Cybersecurity order fosters data sharing
- Directive announced as part of State of the Union address
- Legislation still required to protect critical infrastructure
- Information sharing crucial to stopping hackers
SEATTLE – President Obama on Tuesday issued an executive order designed to get the federal government and private companies working more closely to protect the nation's critical infrastructure against cyberattacks.
The widely expected directive was signed just before the president's State of the Union address. It was prompted by Congress' failure to pass cybersecurity laws that would compel companies to share information about cyberattacks with federal authorities.
"After the failure of comprehensive cybersecurity legislation last year, the need for immediate executive action was clearly apparent, and I applaud the President for taking on this difficult task," says Rep. Jim Langevin, D-RI.
Obama assigned the National Institute of Standards and Technology (NIST) to lead development of a framework for voluntary information sharing aimed at stemming cyberattacks on water and power plants and other critical systems. A senior White House official, who briefed reporters prior to the president's speech, said the order was "not a substitute" for new cybersecurity laws, which are still needed.
Jody Westby, CEO of consultancy Global Cyber Risk, says wider sharing of intelligence about what criminals and spies are doing is a good thing. But Westby worries that NIST, in particular, could develop an unwieldy framework of mandatory standards for critical infrastructure companies.
"This sort of overreaching by the president could result in numerous legal challenges over his ability to usurp the powers of the legislative branch," Westby says.
Chris Bronk, fellow of information technology at Rice University, says voluntary standards implemented by federal agencies will only go so far. "All you're doing is leaving it to the agencies to reallocate existing resources," he says. "It (the order) basically just asks for a lot of planning and reporting about what to do next."
Pravin Kothari, CEO of encryption company CipherCloud, for one, is optimistic that the president's directive will foster collaboration and data sharing. "Bringing key industry sectors and the government to the same table will enable our country to react and, in time, proactively defend our infrastructure and intellectual property," Kothari says.
In a related development, the European Commission last week proposed a sweeping Cybersecurity Directive underscoring that "the push for regulation in this area extends well beyond Washington," notes Harriet Pearson, a privacy and information management attorney.
"Information sharing between the government and private companies needs to increase, to improve the cybersecurity ecosystem overall" says Mary Ellen Callahan, chair of privacy and information governance at law firm Jenner & Block.
"Almost everyone agrees that the federal government has a big role to play in cybersecurity," Pearson adds. "Companies will be wary of information sharing without liability protection – which is something only Congress can provide."