As announced in his State of the Union address on February 12, 2013, President Obama issued an executive order directing federal departments and agencies to use their existing authorities to strengthen cybersecurity defenses. This follows months of congressional stalemate over cybersecurity legislation and recommendations from a number of politicians, including Senate Intelligence Chairwoman Dianne Feinstein, that the President circumvent Congress altogether to protect the country’s critical infrastructure.
Among its numerous provisions, the executive order directs the National Institute of Standards and Technology (NIST) to coordinate the development of a cybersecurity framework that includes a set of standards and procedures to address cyber risks. The order requires that voluntary consensus standards and industry best practices be incorporated to the fullest extent possible. The White House expects the framework to be technology-neutral and to allow critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards developed to address cyber risks.
Further, the order requires that the Department of Homeland Security (DHS) establish a voluntary critical infrastructure program to support adoption of the cybersecurity framework by owners and operators of critical infrastructure. It tasks DHS, the Department of the Treasury, and the Department of Commerce with separately recommending to the Administration incentives that could be offered to owners and operators of critical infrastructure under existing laws and authorities, together with a cost-benefit analysis of incentives that would require new legislation.
To accomplish these objectives, the executive order establishes the following deadlines:
DHS has 150 days to identify the critical infrastructure at greatest cyber risk. The order makes clear that commercial IT products and consumer IT services cannot be designated as critical infrastructure at greatest risk, an exception that industry members had sought in legislation.
NIST will have 240 days to publish a preliminary version of the cybersecurity framework and one year to publish a final version. In coordinating the development of the final cybersecurity framework, the order requires that NIST conduct an open public review and comment process and consult relevant federal agencies, owners and operators of critical infrastructure, and other stakeholders.
Within 90 days of publication of the preliminary framework, designated federal agencies must report to the Administration on whether they have clear authority under current law to implement the framework in a way that sufficiently addresses cyber risk, and whether additional authority would be required. If current regulatory requirements are deemed insufficient, the agencies must propose further action to mitigate cyber risk.
In addition to this directive, President Obama underscored the urgency of comprehensive cybersecurity legislation in his State of the Union address:
“Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy . . . [n]ow Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”