President Barack Obama signed an executive order on Tuesday designed to make it easier to disseminate classified information on threats against critical infrastructure systems and to lay the groundwork for obtaining information from the private sector that would help the government protect critical infrastructures in the U.S.
The order, which runs eight pages, directs the Attorney General’s office, the office of Homeland Security Secretary Janet Napolitano and the Director of National Intelligence to issue instructions to their agencies that would “ensure the timely production of unclassified reports of cyberthreats to the U.S. homeland that identify a specific targeted entity” to Congress and also develop a program for providing “classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure,” according to the document.
To that end, the order also calls for the government to expedite security clearances to appropriate personnel employed by critical infrastructure owners and operators, so that they can receive information necessary to protect their systems.
“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats,” the order states.
The order, published in conjunction with a new Presidential Directive on cybersecurity, follows numerous failed attempts by Capitol Hill to pass controversial cybersecurity legislation that would have given private companies legal immunity to share information with the government.
The order still allows the private sector to share information with the government, but references established safeguards — such as the Fair Information Practice Principles — for protecting the privacy of customers whose information is shared and also carries some built-in limitations for the kind of information that companies will likely share. The order requires DHS’s chief privacy officer and its officer for civil rights and civil liberties to assess the privacy and civil liberties risks of the programs.
Civil liberties advocates praised the executive order in this regard, but said they will withhold judgment until they see how the information-sharing gets played out in practice.
“A lot of what this shows is that the president can do a lot without cybersecurity legislation,” said Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, who points out that the executive order satisfies the need for information sharing without the privacy problems of the legislative proposals, where loopholes would have allowed companies to dump large amounts of data on the government in an effort to obtain legal immunity. Without those immunities, companies will by nature be more circumspect about what they provide to the government, thus limiting what they hand over, Jaycox said.
“An [executive order] can’t grant broad immunities to companies … so it will tighten the information that can be shared, and the government won’t be on the receiving end of tons and tons of information,” Jaycox said. “Companies will be more mindful about what they share.”
Although the order comes after a number of failed attempts by Congress last year to pass cybersecurity legislation, the White House has indicated that it doesn’t see the executive order as a substitute for legislation, and the order even indicates that further legislation is not ruled out in addressing the critical infrastructure issue.
Not everyone is happy with the order, however. Sen. Charles E. Grassley (R-Iowa) told the Washington Post that the president was out of line in bypassing legislation.
“It is a very dangerous road he’s going down contrary to the spirit of the Constitution,” Sen. Grassley said. “Just because Congress doesn’t act doesn’t mean the president has a right to act.”
The Cyber Intelligence Sharing and Protection Act, which passed the House last year but failed to gain support in the Senate, was one piece of legislation that garnered a lot of criticism from civil liberties groups who were happy to see it fail. EFF and others criticized the bill for failing to provide enough safeguards to protect the digital privacy of customers when private entities such as ISPs and others shared threat information with the government.
CISPA would have allowed companies to share sensitive and personal data with the National Security Agency and other government agencies without requiring companies to make reasonable efforts to protect their customers’ privacy. The bill also failed to adequately define how the government could use the data, saying only that it would be used for “national security” purposes.
House Intelligence Committee Chairman Mike Rogers (R-Michigan) and Ranking Member C.A. Dutch Ruppersberger (D-Maryland) plan on reintroducing CISPA this week.
Critical infrastructure sectors include chemical, communications, dams, critical manufacturing, emergency services, food and agriculture, energy, defense industrial base, healthcare and public health, government facilities, water and wastewater, and transportation, among a few others.
DHS currently oversees the National Cybersecurity and Communications Integration Center, a 24-hour watch center, tied in with other federal watch centers, that parses threat information coming into the center and monitors government civilian networks for signs of cyber threats. DHS, along with the Department of Energy, also operates the Industrial Control System – Computer Emergency Readiness Team, which helps assess industrial control systems for vulnerabilities and maintains a flyaway team to assist critical infrastructure owners in the private sector with responding to suspected attacks on their networks.