By Nickolas Milonas, Marc Martin, and Paul Stimers
In the wake of recent cyber attacks on US banks, newspapers, and government agencies, President Obama signed an executive order to strengthen the nation’s cyber defenses and protect its critical infrastructure. The President announced the executive order during Tuesday’s State of the Union address, noting the order aims to increase “information sharing” between government and industry and to develop “standards to protect our national security, our jobs, and our privacy.”
The executive order directs federal agencies to facilitate the real-time exchange of cyber threat information with companies that operate “critical infrastructure” components. The order defines critical infrastructure as “systems . . . so vital to the United States that the incapacity . . . of such systems . . . would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The order excludes “commercial information technology products or consumer information technology services” (e.g., Facebook, Twitter, and other social media platforms) from the definition of “critical infrastructure” components.
The order also directs the Commerce Department’s National Institute of Standards and Technology (NIST) to work with companies that operate critical infrastructure components in developing a set of cybersecurity best practices within 240 days of the order. The order requires that NIST’s framework be “technology neutral” and focused on “cross-sector security standards and guidelines applicable to critical infrastructure.” As part of this process, federal agencies will need to review their existing cybersecurity regulations, in consultation with the industries they regulate, to determine if existing measures are consistent with NIST’s new standards.
Notably, the order further directs agencies to implement privacy and civil liberties protections as part of their cyber activities, in accordance with existing laws and privacy principles. Federal agencies will need to assess the privacy impacts of their work under the order, and findings will be available in an annual report compiled by the Department of Homeland Security.
Response to the executive order has been mixed. The American Civil Liberties Union responded favorably in a release, noting its support for the order’s emphasis on privacy and civil liberty protections. A group of Republican Senators, however, issued a statement noting that the order could not achieve the “balanced approached” accomplished by legislation, and called for the crafting of legislation through “regular order” without “adding or prompting regulations that could discourage innovation and negatively impact our struggling economy.”
Since the executive order was signed, there has been considerable movement and attention in the cybersecurity arena. On Wednesday, House Republicans reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA, the controversial legislation that passed the House and failed in the Senate last year, would allow companies to share information with the government for national security purposes without requiring the implementation of measures to reduce exposure of sensitive information. Representative Mike McCaul (R-TX), Chairman of the House’s Homeland Security Committee, issued a statement criticizing the executive order for “open[ing] the door to increased regulations” and pledged to introduce legislation of his own that would complement CISPA and “enhance coordination between the private sector and government.” Finally, the Government Accountability Office (GAO) released its annual report today on “high-risk areas” within the federal government. Cybersecurity made the GAO’s list, and the report notes a steep increase in cyber incidents and highlights widespread information security weaknesses across the federal government.