Truman National Security Project

President Takes Aim at Cybersecurity Through Executive Order

Typing_computer_screen_reflection

Just a few hours before the State of the Union address, President Obama signed an executive order authorizing new policies to protect U.S. critical infrastructure cybersecurity. Following several failed attempts by Congress to legislation in this area, the president addressed the important issue of “repeated intrusions into critical infrastructure.” During the past few years, we have seen evidence that what was once science fiction is now coming true. The administration acknowledged the increased role of hackers in the national security landscape, and the president’s speech included specific language in this regard.

“America must… face the rapidly growing threat from cyber-attacks… our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The number of cyber attacks on U.S. based networks is increasing significantly, and we are not prepared for the inevitable instance where we’re faced with a catastrophic event. Terrorists now have these tools in their hands, and we’ve seen several examples of how computers can be used to take infrastructure offline. Once terrorists gain expert knowledge of tools and techniques to cripple infrastructure, they will plan the kind of attack that would use computers to do kinetic — physical — damage. This could mean hacking into a network connected to the electrical grid and disabling it, potentially for a length of time, which at a time of year with 100 degree heat as we’ve faced in the Midwest or record snow like we have seen in recent years, a significant number of lives could be at stake.

Even as members of Congress applauded at the president’s mention of critical infrastructure protection during his address, it was clear looking at their faces that many still do not understand the potential impact of these technological threats. It’s a more challenging picture to paint than turning airplanes into flying bombs or launching a nuclear missile, but the damage could be widespread. This is a public health, safety and security issue, not just a financial data concern. That’s where this executive order concentrates its emphasis.

While the new policy still leaves many details to be determined, such as how public-private partnerships will take place and who exactly the participants will be involved in the process, there is a clear push toward collaboration during the process, which technologists and policy makers should support. The Department of Homeland Security will also have a role in this process, but not as large as some proponents had hoped.

The order also includes a substantial section on privacy and civil liberties protections. The ongoing debate over privacy vs. security will continue, but the administration has made it very clear that they take this seriously. Steering away from much of the language in recent bills that could have opened doors wide for privacy breeches, the section on privacy was vague on details but decisive in its intent. Nobody wants Big Brother to become reality.

Key issues debated in recent months focused on which agency would take the lead on critical infrastructure protection, what kind of information sharing between organizations would take place, and how data would be protected. Clearly there is still room for debate here, but the administration will be working with key stakeholders to clarify these things in the coming months. Legalities around information transfer contain several layers of complexity, so a new Voluntary Critical Infrastructure Cybersecurity Program will be launched, allowing for participation from committed organizations.

The Director of the National Institute of Standards and Technology (NIST) will develop a cybersecurity framework, taking leadership on new standards, practices and procedures while also reviewing existing regulations. The first important step will be to identify critical infrastructure most at risk, not including commercial information technology products or services. Owners and operators of infrastructure so designated will be notified confidentially. The aggressive timeline selected for this identification — five months — will require extensive resources, based on the risk of attacks to infrastructure systems and on what we know of existing hackers and emerging threats. Expect the White House to deliver.

For the past four years, cybersecurity has remained a priority for the administration and it’s in our best interest that it remain that way. Much still needs to be done, and the necessary protections we should have had in place a decade ago still remain a few years away. The call for additional legislation in this area acknowledges the need for continued vigilance. We must also continue down a path of deep, challenging discussion about privacy implications, government access to information, and related legal implications. This topic will remain a challenge until technical, civil liberties and legal experts can come together on solutions that make sense, work well, and are easily articulated to policymakers and the American public.

Sarah Granger is a Truman Project Fellow. This post originally appeared on the Huffington Post.