The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action.
The most-discussed section of the executive order on cybersecurity is the one that directs the attorney general, secretary of the Department of Homeland Security and the Director of national Intelligence to establish an information-sharing program that will produce unclassified reports on “cyber threats to the U.S. homeland that identify a specific targeted entity.” However, this is not the broad, two-way sharing of attack and threat data between the government and the private sector that some in the security community had been pushing for. Rather, it’s a program designed to let intelligence agencies and the DHS take some of the data they gather on current attacks and notify targeted agencies about the attacks.
The executive order focuses almost exclusively on the threats facing critical infrastructure providers, both inside and outside the government, and discusses the need for better data on those threats and coordination among the entities responsible for running them. To that end, the order requires that DHS and the intelligence community figure out a method for disseminating classified threat information to those critical infrastructure providers. However, it does not provide a mechanism for getting that information to other, private-sector companies that may be targeted by the same kind of attacks.
“The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports,” the executive order says.
The other major section of the order lays out the need for a voluntary risk-management framework designed to reduce vulnerabilities in critical infrastructure organizations such as utilities, government agencies and others. The framework “shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” the order says, and there are no provisions in the document that require compliance with the framework’s provisions. Instead, the government will establish a voluntary program to promote the adoption of the framework.
The issuance of the executive order comes nearly 10 years to the day after the publication of the National Strategy to Secure Cyberspace, a document developed in the aftermath of the Sept. 11 attacks that was meant to lay out a road map for how the government, businesses and users could help improve security. At the time of its release on Feb. 14, 2003, the document was criticized heavily by security experts who saw it as being too weak and lacking any direct action. Much of that initial strategy discussed the need for better information sharing, more data on attacks and threats and better security at critical infrastructure facilities, as well.