Eric A. Fischer
Senior Specialist in Science and Technology
Edward C. Liu
Specialist in Terrorism and National Security
Catherine A. Theohary
Analyst in National Security Policy and Information Operations
The federal role in cybersecurity has been a topic of discussion and debate for over a decade. Despite significant legislative efforts in the 112th and 113th Congress, no major legislation on this topic has been enacted since the Federal Information Security Management Act (FISMA) in 2002, which addressed the security of federal information systems. In February 2013, the White House issued an executive order designed to improve the cybersecurity of U.S. critical infrastructure (CI). Citing repeated cyber-intrusions into critical infrastructure and growing cyberthreats, Executive Order 13636, Improving Critical Infrastructure Cybersecurity, attempts to enhance security and resiliency of CI through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned CI, as well as use of existing federal regulatory authorities.
Entities posing a significant threat to the cybersecurity of critical infrastructure assets include cyberterrorists, cyberspies, cyberthieves, cyberwarriors, and cyberhacktivists. E.O. 13636 attempts to address such threats by, among other things,
• expanding to other CI sectors an existing Department of Homeland Security (DHS) program for information sharing and collaboration between the government and the private sector;
• establishing a broadly consultative process for identifying CI with especially high priority for protection;
• requiring the National Institute of Standards and Technology to lead in developing a Cybersecurity Framework of standards and best practices for protecting CI; and
• directing regulatory agencies to determine the adequacy of current requirements and their authority to establish additional requirements to address the risks.
Among the major issues covered by the unenacted legislative proposals in the 112th Congress, E.O. 13636 mainly addresses two: information sharing and protection of privately held critical infrastructure. It does not provide exemptions from liability stemming from information sharing, which would require changes to current law. Several of the legislative proposals included such changes. With respect to protection of critical infrastructure, the provisions on designation of CI and identification of relevant regulations are related to those in some legislative proposals.
In the 113th Congress, some bills would provide explicit statutory authority for information-sharing and framework activities similar to those in the executive order.
The issuance of E.O. 13636, as with many other executive orders, raises questions about whether the order exceeds the scope of the President’s authority, in relation to the constitutional separation of powers and validly enacted legislation. While answers to those questions are complex, the executive order specifies that implementation will be consistent with applicable law and that nothing in the order provides regulatory authority to an agency beyond that under existing law.
Overall, response to the executive order appears to be cautiously optimistic. Given the absence of comprehensive cybersecurity legislation, some security observers contend that the order is a necessary step in securing vital assets against cyberthreats. Others have argued, in contrast, that it offers little more than do existing processes, that it could make enactment of a bill less likely, or that it could lead to government intrusiveness into private-sector activities, for example through increased regulation under existing statutory authority. It appears to be too early in the implementation of the order to determine how such concerns will be addressed and whether the responses will satisfy critics and skeptics.
Date of Report: November 8, 2013
Number of Pages: 22
Order Number: R42984