State of the Cybersecurity Union — Obama’s Executive Order Aimed at Cyberattacks

“We know hackers steal people’s identities and infiltrate private e-mail.  We know foreign countries and companies swipe our corporate secrets.”  With those words, and just prior to his 2013 State of the Union address, President Obama signed an executive order on cybersecurity.   The order is focused on protecting critical cyber infrastructure from cyberattacks.

As an executive order, it directs government agencies to establish policies and procedures to thwart cyber intrusions.  Probably the most significant provision is that The Department of Homeland Security (DHS) and the Director of National Intelligence must now share information about cybersecurity threats with the private sector.  This could include classified as well as unclassified data, depending on the threat and the nature of the infrastructure potentially affected.

To the relief of privacy groups and technology companies, this information sharing is a one-way street.   Meaning that companies like Google and Microsoft will not have to share their data with the government which, privacy groups warned, could potentially invoke personal information of their users.  In fact, the order directs DHS to assess privacy risks as a result of any programs undertaken as a result of the order.  

Further, the executive order requires the establishment of a “Cybersecurity Framework” meant to reduce the cyber risks to critical infrastructure.  The framework must include standards, procedures and processes to reduce cyber risks, incorporating industry best practices.  The final version of the Cybersecurity Framework is due to be issued within 1 year of the date of the order  — by February 12, 2014.

It remains to be seen what new policies and procedures will be implemented as a result of President Obama’s order and what the final “framework” will look like.  However, this action is certainly an acknowledgment of the increasing threat of cyberattacks, not only to individuals and their personal information, but also to national security.