
A long-awaited cybersecurity executive order released by the White House last week seeks to boost the nation’s cyber defenses by increasing cyber threat information sharing and pushing critical infrastructure operators, such as water and wastewater utilities, to adopt government-crafted cybersecurity best practices. President Barack Obama signed the executive order before his State of the Union address on February 12.

The executive order has two major components. First, it requires the Attorney General and the Director of National Intelligence to increase cybersecurity intelligence information sharing with private sector critical infrastructure operators. Second, the order tasks the National Institute of Standards and Technology, in consultation with other agencies and the private sector, with developing a set of cybersecurity best practices, known as the Cybersecurity Framework, that critical infrastructure operators could implement voluntarily.

The executive order is expected to attract controversy due to provisions that have DHS and “sector-specific agencies” encourage critical infrastructure operators to abide by the voluntary standards. The agencies will also have to report annually on the level of adoption among operators. This means U.S. EPA will be required to promote adoption of the best practices by water and wastewater utilities and annually report on utilities’ cooperation.

Congressional Republicans are likely to view these last sections as a back-door effort to implement federal cybersecurity mandates – something they have consistently opposed. Instead, the GOP plans to push legislation to boost information sharing without new regulations. Democrats, in contrast, are hoping to build on the executive order by reintroducing cyber legislation that would offer incentives to critical infrastructure entities that adopt the standards, but would also further encourage government agencies to incorporate them into existing or future cyber regulations.