On Tuesday, February 12, President Obama signed a long-awaited cybersecurity executive order. The full text of the order is posted to the White House web site.
Graphic from White House’s presentation on cybersecurity
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”
The Department of Homeland Security, the Attorney General, the Director of National Intelligence and others are ordered to improve information sharing about cyber threats between government and industry and establish a framework of cybersecurity best practices that industry would elect to follow. Specific initiatives include:
- Increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.
- Develop a framework of cybersecurity best practices. The National Institute of Standards and Technology (NIST) will head up the process of defining a technology-neutral framework which will be aimed at addressing security gaps faced by both the public and private sectors.
- Establish a voluntary program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure and any other interested entities.
The policies outlined in the executive order arose from failed efforts to pass cyber-security legislation last spring. Executive orders do not grant additional powers to federal agencies—that requires legislation. They do, however, define and mobilize how the federal government should act within current legal parameters. In other words, the executive order “describes and encourages” secure practices rather than “legally requires minimum requirements.”
Media coverage by The Hill, The New York Times and and InformationWeek show a mixed opinion about the cybersecurity provisions in the executive order. Many view it as an important step towards securing critical infrastructure from cyber attack. Others point out that outdated practices and insecure systems are allowed to remain in place. What is clear is there is more work ahead for public and private sector organizations to address current cybersecurity weaknesses.
Some bad actors focus on attacking national infrastructure while others target any web application for profit or just to create havoc. Many attacks are independent of an organization’s brand, size, industry and location. To ensure reliable functioning of your systems and protect your assets, you must take decisive action.
Cenzic specializes in helping businesses improve their security posture, from providing focused assessments of individual applications to comprehensive security monitoring services. Contact Cenzic to speak with a security professional about how you can take important steps to reduce your organization’s cyber risk.
For aditional analysis of the Executive Order on Cybersecurity, check out what Marc Rotenberg of the Electronic Privacy Information Center thinks. His comments were publised today in the Daily Beast:
A Deep Read of Obama’s Executive Order on Cybersecurity