President Barack Obama issued the long-awaited cybersecurity executive order for Improving Critical Infrastructure Cybersecurity Tuesday evening. Aimed at improving public-private information sharing, the directive creates voluntary cybersecurity standards and best practices. Congress is today taking up a bill, a new version of the previously dropped Cyber Intelligence Sharing and Protection Act, which tackles many of the same concerns.
Within 120 days, the order states, "the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities … to ensure the timely production of unclassified reports of cyber threats."
The order tasks the National Institute of Standards and Technology with overseeing the development of a risk assessment and best practices document, referred to as the Cybersecurity Framework, within the next year. Additional deliverables called for by the directive include an update to the National Infrastructure Protection Plan and the completion of a national critical infrastructure security and resilience research and development plan within 2 years.
There has been criticism of the president's decision to act via an executive order rather than leaving the matter to legislators, even though prior legislation has failed to survive both houses. Senator Charles Grassley was quoted in The Washington Post saying, "Just because Congress doesn't act doesn't mean the president has a right to act."
Others are concerned about whether the order actually gets anything done. A post at Kaspersky's Threatpost blog noted that, "What the order does not include are any mandates, required changes or a plan for significant action."
But at least one observer believes the president's action sets a new tone. Jagat Shah, CTO of Columbia, Md.-based SIEM vendor EventTracker, believes that "When the White House weighs in and makes a move like this, it definitely creates a greater awareness about an ongoing and serious problem. Most government agencies and contractors who support them are required to follow guidelines and standards to protect infrastructure, but cybersecurity projects have been on the back burner for the last few years. This order is now requiring them to assign the necessary resources and budget to implement long-needed cybersecurity guidelines and standards."