President Obama Issues Cybersecurity Executive Order, Establishing New Standards for Many Companies

On February 12, 2013, President Obama signed an Executive Order on "Improving Critical Infrastructure Cybersecurity," which increases information sharing between the government and the private sector and establishes a "Cybersecurity Framework" to reduce cyber risks to critical infrastructure. The President also issued a Presidential Policy Directive on "Critical Infrastructure Security and Resilience."

The Obama Administration has long warned of the danger of cyber threats. In fact, in June 2012, President Obama declared that "the cyber threat to our nation is one of the most serious economic and national security challenges we face," and the Executive Order has been anticipated since September 2012, when the initial draft was introduced.

The Executive Order is aimed at private sector companies operating critical infrastructure (e.g., energy, water, transportation, telecommunications, financial services), but also could apply to companies that are regulated by sector-specific agencies as well as other companies. The Policy Directive identifies 16 critical infrastructure sectors:

  1. chemical;
  2. commercial facilities;
  3. communications;
  4. critical manufacturing;
  5. dams;
  6. defense industrial base;
  7. emergency services;
  8. energy;
  9. financial services;
  10. food and agriculture;
  11. government facilities;
  12. healthcare and public health;
  13. information technology;
  14. nuclear reactors, materials, and waste;
  15. transportation systems; and
  16. water and wastewater systems.

The primary components of the Executive Order include:

  • Cybersecurity Information Sharing: the Order creates information-sharing mechanisms between private industry and government, including near real-time sharing of cyber threat information;
  • Cybersecurity Framework: the Order requires the National Institute of Standards and Technology to develop a framework to reduce critical infrastructure cyber risks, which must include a set of standards and procedures to address cyber risks, and must incorporate voluntary consensus standards and industry best practices; and
  • Voluntary Critical Infrastructure Cybersecurity Program: the Order requires the Department of Homeland Security, in conjunction with sector-specific agencies, to establish a voluntary program to support the adoption of the Cybersecurity Framework by critical infrastructure companies and "any other interested entities."

Although the Obama Administration views the Executive Order as necessary to mitigate the threat of cyber attacks, the Administration "continues to urge Congress" to pass legislation to further address cyber threats. In fact, after issuing the Cybersecurity Executive Order, President Obama referenced the Executive Order in the State of the Union address, urging Congress to take additional action:

"America must also face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.

"And that's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks."

Thus, as noted in our recent Boston Bar Association seminar, "Data Security Laws and the Rising Cybersecurity Debate," more cybersecurity legislation is expected in the near future.

For more information regarding cybersecurity laws and developments, please contact Corey M. Dennis.