Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
White House issues cyber order, giving NIST, DHS lead roles
Wednesday - 2/13/2013, 12:00am EST
The White House's long-awaited, and much anticipated, Executive Order to improve the cybersecurity of critical infrastructure is far from an answer to the lack of congressional action on the issue, and more about doing something to spur change.
The order and corresponding Presidential Policy Directive-21 detail a "whole of government approach" to creating standards and improving information sharing with critical infrastructure owners and operators, which include water, power, communications and financial services.
"Given the threats we are facing across our nation from cyber that could disrupt critical services, and the lack of legislation, that is why the president is issuing the Executive Order," said a senior administration official, speaking on background, during a call with reporters Tuesday. "It directs federal agencies to use existing authorities and calls for increased cooperation with the private sector on critical infrastructure protection. We all can agree there is inadequate cybersecurity and the critical infrastructure poses the greatest threat so it requires new partnerships and capabilities."
The order is split into three main parts.
- Increase information sharing with the private sector, including classified
cyber threat data.
- Create a voluntary framework based on industry best practices to improve the
cybersecurity of critical infrastructure providers.
- Protect privacy and civil liberties throughout the sharing and framework.
The administration pushed for comprehensive cybersecurity legislation last year that would have taken more of a regulatory approach to requiring owners and operators to take specific steps to protect their networks. But opposition from mostly Republican lawmakers, the U.S. Chamber of Commerce and other industry experts caused the legislation to fail in the Senate.
The House passed several different bills, including an update to the Federal Information Security Management Act and the Cyber Intelligence and Sharing Protection Act (CISPA). But the Senate, going for a comprehensive bill that included FISMA and information sharing provisions, decided against the piecemeal approach.
"The prospect of a bill is uncertain so the administration must take action," the administration official said during the call. "An Executive Order is not a substitute for legislation. This is not the end of the conversation. It's really the beginning of it. It started last fall with engagements with agencies, members of Congress, think tanks, academia and industry. All their input was vital in crafting the EO, and we incorporated other suggestions from the Commission on Cybersecurity for the 44th President and the House cybersecurity working group."
President says legislation still is needed
President Barack Obama called for more attention and focus on cybersecurity across the country, especially from Congress, in his State of the Union address Tuesday night.
|DHS responsibilities under the EO|
"We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," he said. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."
White House officials emphasized the Executive Order is based on voluntary standards and participation by industry. Under this type of directive, the president cannot mandate companies do anything but what's required in the law.
While the EO and PPD assign responsibilities to nearly every agency, the National Institute of Standards and Technology and the Homeland Security Department are carrying the biggest loads.
NIST will lead the effort to create the voluntary cyber framework.