The President’s Cybersecurity EO

President Obama’s just-released cyber security executive order has sparked concern from several advocacy groups debating issues surrounding “too much regulation”, “not enough protection” and of course “too much private sector involvement”.

The U.S. Chamber of Commerce opposed the order. It argued that instituting new regulation is unnecessary.

Meanwhile, the Constitution Project stated that the order poses “far fewer threats” to Americans’ privacy rights than the Cyber Intelligence Sharing and Protection Act (CISPA), which was reintroduced in the U.S. House of Representatives Wednesday. I also believe that President Obama’s executive order has far less regulation than President Bush’s post-9/11 “Patriot Act”.

The Information Technology and Innovation Foundation (ITIF) is among the organizations that contend Congress should pass a cybersecurity law anyway, because adhering to the executive order might expose companies to lawsuits over civil liberties and privacy.

What’s in the Executive Order?

The executive order defines what constitutes the nation’s critical infrastructure, and states that policy coordination, guidance, dispute resolution and in-progress reviews will be provided through an interagency process.

The U.S. National Institute of Standards and Technology (NIST) will lead the development of a cybersecurity framework to reduce risks to critical infrastructure. The framework will incorporate voluntary standards and, where they fit, voluntary international standards.

That framework will provide measurable and cost-effective ways to protect the country’s cyber assets, while lessening its impact on business confidentiality, individual privacy and civil liberties.

A preliminary version of the cybersecurity framework must be published within 240 days, and a final version within one year. Adoption of the framework by the private sector will be voluntary.

The order directs agencies to incorporate protection for privacy and civil liberties into their activities based on the Fair Information Practice Principles, and other policies covering privacy and civil liberties. Agencies will be assessed on this.

Information submitted voluntarily to the federal government by private entities will be protected from disclosure.

The U.S. Attorney General, the Secretary of Homeland Security and the Director of National Intelligence have 120 days to issue instructions on how to produce timely, unclassified reports of cyber threats that identify a specific targeted U.S. entity. They also have to set up a process to track the production, dissemination and disposition of these reports.

Is This Necessary?

Yes. During last week’s State of the Union address, President Obama was correct in sounding the alarm about the threat of future cyber attacks. The government is tasked with protecting its citizens wherever threats may originate. Sadly, because everyone now relies on technology for almost everything, our enemies will seek to hurt our nation not only with guns, ships, missiles and bombs but also with cyber terror.