President Barack Obama issued a long-anticipated Executive Order for improving the nation’s cyber security late Tuesday.
The Order, released on the same evening that President Obama addressed both chambers of Congress with his State of the Union Address, called cyber attacks “one of the most serious national security challenges we must confront,” and put public and private owners of critical infrastructure in the U.S. on notice that they would need to work closely with the government to reduce the risk of crippling cyber attacks.
President Obama issued the Order after Congress failed, in its last session, to agree on comprehensive cyber security legislation. Negotiations over the bill broke down over Republican amendments to a Democratic-sponsored bill and concerns from the business community about the cost of complying with some of the more controversial provisions. Among those: a requirement that the Department of Homeland Security be able to audit the networks of private companies that manage critical infrastructure, in exchange for a government assurance of legal liability in the event of a cyber attack.
The Executive Order lacks much of the force of legislation, but focuses on setting up a voluntary system for critical infrastructure owners to adopt government guidelines for information sharing and securing critical systems. Among other things, Section 8 of the Order empowers the Secretary of Commerce to set up a program of incentives to promote participation in the Program. Commerce will also maintain a list of identified critical infrastructure, provide that list to the President, and notify infrastructure owners of the government’s findings.
The main thrust of the Executive Order is to increase information sharing about cyber attacks between private and public officials. At its heart, the Order establishes a federal Cybersecurity Framework that standardizes information security measures and controls and provides guidance to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
The Framework focuses on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations, the White House announced.
The announcement came on the same evening as the President’s State of the Union address – one of his biggest speeches of the year. In that speech, President Obama explicitly mentioned the threat of cyber attacks – the first known State of the Union where that issue was raised.
“America must also face the rapidly growing threat from cyber-attacks,” President Obama said. “We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The President called attention to his executive order, which he said would “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.” He also called on Congress to pass legislation to accomplish many of the same tasks.