The executive order was needed, said Obama, because, “We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The two key elements of the order direct the government to share cyberthreat information with critical infrastructure owners, and for government agencies to develop a security framework that business can voluntarily adopt. The intention is that unclassified threat reports “that identify a specific targeted entity” will be shared, and that classified reports will be shared with “critical infrastructure entities authorized to receive them.”
The concern over data sharing has always focused on privacy issues. The order includes the instruction “that privacy and civil liberties protections are incorporated into such activities,” but also adds, “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.”
When introducing the order during the State of the Union address, Obama added, “Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.” Since CISPA is separately expected to be reintroduced today, this can be taken as a clear request by the President for CISPA to be enacted. ‘The fullest extent permitted by law’ will therefore likely include the protections provided by CISPA.
The second purpose of the order is a requirement for the development of a Cybersecurity Framework which “shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible... to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.” The order cannot compel industry to adopt the framework, but includes measures to help persuade it to do so. Foremost in this will be a DHS-compiled list of ‘critical infrastructure at greatest risk.’ The way to get off the list will be to comply with the Framework.
Since an executive order is designed to manage the executive, it cannot manage private industry with the same force as legislation. The third and unstated purpose of Obama’s Cybersecurity Executive Order is to send a clear message to the legislature about what laws the president expects it to enact – starting almost certainly with the return of CISPA.