Obama signs cyber security executive order

Finally. President Barack Obama signed the long-awaited executive order on cyber security today. As expected, the order expands information-sharing programs between the government and private sector and establishes voluntary cyber security best practices for critical infrastructure providers -- though the administration plans to use its leverage to strongly encourage compliance.

One of the order's main provisions calls for the National Institute of Standards and Technology to work with the private sector to identify a set of cyber security best practices that can be turned into a "Cybersecurity Framework" that critical infrastructure firms would use to ensure they are defended against cyber attack. A senior administration official said this afternoon that this framework, due one year from today, "is not designed to be a one size fits all approach" and will "not lock in specific technology or approaches."

NIST and other government agencies will work with businesses that have proven to be the best at cyber security to help develop these practices. "We believe that companies driving cyber security innovations are really in the best place to help us push out best practices across more of the critical infrastructure and companies would have a lot of flexibility in determining how to do so," said the official. "This is about taking the existing best practices and spreading them out to as many of the critical infrastructure companies as we can."

The Department of Homeland Security will form an organization to push out these standards to critical infrastructure providers. DHS, DoD and other government agencies will develop incentives, in collaboration with the private sector, to coax critical infrastructure companies into adhering to those standards, since they are officially voluntary.

"There's a whole range of" incentives that have been suggested, added the official, mentioning the recommendations of the Commission for Cyber Security and the 44th Presidency as some examples.

Possible incentives could include government contracts, according to the official. Government agencies have 120 days from now to come up with these incentives.

In addition to the incentives, the order also has "teeth," according to the official. It calls for federal agencies to review their regulations for industries they oversee to make sure they apply to cyber security. If critical infrastructure providers don’t live up to the minimal best practices that emerge in the Cybersecurity Framework, the agencies could find a way to make them.

"It makes business sense to [adopt these practices] in a lot of cases, and that’s something that a lot of businesses are starting to understand," said the official. "What we want to make sure of with our direction to our federal regulators is that, if for some reason that market signal isn’t getting through as clearly or as loudly as we would like, that there’s the backstop of the federal regulators to make sure those companies that are in this critical infrastructure [sector] . . . are really putting into the baseline levels of cyber security."

In other words, the administration believes the market will demand better cyber security, and it is going to provide incentives to encourage better practices. But if those approaches don’t work, it will use its regulating power to ensure that various critical infrastructure businesses adhere to minimal standards, added the official.

"We’re giving multiple avenues for either incentives to be created in the voluntary program and for market forces to work, but we’re also putting in place the ability and the direction for the regulators to use their existing authority, if needed" to make sure critical infrastructure businesses adhere to minimal standards, said the official.

The order defines critical infrastructure providers as companies and organizations with "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." The senior administration official said the White House expects this to amount to a very small number of private businesses.

The order also calls for increased information sharing about cyber threats between government agencies such as the Defense Department, the Department of Justice, the Intelligence Community and the Department of Homeland Security. One of the ways this will be done is by expanding the Pentagon's DIB Pilot program, which allows the government to rapidly share information on cyber threats aimed at defense contractors with those companies.

As expected, DHS will have the lead on information sharing and is required to come up with a plan to ensure that civil liberties are protected. The order does not provide liability protections for companies that improperly share private citizens’ information with the government or that violate antitrust laws in the course of sharing information. Those issues will have to be addressed by cyber security legislation, said the official. The order also calls for an expansion in the number of critical infrastructure workers who may receive classified briefings on cyber threats.

White House officials today said the information shared under the executive order would be specific digital threat signatures -- strings of ones and zeros -- that can identify pieces of malware aimed at critical infrastructure providers, not the contents of people's email. The order calls for numerous privacy protections and reviews when information is shared to make sure that information about private citizens or companies is not inappropriately used. The privacy protections involved "will be based upon the Fair Information Practice Principles," reads the document.

Here’s a copy of the executive order:

White House Cybersecurity Executive Order 

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.