the installation of undersea cables in the navigable waters of the United States and in coastal estuaries pursuant to the Rivers and Harbors Act of 1899 and the Clean Water Act); and the U.S. Navy (which plays a key role in cable protection initiatives and works closely with the State Department in protecting treaty rights and freedoms). Most of these agencies are not even identified as stakeholders in the Executive Order or PPD. Even within DHS, the agency component most versed in undersea cable issues—the Office of Policy, which acts for DHS in the Team Telecom process—resides in a completely different part of DHS from the National Programs and Protection Directorate, which holds primary responsibility for cybersecurity matters.

• Mandatory in All but Name. Although the program is supposedly “voluntary,” the Executive Order requires agencies to report annually on which owners and operators are participating—a “name and shame” provision—and encourages agencies to devise incentives to encourage participation. In practice, program participation will be all but mandatory.

• New Requirements for Sales to Government Customers. The Department of Defense (“DOD”) and the General Services Administration (“GSA”) must also recommend how to incorporate the program into federal procurement processes—further underscoring the essentially mandatory nature of the program. Federal law already requires industry to provide cybersecurity information to GSA and DOD. The Executive Order, however, is likely to increase ongoing reporting obligations for federal contracts and to create new compliance risks. These requirements would apply to capacity sales to U.S. Government agencies, including the Defense Information Systems Agency.

• Absence of Liability Protections. The cybersecurity information-sharing program contains no liability protection for industry. To obtain such protection, the Congress would need to pass legislation.

• Disparate Burden on Infrastructure Owners. The Executive Order creates obligations regarding both physical and virtual or cyber infrastructure, but excludes from its scope “commercial information technology products or consumer information technology services.” As a result, the Executive Order clearly reaches physical network and infrastructure providers, but may not clearly reach edge, application, and over-the-top providers. Undersea cable owners and operators may find themselves subject to additional regulatory compliance requirements that do not apply equally to customers or end-users, and for which they may be unable to recover costs. The Executive Order thus may complicate commercial arrangements between network or physical infrastructure providers and edge or over-the-top providers, and create ambiguity about cybersecurity obligations and accountability.

3. Initial Implementation Steps by NIST and DHS

NIST began preparing for implementation of the Executive Order and PPD long before the White House issued final versions of those documents, thereby underscoring the need for early industry engagement.

On February 12, 2013, NIST and DHS entered into a Memorandum of Agreement (“MOA”) that sets forth their collaboration plan for cybersecurity issues. Under the MOA, NIST agrees, among other things, to enable DHS participation in NIST-led engagements with industry. DHS agrees to consult with NIST on the metrics it intends to use to measure the effectiveness of cybersecurity programs.

On February 26, 2013, NIST published in the Federal Register a Request for Information (“RFI”) [4] to stakeholders, including critical infrastructure owners and operators, asking them to share: (1) current cybersecurity risk management practices; (2) current use of existing cybersecurity standards and best practices; and (3) specific industry practices concerning, among other things, encryption and key management, asset identification and management, and security engineering practices. Stakeholders may submit responses to the RFI until April 8, 2013.

4. Congressional Initiatives

Congressional action on cybersecurity remains likely. In the immediate

[4] NIST, Developing a Framework to Improve Critical Infrastructure Cybersecurity, 78 Fed. Reg. 13,024 (Feb. 26, 2013).