White House issues cyber order, giving NIST, DHS lead roles

Wednesday - 2/13/2013, 12:00am EST

The White House's long-awaited, and much anticipated, Executive Order to improve the cybersecurity of critical infrastructure is far from an answer to the lack of congressional action on the issue, and more about doing something to spur change.

The order and corresponding Presidential Policy Directive-21 detail a "whole of government approach" to creating standards and improving information sharing with critical infrastructure owners and operators, which include water, power, communications and financial services.

"Given the threats we are facing across our nation from cyber that could disrupt critical services, and the lack of legislation, that is why the president is issuing the Executive Order," said a senior administration official, speaking on background, during a call with reporters Tuesday. "It directs federal agencies to use existing authorities and calls for increased cooperation with the private sector on critical infrastructure protection. We all can agree there is inadequate cybersecurity and the critical infrastructure poses the greatest threat so it requires new partnerships and capabilities."

The order is split into three main parts.

  • Increase information sharing with the private sector, including classified cyber threat data.

  • Create a voluntary framework based on industry best practices to improve the cybersecurity of critical infrastructure providers.

  • Protect privacy and civil liberties throughout the sharing and framework.

The administration pushed for comprehensive cybersecurity legislation last year that would have taken more of a regulatory approach to requiring owners and operators to take specific steps to protect their networks. But opposition from mostly Republican lawmakers, the U.S. Chamber of Commerce and other industry experts caused the legislation to fail in the Senate.

The House passed several different bills, including an update to the Federal Information Security Management Act and the Cyber Intelligence and Sharing Protection Act (CISPA). But the Senate, going for a comprehensive bill that included FISMA and information sharing provisions, decided against the piecemeal approach.

"The prospect of a bill is uncertain so the administration must take action," the administration official said during the call. "An Executive Order is not a substitute for legislation. This is not the end of the conversation. It's really the beginning of it. It started last fall with engagements with agencies, members of Congress, think tanks, academia and industry. All their input was vital in crafting the EO, and we incorporated other suggestions from the Commission on Cybersecurity for the 44th President and the House cybersecurity working group."

President says legislation still is needed

President Barack Obama called for more attention and focus on cybersecurity across the country, especially from Congress, in his State of the Union address Tuesday night.

DHS responsibilities under the EO

  • Development of a description of the functional relationships within the Department of Homeland Security and across the Federal Government related to critical infrastructure security and resilience within 120 days.

  • Completion of an assessment of the existing public-private partnership model and recommended options for improving the partnership within 150 days.

  • Identification of baseline data and systems requirements for the Federal Government to enable efficient information exchange within 180 days.

  • Development of a situational awareness capability for critical infrastructure within 240 days.

  • An update to the National Infrastructure Protection Plan within 240 days.

  • Completion of a national critical infrastructure security and resilience research and development plan within two years.

"We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," he said. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."

White House officials emphasized that the Executive Order is based on voluntary standards and voluntary participation by industry. Under this type of directive, the president cannot require companies to do anything beyond what existing law already mandates.

While the EO and PPD assign responsibilities to nearly every agency, the National Institute of Standards and Technology and the Homeland Security Department are carrying the biggest loads.

NIST will lead the effort to create the voluntary cyber framework.