Homeland Security Today February 13, 2013

Obama Issues Cybersecurity Executive Order

By Dan Verton

President Barack Obama on Tuesday signed the long-awaited executive order designed to enhance the security posture of the nation's critical cyber infrastructure. Obama made the announcement during the State of the Union address.

"America must also face the rapidly growing threat from cyber-attacks," Obama stated. "We know hackers steal people's identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

The White House released a summary of the order on Tuesday, but the full details have not been made public.

The central component of the new order, the so-called Cybersecurity Framework, remains a voluntary initiative for critical infrastructure operators. The National Institute of Standards and Technology (NIST) will manage the Cybersecurity Framework effort, which will focus on establishing a framework of cybersecurity practices based on "existing international standards, practices, and procedures that have proven to be effective," according to the White House.

"To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services," said the White House statement on the order.

The order also opens the Defense Industrial Base Information Sharing Program to other critical infrastructure sectors, such as the electric grid and financial services, to enable what the White House called "near real time sharing of cyber threat information." The order also requires federal agencies to produce unclassified reports of cyber threats for distribution to the private sector companies that own and operate more than 85 percent of the nation's critical infrastructure.

The president assigned the Department of Homeland Security (DHS) the task of working with sector-specific agencies, such as the Department of Energy (DOE), and industry coordinating councils, to come up with a plan and incentives to get private infrastructure operators to adopt the Cybersecurity Framework.

The new executive order, however, does not have the force of law. And some analysts see it simply as the latest attempt by the administration to increase pressure on Congress to pass meaningful cybersecurity legislation.

"The administration has been building up to issuing an executive order on this for months," said George Smith, a senior fellow at Globalsecurity.org. "And, no, it won't have any impact on infrastructure cybersecurity. None of the Obama administration's executive orders, in anything for that matter, have any teeth or any practical consequence. They're essentially blandishments and suggestions that are ignored or meant for window dressing. It's an attempt to shape the debate and push legislation."

And that's exactly how Obama left the issue in his State of the Union speech. "Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," he said.

Attempts to pass cybersecurity legislation have failed repeatedly due to partisan bickering over how much regulatory powers the government should have over private businesses, who should set the standards for cybersecurity, and what federal agency should ultimately be responsible for setting and enforcing those standards.

Rep. Bennie G. Thompson (D-MS), Ranking Member of the House Committee on Homeland Security, issued a statement late Tuesday praising the signing of the executive order. "Though we all recognize that legislation will still be required to provide the strongest mechanisms for securing critical infrastructure, I commend President Obama for taking this important step towards improving our nation’s cybersecurity," said Thompson. "The next step must be a legislative solution from Congress, and I urge the leaders in the House to act on this as soon as possible.”