Obama Announces Signing of Cybersecurity Executive Order and Policy Directive

U.S. President Barack Obama, flanked by Vice President Joe Biden and House Speaker John Boehner (R-OH), delivers his State of the Union speech before a joint session of Congress at the U.S. Capitol February 12. (Photo: Getty Images)

President Barack Obama was expected to sign an executive order to improve the nation’s cybersecurity, and some have already criticized it. On Tuesday he also issued a Presidential Policy Directive on infrastructure security.

The new directive updates the Homeland Security Presidential Directive issued in 2003. It came with the president’s State of the Union address Tuesday, which touched on cyberattacks and defense and announced his signing of the executive order.

“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Obama said during his evening address.

“Proactive and coordinated efforts are necessary for us to strengthen and maintain secure, functioning, and resilient critical infrastructure – including the assets, networks, and systems that are vital to public confidence and the Nation’s safety, prosperity, and well-being,” the press release issued by the White House’s Office of the Press Secretary read.

Given that the owners and operators of critical infrastructure are in the best position to manage risks and decide upon the best strategies to make them secure, this new directive seeks to strengthen the alliance between that sector and local, state, federal and tribal governments by:

  • Refining and clarifying functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience;
  • Enabling effective information exchange by identifying baseline data and systems requirements for the Federal Government; and
  • Implementing an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

Going forward from here, the press release stated, an assessment will be conducted of the existing public-private partnership involving critical infrastructure and recommendations will be made for how it can be improved for national security. A plan will also be established to ensure efficient information flow from the federal government to industry stakeholders, as well as development of “a situational awareness capability.”

As for the executive order, Obama said in his State of the Union address that it is meant to “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.” He also urged Congress to pass legislation that would “give our government a greater capacity to secure our networks and deter attacks.”

Under the president’s new order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cybersecurity risks. The package must include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks.

Officials will also come up with incentives the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cybersecurity standards should be considered when the department makes contracting decisions.

The administration was limited by law in what it could include in an executive order. But the order also calls for agencies to review their existing regulations to determine if the rules adequately address cybersecurity risks.

Here’s more about the executive order from Wired:

The order still allows the private sector to share information with the government, but references established safeguards — such as the Fair Information Practice Principles — for protecting the privacy of customers whose information is shared and also carries some built-in limitations for the kind of information that companies will likely share. The order requires DHS’s chief privacy officer and its officer for civil rights and civil liberties to assess the privacy and civil liberties risks of the programs.

Civil liberties advocates praised the executive order in this regard, but said they will withhold judgment until they see how the information-sharing gets played out in practice.

“A lot of what this shows is that the president can do a lot without cybersecurity legislation,” said Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, who points out that the executive order satisfies the need for information sharing without the privacy problems that existed under legislative proposals, where loopholes would have allowed companies to dump large amounts of data on the government in an effort to obtain legal immunities. Without those immunities, companies will by nature be more circumspect about what they provide the government, thus limiting what they hand over, Jaycox said.

Not everyone is pleased with the executive order, as we pointed out in an earlier post. Some lawmakers believe that Congress’s failure so far to pass cybersecurity legislation does not justify the president taking action on his own.

“I think in general it means (the U.S.) will advance the case of cybersecurity, and that’s important,” said Paul Smocer, the head of the technology policy division at The Financial Services Roundtable, a powerful lobbying group that represents the nation’s biggest banks. “How much teeth versus how much gum there is, we’ll see.”

Take a look at the full executive order from Wired here.

The Associated Press contributed to this report.