On February 12, 2013, President Obama signed a long-expected Executive Order titled “Improving Critical Infrastructure Cybersecurity.” Here’s a look at what it does and what it covers.
“Cybersecurity” is a growing concern for the US government and its businesses. It refers to the possibility of computer-based attacks on crucial US institutions from either inside or outside the country.
Here are the primary aspects of the Executive Order that speak to this threat:
1. Identify critical infrastructure. The Secretary of Homeland Security must identify critical infrastructure entities and notify their owners and operators that they have been so identified. Critical infrastructure is defined as:
systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
2. Share threat information. The Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence must establish procedures for producing unclassified reports about cyber threats and processes for rapidly disseminating these reports among government agencies and private sector critical infrastructure entities. To facilitate information-sharing, three tools will be developed:
- A Cybersecurity Framework to set standards and approaches to address cyber risks;
- A Voluntary Critical Infrastructure Cybersecurity Program for operators of critical infrastructure entities; and
- A Critical Infrastructure Partnership Advisory Council.
3. Protect civil rights. Relevant government agencies must coordinate their activities with privacy and civil liberty agency officials, and apply federal privacy and civil liberties policies and principles as they move forward.
Although private US companies may be subject to the Order, particularly if identified as critical infrastructure because they provide “vital” goods or services, there seem to be some interesting exclusions: software companies and other companies that provide commercial information technology products or consumer information technology services may not be listed as critical infrastructure.
It appears that the President drafted and signed this Order as a stopgap measure in the absence of Congressional action. Necessary as the Order may be as a first step, a comprehensive legislative scheme would be the best means of combating a growing threat to the nation’s welfare, economy, and public safety.
For discussion of privacy laws, information security, and security breach as they affect California businesses, turn to CEB’s Privacy Compliance and Litigation in California.
© The Regents of the University of California, 2012. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited.