In a landmark announcement in the nation’s fight against cyber threats, President Obama on Tuesday signed a long-awaited cybersecurity executive order that asks organizations protecting critical infrastructure to voluntarily share threat information with the United States government.
The executive order mirrors in many ways the Cybersecurity Bill of 2012 that twice failed to get through the Senate last year and was recently reintroduced to the 113th Congress.
“Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity,” the order states. “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
It continues, the “national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
The executive order calls for an increased information-sharing program between the federal government and the private sector and establishes the National Institute of Standards and Technology as one of the federal government’s leaders in the cyber fight.
The order had been rumored as late as last year, but was voted down, due in part to strong opposition from the U.S. Chamber of Commerce, which felt it put unnecessary burdens on the private sector.
As did the legislation, the order calls for voluntary information sharing and creates a framework for that to be done.
The Obama administration also issued a Presidential Policy Directive on Tuesday on critical infrastructure security and resilience that updates the national approach from Homeland Security Presidential Directive 7, issued in 2003. The PPD adjusts to a new risk environment and includes key lessons learned over the past decade.
The executive order calls for the following actions:
- Defense industrial base information sharing program now open to other sectors: The order expands the voluntary enhanced cybersecurity services program, enabling near-real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts, the White House said. The order requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner.
- NIST takes a bigger role. NIST will lead development of a cybersecurity framework. According to the White House, the agency will work collaboratively with critical infrastructure stakeholders to develop the framework by relying on existing international standards. Within 240 days of the date of this order, the director shall publish a preliminary version of the cybersecurity framework for review and public comment.
- Establishes a voluntary program to promote the adoption of cybersecurity information sharing: The Department of Homeland Security will work with sector-specific agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the cybersecurity framework and to identify incentives for adoption.
- A review of existing cybersecurity regulation. Regulatory agencies will use the cybersecurity framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the cybersecurity framework.
- Cybersecurity information sharing. Within 120 days of the date of this order, the U.S. attorney general, the secretary of Homeland Security, and the director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of the order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.
- Identification of Critical Infrastructure at Greatest Risk. Within 150 days of the date of this order, the secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
- Adoption of Framework. Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, the Office of Management and Budget, and the national security staff to review the preliminary cybersecurity framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks.