President Obama on Tuesday signed a new cybersecurity executive order, allowing the government to share more information it has on so-called national "cyber threats" with private companies, namely infrastructure providers.
Obama introduced the order during the State of the Union address, saying "America must also face the rapidly growing threat from cyber-attacks," and calling upon Congress to pass legislation to "give our government a greater capacity to secure our networks and deter attacks." As the President said:
We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
The executive order signed Tuesday expands upon a voluntary cyber threat information-sharing program already in place — the "Enhanced Cybersecurity Services program" launched in May 2012 under the Departments of Defense and Homeland Security as part of a larger initiative for information sharing between the government and defense contractors, known as the "Defense Industrial Base Cybersecurity Activities." Participation in that program has gone up and down, though: 17 companies joined initially, and five had pulled out as of October 2012, according to Foreign Policy.
In press materials, the White House also noted that it had included "strong privacy and civil liberties protections."
Now the President's executive order should allow the government's real-time cyber threat information to be shared with other firms outside the defense sector. It also puts the National Institute of Standards and Technology (NIST), a Commerce Department agency designed to foster the country's development and research of new technologies, in charge of setting up best practices and a "framework" for private industry's cybersecurity preparedness. This is how the order describes it:
The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
The President's cybersecurity order, long expected, is designed to accomplish through executive muscle what wasn't achieved through Congress. In April 2012, the Republican-led House passed the Cyber Intelligence Sharing and Protection Act (CISPA), which drew controversy from online Web freedom and privacy advocates who argued it didn't contain enough restrictions on how companies and the government could access and share Web user information.
CISPA didn't become law. It didn't get further than the House, in fact. The Senate never picked it up and an alternative cybersecurity bill proposed by Sen. Joseph Lieberman (I-CT) was voted down late last year.