Obama announces cyber executive order during speech

President Barack Obama on Feb. 12 signed an executive order on cybersecurity, aiming to strengthen the nation's critical infrastructure through cross-sector information-sharing and framework. He announced the move in his State of the Union address at just before 10 p.m. Eastern Time.

"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy," Obama said. "Now Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis."

Accompanied by a presidential policy directive that updates 2003's Homeland Security Presidential Directive 7, Obama's plans build on cybersecurity measures already underway throughout the government and industry. It also includes new provisions for identifying the most pressing risks, establishing standards and disseminating data on cyber threats.

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties," the executive order states. "We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards."

The order expands the current defense industrial base information-sharing program that has been in place since 2011 between the Defense Department and some private organizations, including top contractors. Under the voluntary Enhanced Cybersecurity Services program, which effectively takes the former pilot project a step further, is designed to exchange real-time threat data and help bolster protections.

"This voluntary information-sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure," the order states.

The sharing of unclassified information also receives a boost in the order, which directs the attorney general, DHS secretary and director of national intelligence to produce within 120 days guidelines for agencies to produce, quickly disseminate and track unclassified reports on cyber threats.

Obama's directive includes plans to expedite the processes for issuing clearances for cybersecurity experts -- part of broader plans to attract and retain subject-matter experts from outside the government.

Among other key themes in the executive order include a focus on a "consultative process" for strengthening U.S. cybersecurity, including the participation of industry, academia, advisory councils and other stakeholders in the development of cyber strategies. There are also provisions for the establishment of voluntary guidance, standards and best practices -- much of which is delegated to the National Institutes of Technology, which is charged with developing baseline framework.

"The cybersecurity framework shall include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks," the document states. "The cybersecurity framework shall provide a prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess and manage cyber risk."

Beyond the information-sharing and standardization efforts, the administration puts into place privacy and civil liberties protections based on the Fair Information Practice Principles. Furthermore, under the PPD, Obama also directs government agencies to review, refine and clarify existing cyber efforts, partnerships and regulations, as well as implement integration and analysis capabilities to help with planning and decision-making.

"This endeavor is a shared responsibility among federal, state, local, tribal and territorial entities, and public and private owners and operators of critical infrastructure," a White House fact sheet noted. "While there has been extensive work done to enhance both the physical and cyber security and resilience of critical infrastructure, this PPD will create a stronger alliance between these two intertwined components."

The executive measures, which have been in the works for months, come as the 113th Congress prepares to again take up cybersecurity legislation that failed last fall. On Feb. 13 Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.) are expected to reintroduce the Cyber Intelligence Sharing and Protection Act, a controversial bill that last year passed in the House but went no further.

The president also touched on the looming agency budget cuts, though he focused on the broader economic threats that sequestration poses come March 1. "These sudden, harsh, arbitrary cuts would … certainly slow our economy and cost hundreds of thousands of jobs," Obama said. He called on Congress to "work to pass a budget that replaces reckless cuts with smart savings."