Over the last decade, the topic of cyber security has been treated more as a partisan political football in the United States Congress than as a national security concern. But this week, the course of that discussion changed direction radically.
Prior to Tuesday’s State of the Union address, President Obama signed an executive order making the protection of America’s information and data assets a priority. Coupled with the Presidential Policy Directive on Critical Infrastructure Security and Resilience released by the White House earlier in the day, it was clear that it was not "business as usual" when it came to defining the threat.
The Cyber Security Act failed in its last two attempts at passage in Congress, and while the Obama administration has said all the right things when it comes to providing safeguards for the nation’s information assets, action was in short supply. Never before has the president spent as much time discussing cyber security in a public forum as he did Tuesday; in fact, he didn’t mention it at all in his 2010 and 2011 addresses.
But in Tuesday’s speech, the president made it clear that cyber security must be front-of-mind, and that a spirit of cooperation between government and industry would hold the key to creating a viable strategic plan. “America must face the rapidly growing threat from cyber attacks,” Obama said. “We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The Executive Order (EO) gives government agencies a year to devise a “baseline framework” for cyber security that will incorporate peer-based standards and industry best practices that are already in place in other critical infrastructure sectors like utilities and gas and oil pipelines. A critical infrastructure council, run by the Department of Homeland Security, will be created and will include members of the Departments of Defense, Commerce and Justice, along with the National Intelligence Office. The goal is to prevent malicious penetration of computer systems in key industries and infrastructure by hackers, criminals and enemy states.
“I think the president threw out a challenge in his address by specifically noting this was a bipartisan issue — he was provocative by noting that,” says Lisa J. Sotto, managing partner of the New York office of Hunton & Williams LLP, where she heads the firm’s Privacy and Data Security practice. She also serves as Chair of the DHS Data Privacy and Integrity Advisory Committee. “He is challenging our legislators to get together on this and move forward.”
While Sotto admitted that much of what was presented by the president was a “regurgitation of what has been seen before,” she is still encouraged.
Perhaps the most dramatic tenet of the EO is the urgency the administration has put on information sharing among public and private partners. Within the next 120 days, DHS will be working closely with the U.S. attorney general, the secretary of Homeland Security and the director of National Intelligence to create a roadmap that will help with the timely production and release of unclassified cyber threat reports, including those aimed at specific industrial sectors. The EO addresses the need to protect intelligence and related law enforcement sources, methods, operations and investigations. At the same time, it instructs the DHS and DoD to create procedures that broaden the effectiveness of the Enhanced Cyber Security Services program for all the nation’s infrastructure.