On February 12, 2013, just before delivering his fourth State of the Union address to Congress, President Obama signed an Executive Order entitled “Improving Critical Infrastructure Cybersecurity.” Just eight pages long, Mr. Obama’s order puts in motion programs at the Department of Homeland Security, the Justice Department, and the Office of the Director of National Intelligence that are intended to assess and quantify the cyberthreats to our “critical infrastructure,” to provide a set of voluntary standards for improving cybersecurity, and to create an information-sharing program to warn the proprietors of critical systems about threats. Long overdue, these programs and policies finally acknowledge that our nation is critically dependent on its computers and networks, and that cyberattacks have the potential, in the words of the order, to cause a “debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” (Order, Sec. 2)
In early 2012, Senator Joseph Lieberman introduced a 205-page cybersecurity bill in the Senate which, despite broad bipartisan support, died under threat of filibuster at the behest of the United States Chamber of Commerce, a lobbying organization with a history of strong opposition to any increase in federal regulation of business. The reasons for the Chamber’s opposition were essentially the same as those given for its successful opposition to President George W. Bush’s proposed cybersecurity initiative in 2003 – namely, that the cyberassets of critical infrastructure, such as the power grid, water and wastewater systems, oil and gas refineries and pipelines, and communications and transportation networks, are privately owned, and that their owners should therefore have the exclusive power to determine what security measures are warranted and to implement them. Another threatened filibuster defeated a greatly watered-down version of the Lieberman bill introduced late in the Senate session, after headlines such as Forbes’ “Cyber Legislation Will Cost Businesses and Hurt Economy.”
After the last version of the Senate cybersecurity bill was dead and buried, the White House let it be known that the President was considering taking executive action to improve cybersecurity. This announcement was met with similar objections, and prompted reactions from those opposed to federal involvement, such as the Heritage Foundation’s Paul Rosenzweig, who termed it “a step in the wrong direction.”
Here, in brief, is what the President ordered, as promulgated:
- Federal organizations are to begin sharing information about known and specific cyberthreats with private sector entities that are the targets of the threats.
- Civil liberties and privacy are to be protected in all activities.
- DHS is directed to consult widely with other agencies, private sector representatives, state and local governments, universities, and outside experts in carrying out these activities.
- NIST is to publish a cybersecurity “framework” to assist in identifying and mitigating potential effects of cyberattacks.
- A voluntary program to enhance cybersecurity is to be started.
- The critical infrastructure at greatest risk is to be identified, and the operators of those systems are to be confidentially informed of the risk.
- Relevant regulatory agencies are to examine whether the framework should be made mandatory in certain instances of highest risk.
- DHS is to provide technical assistance to other government agencies.
As we have pointed out in the past, the current definitions of “critical infrastructure” have equally critical blind spots – areas of our economy and national life that are at least as critical as many on the existing list. Mr. Obama’s order, however, contains some flexibility in its language that, properly construed, may give these diverse areas a seat at the table in discussions and policy formulation. We encourage both government and private sector interests to take advantage of this opening to broaden their discussions, so that a threat-risk-value approach may be used to prioritize the consideration of cybersecurity.
In sum, the order is not even a first full step forward toward improving the defense of our cyber-infrastructure or increasing our ability to withstand a successful cyberattack. Ten years after President Bush first put forward the discussion of a federal role in protecting cybersystems, our government and those in the private sector who should safeguard our cyber-commons may soon be on speaking terms. FPRI looks forward to lending its knowledge to this process. We all must demand that what emerges from this process be effective and efficient tools that actually improve the nation’s cybersecurity.