On Tuesday, Feb. 12, President Obama signed an executive order on cybersecurity -- an order that aims to increase cyber defenses of our nation's critical infrastructure, improve information sharing about cyberthreats between the public and private sectors, and establish a framework of cybersecurity best practices.
There has been talk of such an order since August 2012, following the Cybersecurity Act's failure to pass in Congress. Obama signaled he may invoke his power of executive order to pass similar legislation, and on Sept. 19, 2012, Homeland Security Secretary Janet Napolitano said the executive order on cybersecurity was “close to completion.”
But it wasn't quite ready back then, and the White House worked on crafting the order for the last several months, The Hill reported.
Then, during Obama's State of the Union address the evening of Feb. 12, he referenced the severity of cyberattacks.
"We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets," Obama said during his address. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems."
He also referenced the executive order's recent signing, and then called upon Congress to act.
"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. That’s why, earlier today, I signed a new executive order that will strengthen our cyberdefenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy," Obama said. "Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
According to The New York Times, the order will allow companies that oversee infrastructure such as dams, electrical grids and financial institutions to join an experimental program that provides real-time reports about cyberthreats. Companies will also be given advice to follow to prevent attacks. The executive order further specifies that government agencies that play a role in cybersecurity will have their responsibilities more clearly defined.
Finally, the U.S. Department of Homeland Security and the National Institute of Standards and Technology [NIST] will work with industry to develop a framework for cybersecurity standards for critical infrastructure entities, said James Arden Barnett Jr., former chief of the FCC's Public Safety and Homeland Security Bureau and senior vice president for the Potomac Institute for Policy Studies' National Security Policy.
"The process run by the National Institute of Standards and Technology will incorporate the thoughts, best practices and methodologies of companies and stakeholders from every critical infrastructure sector," said Barnett, who is now a partner and co-chair of telecom in the law firm Venable, working in its cybersecurity practice. "This process will result in voluntary industry standards, best practices and methods for cybersecurity, but in doing so, America may come to expect a level of performance for cybersecurity of each company within that sector."
The NIST process, Barnett said, is designed to solicit industry and stakeholder participation. "And companies and associations would do well to monitor and participate in the process," he said, adding that an NIST request for information will be issued shortly, with workshops to follow as soon as April 2013.
And the executive order will not do everything, Barnett said. It does not grant federal agencies and departments any new powers. It is not a substitution for legislation, which is why the Obama administration is still pushing for Congress to pass a cybersecurity bill.
"Everyone acknowledges that legislation will be necessary to do what is effective," he said. "That includes providing protections for companies to share information, limitations of liability for protecting their networks, privacy protections for customers and stakeholders, addressing supply chain threats and ensuring that agencies have the authority needed to prevent and prosecute cybercrime."
And members of Congress in both the House and Senate either have reintroduced -- or plan to reintroduce -- similar legislation in this congressional session, according to InformationWeek. But at least this is a start.
"Since no one is able to predict when legislation for effective cybersecurity will pass, the [executive order] is a reasonable start," Barnett said. "But it is just a start to the process."