Voice of the Industry
69, Mar 2013, ISSN
Finance & Legal Edition

In This Issue: Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry; Current Legal Trends And Contract Issues For Data Center Development And Leasing; Eating A Cable: Internet Access Still Elusive In Cuba
In This Issue...

Exordium, Wayne Nielsen
News Now
Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry, Kent Bressie & Madeleine Findley
Eating A Cable: Internet Access Still Elusive In Cuba, Yoani Sanchez
Advancements of Plough Technology, Dr. Paul Davison
Financing A Submarine Cable System, Jim Lemberg
Advertiser Index
Coda, Kevin G. Summers
Current Legal Trends And Contract Issues For Data Center Development And Leasing, Andrew D. Lipman
Back Reflection, Stewart Ash
Conferences
Cybersecurity Developments Raise Growing Regulatory Concerns For Undersea Cable Industry

Kent Bressie & Madeleine Findley
For the past decade or so, the U.S. Government has escalated its oversight of infrastructure security and information security of undersea cable systems and services. It has designated undersea cables as critical infrastructure, imposed new requirements for initial licensing and mergers and acquisitions, required reporting of deployed equipment, software, outages, and restoration arrangements, and even tried to influence procurements of equipment and software. Most of these initiatives were ad hoc and specific to undersea cables. All of these measures increased the costs of doing business for operators and suppliers.

With news of cyberattacks increasingly making front-page headlines, and with many governments already moving to counter such attacks, the United States has now acted to adopt broad cybersecurity measures for U.S. communications infrastructure, including but not specific to undersea cables. These new measures will add to existing regulatory burdens and threaten to create new regulatory uncertainties and tensions in existing commercial relationships. These measures pose a particular risk to undersea cable operators, as neither the undersea cable industry nor many of the agencies that regularly regulate undersea cables are identified expressly as stakeholders or decisionmakers for the development and implementation of those measures.

In this article, we describe the U.S. Government's recent cybersecurity initiatives, outline issues of concern for the undersea cable industry, and make some preliminary recommendations for enhancing cable protections while minimizing regulatory burdens.

1. Executive Order and Presidential Policy Directive

On February 12, 2013, U.S. President Barack Obama issued a broad Executive Order [1] designed to enhance physical and cybersecurity protections for critical infrastructure. The President also issued a Presidential Policy Directive ("PPD") [2] to implement the Executive Order. The PPD provides for increased coordination between government and industry regarding physical and cyber security, and resilience of critical infrastructure, noting, in particular, the vital role that communications networks play in such infrastructure.

The Executive Order and PPD define critical infrastructure as systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. This definition clearly encompasses undersea cable systems, although neither the Executive Order nor the PPD references them specifically.

The Obama Administration has long contemplated issuing an Executive Order and PPD due to concerns about cyber risks and Congress's inability to enact comprehensive cybersecurity legislation. This Executive Order and PPD create an initial cybersecurity framework, and U.S. regulatory agencies have begun the process of developing and implementing the framework's objectives. The potential for Congressional action still exists and may be increased as a result of the Administration's actions.

WASHINGTON, DC - JANUARY 25: U.S. President Barack Obama addresses a Joint Session of Congress while delivering his State of the Union speech January 25, 2011 in Washington, DC. During his speech Obama was expected to focus on the U.S. economy and increasing education and infrastructure funding while proposing a three-year partial freeze of domestic programs and $78 billion in military spending cuts. (Photo by Chip Somodevilla)

[1] Executive Order No. 13,636, Improving Critical Infrastructure Cybersecurity, 78 Fed. Reg. 11,739 (Feb. 19, 2013).
[2] Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013),

The Executive Order and PPD direct the Department of Homeland Security ("DHS") and the National Institute for Standards and Technology ("NIST") to, among other things: create policies and procedures to increase information sharing about cyber threats; develop a Cybersecurity Framework to reduce risk to critical infrastructure; and create a voluntary, incentives-driven cybersecurity program for critical infrastructure to share threat information with the U.S. Government. The Executive Order and PPD provide little specific information about how DHS and NIST will fulfill their new obligations, or the degree to which they will consult with industry stakeholders in designing the Cybersecurity Framework or cybersecurity information-sharing program.

The Executive Order includes the following key provisions:

Information Sharing. The Executive Order directs federal government agencies to share unclassified reports of cyber threats with U.S. companies. It also requires DHS to provide classified government cyber threat and technical information to eligible critical infrastructure companies.

Framework to Reduce Cyber Risk to Critical Infrastructure. The Executive Order requires NIST to work with industry to develop a set of industry best practices (the "Cybersecurity Framework") to reduce cyber risks to critical infrastructure. A preliminary version of the Cybersecurity Framework is due within 240 days of the Executive Order and a final version within one year.

Regulatory Review. The Executive Order directs federal agencies to review their regulations and propose new authority as needed to address current and projected cyber risks to critical infrastructure. The PPD designates DHS as the sector-specific agency for the communications sector, subject to consultations with the FCC.

Identifying Critical Infrastructure. Within 150 days, DHS must identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic consequences. DHS must confidentially notify owners and operators of critical infrastructure that they appear on the list, and listed entities will have an opportunity to appeal their identification as high-risk critical infrastructure.

The PPD includes the following key provisions:

DHS to Take Lead Role. As in the Executive Order, the PPD designates DHS as the primary authority in coordinating the federal government's actions to improve the security of critical infrastructure. The PPD instructs DHS to establish and operate two national critical infrastructure centers, one for physical infrastructure and one for cyber infrastructure.

Directives to FCC. The PPD instructs the FCC to identify communications infrastructure and communications-sector vulnerabilities and to work with industry to address those vulnerabilities. The PPD also instructs the FCC to work with industry to develop best practices to promote the security and resilience of critical communications-sector infrastructure. Because the FCC is an independent regulatory agency, however, the PPD is not binding on the FCC.

Information Sharing. The PPD requires all levels of government and critical infrastructure owners and operators to timely exchange information on threats and vulnerabilities, including information that allows for the development of a situational awareness capability during incidents.

2. Issues of Concern to the Undersea Cable Industry

The undersea cable industry should be concerned about a number of aspects of the regulatory program established by the Executive Order and PPD. These include:

Mismatch Between Decisionmaking Responsibility and Expertise. The regulatory processes established by the Executive Order and PPD could result in inappropriate or overly burdensome regulation because regulatory responsibility for undersea cables is diffuse, and many of the agencies that play a role in regulating undersea cables have not been identified formally as decision-making agencies. The Executive Order and PPD identify DHS as the sector-specific agency responsible for developing and implementing the Cybersecurity Framework and cybersecurity information-sharing program for the communications sector. The PPD directs the Federal Communications Commission ("FCC"), the principal licensing agency for undersea cables landing in the United States pursuant to the Cable Landing License Act of, to partner with DHS to the extent legally permitted. But the President and his Administration can only request but not require FCC action, as the FCC is answerable to the Congress as an independent regulatory agency.
Even for Executive Branch agencies, however, the processes do not expressly include agencies such as: the U.S. Department of State (which coordinates Executive Branch input on cable landing license applications filed with the FCC and plays a key role in defending undersea cable treaty rights and freedoms from encroachment by other governments); the National Telecommunications and Information Administration; the U.S. Army Corps of Engineers (which authorizes the installation of undersea cables in the navigable waters of the United States and in coastal estuaries pursuant to the Rivers and Harbors Act of 1899 and the Clean Water Act); and the U.S. Navy (which plays a key role in cable protection initiatives and works closely with the State Department in protecting treaty rights and freedoms). Most of these agencies are not even identified as stakeholders in the Executive Order or PPD. Even within DHS, the agency component most versed in undersea cable issues, the Office of Policy, which acts for DHS in the Team Telecom process, resides in a completely different part of DHS from the National Programs and Protection Directorate, which holds primary responsibility for cybersecurity matters.

U.S.C ; 47 C.F.R

Mandatory in All but Name. Although the program is supposedly voluntary, the Executive Order requires agencies to report annually on which owners and operators are participating (a "name and shame" provision) and encourages agencies to devise incentives to encourage participation. In practice, program participation will be all but mandatory.

New Requirements for Sales to Government Customers. The Department of Defense ("DOD") and the General Services Administration ("GSA") must also recommend how to incorporate the program into federal procurement processes, further underscoring the essentially mandatory nature of the program. Federal law already requires industry to provide cybersecurity information to GSA and DOD. The Executive Order, however, is likely to increase ongoing reporting obligations for federal contracts and to create new compliance risks. These requirements would apply to capacity sales to U.S. Government agencies, including the Defense Information Systems Agency.

Absence of Liability Protections. The cybersecurity information-sharing program contains no liability protection for industry. To obtain such protection, the Congress would need to pass legislation.

Disparate Burden on Infrastructure Owners. The Executive Order creates obligations regarding both physical and virtual or cyber infrastructure, but excludes from its scope commercial information technology products or consumer information technology services. As a result, the Executive Order clearly reaches physical network and infrastructure providers, but may not clearly reach edge, application, and over-the-top providers. Undersea cable owners and operators may find themselves subject to additional regulatory compliance requirements that do not apply equally to customers or end-users, and for which they may be unable to recover costs. The Executive Order thus may complicate commercial arrangements between network or physical infrastructure providers and edge or over-the-top providers, and create ambiguity about cybersecurity obligations and accountability.

3. Initial Implementation Steps by NIST and DHS

NIST began preparing for implementation of the Executive Order and PPD long before the White House issued final versions of those documents, thereby underscoring the need for early industry engagement. On February 12, 2013, NIST and DHS entered into a Memorandum of Agreement ("MOA") that sets forth their collaboration plan for cybersecurity issues. Under the MOA, NIST agrees, among other things, to enable DHS participation in NIST-led engagements with industry. DHS agrees to consult with NIST on the metrics it intends to use to measure the effectiveness of cybersecurity programs.

On February 26, 2013, NIST published in the Federal Register a Request for Information ("RFI") [4] to stakeholders, including critical infrastructure owners and operators, asking them to share: (1) current cybersecurity risk management practices; (2) current use of existing cybersecurity standards and best practices; and (3) specific industry practices concerning, among other things, encryption and key management, asset identification and management, and security engineering practices. Stakeholders may submit responses to the RFI until April 8,

[4] NIST, Developing a Framework to Improve Critical Infrastructure Cybersecurity, 78 Fed. Reg. 13,024 (Feb. 26, 2013).

4. Congressional Initiatives

Congressional action on cybersecurity remains likely. In the immediate wake of the President's action, Representatives Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) reintroduced the Cyber Intelligence Sharing and Protection Act ("CISPA"), which passed the House but not the Senate in the last Congress. The House Permanent Select Committee on Intelligence held a hearing on the bill on February 14, 2013, and the Secretary of Homeland Security testified before a hearing of the Senate Committee on Homeland Security and Governmental Affairs on cybersecurity issues on March 7, Before passing any legislation, however, Congress must first resolve several key contentious issues, including whether to mandate specific cybersecurity standards or provide liability protection to industry. Representative Mike McCaul (R-Tex.), chairman of the House's Homeland Security Committee, and Senator Tom Carper (D-Del.), chairman of the Senate's top homeland security committee, have both expressed their intent to push for legislation in the coming months. [5]

[5] See, e.g., Rep. Michael McCaul, Opinion, Hardening Our Defenses Against Cyberwarfare, Wall St. J., Mar. 6, 2013, available at SB html; Rep. Michael McCaul, Statement, Legislation Needed to Bolster Cybersecurity Executive Order, Feb. 12, 2013, available at gov/ press-release/legislation-needed-bolster-cybersecurity-executive-order.

5. Preliminary Recommendations for Industry Involvement

Given the risks and uncertainties of the processes established by the Executive Order and PPD, we think it important for the undersea cable industry to take several actions. First, the industry should participate actively in the standards-development and other implementation proceedings already begun by various U.S. Government agencies, including the NIST RFI and stakeholder meetings. Second, it should continue to monitor and influence cybersecurity legislation.
If possible, it should consider introducing other cable-protection elements in such legislation, including an increase in the statutory penalties for cable damage and a broader definition of cable damage. Third, it should engage proactively with U.S. Government agencies, the U.S. Congress, and other stakeholders to share information about existing industry cybersecurity efforts and the impact of proposals for new or additional compliance requirements. Fourth, it should take any and all opportunities to remind the U.S. Government and other stakeholders of the critical importance of undersea cable infrastructure and services to the U.S. economy and national security. Fifth, it should remind the U.S. Government and other stakeholders that infrastructure protection, and undersea cable protection in particular, involves more than just malicious threats. In fact, other natural and human activities pose greater day-to-day risks to undersea cable infrastructure.

Given the number of entities involved and the timelines provided in the Executive Order, agencies likely will feel significant pressure to act quickly. The undersea cable industry should therefore plan to engage quickly and proactively with DHS, NIST, and the other key entities in order to ensure that the policies and procedures created do not result in overly burdensome or costly reporting and compliance obligations. Its first opportunity is to participate in the NIST-led effort to develop a Cybersecurity Framework. Additionally, industry may benefit from engaging, either individually or as part of industry coalitions, with regulatory agencies, including DHS, the FCC, and others, and with legislative bodies, including the U.S. Congress, to share information about the cybersecurity efforts already underway and the impact of proposals for new or additional compliance requirements.

Kent Bressie is a partner with the law firm of Wiltshire & Grannis LLP in Washington, D.C., and heads its international practice. An expert on telecommunications regulation and international trade and investment, he has extensive experience with the range of legal and regulatory issues affecting undersea cables, including licensing and permitting; national and cyber security, export controls, and economic sanctions; transaction and investment reviews; market access; corporate and commercial transactions; and the law of the sea. He has represented undersea cable operators, suppliers, and investors in connection with projects on six continents.

Madeleine Findley is a partner with Wiltshire & Grannis LLP in Washington, D.C., and practices principally in the area of telecommunications law.
She regularly advises undersea cable operators and suppliers on a wide variety of legal and regulatory issues arising from cross-border operations.