President Obama’s long-awaited executive order on cyber security was released earlier this month. Along with the Executive Order, Improving Critical Infrastructure: Cybersecurity, the administration also released a companion policy directive for federal agencies. Although both documents are a step in the right direction for security efforts, legislative action by Congress remains essential to combat increasing instances of cyber attacks. For more GovLoop cyber security resources, please visit our cyber security knowledge cycle page.
Recently I spoke with Jeffrey Greene, Senior Policy Counsel, Symantec, reviewing President Obama’s Executive Order. Greene states, “The importance of the Executive Order should not be overlooked, I think it is worth pausing and reflecting on the significance of the Executive Order and the time the President spent speaking about cybersecurity during the State of the Union.”
The Executive Order was a reminder that too often cybersecurity is described solely as identity theft or stolen credit card numbers. The order focuses specifically on critical infrastructure, which it defines as follows: “As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Today, cybersecurity impacts our lives in a variety of ways. The critical infrastructure that is defined in the order includes broadband networks, power grids, financial data, hospitals, schools, and dozens of other services. With this Executive Order, President Obama has made it clear that cybersecurity is a vital part of our national and economic priorities. In a fact sheet provided by the White House, the administration provides seven focus areas:
- Defense Industrial Base Information Sharing Program Now Open to Other Sectors
- NIST to Lead Development of Cybersecurity Framework
- New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies.
- Development of a Cybersecurity Framework.
- Strong privacy and civil liberties protections based on the Fair Information Practice Principles.
- Voluntary program to promote the adoption of the Cybersecurity Framework.
- Review of existing cybersecurity regulation.
Although the Executive Order is comprehensive in nature, there are certain elements that the order lacks. This is not due to the administration neglecting key information; there are some remaining challenges for cyber professionals that will only be solved through legislative action. Greene observes, “The Executive Order lacked things that can’t be done through executive orders, most importantly from our perspective, some legal protections for sharing information. The Executive Order does a good job directing the federal government to share information with the private sector but doesn’t address sharing within the private sector – because it can’t.”
Clearly, after nearly a year since cybersecurity legislation failed in the Senate, it is time for Congress to act on it. The continuing challenge now is for Congress to pass legislation that mandates action that could not be provided within an Executive Order. The executive order has certainly opened the door for legislation on cybersecurity. Greene states, “There are a lot of different ways it [legislative action] can break, and the executive order definitely creates an opportunity. It’s a question of whether it actually leads to progress.”
Yet legislative action is one of many challenges to cybersecurity. The United States has yet to see an attack on a scale that causes any physical damage, and most people still identify cyber with identity theft rather than with critical infrastructure. Greene states, “The biggest hurdle is getting people to realize the significant threat to both economic and national security.”
The hope is that through this executive order, and increasing pressure on Congress to pass legislation, cyber will ultimately make its way into mainstream America, absent any large-scale attack. Cyber threats are only increasing, and now is the time for our legislators to act and work collaboratively to secure and set standards for critical infrastructure. Although threats will always exist, agencies must work diligently to stay a step ahead of sophisticated attacks and secure systems for America’s economic and national security.
What needs to happen to push Congressional action on cybersecurity? How secure are we from an attack on our critical infrastructure?