DHS Announces Petition for Review Process for Critical Infrastructure Classifications
April 17, 2014. The Department of Homeland Security's (DHS) National Protection and Programs Directorate published a notice in the Federal Register (FR) that announces that it has made determinations that contain classifications of critical infrastructure in which "a cybersecurity incident could reasonably result in catastrophic regional or national effects", and sets the process challenging such determinations.
This FR notice states that the deadline to submit petitions for reconsideration, and all accompanying materials, is May 15, 2014. See, FR, Vol. 79, No. 74, April 17, 2014, at Pages 21780-21782.
This FR notice does not include any of the following words or terms: "hearing", "impartial decision maker", "discovery", "confrontation", or "judicial review".
These determinations subject the listed owners and operators to heightened government regulation. The DHS did not disclose which businesses, or what infrastructure, it intends to subject to this heightened regulatory regime.
The DHS developed its initial list last July. This DHS notice states that this list will be reviewed and updated annually.
President Obama issued an Executive Order (EO) titled "Improving Critical Cybersecurity Infrastructure" on February 13, 2013. It states, at Section 9(a), that the DHS "shall ... identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."
Then, Section 9(c) states that the DHS "shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination."
It adds that the DHS "shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section."
The just published item in the FR discloses that the DHS has made its secret Section 9(a) determinations, and that owners and operators who received the secret notices may file Section 9(c) petitions for reconsideration pursuant to the procedure set forth in this FR item.
The Congress has not enacted legislation giving the President general authority to regulate cyber security related business practices. The House passed major legislation in both the 112th and 113th Congresses intended to improve cyber security. For the 112th Congress, see HR 3523 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act of 2011". For the current Congress, see HR 624 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act".
However, the Senate has passed neither bill, and President Obama opposes such legislation. See, Executive Office of the President (EOP) statement and story titled "Obama EOP Opposes CISPA" in TLJ Daily E-Mail Alert No. 2,379, April 24, 2012. Moreover, these bills would not give the President the authority that he is now exercising by administrative fiat.
See also, story titled "Obama Signs Cyber Security Order and Policy Directive" and related stories in TLJ Daily E-Mail Alert No. 2,525, February 19, 2013.
(Published in TLJ Daily E-Mail Alert No. 2,640, April 16, 2014.)