President Barack Obama on Tuesday signed a much-anticipated executive order intended to develop the nation’s defenses against cyberattacks, but the effort has already raised constitutional and regulatory concerns.
The order, called “Improving Critical Infrastructure Cybersecurity,” establishes a two-year timeline during which the federal government will determine what constitutes critical “physical or virtual” infrastructure, and establish security standards to keep those assets safe.
The order also attempts to take into consideration privacy and civil liberties concerns that have caused digital-rights activists to continue to lobby legislators against rushing into creating laws to regulate the Internet.
The development of the standards, called the “Cybersecurity Framework,” will be led by the director of the National Institute of Standards and Technology (NIST).
“The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks,” says the order.
A “Cyber Information Sharing” section of the order also calls for the secretary of homeland security, the attorney general and the director of national intelligence to each issue unclassified reports on cyberthreats against the U.S.
The order, which comes at a time when cyberattacks on the federal government and private companies are reportedly on the rise, was accompanied by a Presidential Policy Directive to provide guidance on the execution of the order.
During the State of the Union Address on Tuesday evening, Obama stated, “America must also face the rapidly growing threat from cyberattacks.”
“We know hackers steal people’s identities and infiltrate private e-mail,” said Obama.
“We know foreign countries and companies swipe our corporate secrets,” he said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy,” he added, urging Congress to pass legislation to accompany the order.
House Homeland Security Chairman Michael McCaul responded favorably to the order, stating that he was “pleased that the president’s executive order establishes the Department of Homeland Security as having a lead role in cybersecurity—to rapidly disseminate both unclassified and classified cyber threat reports, to strengthen public-private partnerships and to coordinate national protection of our critical infrastructure.”
McCaul expressed concern, however, about the potential regulatory burden the order would place on businesses.
He also stated that the “executive branch also lacks constitutional authority possessed by Congress to provide the necessary liability protections that industry needs to freely share threat information with the federal government in a joint effort.”
“Without protections and incentives to adopt industry-led best practices, such programs will be ineffective and carry consequences for entities that choose to participate,” said McCaul.
The House homeland security committee is expected to hold a hearing later this month on the executive order to “examine its implications for the public and private sectors.”
McCaul stated that he plans to introduce legislation to facilitate cybersecurity coordination between the public and private sectors.
Similar legislation is anticipated to come from Representatives Mike Rogers and Dutch Ruppersberger, as well.