In the State of the Union address Tuesday, President Obama announced a sweeping executive order implementing new national cybersecurity measures, opening the door for intelligence agencies to share more information about suspected "cyber threats" with private companies that oversee the nation's "critical infrastructure." The order is voluntary, giving companies the choice of whether or not they want to receive the information, and takes effect in four months, by June 12.
It remains to be seen just how the order will play out, which specific companies will choose to receive this new threat information, and what they will be able to do with it. However, the White House is today clarifying at least some parts of the order with immense implications, the definitions of "cyber threat" and "critical infrastructure."
"Cyber threats cover a wide range of malicious activity that can occur through cyberspace," wrote Caitlin Hayden, spokeswoman for the White House National Security Council, in an email to The Verge. "Such threats include web site defacement, espionage, theft of intellectual property, denial of service attacks, and destructive malware."
threats include web site defacement, espionage, theft of intellectual property
So last month's apparent hacking and defacement of MIT's website in honor of late internet activist Aaron Swartz could be considered a "cyber threat," by the White House under this definition, for example. Less clear is just who will be getting that information from the government, or who falls under the term "critical infrastructure."
"The EO [executive order] relies on the definition of critical infrastructure found in the Homeland Security Act of 2002," Hayden wrote.
The Homeland Security Act of 2002 (PDF), passed in the wake of the September 11, 2001 terror attacks, was what created the Department of Homeland Security. At that time, the US was still reeling from the attacks and Congress sought to rapidly bolster the nation's defenses, including "critical infrastructure" as part of its definition of "terrorism." As the act states: "The term 'terrorism' means any activity that involves an act that is dangerous to human life or potentially destructive of critical infrastructure or key resources..."
the White House appears to be relying to some degree on circular reasoning
But again, that act doesn't exactly spell out which infrastructure is considered "critical," instead pointing to the definition as outlined in a 2001 bill, also passed in response to September 11, which reads:
"The term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
This is the same exact definition that was originally provided in the president's cybersecurity order as originally published on Tuesday, meaning that the White House appears to be relying to some degree on circular reasoning when it comes to that definition. Some in Washington, including the right-leaning think tank The Heritage Foundation, are worried that the definition is too broad and "could be understood to include systems normally considered outside the cybersecurity conversation, such as agriculture."
In fact, the Department of Homeland Security, which is one of the agencies that will be sharing information on cyber threats thanks to the order, includes 18 different industries in its own label of "critical infrastructure," from agriculture to banking to national monuments. There's an argument to be made that including such a broad and diverse swath of industries under the blanket term "critical" is reasonable given the overall increasing dependence of virtually all businesses on the internet for core functions. But even in that case, its unclear how casting such a wide net would be helpful in defending against cyber threats, especially as there is a limited pool of those with the expertise and ability to do so.