Obama signs executive order to boost critical infrastructure security

President Obama signed an executive order on Feb. 12 that seeks to better protect the nation's critical infrastructure from cyber intrusions through increased information sharing and the joint development and implementation of a framework of shared cybersecurity practices between government and industry.

The executive order, "Improving Critical Infrastructure Cyber Security, which coincided with Obama's State of the Union address, follows on the heels of failed efforts by Congress in 2012 to pass comprehensive cybersecurity legislation. President Obama's executive order was widely anticipated and seeks to provide intermediate measures to protect critical infrastructure against cyberattacks from hostile actors that are increasing in number and frequency.

Obama acknowledged in his State of the Union address the growing threat that the United States faces from cyberattacks, citing how hackers steal people's identities and infiltrate private e-mail. He also mentioned that foreign countries hostile to the United States are systematically stealing corporate secrets through hacking.

"Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," Obama said. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

He said that the new executive order "will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy."

In concluding his remarks on cybersecurity, the president called on Congress to act on the matter "by passing legislation to give our government a greater capacity to secure our networks and deter attacks."

Congressional action on cybersecurity is required for many reasons, including liability protections that require statutory authority and are not covered by an executive order.

The executive order instructs the National Institute of Standards and Technology to develop a baseline framework to reduce cyber risk to critical infrastructure. The framework will include voluntary security standards for critical infrastructure companies.

The Homeland Security Department will coordinate participation by the Energy Department and solicit industry input to develop a program to assist companies in implementing the cybersecurity framework and in identifying incentives for its adoption.

The executive order also calls for expanding the Defense Industrial Base Information Sharing Program to include additional critical infrastructure companies. The order expands the voluntary Enhanced Cybersecurity Services program, thereby enabling near real-time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.

The order also requires federal agencies to share unclassified reports of threats with U.S. companies in a timely manner.