15 Feb 2013

Obama signs cybersecurity executive order

President Obama took two steps toward implementing administration cybersecurity policy Feb. 12 by signing an executive order establishing a security framework for privately held critical infrastructure and releasing a new presidential policy directive on critical infrastructure security.
The executive order, which administration officials began talking about last fall following the collapse of favored cybersecurity legislation in the Senate, will expand by mid-June an existing Defense Department program, started for its contractors, for the sharing of cyber threat information. The Enhanced Cybersecurity Services program should be open to "all critical infrastructure sectors" within 120 days, the order says. The Homeland Security Department announced in January 2012 that it had taken control of the program.
The order says information shared through the program will be covered by protections based on Fair Information Practice Principles and other frameworks. Concern that information shared for cybersecurity purposes could later be repurposed led many privacy advocates to oppose some cybersecurity bills in 2012. In a statement, the American Civil Liberties Union said the executive order "rightly focuses on cybersecurity solutions that don't negatively impact civil liberties."

The order also requires the National Institute of Standards and Technology to develop within one year a framework incorporating "consensus standards and industry best practices" for voluntary adoption by operators of critical infrastructure. Opposition in the Senate to cybersecurity legislation at one point coalesced around administration-backed language that would have made adoption of such a framework mandatory. The order says DHS will coordinate an effort to identify a set of incentives to spur industry adoption, including some that could require legislation to activate.
Not included in the executive order is liability protection for private sector participants in the framework, something that would be beyond the scope of presidential powers. Private sector officials have cited concerns over liability and other legal matters as major obstacles to greater public-private action on cybersecurity. One industry official with a large information technology manufacturer, who read the order and spoke on condition of anonymity, expressed doubt that any program that leaves liability open as an issue will attract substantial voluntary participation.
However, the order leaves the door open to additional administrative action. It calls on agencies "with responsibility for regulating the security of critical infrastructure" to engage in a 90-day review of whether they have existing authority to establish requirements based on the framework to address cyber risks. Should the review establish that they don't, the order says that within 90 days of the framework's final publication they should propose additional regulation sufficient to mitigate cyber risk.
"They keep trying to portray it as a voluntary program, it's nothing of the sort," the industry official said. The White House did not respond to requests for clarification.
Presidential Policy Directive-21, which the president also issued Feb. 12, also calls for the establishment within the Homeland Security Department of an integration and analysis function with the capability to "collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information." That function will reside at two co-located DHS-operated critical infrastructure centers, one dedicated to physical infrastructure and the other to cyber-infrastructure. The success of the centers depends, the directive says, on receiving information from the private sector as well as other government entities – but it's not clear from the directive how the cyber-infrastructure center will get information from the private sector. The White House did not respond to a question of whether the primary means would be the Enhanced Cybersecurity Services program.