President Barack Obama has issued a new executive order calling on the federal government to develop cyber security standards for companies that operate key utilities, such as electric grids, telecommunications networks, and air traffic control systems. Will the president's move succeed in shoring up security gaps?
Some experts say the president's executive order doesn't go far enough. Frank Cilluffo, former special assistant to President George W. Bush on homeland security, said in a White House announcement
that the order "is a good first step" but that "it can only take us so far" if it doesn't provide incentives for companies to boost their own security efforts.
"It's not a substitute for legislation," Cilluffo asserted. Cilluffo is currently the director of the Cyber Center for National and Economic Security (CCNES) at George Washington University.
The new Executive Order on Critical Infrastructure Cybersecurity
was issued in tandem with a Presidential Policy Directive on Critical Infrastructure Security and Resilience, in connection with the President's State of the Union Address that same day.
The order calls for strengthening the cyber security of critical infrastructure by increasing information sharing and jointly developing and implementing a framework of cyber security practices with the government's industry partners.
One key initiative will be an expansion of the federal government's Enhanced Cybersecurity Services program, which will enable near real-time sharing of cyber threat information to assist participating infrastructure companies in their protection efforts. When they learn of threats to U.S. companies, federal agencies will be required to produce unclassified reports and share them "in a timely manner."
Another key provision is the development of a cybersecurity framework. The order directs the National Institute of Standards and Technology (NIST) to lead the initiative, working in collaboration with industry to develop a framework of cyber security standards, practices, and procedures to reduce potential risks. The president has directed that this framework be "technology neutral" and enable "critical infrastructure sectors to benefit from a competitive market for products and services."
The order also includes safeguards for privacy and civil liberties. It calls for a program that promotes adoption of the cyber security framework and a review of existing cyber security regulation.
In his comments on the new order, Cilluffo acknowledged that this measure will likely improve the government's ability to address cyber threats by promoting security standards, clarifying agency roles, and increasing information sharing with the private sector. But an executive order can only accomplish so much.
"It is essential that Congress work in a bipartisan manner this year to develop legislation that can strengthen the incentives for private sector action on cyber security (notably indemnification of liability), facilitate better information sharing between the government and the private sector on cyber threats, and establish more flexible hiring authorities for cyber experts at federal agencies," Cilluffo argued.
Mike McConnell, formerly director of national intelligence under both the Bush and Obama administrations and now vice chairman at Booz Allen Hamilton, agreed that the executive order is "a very good start." He also noted, however, that for any security measures to truly be successful, the U.S. needs robust and comprehensive legislation to protect citizens and businesses from increasing cyber exploitation and destructive cyber attacks.
"We have witnessed growth in nation-state willingness to engage in cyber espionage and destructive attacks at an alarming rate," McConnell said. "An executive order signed by the president addresses some of these important issues, but mostly is limited to direction to the executive branch and does not have the power of legislation. The executive order provides improvements, but it does not take the place of legislation for the needed changes across the cyber security landscape."
Steve Davis, executive vice president for public policy and government relations at telecommunications provider CenturyLink, said that as a provider of cybersecurity protections, his company is "encouraged" by the new provisions for information-sharing between the public and private sectors.
Such a "voluntary, flexible, balanced, and collaborative partnership" is essential for improving the nation's cyber security posture. Along with other industry experts, he also said the president should "work with Congress on bipartisan legislation that establishes a legal framework for information sharing and liability protections."
The Obama administration acknowledges that legislation is needed to bring cyber security up to date. The White House has made it clear that this new executive order will ensure that federal agencies and departments take steps to secure critical infrastructure from cyber attacks, but it's only "a down-payment on expected further legislative action."
The administration further noted that existing laws do not permit the government to do all that is necessary to fully protect the U.S. from global cyber threats. The next step needs to come from the legislative branch.