President Obama Makes a Downpayment on Cybersecurity
In his State of the Union Address, President Obama announced that he has signed an executive order (EO) designed to advance critical infrastructure (CI) cybersecurity. The President’s framework is a downpayment on the challenging task of protecting America’s citizens, critical assets, and infrastructures from ever-evolving cyber threats.
As the White House developed this EO, we and other stakeholders provided our ideas, and we in the tech community stressed that the first, best cyber defense is innovation. We’re pleased that the EO adopts many of our ideas and seeks to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting security, business and individual privacy, and civil liberties. It recognizes that effective cybersecurity policy should leverage public-private partnerships, be adaptable to emerging threats, technologies, and business models, and be based on risk management.
Information sharing is an important component of the White House approach. To be as nimble and flexible as cyber intruders have proved to be, we need an improved information-sharing system that operates in real time and is bi-directional -- from the private sector to government, and from government to the private sector. The President’s EO intends to improve the government’s sharing of actionable information with the private sector on specific, targeted cyber threats as well as technical indicators that flag risks generally. We hope that Congress will pass legislation that will complement the executive order, particularly by identifying additional ways to encourage companies to participate in expanded real-time information-sharing efforts.
We agree with the President’s emphasis on creating a security framework that is based on existing, voluntary, consensus-based standards and best practices; allows CI owners and operators to identify, assess, and manage their cyber risks; and is technologically neutral. And it’s good that the National Institute of Standards and Technology is taking the lead in coordinating the development of such a voluntary framework, which we hope will be built on consensus-based global standards and rely on agile, cutting-edge security technologies.
Finally, the President's directive aims to have the Secretary of Homeland Security use a risk-based approach to identify critical infrastructure where a cybersecurity incident could have catastrophic effects on public health or safety, economic security, or national security. In order to allow for innovation in information technology solutions, we agree with the EO that commercial information technology products or consumer information technology services should not be designated CI at greatest risk.
The information and communications technology sector is deeply committed to protecting against cyber threats. A collaborative, innovative cybersecurity structure is central to safeguarding public safety, national security, and economic stability. With his directive, the President proposes meaningful steps to improve the nation’s cyber defenses. We stand ready to work with the Administration to implement the policies in ways that preserve innovation and enhance America’s cybersecurity posture. And we stand ready to work with Congress to complete the job through enactment of strategic, effective cybersecurity legislation.