During the annual State of the Union address, delivered before the newly installed 113th Congress on Tuesday night, President Barack Obama once again stepped into the political hornets' nest of cyber-security and whether the private sector and government agencies should share anti-hacker data.
“We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” he said. “Now, our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
Prior to the speech, Obama signed an executive order he says will “strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy.”
“Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” he said.
That last bit was less a request than a jab. In fact, what Obama called for in his executive order is a watered-down version of both what he proposed on the topic two years ago and subsequent legislation that suffered a slow death by filibuster last year.
Tuesday's executive order intends to increase data sharing, and facilitate real-time risk and threat reporting, between the government and private companies involved with “critical infrastructure” – a wide-ranging category that includes the electrical grid, utility pipelines, dams, chemical plants, financial institutions and even the management of national monuments.
The Department of Homeland Security, in coordination with other Federal departments and agencies, would maintain national critical infrastructure centers that provide “integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure.”
The Federal Bureau of Investigation would take charge of a National Cyber Investigative Joint Task Force, a multi-agency “focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations.” The Department of Commerce is ordered to collaborate with other government entities and private sector, research, academic, and government organizations to “improve security for technology and tools related to cyber-based systems, and… enable the timely availability of industrial products, materials, and services to meet homeland security requirements.”
The executive order stops short, however, at mandating disclosures, enforcing baseline requirements for how critical infrastructure must be protected (including clarity on the government's own role), or offering protection against liabilities and the legal actions that might result from sharing information. Those specifics will presumably be left in the hands of Congress, which may not give proponents of tougher standards much cause for optimism.
In August, the Cybersecurity Act of 2012 –which established voluntary cyber-security standards for operators of critical infrastructure and authorized companies and the government to share information about cyber threats – was successfully thwarted by Senate Republicans with a cloture vote of 52-to-46, below the 60 votes needed to move it forward. A divisive issue was whether the bill represented the start of a voluntary initiative to develop policies for the disclosure and handling of breach reports, or whether it would effectively kick-start a government-controlled, regulatory regime that imposed significant costs for minimal benefit. Critics, including the U.S. Chamber of Commerce, argued that the sharing of cyber-threat information should not be mandatory.
Previous legislation, the Cyber Intelligence Sharing and Protection Act of 2011, better known as CISPA, drew similar concerns, as well as opposition from privacy advocates worried that it established a pipeline for companies to share private, personally identifiable customer data (including e-mails) with government agencies.
A separate, ongoing concern for public companies is whether regulators, notably the Securities and Exchange Commission, will mandate cyber-threat disclosures. The SEC issued guidance last October on best practices for companies on the question of when a cyber-intrusion triggers an obligation to disclose it to investors under the federal securities laws. Had it been successful, a bill introduced by Senator Jay Rockefeller (D-W.Va.) last year would have required the SEC to formalize its guidance into regulation and force companies to review, on an ongoing basis, the adequacy of their disclosures.