President Obama signed an executive order aimed at countering cyber security threats with better information sharing and coordination between U.S. government agencies and the owners and operators of critical infrastructure across the country.
In his State of the Union speech, Obama said the United States faces real threats to its infrastructure and economy and he called on Congress to give the government more authority to secure networks and deter attacks.
Some key elements of the new directive:
- New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
- The development of a Cybersecurity Framework. The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.
The directive defines the term critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
The White House also ordered Federal agencies to incorporate privacy and civil liberties safeguards in their activities, including safeguards based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks.
The Obama administration also plans to set up a voluntary program to promote the adoption of the Cybersecurity Framework.