On February 12, 2013, President Obama signed an executive order entitled “Improving Critical Infrastructure Cybersecurity.” The Order has two key components.
First, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities.
Second, the National Institute of Standards and Technology (“NIST”), which is part of the Commerce Department, must develop a Cybersecurity Framework. The Cybersecurity Framework will be a set of standards, methodologies and procedures to help owners and operators of critical infrastructure to reduce cyber risks. NIST must consult with other agencies and stakeholders and must incorporate voluntary consensus standards and industry best practices.
In conjunction with the Department of Homeland Security (“DHS”), sector-specific agencies must develop a program to support the private sector in adopting the Cybersecurity Framework. DHS must coordinate and recommend to the President a set of incentives to encourage industry adoption.
The President also issued the Policy Directive on Critical Infrastructure Security and Resilience. Under the Policy Directive, DHS and sector-specific agencies must assess the Nation’s critical infrastructure and assist the owners and operators in strengthening their cybersecurity.
The Executive Order and Policy Directive were issued after Congress failed to pass numerous cybersecurity bills in 2012, including a proposal by the White House. In September, the White House said that it would consider issuing an executive order if Congress remained deadlocked. The White House noted that the executive branch is “hamstrung by outdated and inadequate statutory authorities,” and in President Obama’s State of the Union Address, he called on Congress to “pass legislation to give our government a greater capacity to secure our networks and deter attacks.”