Just in time for the State of the Union address, the Obama Administration late yesterday finally issued the much-anticipated Executive Order on strengthening cybersecurity protection. It had been in the works since last October.
Some key provisions:
- Within 120 days, DHS, the Office of the Director of National Intelligence and the Department of Justice will issue instructions to ensure the timely production and dissemination of unclassified cyber threat reports, which can be distributed more widely than the classified reporting available today
- Security clearances for critical infrastructure employees will be expedited
- The Enhanced Cybersecurity Services program will be expanded – this program allows classified cyber threat information to be shared with defense contractors and other cleared personnel. It will now be open to a wider array of critical infrastructure companies
- The National Institute of Standards and Technology will work with other government agencies and private industry in developing the Cybersecurity Framework – a new risk framework and best practices – due out within a year; DHS will oversee voluntary adoption
However, since an Executive Order is not legislation, the cyber EO cannot require threat reporting to the government, nor can it eliminate the potential privacy-related and antitrust liability a company faces for sharing information with the government or with other companies. It will still rely on voluntary cooperation until such time as Congress acts.
The White House intends the EO to motivate congressional action. Unfortunately, all we have seen so far this year is the re-introduction, in identical form, of last year's CISPA bill (Cyber Intelligence Sharing and Protection Act), which failed over privacy concerns. Since the new Executive Order offers greater privacy protection (at least from the administration's point of view), we obviously have a ways to go in reaching middle ground – if that is at all possible with this Congress. Given the critical nature of the situation (witness the recent spate of attacks on US banks), we at least now have a starting place.