President Obama has signed the long-awaited executive order directing the U.S. federal government to share cyberthreat information with critical infrastructure owners. The order also requires the government to work with business to develop IT security best practices that infrastructure owners could voluntarily adopt.
In his State of the Union address, Obama said America must face the rapidly growing threat from cyber-attacks. "We know hackers steal people's identities and infiltrate private e-mail," the president said. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
"That's why, earlier today, I signed a new executive order that will strengthen our cyberdefenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy. But now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should get done on a bipartisan basis."
Senior administration officials, in a briefing held hours before Obama's Feb. 12 address, said the president issued the executive order because lawmakers failed to enact significant IT security legislation in the 112th Congress. One senior administration official characterized the executive order as a "down payment" toward more comprehensive cybersecurity legislation.
"At this point, the prospect for [passage of] a bill remains uncertain, and given the level of risk, the administration is in a position where it has to take some action," the senior administration official said. "I want to emphasize the point that an executive order is not a substitute for legislation, and it's not the end of a conversation. In fact, it's actually really just a continuation of it."
Preventing Catastrophic Events
The executive order applies to critical infrastructures in which a cyber-incident could have a catastrophic impact on public health or safety, economic security or national security. The order charges the homeland security secretary to lead a process using a risk-based approach to determine which businesses should be deemed critical infrastructure.
Entitled Improving Critical Infrastructure Cybersecurity, the executive order:
- Creates new, real-time information sharing programs that would provide American companies with classified and unclassified cyberthreat information. The order establishes procedures to expedite the processing of security clearances to appropriate personnel employed by critical infrastructure operators.
- Directs the National Institute of Standards and Technology to collaborate with industry to develop a framework of cybersecurity best practices to reduce risk to critical infrastructure. The framework would rely on existing international standards, practices and procedures that have proven to be effective. One example of a best practice would be the use of authentication in identifying those who could gain access to high-risk systems. Infrastructure owners would not be compelled to adopt the framework.
- Requires strong privacy and civil liberties protections based on the Fair Information Practice Principles, widely accepted guidelines to assure that practices are fair and provide adequate privacy protections.
- Establishes a voluntary program to promote the adoption of the cybersecurity framework. The Department of Homeland Security will work with sector-specific agencies such as the Department of Energy and the sector coordinating councils to develop a program to assist companies with implementing the cybersecurity framework and to identify incentives for adoption.
- Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the cybersecurity framework to assess their cybersecurity regulations, determine if existing requirements are sufficient and whether any existing regulations can be eliminated as no longer effective.
At the heart of the executive order is the sharing of threat information. Most of the information sharing would be one way: from government to business. That's because antitrust laws limit the type of information businesses can share with one another. Also, companies might be reluctant to share information that might prompt a lawsuit from shareholders, competitors, customers or other stakeholders. Those types of liability protections can be provided only by statute.
"There's a fairly unsubstantial list of things that you cannot do through an executive order that needs statutory changes," the senior administration official said. "That's why it is so important for us to emphasize that this is really a down payment on that legislative process and that we will need to continue to work with Congress to actually get to cybersecurity legislation."
The executive order also does not address how the federal government governs its own IT security. Legislation would be needed to update the Federal Information Security Management Act, such as eliminating the requirement for paper compliance and replacing it with an automated process to identify vulnerabilities.
Reaction to the executive order depended, in part, on party affiliation. "No executive order can possibly do what needs to be done to protect our networks and our nation," Rep. Mac Thornberry, the House Republicans' point man on cybersecurity, said in a statement. "It also cannot take the place of legislation. Strengthening cybersecurity must be collaborative and bipartisan. The only way we are going to be able to move forward is with the House, Senate and administration working together and taking steps to make progress on cybersecurity."
Sen. Tom Carper, D-Del., the new chairman of the Senate Homeland Security and Governmental Affairs Committee, characterized the executive order's voluntary framework and information sharing improvements as vital components of ensuring the security and resiliency of the nation's critical infrastructure. "I commend the administration for using existing authorities in our ongoing fight against this growing threat," said Carper, whose committee provides IT security oversight. "That being said, more action is needed to address cybersecurity and I still believe that legislation offers the best long-term solution."
Still, the senior administration official said the White House didn't see the executive order as too little, too late. "From our perspective," the official said, "we're actually moving out. This is a significant accomplishment for the administration to get this executive order out the door and get the process initiated. Yes, the best time to plant an oak tree was 50 years ago, but we are where we are. The next best time is now."