President Obama addressed cybersecurity during his State of the Union address tonight:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.That full text of the executive order is expected to be released on Wednesday, February 13. The White House did, however, release a statement that listed the executive order key components [here]:
- New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The executive order requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber-threat information to assist participating critical infrastructure companies in their cyber-protection efforts.
- The development of a Cybersecurity Framework. The executive order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber-risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.
- Includes privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.
- Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security (DHS) will work with sector-specific agencies like the Department of Energy and the sector coordinating councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.
- Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.
The Order was developed with the Presidential Policy Directive on Critical Infrastructure Security and Resilience also released today. The executive order and policy directive follow the Obama administration's previous efforts in cyberspace, including:
- Creating the National Cybersecurity & Communications Integration Center, which is a 24-hour DHS-led coordinated watch and warning center to address threats and incidents affecting critical infrastructure, the internet, and cyberspace.
- Issuing the National Strategy for Trusted Identities in Cyberspace, which creates alternatives to passwords for online services that are more convenient, secure, and privacy enhancing.
- Unveiling the Consumer Privacy Bill of Rights (February 2012)
Comprehensive federal cybersecurity legislation was defeated in the Senate last year. However, this month in the House, the Cyber Intelligence Sharing and Protection Act (CISPA), was reintroduced. More on CISPA, its history, and its contents can be found here.