Obama's cybersecurity executive order: What you need to know

Summary: Embargoed until the delivery of the State of the Union address, US President Obama signed the expected and highly anticipated cybersecurity executive order. With potentially serious implications for the privacy of US and foreign citizens, here's what you need to know.

In just eight pages, US President Obama today laid out his cybersecurity plans to protect the infrastructure that is critical to the country's functioning.

Photo caption: President Obama delivers the 2013 State of the Union address. (Image: CBS News)

There was grave concern that the president could sign an executive order that would effectively put into force some, if not most, parts of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) Bill. Though it was passed by the US House, it failed to gain traction in the Senate, and also faced threats from the White House to veto the Bill altogether. (The whole Bill can be found at the bottom of this article.)

However, CISPA remains on the table, and will be brought back up by the House tomorrow. According to TechDirt, nothing has been changed since it first stalled in the Senate.

The final executive order doesn't have half of the concerning privacy implications that CISPA does, and has also garnered support from a major privacy group, the American Civil Liberties Union (ACLU). Having said that, the privacy implications of this cybersecurity order have yet to be defined, and could still pose a significant risk to the privacy of web citizens.

In the president's State of the Union address, however, he repeated his call for Congress to "[pass] legislation to give our government a greater capacity to secure our networks and deter attacks". In the past, action by Congress has run afoul not only of privacy groups, but also of online activists and the concerns of the wider web population.

Although the privacy implications may not be as stark or concerning as CISPA would have been, there is still a lot of uncertainty around what the Obama administration plans to do regarding the ever-growing threat of cyberterrorism and cyberattacks. And, as ZDNet's Violet Blue explained, certain terms have yet to be defined, which could lead to potential abuses by the government.

We've outlined what you need to know below.

What does the executive order say, in a nutshell?

This executive order was designed simply to lay the foundations on which a "framework" can be built between the government and private-sector industries. It doesn't mean that intelligence sharing will automatically begin tomorrow, and there is a long road ahead until a system can be set up that is effective, reliable, and as secure as it can possibly be.

The "framework" will effectively allow intelligence to be gathered on cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks, and the banking industry — so they can better protect themselves, as well as the general US population, the economy, and other nations that are reliant on US support.

However, certain terms have yet to be defined. "Cyberthreat" and "cyberintrusions" remain vague, leading to the suggestion that those involved in distributed denial-of-service (DDoS) attacks, one of the main "weapons" of choice for protest by hacktivist groups on the web, could also be at risk of being targeted by the US government.

What is "critical infrastructure"?

The executive order spelled out what "critical [national] infrastructure" actually is, making it easier for the US government to identify businesses and private sector organizations that hold the keys to the wider US economy.

From the order:

Critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

This could range from energy networks to telecommunications networks, and ultimately companies that offer services important to the effective running of the economy, such as cloud-based services and Fortune 500 companies, those with a massive stake in the stock market, and companies that offer services vital to the government.

For now, the order explicitly excludes certain companies — although not named, private firms that offer social networking and consumer products and services — from the list of critical infrastructure. More on that shortly.

The text states that "within 150 days of the date of this order", Secretary of Homeland Security Janet Napolitano shall use a "risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security".

By identifying this critical infrastructure, Homeland Security will be able to start a consultative process in which expertise can be drawn from sector-specific agencies. The criteria for identifying critical infrastructure will be "consistent and objective", the order stated. Those identified will be reviewed on an annual basis so that, should contracts change or new companies arise, these can also be kept in the loop.

However, the text also noted: "The secretary shall not identify any commercial information technology products or consumer information technology services under this section", excluding the likes of Microsoft, Google, Facebook, Twitter, and others for the time being.

This will be of most interest to those who use the services, because, while they are kept out of the intelligence-sharing loop, it means that your data will not be handed seemingly arbitrarily to the government.

What is the "Cybersecurity Framework"?

The framework, a work in progress, will be developed in conjunction with those who own and operate critical infrastructure and those in government. This executive order gives the US government, from today, 240 days to publish a "preliminary framework" that meets the expectations of both the government and private industry, while balancing civil liberties. More on that later.

This will be updated over time to keep it current with known threats, and "updated as necessary, taking into consideration technological changes, changes in cyber risks", and "operational feedback from owners and operators of critical infrastructure".

This order is about intelligence sharing, correct?

In a sense, yes; but it doesn't appear to undo years of work on privacy laws that have protected the US population against its own government. In the order, US citizens are promised plenty of oversight — which we have yet to see or have defined in exact terms — but it's more of a one-way street to allow the US government to work more closely with the potential targets of domestic and foreign cyberterrorists who aim to strike at the heart of what essentially keeps the US ticking.

From the text:

It is the policy of the United States government to increase the volume, timeliness, and quality of cyberthreat information shared with US private sector entities so that these entities may better protect and defend themselves against cyberthreats.

That's basically it, but it's unclear as to exactly how this will transpire in the finished form. Also, the executive order allows the US Department of Homeland Security to create channels in which information can flow, but it does not define how this can be done without violating the privacy of ordinary citizens.

Will the US be sharing classified material with those in the private sector?

There is still a lot of work to be done on the "framework" in order to ensure that US classified material remains classified, and that threat information can be declassified if need be. Sometimes, threats come in that relate to a certain country, group, or person, and this remains US classified material. One of the ways that this information could get passed on to private industries is if certain classified bits are blacked out — or "redacted" — but sometimes the most important parts are actually in the redacted zone.

From the text, reports that need to be passed on to owners of critical infrastructure will likely remain classified. The way to pass these on outside of the government is through someone, or a handful of people, at the private sector firm who already holds, or is suitable to obtain, US national security clearance.

Homeland Security and the attorney general, along with the director of national intelligence, will establish "a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity" to ensure that the classified or sensitive material will go to those who need it, when they need it, without violating the privacy of others.

Again, there's still no word from the White House on exactly how citizens' privacy will be protected. In a "fact sheet" released by the Obama administration earlier today, there was not a single mention of privacy or civil liberties.

These files will likely be heavily audited so that any unauthorized access is logged and appropriate action can be taken, just as it is within government and law enforcement. These classified materials will only be given to those in the private sector who possess US national security clearance, and will likely be limited to just one or a few people in each organization.

To make sure that these designated people — likely chief security officers and other security personnel — have the correct clearance, the process by which they are vetted will be sped up. The appropriate authorities will:

Expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

What will private companies share with the government?

The order has laid out the plans for the information "exchange", in which private companies can share information about their networks, security, and infrastructure with the government. But because companies like Microsoft, Google, Facebook, and so on are not part of this framework consultation yet, your personal data is safe. At least, for now.

It appears, from this order, that only data relating to their networks and infrastructure — rather than information relating to you, which CISPA would have allowed private firms to share with the government — will be passed on. Submitting information about their systems can allow the government to issue specific warnings based on the information it holds, such as vulnerabilities in networking hardware or concerns about third-party suppliers of technology equipment.

From the text:

Information submitted voluntarily ... by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

The framework will be technology neutral, and aimed at addressing security gaps in the computer networks of critical infrastructure, such as the electric grid, water plants, and transportation networks.

That said, the fact that some items, such as emails, what's contained in storage, IP records, and suchlike, were not defined or even mentioned may open the order to misinterpretation or abuse. It also leaves room for Congress to fill these gaps with proposed legislation — and history tells us that Congress is not a place where many technologists reside.

The order will be implemented in various government departments in the next 120 to 150 days. A draft version of the framework is due in 240 days, and the final version will be published within a year.

What about the civil liberties implications?

An entire section is devoted to this, though it does not handle it very well. In fact, the order doesn't go into specifics at all. As ZDNet's Violet Blue explained quite bluntly, "Privacy and digital rights may take a back seat as the assessment of privacy concerns and civil liberties risks is being kept in-house."

As Homeland Security is taking the lead in the consultative process of the framework, the Homeland Security chief privacy officer and the officer for civil rights and civil liberties will "assess the privacy and civil liberties risks of the functions and programs undertaken by [Homeland Security]", and will recommend to the Homeland Security secretary "ways to minimize or mitigate such risks".

This assessment will be released and published no later than one year from today.

Other government departments will also have their say and make their recommendations. This report will be renewed on an annual basis to ensure that these risks are monitored and scrutinized regularly.

According to The Hill, these privacy measures received approval from the ACLU. The order may "rightly focus on cybersecurity solutions that don't negatively impact civil liberties", according to ACLU counsel Michelle Richardson; but, as of yet, there is practically zero information on this.

Many will want answers — at this point, it remains completely unclear how civil liberties will be preserved and privacy protected — but time will tell. It's not even clear whether the public report will be open for scrutiny by third parties.

Is the intelligence sharing agreement mandatory, or is it voluntary?

It will be voluntary for the most part, although the wording suggests that some private sector industries that run critical parts of national security may not be able to opt out of the framework. Interested parties and those who should be involved — at least, in the eyes of the government — will be offered "incentives designed to promote participation in the program".

The plan is to get enough members of the critical infrastructure group subscribed to the framework to determine exactly what the best practices relating to cybersecurity are to follow.

From the text:

The executive order is also aimed at increasing the pool of eligible companies that can receive classified cyberthreat information from the government, such as critical infrastructure operators or commercial service providers that deliver security services to critical infrastructure. The order also requires federal agencies to produce unclassified reports about cyberthreats to US companies in a timely manner, as well as classified reports to authorized critical infrastructure operators.

The order will give Homeland Security a "lead role" in establishing the "voluntary program" that encourages those who operate critical infrastructure to adopt the industry-developed framework.

If Facebook or Google faced a cyberthreat, would the US government warn them? Or is this order limited to networks like gas, electricity, and water?

As the text states, "The secretary shall not identify any commercial information technology products or consumer information technology services under this section." In this case, consumer technology product makers or services will be excluded for now, but this is not to say that they will never be designated an important part of the wider economy.

The executive order is focusing on ultimately keeping the gas, water, and electricity supply running to your homes, rather than keeping you connected to your friends online.

If a vulnerability has been identified in a network router in a water-treatment plant, or intelligence has come in that a cyberattack will be imminently launched against a piece of critical infrastructure, data may be shared with that private sector organization to ensure that they are best protected.

From the text, it does note that the "timely production of unclassified reports of cyberthreats to the US homeland" should also "address the need to protect intelligence and law-enforcement sources, methods, operations, and investigations".

Talkback

53 comments
  • "Terms of Service"

    as unilaterally changeable offers of convenience by online service providers are becoming inadequate, anything they say "today" can magically disappear tomorrow. I'm thinking users will force some of the more privacy-sensitive services to enter into legally enforceable contractual commitments to not voluntarily disclose personal data, probably for a paid "premium".
    I2k4
    • RE: "Terms of Service"

      It's a shame that that may very well be. We assume, reasonably so, that privacy is an included part of the package. Why it should come at a premium price is unknown.
      However, what does that have to do with this article?
      jetsethi
  • "Critical Infrastructure" should include widely used software

    Take Java and Adobe's stuff -- they are used all over, but have chronic, severe security bugs that never seemed to get fixed properly. I would like to see a list made of the most widely used software and OS's ("Top 100"?), see what their security vulnerabilities are, if they exist, what has been done to try to fix things permanently, and what, if anything, can be done to *really* fix things if the software owners seem incapable of doing so.
    JustCallMeBC
    • Yep, because it's always a good idea

      to put as much as possible under government control.
      baggins_z
    • Developers can fix their own software...

      ...but there's nothing wrong with Big Bad Government getting the word out if widely used software has holes; however, there are already private institutions like SANS that do just that.
      John L. Ries
      • Putting the word out doesn't fix anything

        How many zero-day security problems have Adobe products alone had in the past year? And it isn't like you can just easily swap in a safer alternative product. Even in the case of PDF files, I've been pushing alternatives like PDF Xchange for years, but there seem to be more and more incompatibilities that pop up, with the most troublesome ones being from government sites using some sort of arcane method to print fee-based land deeds and such that are iffy at best with non-Acrobat PDF viewers. And then there is Flash Player.....
        JustCallMeBC
        • Hmm

          In response to Government sites using some sort of arcane method to print fee-based land deeds and such that are iffy at best with non-Acrobat PDF viewers.
          ---
          Of course the goal here is to reduce government to the smallest size possible. The best way to do this is to remove all funding. Perhaps the government wouldn't resort to using fee-based or arcane stuff if it had adequate funding. Don't complain about inadequate government services unless you are willing to fund improvements.
          ked@...
          • So by your logic

            If your dog keeps peeing on your carpet, just remove the carpet so the dog will stop peeing on your carpet.
            JustCallMeBC
          • Anarchy is cool

            But if you really looked at how much deregulation has happened since 1980, your wish is already there.

            But nothing gets smaller. Just larger. And who controls it is different. Why not tell us how Big Corporation is better than Big Government by default?
            HypnoToad72
          • Comprehensive Annual Financial Report

            I wonder how many people know that the budget which we generate deficits against is only a small portion of Government income.

            It's like me making a hundred dollars an hour, telling my wife that I make $30, which we call the budget, as I skim off $70 an hour.

            That is exactly what the government does. Where do they get the extra income? Investments on your money. Research at cafr1.com
            Astringent
    • Some lists you might want to peruse

      There are lists of weaknesses and vulnerabilities. I've used the Common Vulnerabilities and Exposures list (http://cve.mitre.org) or, for something more general, the Common Weakness Enumeration list (http://cwe.mitre.org). However, it is up to administrators/developers/engineers as to whether they want to fix these vulnerabilities or weaknesses.
      paendragon
      • I know all about those

        But, again, they do nothing, squat, diddly, nada, etc. to actually *fix* anything -- what part of "severe security bugs that never seemed to get fixed properly" are you not understanding?
        JustCallMeBC
    • So is Windows, which isn't Oracle or Adobe, what's your point?

      And to fix things costs money, which in turn hurts profit. Did it not occur to you that shareholders and other p@rasites want increased share value when it comes time for them to cash in their shares?
      HypnoToad72
    • Great Point

      Yes, the underlying software is a major vulnerability throughout critical infrastructure... So at the least, hopefully those developers would be privy to the details of the reported attacks.

      Google and Facebook should already have a handle on a "Top 100" list.
      tomxfoolery
    • why don't you fix it?

      try combing through the thousands of lines of code in any major app and try to figure out where you can hack it. Then, sell the fix to the company. They'll appreciate the help.

      Some of these hacks I've seen are just mind bending in what mental contortions one has to go through to figure out how to do that. I suspect it's more like the infinite number of monkeys pounding on typewriters - eventually one of them writes War and Peace. There appear to be thousands of jerks out there with nothing better to do than try to figure out how to create damage. It has the taste and feel of Massively Parallel Programming. That's hard to beat.
      wizardjr
  • Laws being made by people who can't even spell technology.

    More dumb laws from the capital of dumb, just a bunch of really stupid people pretending to know what they are doing while putting into place the plans of their masters, the corporations.
    Reality Bites
  • Welcome To the American Police State

    You have no rights and you have no privacy, and big business cartels right the laws.
    Home Grown IT
    • correction

      damn no edit function right should have been write, but perhaps it was a good freudian slip after all.
      Home Grown IT
    • Funny...

      It seems that all the Police State tactics are coming to fruition with the LIBERAL establishment in charge. So I hope your reference to big business actually equates to big government.
      partman1969@...
      • Big Business is Big Government and vice versa

        Liberal or Conservative, do you really think this makes a difference? Only to fools who believe political advertising. Fools who believe things designed to cloud your mind. Things that have an existence only for the utility of reelection. The Police State does not care about Liberal or Conservative, does it? And both work as hard as possible to achieve it. Both aisles.
        Altotus