Obama Signs Cybersecurity Executive Order to Protect Nation’s “Critical Infrastructure”

“This Executive Order will begin a multi-year legislative and regulatory process that will result in new cybersecurity regulations, information sharing channels and changes in cyber liability for critical infrastructure and government contractors. These changes will create a number of opportunities and risks for companies in a wide range of private sector companies.” (Holland & Knight)

In his 2013 State of the Union address last night, President Obama announced that he had just signed the “Improving Critical Infrastructure Cybersecurity” executive order, a crucial first step in establishing national standards for protecting the country’s “critical infrastructure,” defined as:

“… systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

What’s in the order? Four key elements, from Christopher DeLacy and Joel Edward Roberson of Holland & Knight:

  1. “[Department of Homeland Security (DHS)] will designate certain industries as Critical Infrastructure at Greatest Risk [that] … will begin receiving certain additional cyber threat information.
  2. The [National Institute of Standards and Technology (NIST)] is required to establish a Cybersecurity Framework, which is defined as ‘a framework to reduce cyber risks to critical infrastructure.’ The Cybersecurity Framework is required to be established within one year and must be updated ‘as necessary.’ …
  3. DHS is required to establish a Voluntary Critical Infrastructure Cybersecurity Program to encourage owners and operators of critical infrastructure to adopt the Cybersecurity Framework…
  4. The Executive Order is intended to increase Information Sharing between the government and critical infrastructure by ‘increase[ing] the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.’”

Sound like a lot to achieve? It is. What’s more, the president wants it done quickly, write Dennis Olle and Pedro Pavon at law firm Carlton Fields:

“The Executive Order gives the Secretary of Homeland Security 150 days to identify critical infrastructure where a cyber incident ‘could reasonably result in a debilitating impact on national security, national economic security, or national public health and safety.’ Within 240 days, the National Institute of Standards and Technology (NIST) must publish a framework to reduce cyber risks to critical infrastructure… A final version of the NIST framework must be completed by February 2014.”

Stay tuned…
