President Obama issues executive order for critical infrastructure firms

Federal agency seeks industry input for voluntary guidelines, holds workshops

President Obama on Tuesday issued an executive order that contains voluntary standards and best practices for enterprises in critical infrastructure sectors to reduce the cyber risks to their networks, computers and data, and that promotes expanded sharing of cyber threat data between government and the private sector.

The order directs the National Institute of Standards and Technology (NIST) to work with the industry in developing a best practices framework to improve cybersecurity, while maintaining a technology-neutral stance on security products and services.

NIST is seeking input from private industry on development of the framework. The agency is asking enterprises to provide information on their current risk management practices; on their use of security frameworks, standards, guidelines and best practices; and on their encryption and key management, asset identification and management, and security engineering practices. NIST will hold workshops over the next few months to collect additional input and expects to complete the framework within a year.

The executive order also calls for the Department of Homeland Security to expand the sharing of classified cyber threat information with critical infrastructure firms and establish a "consultative process to coordinate improvements to the cybersecurity of critical infrastructure."

In his State of the Union address, President Obama said: "I signed a new executive order that will strengthen our cyber defenses by increasing information sharing and developing standards to protect our national security, our jobs and our privacy. But now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis."

In response to the executive order, Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) reintroduced on Wednesday the Cyber Intelligence Sharing and Protection Act (CISPA) that would expand the sharing of cyber threat information between the government and private industries and would provide liability protection for companies sharing threat information. Unlike the executive order, CISPA does not contain guidelines or requirements for private companies to improve their cybersecurity.

Last year, CISPA generated controversy because of provisions allowing the sharing of corporate information with the intelligence community and the National Security Agency. The White House threatened to veto the bill because of the lack of privacy, confidentiality and civil liberties safeguards.

The House Intelligence Committee, which Rogers chairs, is holding a hearing on the bill Thursday morning.

Industry groups in general support the approach taken by CISPA, while privacy groups are opposed to the sharing of personal information with national intelligence agencies.

For more:
- see President Obama's executive order
- read the NIST announcement
- check out Rogers' and Ruppersberger's release
- see the CISPA 2013 bill
