The U.S. government is embarking on a massive effort to more fully secure the nation's critical IT systems. President Obama formally announced his new cybersecurity initiative during his State of the Union address on Tuesday night. The initiative is defined by an Executive Order that he signed on the same day.
"America must face the rapidly growing threat from cyber-attacks," President Obama said during his speech. He added that the U.S. knows that hackers and foreign governments infiltrate private email and steal corporate secrets. He warned that the enemies of the U.S. are also now seeking the ability to sabotage air traffic control systems, the power grid and financial institutions.
Politically-motivated attacks are on the rise. Verizon's 2012 Data Breach Investigations Report found that activist groups were responsible for 58 percent of all stolen data in 2011. Experts expect this hacktivism to continue to grow.
"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," Obama said.
To that end, Obama announced the new executive order titled "Improving Critical Infrastructure Cybersecurity," with the goal of improving standards and collaboration in the interest of protecting U.S. national security.
At the core of the executive order is the development of a Cybersecurity Framework. The framework will include provisions that are intended to reduce the risk to critical infrastructure assets.
The Cybersecurity Framework effort will be led in part by the Director of the National Institute of Standards and Technology (NIST). Taking a vendor-neutral, standards-based approach is a key focus for the new framework. The executive order specifically notes that by taking a standards-based approach, the U.S. will be able to benefit from "… a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks."
Getting the new Cybersecurity Framework in place will take time, though President Obama has suggested a tight schedule in his executive order. The preliminary version of the framework is due within the next 240 days. The final version of the framework is supposed to be completed within a year.
Looking beyond the Cybersecurity Framework, President Obama also wants to have a complete understanding of threats to critical infrastructure.
"Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security," the order states.
The Cybersecurity Framework is intended to increase collaboration and improve security. While security can sometimes be traded for civil liberty, that doesn't seem to be an initial concern with the new executive order.
"The president’s executive order rightly focuses on cybersecurity solutions that don’t negatively impact civil liberties," ACLU Legislative Counsel Michelle Richardson said in a statement. "For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information."
The new order is also seen as an example of leadership in an area that desperately needs it. Stuart McClure, CEO of security startup Cylance and former CTO at McAfee, said that in his view an executive order on cybersecurity is sorely overdue.
"As a security professional with frontline experience in this war for the better part of 27 years, I can tell you beyond reproach that we are in dire need of executive leadership as a country here," McClure said.
The call to include private industry in a vendor-neutral, standards-based approach is also seen as a positive step forward. Bill Morrow, CEO of browser security vendor Quarri Technologies, commented that recent cyber attacks targeting several high-profile media companies and government agencies provide further proof that national security threats are real.
"There is a once-in-a-generation opportunity for our leaders in public and private industry to come together in the coming weeks in an effort to put measures in place to help minimize network risks to critical infrastructure that could occur in the future," Morrow said.