President Obama has issued an executive order designed to boost the nation’s cyber-security.
Released ahead of his Feb. 13 State of the Union speech, the order suggests that the federal government can best defend the nation against cyber-attacks via partnerships with the “owners and operators of critical infrastructure.” Within 120 days, the government will start generating unclassified reports about current cyber-threats; in addition, it will produce classified reports for “critical infrastructure entities authorized to receive them.”
The order also asks the Secretary of Homeland Security to expand the Enhanced Cybersecurity Services program, in which the government shares classified cyber-threat information with critical infrastructure companies and their service providers. The expansion will apparently target “all critical infrastructure sectors.”
Other parts of the order tackle privacy and civil liberties: government agencies will need to incorporate such protections into their beefed-up cyber-security apparatus. “Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities,” reads the beginning of the order’s Section 5.
Still other sections focus on ways to reduce the “cyber risk” to critical infrastructure. This Cybersecurity Framework, as the order formally calls it, “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.” The procedures behind the framework are vague at this early stage, and it remains to be seen how the policies and procedures will be shaped in the months to come; the order asks that “a final Framework” arrive within one year.
Within 90 days of the publication of that final framework, affected government agencies will need to propose coordinated actions designed to mitigate cyber risk. Within two years of publication, those agencies will need to report on “any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements,” with an eye toward figuring out how to eliminate those requirements.
The order goes on to establish a voluntary program for infrastructure owners and operators to support the Cybersecurity Framework, before tackling a program for identifying the critical infrastructure at greatest risk.
While certain privacy advocates are happy with the executive order—Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, told Wired that Obama issuing that sort of directive trumped something similar coming from Congress—certain legislators aren’t happy with Obama acting unilaterally.
“Just because Congress doesn’t act doesn’t mean the president has a right to act,” Sen. Charles E. Grassley (R-Iowa) said in an interview with The Washington Post.