Federal News Radio’s Jason Miller reports that he’s seen a draft of the executive order on cybersecurity. What he describes is quite plausible:
- The order creates a council chaired by DHS to coordinate the mission. This provision would be a defeat for the business lobbyists who fought to keep DHS from getting a central cybersecurity role in legislation — and who will now have little say in the drafting of the order.
- Within 90 days, the DHS-led council will propose which agencies will take responsibility for which parts of the infrastructure. Lots of log-rolling to be expected there, all of it scheduled to be completed before the end of the administration’s first term.
- DHS is also assigned to identify within 60 days the critical infrastructure owners who’ll be asked to participate in a voluntary cybersecurity framework. Again, business lobbyists had persuaded Congress to construct elaborate restrictions on who would be considered part of the critical infrastructure; all of those restrictions are now up for grabs and many will likely fall away as the administration creates facts on the ground that even a future Congress will find it hard to undo. A provision promising that first amendment protections will apply to designations of critical infrastructure is cold comfort – mainly because it’s meaningless.
- The DHS-led council is instructed to develop a mitigation framework in 90 days and to put it out for comment in 180 days. Note that the first deadline will fall after the election and the second after the inauguration.
- The council is next instructed to create a program to encourage companies to adopt the cybersecurity framework. Public disclosure of who is participating and who is not participating is one option.
- The order contemplates other possible incentives, such as acquisition preferences, for products and services meeting voluntary standards; it even asks the council to explore liability protections and to report on what could be done in this area within 120 days.
- Federal cybersecurity is addressed briefly; DHS is specifically authorized to identify other agencies whose infrastructure is critical and to move them toward compliance. The chairs (and would-be chairs) of non-homeland committees are the losers here, since this undercuts their ability to keep DHS off “their” agencies’ turf.
- Industry would be asked to submit information voluntarily about cyberthreats; and DHS would conduct privacy assessments of the data collection effort. This looks like an expansion of authority for the DHS chief privacy officer, but what’s more significant is that the administration apparently hopes to find something that it can do about the information sharing restrictions in aging privacy laws. In the past, it has treated the old laws as serious barriers to sharing that would have to be legislatively removed. It’s possible that the administration is rethinking this view.
On the whole, this looks like a surprisingly focused document. I rather expected a more political document bulked out with unneeded but popular filler about cybersecurity research and FISMA, but apparently none of that made the cut. As my comments suggest, I suspect that DHS is the big winner, and the Chamber of Commerce the big loser, if the order is issued in this form.