While I was completely off the grid last week, President Obama finally issued the much-anticipated cybersecurity executive order prior to his State of the Union address. For those who followed the machinations surrounding the order, the contents of the final order contained no surprises. In almost every respect, it tracked the publicly released draft executive order dated November 21, 2012, which was a very business-friendly modification of some of the early, more pro-regulatory draft orders.
The order, among other things, basically establishes a one-way information flow, ensuring that the government shares technical and cyber threat information with critical infrastructure providers. Most of the tweaks to the earlier order underscore the importance of government agencies sharing information with critical infrastructure owners rather than the other way around. Thus the final order is a far cry from the earliest versions, which proposed regulations of critical infrastructure owners to mitigate risks.
New language that emphasizes the importance of providing threat information (particularly classified threat information) to critical infrastructure owners is peppered throughout the order. For example, Section 4 (a) of the order says "It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats."
Even if the order lacks true bite, a slew of government agencies, offices and departments will nevertheless quickly kick into gear to implement the order's directives. And any industry or company that might end up categorized as "critical infrastructure" in the order had better get involved right now because the ball will roll very quickly.
The table above and the chart at the top of the article list the major tasks spelled out in the order, when those tasks begin, how much time is slated for completing the task based on its start date and when the task is ordered to be completed. (Click on the images for clearer resolution).
As you can see, the deadlines are very tight. NIST, for example, has only 240 days from the date of the order to publish a preliminary cybersecurity framework that includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. NIST, therefore, must come up with a comprehensive technical, standards-based framework, at least in preliminary form, covering all affected critical infrastructure industries by October 10, which is a very tall order indeed. (Update: NIST has already issued its RFI for this framework at http://www.nist.gov/itl/cyberframework.cfm).
Congress hasn't been cut out of the cybersecurity maelstrom, not by a long shot. The day after Obama issued the order, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA). From a brief scan of the language, it's basically the same bill of the same name that the House passed last year over the objections of privacy advocates. Not surprisingly, those advocates rushed in to criticize this bill on the same grounds.
Moreover, the Obama Administration has said all along that even with this order, Congress must act to redress problems the order cannot legally reach, particularly the lack of incentives for critical infrastructure providers to participate in a meaningful cybersecurity program. Even in his State of the Union address, President Obama reiterated the need for legislation. "That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," Obama said.