Finally. President Barack Obama signed the long-awaited
executive order on cyber security today. As expected, the order expands
information-sharing programs between the government and private sector and
establishes voluntary cyber security best practices for critical infrastructure
providers -- though the administration plans to use its
leverage to strongly encourage compliance.
One of the order's main provisions calls for the National
Institutes of Standards and Technology to work with the private sector to
identify a set of cyber security best practices that can be turned into a
"Cybersecurity Framework" that critical infrastructure firms would use to
ensure they are defended against cyber attack. A senior administration official
said this afternoon that this framework, due one year from today, "is not
designed to be a one size fits all approach" and will "not lock in specific
technology or approaches."
NIST and other government agencies will work with businesses
that have proven to be the best at cyber security to help develop these
practices. "We believe that companies driving cyber security innovations are
really in the best place to help us push out best practices across more of the
critical infrastructure and companies would have a lot of flexibility in
determining how to do so," said the official. "This is about taking the
existing best practices and spreading them out to as many of the critical
infrastructure companies as we can."
The Department of Homeland Security will form an
organization to push out these standards to critical infrastructure providers.
DHS, DoD and other government agencies will develop incentives, in
collaboration with the private sector, to coax critical infrastructure
companies into adhering to those standards, since they are officially
"There's a whole range of" incentives that have been
suggested, added the official, mentioning the recommendations of the Commission
for Cyber Security and the 44th Presidency as some examples.
Possible incentives could include government contracts, according
to the official. Government agencies have 120 days from now to come up with
In addition to the incentives, the order also has "teeth,"
according to the official. It calls for federal agencies to review their
regulations for industries they oversee to make sure they apply to cyber
security. If critical infrastructure providers don't live up to the minimal
best practices that emerge in the Cybersecurity Framework, the agencies could
find a way to make them.
"It makes business sense to [adopt these practices] in a lot
of cases, and that's something that a lot of businesses are starting to
understand," said the official. "What we want to make sure of with our
direction to our federal regulators is that, if for some reason that market
signal isn't getting through as clearly or as loudly as we would like, that
there's the backstop of the federal regulators to make sure those companies
that are in this critical infrastructure [sector] . . . are really putting into
the baseline levels of cyber security."
In other words, the administration believes the market will
demand better cyber security, and it is going to provide incentives to
encourage better practices. But if those approaches don't work, it will use its
regulating power to ensure that various critical infrastructure businesses
adhere to minimal standards, added the official.
"We're giving multiple avenues for either incentives to be
created in the voluntary program and for market forces to work, but we're also
putting in place the ability and the direction for the regulators to use their
existing authority, if needed" to make sure critical infrastructure businesses
adhere to minimal standards, said the official.
The order defines critical infrastructure providers as
companies and organizations with "systems and assets, whether physical or
virtual, so vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any combination of
those matters." The senior administration official said the White House expects
this to amount to a very small number of private businesses.
The order also calls for increased information sharing about
cyber threats between government agencies like the Defense Department, the Department
of Justice, the Intelligence Community, and the Department of Homeland Security.
One of the ways this will be done is by expanding the Pentagon's DIB Pilot
program, which allows the government to rapidly share information
on cyber threats aimed at defense contractors with those companies.
As expected, DHS will have the lead on information sharing
and is required to come up with a plan to ensure that civil liberties are
protected. The order does not provide liability protections for companies that
improperly share private citizens' information with the government or that
violate antitrust laws in the course of sharing information. Those issues will
have to be addressed by cyber security legislation, said the official. The
order also calls for an expansion in the number of critical infrastructure
workers who may receive classified briefings on cyber threats.
White House officials today said the information shared
under the executive order would be specific digital threat signatures -- strings
of ones and zeros -- that can identify pieces of malware aimed at critical
infrastructure providers, not the contents of people's email. The order calls for
numerous privacy protections and reviews when information is shared to make sure
that information about private citizens or companies is not inappropriately used.
The privacy protections involved "will be based upon the Fair Information
Practice Principles," reads the document.
Here's a copy of the executive order:
White House Cybersecurity Executive Order