Following President Obama’s State of the Union address on February 12, the White House released its much-anticipated cybersecurity executive order, Improving Critical Infrastructure Cybersecurity. The EO was an opportunity for the Administration to address widely acknowledged cyber threats to domestic critical infrastructure and to clarify Executive Branch authority to respond fully to cyber-attacks by terrorist organizations or foreign powers, including recent intrusions into the computer networks of the New York Times, the Wall Street Journal, and the Washington Post.
During his address, the President recognized growing cybersecurity concerns, noting that “America must also face the rapidly growing threat from cyber-attacks,” and called on Congress to pass legislation to protect the nation’s critical infrastructure from cyber-attacks, recognizing that the Executive Order can only direct federal agencies to act.
The EO includes four components to address cyber risks for critical infrastructure:
1. Information Sharing. Designing a process for government agencies to share real-time classified and unclassified cyber threat information with targeted critical infrastructure entities.
2. Risk Assessment. Identifying the critical infrastructure entities that currently face the greatest cyber risks and on which attacks would have a severe impact on national security, economic security, or public health and safety.
3. Cybersecurity Framework. NIST (National Institute of Standards and Technology) will develop a “Cybersecurity Framework” to collect cybersecurity best practices and standards of conduct in one place and issue a preliminary framework within 240 days.
4. Voluntary Incentive Program. DHS will design a program to encourage the critical infrastructure community to voluntarily adopt the Cybersecurity Framework through the use of a benefits and incentives program.
Getting right down to business, NIST released a Request for Information (RFI) on February 26 seeking information to help “identify, refine, and guide the many interrelated considerations, challenges, and efforts needed to develop the framework.”
While the EO provides guidance on the Administration’s cybersecurity policy, it can’t take the place of legislation to address industry concerns, such as liability protection, regulatory-use protections, and avenues for private-to-private and private-to-government information sharing. The EO has renewed the debate on Capitol Hill over comprehensive cybersecurity legislation. The “Cyber Intelligence Sharing and Protection Act,” or “CISPA,” has been reintroduced in the House, and the Senate Commerce and Homeland Security Committees announced they will hold a joint hearing on March 7 to discuss implementation of the EO and potential legislation.
One thing is clear: 2013 is shaping up to be a big year for cybersecurity developments and legislation.