As announced during the 2013 State of the Union Address, President Obama recently signed an Executive Order on cybersecurity. The primary goals of the Executive Order are to (a) improve communication between private companies and the federal government about emerging cyber threats and (b) safeguard the nation’s critical infrastructure against cyber attacks by developing and implementing baseline cybersecurity standards. Critical infrastructure refers to those systems and assets, both physical and virtual, so vital to our nation that any cyber attacks upon them would have a debilitating impact on national security, economic security, and/or public health or safety.
According to a report issued by the Department of Homeland Security (the “DHS”) in December 2012, there were 198 cyber attacks on the nation’s critical infrastructure last year, several of which were successful. One such successful attack involved highly sophisticated malware found on critical engineering workstations at a power generation facility. According to the DHS’s Industrial Control Systems Cyber Emergency Response Team Monitor, an “ineffective or failed cleanup would have significantly impaired” the power plant’s operations. Critical infrastructure systems ranging from air traffic control systems, highways, and hospitals to electrical grids, water systems, power plants, and financial systems all have virtual components that are vulnerable to cyber attack. Over the past year, the need for stronger defenses against cyber attacks has gained traction in the public eye, as hackers have successfully targeted numerous high-profile companies, including major newspapers, banks, and federal agencies.
President Obama’s Executive Order on cybersecurity comes in the wake of proposed cybersecurity legislation, which was stalled in Congress last year. The Executive Order relies heavily on a voluntary program that encourages private companies operating critical infrastructure to adopt baseline cybersecurity standards, which the federal government will develop with industry assistance.
The main points of the Executive Order are as follows:
Cybersecurity Information Sharing: The government will increase the volume, timeliness, and quality of cyber threat information shared with private sector entities. This will enable private companies to better protect and defend themselves against cyber threats. Federal agencies will promptly disseminate unclassified reports of cyber threats targeting specific entities to the targets and will distribute classified reports to those critical infrastructure entities authorized to receive them.
Cybersecurity Framework: The National Institute of Standards and Technology, an agency of the Department of Commerce, will work with critical infrastructure operators to develop a framework of baseline standards designed to strengthen the digital security of the nation’s critical infrastructure (the “Framework”). Existing standards and industry best practices will be incorporated into the Framework to the fullest extent possible. To account for organizational differences and allow for technological innovation, the Framework will provide technology-neutral guidance.
Voluntary Critical Infrastructure Cybersecurity Program: Federal agencies will establish a voluntary program to encourage critical infrastructure operators to adopt the Framework. The DHS will spearhead the effort, working with sector-specific agencies and industry councils to implement the Framework’s best practice standards and to incentivize participation in the voluntary program. Various federal agencies will assess the effectiveness of incentives and whether there is sufficient authority under existing legislation to provide them.
Privacy and Civil Liberties Protections: Federal agencies must ensure that privacy and civil liberties protections are incorporated into their activities under the Executive Order.
Some have lauded President Obama’s efforts, opining that the voluntary standards could become quasi-mandatory in practice, by essentially setting a new negligence bar for cybersecurity. Others have been more skeptical, arguing that without intervention by Congress, the Executive Order may have little practical effect. President Obama himself has emphasized the need for bipartisan action on the cybersecurity front, stating during the 2013 State of the Union Address that “[n]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems,” the President stated. Given the constant headlines about hackers from abroad gaining access to and disrupting the workings of large corporations and government agencies, the President’s Executive Order comes as a welcome first step towards strengthening the nation’s cybersecurity.