On Tuesday, President Barack Obama signed a new executive order meant to safeguard the United States’ critical infrastructure from cyber attack. Announced during the State of the Union, the order, Improving Critical Infrastructure Cybersecurity, lays down a plan to create guidelines and standards for how to better defend the nation against cyber intrusions.
The order will improve American cybersecurity in two key ways.
First, it expands on the cyber threat information sharing that is already conducted through the Enhanced Cybersecurity Services program. This program was established to ensure that some critical areas of US infrastructure, run by private interests, are kept informed about potential cyber attacks. With the new order, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall each issue instructions to “ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.” These reports are then available to all areas of critical infrastructure in the US, helping them guard against identified risks.
Second, the order directs the National Institute of Standards and Technology to create a Cybersecurity Framework. This framework “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” Once created, this framework will be used to help the private sector operators of infrastructure “identify, assess, and manage cyber risk.” This framework will be created through an open process, subject to public review and comment, and will be advised by the Secretary of National Security and Director of National Intelligence, as well as other relevant agencies, to ensure that relevant “vulnerability information” and “technical expertise” are significant inputs towards creating the framework.
Through this program, Obama is taking clear steps to improve the country’s cyber preparedness, something that Congress has repeatedly tried and failed to do for a number of years. The order falls within the realm of the executive branch’s power, meaning that the plans within should begin to be enacted soon.
Despite the clear plans laid out in the order, there is a significant risk that it could all end up being a lot of hot air. As this is an executive order and not an act of Congress, it does not carry the weight of law behind it. Rather, all programs laid out within the order relating to the private sector, especially the Cybersecurity Framework, are purely voluntary programs that privately owned infrastructure cannot be compelled to adopt. The Secretaries of Homeland Security, the Treasury, and Commerce will each make suggestions for incentives to encourage adoption of the framework, but there is no telling whether those incentives will be good enough to ensure that most private infrastructure operators choose to adopt it.
At the very least, the order proves that Obama does take American cybersecurity seriously, a stance that some questioned when he threatened to veto the Cyber Intelligence Sharing and Protection Act (CISPA) last year. An order like this ensures that something is being done and should help grease the wheels for actual legislation from Congress later this year.