GovDefenders Wednesdays | The Cybersecurity Executive Order: What You Need to Know
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.” – President Obama
Yesterday, before his fifth State of the Union address, President Obama signed a cybersecurity executive order detailing how he plans to focus on infrastructure security.
Two weeks ago, Van Ristau wrote a piece on the need for cybersecurity legislation focused on critical infrastructure. While this order doesn’t bring us as far forward as Van wanted, it’s a step in the right direction.
This is what you need to know about Improving Critical Infrastructure Cybersecurity.
Critical Infrastructure Defined
The order defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact” on the nation’s security. They include power grids, air traffic control systems, nuclear power plants, and banks.
It also specifies which companies are not considered critical: Homeland Security “shall not identify any commercial information technology products or consumer information technology services.”
To remove any doubt, the Department of Homeland Security will “confidentially notify owners and operators of critical infrastructure” that are considered important.
Sharing Is Caring
President Obama wants public-to-private cybersecurity information sharing in real time.
Within 120 days, the Department of Homeland Security, Office of the Director of National Intelligence, and the Department of Justice will release “instructions” to ensure the “timely” distribution of unclassified cyber threat reports.
The order also expands the Enhanced Cybersecurity Services program. The program shares classified cybersecurity threat information with specific private sector organizations with security clearances. It will now include infrastructure companies.
However, the flow of information won’t go both ways. Perhaps with the failure of the Cyber Intelligence Sharing and Protection Act (CISPA), which he would have vetoed, still fresh in his mind, President Obama only recommended that US agencies share information with the private sector, not the other way around. Many organizations have fought hard against legislation giving private companies legal immunity for sharing information, out of concern that it would violate consumer privacy.
However, many critical infrastructure systems are privately owned. By limiting information sharing to a one-way street, the government will remain unaware when attacks happen.
To Progress We Need Cybersecurity Standards
President Obama also focused on the need for cybersecurity standards and best practices for critical infrastructure providers. He has tasked the National Institute of Standards and Technology (NIST) with creating those standards, as well as reviewing existing cybersecurity regulations. NIST will do this by working closely with other agencies and private sector companies. He expects the Cybersecurity Framework to be finalized within a year.
However, those standards will only be recommendations and completely voluntary. The Department of Homeland Security will be responsible for directing the adoption of those standards. President Obama does recognize companies may need incentives to encourage widespread implementation. To that end, he will ask regulatory agencies to determine if developing “carrot and stick mechanisms” is needed.
What Does It All Mean
An executive order is not legislation. These are simply guidelines and a redirection for the Executive branch. It’s now up to Congress to create laws that focus on protecting our nation’s cybersecurity. Representatives are preparing the reintroduction of bills including CISPA and the Cybersecurity and American Cyber Competitiveness Act.
Until legislation is passed and the private and public sectors begin working together, our critical infrastructure systems will remain vulnerable. This is a step in the right direction; there are just many more to take.
Read the White House’s press release – Executive Order on Improving Critical Infrastructure Cybersecurity – for more information.
Interested in learning more about cybersecurity? The GovDefenders Virtual Event is a free online cybersecurity conference on April 24. Join us from your desk as experts from NetApp, Symantec, ForeScout, Red Hat, Quest Software, SolarWinds, and DLT Solutions discuss trends, best practices, and the future of public sector cybersecurity. Register today!