working within one industry for some time using a version of the process that will be used here. The process uses business-function driven risk analysis to determine priorities: Critical Functions -> Value Chain -> Supporting Cyber Infrastructure -> Program level vulnerabilities -> Scenarios to be protected against. Ish.

b) The sector specific agencies will, in line with their existing role, provide DHS with enough information to make these determinations. The EO assigns this to the heads of the sector specific agencies in particular, and so it is a performance criterion for them. This tends to mean it will get done.

c) Owners and operators of critical infrastructure will be confidentially notified of their status as critical infrastructure, and there will be a mechanism for them to ask to be reconsidered.

Sec. 10. Adoption of Framework

(Read: Potential Regulation)

a) Agencies that can currently regulate will look at any new information provided by the preliminary framework and determine whether the way they are currently handling regulation is sufficient based on framework-identified risks (my note here: TSA has, in the past, declined to regulate because industry was actively participating already. This directive does not make future regulation a given).

b) If current regulation isn’t sufficient, regulatory agencies will propose actions.

c) Within two years, agencies will work with owners and operators to determine whether any new regulation is ineffective or excessively burdensome, and will make recommendations for relief/changes.

d) DHS will help out any agencies that don’t have the technical cyber qualifications to do this effectively.

e) Regulatory agencies that aren’t sector specific agencies should consult with everyone and get on board, too.

Sec. 11. Definitions

(These speak for themselves. Read them without translation.)

(a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Cross-posted from Jack Whitsitt: Art and Security in Washington, DC.

#####

Today’s post pic is from GovInfosecurity.com. See ya!

9 comments for “White House Cyber Executive Order: Interpretive English Language Translation & Summary

  1. February 20, 2013 at 11:05 pm

    #NoVABlogger White House Cyber Executive Order: Interpretive English Language Translation & Summary http://t.co/1I1UlEicWM

  2. February 20, 2013 at 11:37 pm

    #NOVABLOGGER: White House Cyber Executive Order: Interpretive English Language Translation … http://t.co/YYuGHtNmvW http://t.co/cYHF0lcT4I

  3. February 21, 2013 at 3:37 am

    White House Cyber Executive Order: Interpretive English Language Translation & Summary: NovaBlogger Jack Whitsit… http://t.co/O1ugIbU24X

  4. Thomas
    February 21, 2013 at 9:56 am

    The most important section wasn’t mentioned – section 12; it basically states that all the above is contingent upon funding being available. In other words, unless there is additional funding from Congress, none of this will really happen. Some of the stuff may happen because agencies move money around, but with sequestration funding cuts that is unlikely.

  5. February 21, 2013 at 10:11 am

    It’s actually happening already and has been happening. Extensive prep work has been done, working groups are forming, and the first public workshops from NIST kick off in April.

  6. February 22, 2013 at 1:03 pm

    Get a section-by-section breakdown of the Executive Order – see our post for more info http://t.co/in4MP1jLVZ

  7. February 22, 2013 at 7:02 pm

    Get a section-by-section breakdown of the Executive Order – see our post for more info http://t.co/DiW3Yja5qG

  8. February 23, 2013 at 2:02 pm

    Get a section-by-section breakdown of the Executive Order – see our post for more info http://t.co/rJYl6AQM1Q

  9. February 23, 2013 at 3:45 pm

    “@novainfosec: section-by-section breakdown of Cyber Executive Order – see post for more info http://t.co/kONzhqE0SN” – non-legalese summary
