President Obama signed an executive order aimed at bolstering U.S. cybersecurity prior to tonight’s State of the Union address. The Order precedes a House Homeland Security Committee hearing on “new threats.”
It is the government’s latest move in attempting to deal with cyber threats, and the order has not undergone any public technical, rights-based, or privacy review.
The Order “enables the government to share more information with private industry partners and developing a new framework of practices to reduce cybersecurity risks.”
President Barack Obama’s Improving Critical Infrastructure Cybersecurity Executive Order is to “maximize the utility of cyber threat information sharing” – although the document does not define ‘cyber threat’, ‘cyber intrusions’ or exactly what will be shared for its information sharing provisions.
The Order requires the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence to issue implemenation instructions within 120 days.
Privacy and digital rights may take a back seat as the assesment of privacy concerns and civil liberties risks is being kept in-house.
The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security will assess the privacy and civil liberties risks of the Order and make ‘recommendations’ a year after today’s signing.
The Order puts the Department of Homeland Security in charge of creating ways to share information between entities, but does not define or explain how this will be done without enacting critical privacy violations of citizens.
The White House has put together this Fact Sheet on the new Order, though the listed items do not include the privacy and civil liberties points in the Order.
As the Order was signed, the Obama administration released a “Presidential Policy Directive.”
The Directive is actualization of the administration’s intent to update the national approach to critical infrastructure security.
The directive aims to bridge certain infrastructure’s physical security and cybersecurity—likely energy resources, telecommunications, and water systems.
It also puts for a plan to, “identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
After tonight’s State of the Union address, tomorrow Congress will hold a hearing called “A New Perspective on Threats to the Homeland” to talk about what it will define as new threats, including drug cartel action at the borders and cyber-attacks on infrastructure.
The executive order establishes new information sharing between the private and public sectors, providing classified and unclassified threat information to U.S. companies. It requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. It also opens up a real-time information sharing program, currently open to the defense industry, to other sectors.
The order also directs the National Institute of Standards and Technology (NIST), a federal agency, to develop a new cybersecurity framework to reduce cyber risks to critical infrastructure. It calls on agencies to incorporate privacy and civil liberties safeguards, based in part on the Fair Information Practice Principles, into their cybersecurity efforts and requires agencies to conduct regular, public assessments of their privacy and civil liberties standards.
According to Bloomberg: “The administration has been drafting an executive order on computer security since at least last fall, before the Senate failed in its second attempt to pass Obama-backed legislation to create cyber standards for companies.”
News of the order comes just after House Intelligence Committee Chairman Mike Rogers announced last Friday they will reintroduce the controversial CISPA cybersecurity bill—the Cyber Intelligence Sharing and Protection Act—on February 13.
CISPA’s primary function is to remove legal barriers that might keep Internet companies from giving all your communication and information to the government, or even to other companies.
It allows “cyber entities,” such as Internet service providers, social networks like Facebook and Twitter, and cell phone companies like AT&T, to circumvent Internet privacy laws when they’re pressured by U.S. Homeland Security to hand over or shut down almost anything of yours online that the government wants.
No warrant would be needed to access this personal, sensitive citizen data.
CISPA is accurately described as a setup to wipe out decades of consumer privacy protections, giving the U.S. government unprecedented access to individuals’ online data and communications.