President Obama signed a long-rumored executive order aimed at strengthening the cybersecurity of critical infrastructure, along with a Presidential Directive on Critical Infrastructure Security and Resilience, before the State of the Union yesterday.
The executive order creates new information sharing programs under the direction of the Department of Homeland Security (DHS) to provide threat and attack information to U.S. businesses, opens up the voluntary Enhanced Cybersecurity Services program to other sectors participating in critical infrastructure beyond the defense industrial base, and calls for the National Institute of Standards and Technology to implement a cybersecurity framework to reduce the cyber risks to critical infrastructure.
Under the order, agencies and the private companies participating in the information sharing program are also required to incorporate privacy and civil liberties safeguards based upon the Fair Information Practice Principles (FIPPs) and other applicable standards. The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS will also produce an annual report on the privacy and civil liberties impacts of the programs outlined in the order, and provide guidance on how to minimize or mitigate those risks.
Largely due to these provisions, online privacy advocates have applauded the order, in stark contrast to their reaction to other cybersecurity proposals in recent years. While cybersecurity breaches have made big headlines in recent months, with the hacking of major newspapers and new revelations about the network insecurity of some federal agencies, legislative efforts to address the issue languished in 2012 — although, much to the dismay of privacy advocates, the most troubling of them, the Cyber Intelligence Sharing and Protection Act (CISPA), appears to be attempting a comeback.
Center for Democracy and Technology (CDT) President Leslie Harris released a statement praising the order’s protections and emphasis on sharing the government’s cybersecurity expertise with private stakeholders:
“The executive order says that privacy must be built into the government’s cybersecurity plans and activities, not as an afterthought but rather as part of the design. By explicitly requiring adherence to fair information practice principles, the order adopts a comprehensive formulation of privacy. The annual privacy assessment, properly done, can create accountability to the public for government actions taken in the name of cybersecurity [...]
CDT has long argued that one of the best things government can do to bolster cybersecurity is to share the cyberthreat insights and expertise it has with private industry. Rather than having the government monitor private networks, it is better for security and privacy to have private entities protect their own systems and networks. Better sharing of what the government knows will enhance that effort.”
The Presidential Directive accompanying the order clarifies the role of many federal agencies in cybersecurity, with DHS leading the effort and other agencies working with sector-specific industries to promote cybersecurity best practices. It also outlines three major imperatives for DHS to pursue to improve the resiliency of the federal government’s critical infrastructure against cyberattacks: define current functional relationships across government, identify baseline data and systems requirements to enable information exchange, and implement an analysis and integration function with the capability to process and respond to cyber vulnerabilities.
This is the second Presidential Directive to address cybersecurity, following a secret directive signed by the President in mid-October that redefined some military cybersecurity actions previously considered offensive as defensive, around the same time Defense Secretary Leon Panetta warned of a looming “cyber-Pearl Harbor.”