Obama Issues Cybersecurity Executive Order

President Calls on Congress to Enact IT Security Legislation

February 12, 2013.

President Obama has signed the long-awaited executive order directing the U.S. federal government to share cyberthreat information with critical infrastructure owners. The order also requires the government to work with business to develop IT security best practices that infrastructure owners could voluntarily adopt.

In his State of the Union address, Obama said America must face the rapidly growing threat from cyber-attacks. "We know hackers steal people's identities and infiltrate private e-mail," the president said. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

"That's why, earlier today, I signed a new executive order that will strengthen our cyberdefenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy. But now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should get done on a bipartisan basis."

'Down Payment'

Senior administration officials, in a briefing held hours before Obama's Feb. 12 address, said the president issued the executive order because lawmakers failed to enact significant IT security legislation in the 112th Congress. One senior administration official characterized the executive order as a "down payment" toward more comprehensive cybersecurity legislation.

"At this point, the prospect for [passage of] a bill remains uncertain, and given the level of risk, the administration is in a position where it has to take some action," the senior administration official said. "I want to emphasize the point that an executive order is not a substitute for legislation, and it's not the end of a conversation. In fact, it's actually really just a continuation of it."

Preventing Catastrophic Events

The executive order applies to critical infrastructures in which a cyber-incident could have a catastrophic impact on public health or safety, economic security or national security. The order charges the homeland security secretary with leading a process that uses a risk-based approach to determine which businesses should be deemed critical infrastructure.

Entitled Improving Critical Infrastructure Cybersecurity, the executive order:

  • Creates new, real-time information sharing programs that would provide American companies with classified and unclassified cyberthreat information. The order establishes procedures to expedite the processing of security clearances for appropriate personnel employed by critical infrastructure operators.
  • Directs the National Institute of Standards and Technology to collaborate with industry to develop a framework of cybersecurity best practices to reduce risk to critical infrastructure. The framework would rely on existing international standards, practices and procedures that have proven to be effective. One example of a best practice would be the use of authentication in identifying those who could gain access to high-risk systems. Infrastructure owners would not be compelled to adopt the framework.
  • Requires strong privacy and civil liberties protections based on the Fair Information Practice Principles, widely accepted guidelines to assure that practices are fair and provide adequate privacy protections.
  • Establishes a voluntary program to promote the adoption of the cybersecurity framework. The Department of Homeland Security will work with sector-specific agencies such as the Department of Energy and the sector coordinating councils to develop a program to assist companies with implementing the cybersecurity framework and to identify incentives for adoption.
  • Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the cybersecurity framework to assess their cybersecurity regulations, determine if existing requirements are sufficient and whether any existing regulations can be eliminated as no longer effective.

One-Way Sharing

Follow Eric Chabrow on Twitter: @GovInfoSecurity
