The White House moved to strengthen the security of the nation’s critical information infrastructure on Tuesday, launching initiatives that will raise significant legal questions for the nation’s biggest industries.
President Barack Obama used his State of the Union speech to announce an executive order that will allow for improved sharing of cyberthreat information between the government and private companies and develop federal standards to best deter attacks.
The order, signed earlier in the day, called upon federal agencies to review existing cybersecurity regulations and determine whether they enjoy the legal authority to require improved defenses at the nation’s critical infrastructure companies.
"We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets," Obama said during the speech. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems."
"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," Obama said, calling on Congress to pass laws to expand on the order.
Lawyers familiar with cybersecurity have been anticipating the executive order for months—ever since Congress failed to pass legislation to address cyberthreats last session. Many of the provisions will take agencies months or a year to study and then implement.
But lawyers said that key parts of the order—and an accompanying presidential policy directive—will require immediate attention from attorneys for companies in the critical infrastructure category.
For example, companies will want to be involved in the government’s discussion about that framework of best practices, which will be hashed out in a process that may take months, said James Barnett, co-chairman of Venable’s telecommunications group and a partner in the firm’s cybersecurity practice.
The framework may prove very broad or very specific. "They’re going to want their legal counsel on this because they don’t want to be on the wrong side or have the wrong standards adopted, and they’re going to want to at least have their concerns heard," Barnett said.
The executive order’s information-sharing program raises a number of legal issues, said Ted Kobus and Jerry Ferguson, co-chairmen of BakerHostetler’s privacy and data protection practice.
Under the order, businesses could enter a voluntary information-sharing program, providing information about cyberthreats to the government; in return, the government could provide classified technical information.
But the order also tells agencies to come up with incentives to lure companies into the sharing program, possibly including preferences for government contracts, Ferguson said. "If you’ve got your regulator creating incentives, it may be very difficult to say ‘No,’ " he said.
Attorneys for these companies will "have to step back and think" about what might happen to the information they share, Kobus said. Is this information going to be shared with competitors? Will it be subject to Freedom of Information Act requests? Could it open the company to liability?
Law firms are not likely to be included among businesses considered to represent critical infrastructure, such as utilities and financial services companies. But they might be affected by the executive order because they represent companies that house intellectual property and government secrets.
"Because our clients are going to be involved in that litigation, lawyers are going to be dragged into these disclosures as well," Kobus said.
The executive order cannot grant some of the things law firms and other businesses need most to help prevent cyberattacks—mainly, liability protections for sharing information about cyberattacks with the government and with each other. The White House has said that legislation is still needed to protect the nation’s key infrastructure. It is too early to tell how much change this executive order could bring when it offers no funding for the effort, said Ferguson.
"You look at the actual language of this and it’s pretty vague stuff. You can see an order like this being announced and then just disappearing," Ferguson said. "It is also possible this is going to be a watershed event in that it will be a first step toward a coordinated cybersecurity strategy."
Legislation stalled last year, in part, because Republicans were worried the bill would create new government regulations for companies, while Democrats worried about privacy concerns.
Several legislators have already filed bills and pledged to make a comprehensive cybersecurity bill a top priority, including the new chairman of the Senate Homeland Security and Governmental Affairs Committee, Senator Tom Carper (D-Del.)
Todd Ruger is a reporter for The National Law Journal, a Legal affiliate based in New York.