AMERICA - Cybersecurity, Executive Orders vs CISPA

"Obama's Cybersecurity Executive Order vs. CISPA: Which Approach Is Best?" by Chloe Albanesius, PCMag.com 2/13/2013

As part of his State of the Union speech last night, President Obama tipped an executive order that is intended to improve the security of Internet-based critical infrastructure.  But what does that order include?

Obama's plan would allow federal agencies to notify private companies if they detect any sort of cyber intrusion that would harm operations or the security of company data.

Specifically, the plan expands the Defense Industrial Base (DIB) information-sharing program to other federal agencies.  The DIB was put in place in 2011 and allows the Defense and Homeland Security Departments to share non-classified information about cybersecurity-related threats with DIB partner companies, like contractors.

But as we've seen with hacks of the Federal Reserve and the Department of Energy, defense-related agencies are not the only ones being targeted by hackers.  So the executive order "requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner," the White House said.  It also allows for "near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts."

Obama has also ordered the National Institute of Standards and Technology (NIST) to develop a framework for handling cyber-security threats.  "NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective," the White House said.

Given the rapid pace of technology, the recommendations will be technology neutral, the administration said.  Once they've been developed, DHS will work with other agencies to reach out to companies for voluntary implementation of the framework.

While sharing details about cyber attacks might seem like a no brainer, a major concern is how the data is handled.  If these threats deal with a credit card company or major social network, will your personal information be protected?

The White House insisted that the executive order includes "strong privacy and civil liberties protections."  Any type of information sharing will be based on the Fair Information Practice Principles (FIPP), a set of information-sharing principles developed by the FTC, as well as other applicable privacy and civil liberties policies, principles, and frameworks.

"Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public," the White House said.

Executive Order vs. CISPA

Last night, Obama called on Congress to do even more on cyber security.  Two members of the House, in fact, plan to re-introduce the controversial CISPA information-sharing bill today, but it has not secured the support of the White House.  A bill backed by the administration was introduced in the Senate last year, but did not make any major headway.

The main difference between the White House executive order and CISPA is that CISPA would allow private companies (like Facebook or Google) to share details about cyber attacks with the government, whereas the executive order is a one-way street, with the feds sharing information with the private sector.  CISPA opponents were concerned about immunity clauses that they said would incentivize companies to hand over customer information without hesitation.

As a result, the White House threatened to veto CISPA if it made it to President Obama's desk.  The White House Office of Management and Budget (OMB) released a statement that said the bill "departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."

In a statement last night, the ACLU issued its support for the executive order and warned against CISPA.  "The president's executive order rightly focuses on cybersecurity solutions that don't negatively impact civil liberties," said ACLU Legislative Counsel Michelle Richardson.  "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."

Broadband trade association USTelecom said the executive order "takes some important steps toward achieving policy goals that will help protect our nation from harmful threats," but said the issue should ultimately be handled by Congress - via bills like CISPA.