In his first State of the Union address since the election, President Obama warned: “We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.” The President then added: “we cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Before delivering the address, President Obama signed an executive order designed to facilitate collaboration between the federal government and private companies in order to protect the nation’s critical infrastructure against cyber attacks. The order, Obama declared, would “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
By emphasizing cybersecurity in a marquee speech, President Obama responded to the renewed national attention on cybersecurity issues raised in recent weeks after revelations about security breaches of U.S. Federal Reserve computers claimed by the hacker group Anonymous, intrusions at the New York Times and the Wall Street Journal attributed to Chinese hackers, and a wave of denial-of-service attacks that disrupted the websites of U.S. banks.
In an interview with USA Today, Rep. Jim Langevin (D-RI), affirmed that “after the failure of comprehensive cybersecurity legislation last year, the need for immediate executive action was clearly apparent, and I applaud the President for taking on this difficult task.” Indeed, the order was prompted by Congress’ failure to pass cybersecurity legislation in recent years.
What does this executive order prescribe?
The executive order promotes increased information sharing about cyber threats between the government and the private companies that operate the nation’s vital infrastructure, including dams, electrical grids, nuclear plants, air traffic control systems, railway systems, and financial institutions. The directive is meant to foster collaboration and data sharing between private industry and government, providing both classified and unclassified threat information to U.S. companies that may be targeted by attackers. This is an important first step toward defending the country’s infrastructure and intellectual property proactively rather than after an intrusion has already succeeded.
The order also directs the National Institute of Standards and Technology (NIST), a federal agency, to develop a package of voluntary standards and procedures that companies should follow to reduce the risk of cyber attacks, together with a set of incentives that the government can use to encourage companies to adopt those standards. The order also more clearly defines the responsibilities of the different parts of the government that play a role in cybersecurity, and the NIST package is to include flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify and manage the risks to their networks.
What is it not?
The order does not prescribe minimum security standards for companies overseeing the nation’s critical infrastructure, it does not require businesses to tell the government when they have been hacked (even where U.S. interests are at stake), and it does not propose new and potentially onerous regulations targeting private businesses—measures nonetheless considered important by cybersecurity experts. These measures were not included in the order because an executive order is restricted to directing the activities of federal agencies; it cannot create new law, which requires Congressional approval. The order is therefore not a substitute for new cybersecurity legislation, which is still needed, and Obama himself called on Congress to follow his lead: “Now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” Obama said.
Richard Clarke, former White House cybersecurity adviser and author of the bestseller Cyber War, said that executive orders and intelligence estimates (to combat cyber espionage) aside, the U.S. in 15 years of debate on the subject still hasn’t answered the very practical questions of who exactly is in charge of stopping a cyber attack on commercial networks and at what point the government should deploy its own resources. This and other issues will hopefully be addressed during the renewed push in Congress to pass cybersecurity legislation.