In concert with the State of the Union speech, in this case the state of the online union, the President late Tuesday issued an executive order on cybersecurity mandating a public-private partnership to protect critical infrastructure, which is defined as "assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
That clearly includes broadband providers, whose networks are critical components of those systems.
"America must...face the rapidly growing threat from cyber-attacks," the President said in his speech. "We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
"That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," he said.
The order comes after Congress failed to come to agreement on cybersecurity legislation in the last Congress, despite agreement that cyber threats were growing and needed to be addressed. The
Administration had soon after threatened the order, while saying legislation was also still
The order requires the Secretary of Commerce to direct the head of the National Institute of
Standards and Technology to head up development of a voluntary cybersecurity protection framework
that "shall include a set of standards, methodologies, procedures, and processes that align
policy, business, and technological approaches to address cyber risks." An initial framework must
be ready within 240 days of the date of the order (Feb. 12).
While critical infrastructure providers don't have to participate, they will be encouraged to do so through a set of specific incentives.
The order also directs the government to share government cyberthreat information with affected
companies in near real time and will attempt to mitigate the potential data privacy and civil
liberties issues via adherence to Fair Information Practice Principles (FIPPS).
Sector-specific agencies will be tasked with reviewing their own cybersecurity regs and adopt
whatever new ones they need or get rid of ones that are no longer effective.
The White House framework will be open to comment and review.
Two years after the order date, the government will kick the tires on that framework to check for
any "ineffective, conflicting, or excessively burdensome cybersecurity requirements."
The President's action came only hours before the planned reintroduction of a Republican-backed
version of cybersecurity legislation.
Sen. Jay Rockefeller (D-W. Va.), who backed Democratic legislation, said he would continue to
push for legislation as well.
“We know that cyber vulnerabilities exist in everything from power plants to financial institutions and some of our country’s most successful companies," he said in a statement in response to the President's order. "I strongly supported comprehensive cybersecurity legislation last year that would have addressed the growing cyber threats facing our country. I also strongly
support President Obama’s action to strengthen our economic and national security. I will continue my efforts this Congress to enact legislation that bolsters the cooperation between the federal government and private sector to protect our country from cyber attacks.”
The White House also released an associated Presidential Policy Directive (PPD) check-off list on critical infrastructure security. According to a White House summary of the PPD, it comprises three "strategic operatives" and six "key deliverables."
The "imperatives" are:
•"Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience;
•"Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and
•"Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure."
The deliverables are:
•"Development of a description of the functional relationships within the Department of Homeland Security and across the Federal Government related to critical infrastructure security and resilience within 120 days.
•"Completion of an assessment of the existing public-private partnership model and recommended options for improving the partnership within 150 days.
•"Identification of baseline data and systems requirements for the Federal Government to enable efficient information exchange within 180 days.
•"Development of a situational awareness capability for critical infrastructure within 240 days.
•"Update the National Infrastructure Protection Plan within 240 days.
•"Completion of a national critical infrastructure security and resilience research and development plan within 2 years."