Finally. President Barack Obama signed the long-awaited executive order on cyber security today. As expected, the order expands information-sharing programs between the government and private sector and establishes voluntary cyber security best practices for critical infrastructure providers -- though the administration plans to use its leverage to strongly encourage compliance.
One of the order's main provisions calls for the National Institute of Standards and Technology to work with the private sector to identify a set of cyber security best practices that can be turned into a "Cybersecurity Framework" that critical infrastructure firms would use to ensure they are defended against cyber attack. A senior administration official said this afternoon that this framework, due one year from today, "is not designed to be a one size fits all approach" and will "not lock in specific technology or approaches."
NIST and other government agencies will work with businesses that have proven to be the best at cyber security to help develop these practices. "We believe that companies driving cyber security innovations are really in the best place to help us push out best practices across more of the critical infrastructure and companies would have a lot of flexibility in determining how to do so," said the official. "This is about taking the existing best practices and spreading them out to as many of the critical infrastructure companies as we can."
The Department of Homeland Security will form an organization to push out these standards to critical infrastructure providers. DHS, DoD and other government agencies will develop incentives, in collaboration with the private sector, to coax critical infrastructure companies into adhering to those standards, since they are officially voluntary.
"There's a whole range of" incentives that have been suggested, added the official, mentioning the recommendations of the CSIS Commission on Cybersecurity for the 44th Presidency as some examples.
Possible incentives could include government contracts, according to the official. Government agencies have 120 days from now to come up with these incentives.
In addition to the incentives, the order also has "teeth," according to the official. It calls for federal agencies to review their regulations for industries they oversee to make sure they apply to cyber security. If critical infrastructure providers don't live up to the minimal best practices that emerge in the Cybersecurity Framework, the agencies could find a way to make them.
"It makes business sense to [adopt these practices] in a lot of cases, and that's something that a lot of businesses are starting to understand," said the official. "What we want to make sure of with our direction to our federal regulators is that, if for some reason that market signal isn't getting through as clearly or as loudly as we would like, that there's the backstop of the federal regulators to make sure those companies that are in this critical infrastructure [sector] . . . are really putting into the baseline levels of cyber security."
In other words, the administration believes the market will demand better cyber security, and it is going to provide incentives to encourage better practices. But if those approaches don't work, it will use its regulating power to ensure that various critical infrastructure businesses adhere to minimal standards, added the official.
"We're giving multiple avenues for either incentives to be created in the voluntary program and for market forces to work, but we're also putting in place the ability and the direction for the regulators to use their existing authority, if needed" to make sure critical infrastructure businesses adhere to minimal standards, said the official.
The order defines critical infrastructure providers as companies and organizations with "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The senior administration official said the White House expects this to amount to a very small number of private businesses.
The order also calls for increased information sharing about cyber threats between government agencies like the Defense Department, the Department of Justice, the Intelligence Community and the Department of Homeland Security. One of the ways this will be done is by expanding the Pentagon's Defense Industrial Base (DIB) pilot program, which allows the government to rapidly share information on cyber threats aimed at defense contractors with those companies.
As expected, DHS will have the lead on information sharing and is required to come up with a plan to ensure that civil liberties are protected. The order does not provide liability protections for companies that improperly share private citizens' information with the government or that violate antitrust laws in the course of sharing information. Those issues will have to be addressed by cyber security legislation, said the official. The order also calls for an expansion in the number of critical infrastructure workers who may receive classified briefings on cyber threats.
White House officials today said the information shared under the executive order would be specific digital threat signatures -- strings of ones and zeros -- that can identify pieces of malware aimed at critical infrastructure providers, not the contents of people's email. The order calls for numerous privacy protections and reviews when information is shared to make sure that information about private citizens or companies is not inappropriately used. The privacy protections involved "will be based upon the Fair Information Practice Principles," reads the document.