President Obama signed an executive order on February 12, 2013 that requires federal agencies to share information on cyber threats with each other and private companies. This will include unclassified information on activities of known criminals and terrorists and cyber-attacks and some classified information for owners of critical infrastructure. The order does not require private companies to share data with the government which alleviates some of the privacy concerns present in the Cyber Intelligence Sharing and Protection Act (CISPA).
Information will be collected and shared through two national critical infrastructure centers operated by the Department of Homeland Security (DHS); one for physical infrastructure such as fences, gates and checkpoints and the other for cyber infrastructure such as intrusion prevention systems, application gateways and firewalls. These DHS centers will also assist with incident response and restoration efforts related to cyber-attacks.
Aspects of the executive order are unclear but there will be some requirement for owners of critical infrastructure to establish security metrics and guidelines as specified by the DHS and federal agencies. Meanwhile, the National Institute of Standards and Technology (NIST) has been tasked with coming up with a preliminary framework for federal agency actions that are “prioritized, flexible, repeatable, performance-based and cost-effective.” (Sec. 7b)
This executive order is not the same as a law but it does show that the Obama administration is concerned about cyber security and it will impact further legislation in this area. Upcoming legislation may carry this to the next phase and establish a long-term program of cyber security information sharing and awareness.
