Obama's cybersecurity executive order: What you need to know
Embargoed until the delivery the State of the Union address, US President Obama signed the expected and highly anticipated cybersecurity executive order. With potentially serious implications for US and foreign citizens' privacy, here's what you need to know.
In just eight pages, US President Obama today laid out his cybersecurity plans to protect the infrastructure that is critical to the country's functioning.
There was grave concern that the president could sign an executive order effectively signing into law some, if not most, parts of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) Bill. Though it was passed by the US House, it failed to gain traction in the Senate, and also faced threats by the White House to veto the Bill altogether. (The whole Bill can be found at the bottom of this article.)
However, CISPA remains on the table, and will be brought back up by the House tomorrow. According to TechDirt, nothing has been changed since it first stalled in the Senate.
The final executive order doesn't have half of the concerning privacy implications that CISPA does, and has also garnered support from a major privacy group, the American Civil Liberties Union (ACLU). Having said that, the privacy implications of this cybersecurity order have yet to be defined, and could still pose a significant risk to the privacy of web citizens.
In the president's State of the Union address, however, he repeated his call for Congress to "[pass] legislation to give our government a greater capacity to secure our networks and deter attacks". In the past, action by Congress has fallen afoul of not only privacy groups, but also online activists and the concern of the wider web population.
Although the privacy implications may not be as stark or concerning as CISPA would have been, there is still a lot of uncertainty around what the Obama administration plans to do regarding the ever-growing threat of cyberterrorism and cyberattacks. And, as ZDNet's Violet Blue explained, certain terms have yet to be defined, which could lead to potential abuses by the government.
We've outlined what you need to know below.
What does the executive order say, in a nutshell?
This executive order was designed to simply set up the foundations in which a "framework" can be constructed between the government and private sector industries. This executive order doesn't mean that intelligence sharing will automatically begin tomorrow, and there is a long road ahead until a system can be set up that is effective, reliable, and as secure as it can possibly be.
The "framework" will effectively allow intelligence to be gathered on cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks, and the banking industry — so they can better protect themselves, as well as the general US population, the economy, and other nations that are reliant on US support.
However, certain terms have yet to be defined. "Cyberthreat" and "cyberintrusions" remain vague, leading to the suggestion that those involved in distributed denial-of-service (DDoS) attacks, one of the main "weapons" of choice for protest by hacktivist groups on the web, could also be at risk of being targeted by the US government.
What is "critical infrastructure"?
The executive order spelled out what "critical [national] infrastructure" actually is, making it easier for the US government to identify businesses and private sector organizations that hold the keys to the wider US economy.
From the order:
Critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
This could range from energy networks to telecommunications networks, and ultimately companies that offer services that are important to the effective running of the economy, such as cloud-based services and Fortune 500 companies, those with a massive stake on the stock market, and companies that offer services that are vital to the government.
For now, the order explicitly excludes certain companies — although not named, private firms that offer social networking and consumer products and services — from the list of critical infrastructure. More on that shortly.
The text states that "within 150 days of the date of this order", Secretary of Homeland Security Janet Napolitano shall use a "risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security".
By identifying this critical infrastructure, Homeland Security will be able to start a consultative process in which expertise can be drawn up by sector-specific agencies. The criteria for identifying critical infrastructure will be "consistent and objective", the order stated. Those identified will be reviewed on an annual basis to ensure that should contracts change or new companies arise, these can also be kept in the loop.
However, the text also noted: "The secretary shall not identify any commercial information technology products or consumer information technology services under this section", excluding the likes of Microsoft, Google, Facebook, Twitter, and others for the time being.
This will be of most interest to those who use the services, because, while they are kept out of the intelligence-sharing loop, it means that your data will not be handed seemingly arbitrarily to the government.
What is the "Cybersecurity Framework"?
The framework, a work in progress, will be developed in conjunction with those who own and operate critical infrastructure and those in government. This executive order gives the US government, from today, 240 days to publish a "preliminary framework" that meets the expectations of both the government and private industry, while balancing civil liberties. More on that later.
This will be updated over time to ensure that it is up to date and current with existing known threats and "updated as necessary, taking into consideration technological changes, changes in cyber risks", and "operational feedback from owners and operators of critical infrastructure".
This order is about intelligence sharing, correct?
In a sense, yes; but it doesn't appear to undo years of work on privacy laws that have protected the US population against its own government. In the order, US citizens are promised plenty of oversight — which we have yet to see or have defined in exact terms — but it's more of a one-way street to allow the US government to work more closely with potential targets to domestic and foreign cyberterrorists who aim to strike at the heart of what essentially keeps the US ticking.
From the text:
It is the policy of the United States government to increase the volume, timeliness, and quality of cyberthreat information shared with US private sector entities so that these entities may better protect and defend themselves against cyberthreats.
That's basically it, but it's unclear as to exactly how this will transpire in the finished form. Also, the executive order allows the US Department of Homeland Security to create channels in which information can flow, but it does not define how this can be done without violating the privacy of ordinary citizens.
Will the US be sharing classified material with those in the private sector?
There is still a lot of work to be done on the "framework" in order to ensure that US classified material remains classified, and that threats can be unclassified if need be. Sometimes, threats come in that relate to a certain country, group, or person, and this remains US classified material. One of the ways that this information could get passed on to private industries is if certain classified bits are blacked out — or "redacted" — but sometimes the most important parts are actually in the redacted zone.
From the text, reports that need to be passed on to owners of critical infrastructure will likely remain classified. The way to pass this on outside of the government is to someone, or a handful of people, at that private sector firm who already has, or is suitable to obtain, US national security clearance.
Homeland Security and the attorney general, along with the director of national intelligence, will establish "a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity" to ensure that the classified or sensitive material will go to those who need it, when they need it, without violating the privacy of others.
Again, there's still no word from the White House on exactly how citizens' privacy will be protected. In a "fact sheet" released by the Obama administration earlier today, there was not a single mention of privacy or civil liberties.
These files will likely be heavily audited to ensure that any unauthorized access will be logged so that appropriate action can take place, just as it is on the inner walls of the government and law enforcement. These classified materials will only be given to those who possess US national security clearance while in the private sector, and will likely be limited to just one or a few people in each organization.
To make sure that these designated people — likely chief security officers and other security personnel — have the correct clearance, the process in which they are vetted will be sped up. The appropriate authorities will:
Expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.
What will private companies share with the government?
The order has laid out the plans for the information "exchange", in which private companies can share information about their networks, security, and infrastructure with the government. But because companies like Microsoft, Google, Facebook, and so on are not part of this framework consultation yet, your personal data is safe. At least, for now.
It appears, from this order, that only data relating to their networks and infrastructure — rather than information relating to you, which CISPA would have allowed private firms to share with the government — will be passed on. By submitting information about their systems, it can allow the government to issue specific warnings based on the information they have, such as vulnerabilities in networking hardware or about third-party suppliers of technology equipment.
From the text:
Information submitted voluntarily ... by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.
The framework will be technology neutral, and aimed at addressing security gaps in the computer networks of critical infrastructure, such as the electric grid, water plants, and transportation networks.
That said, the fact that some items, such as emails, what's contained in storage, IP records, and suchlike, were not defined or even mentioned may open the order to misinterpretation or abuse. It also leaves room for Congress to fill these gaps with proposed legislation — and history tells us that Congress is not a place where many technologists reside.
The order will be implemented in various government departments in the next 120 to 150 days. A draft version of the framework is due in 240 days, and the final version will be published within a year.
What about the civil liberties implications?
An entire section deals with this entirely, though not very well. In fact, the order doesn't go into specifics at all. As ZDNet's Violet Blue explained quite bluntly, "Privacy and digital rights may take a back seat as the assessment of privacy concerns and civil liberties risks is being kept in-house."
As Homeland Security is taking the lead in the consultative process of the framework, the Homeland Security chief privacy officer and the officer for civil rights and civil liberties will "assess the privacy and civil liberties risks of the functions and programs undertaken by [Homeland Security]", and will recommend to the Homeland Security secretary "ways to minimize or mitigate such risks".
It will be released and published no later than one year from today.
Other government departments will also have their say and make their recommendations. This report will be renewed on an annual basis to ensure that they are monitored and scrutinized regularly.
According to The Hill, these privacy measures received approval from the ACLU. The order may "rightly focus on cybersecurity solutions that don't negatively impact civil liberties", according to ACLU counsel Michelle Richardson; but, as of yet, there is practically zero information on this.
Many will want answers — at this point, it remains completely unclear how civil liberties will be preserved and privacy protected — but time will tell. It's not even clear whether the public report will be open for scrutiny by third parties.
Is the intelligence sharing agreement mandatory, or is it voluntary?
It will be voluntary for the most part, although the wording suggests that some private sector industries that run critical parts of national security may not be able to opt out of the framework. Interested parties and those who should be involved — at least, in the eyes of the government — will be offered "incentives designed to promote participation in the program".
The plan is to get enough members of the critical infrastructure group subscribed to the framework to determine exactly what the best practices relating to cybersecurity are to follow.
From the text:
The executive order is also aimed at increasing the pool of eligible companies that can receive classified cyberthreat information from the government, such as critical infrastructure operators or commercial service providers that deliver security services to critical infrastructure. The order also requires federal agencies to produce unclassified reports about cyberthreats to US companies in a timely manner, as well as classified reports to authorized critical infrastructure operators.
The order will give Homeland Security a "lead role" in establishing the "voluntary program" that encourages those who operate critical infrastructure to adopt the industry-developed framework.
If Facebook or Google faced a cyberthreat, would the US government warn them? Or is this order limited to networks like gas, electricity, and water?
As the text states, "The secretary shall not identify any commercial information technology products or consumer information technology services under this section." In this case, consumer technology product makers or services will be excluded for now, but this is not to say that it will never be designated as an important part of the wider economy.
The executive order is focusing on ultimately keeping the gas, water, and electricity supply running to your homes, rather than keeping you connected to your friends online.
If a vulnerability has been identified in a network router in a water-treatment plant, or intelligence has come in that a cyberattack will be imminently launched against a piece of critical infrastructure, data may be shared with that private sector organization to ensure that they are best protected.
From the text, it does note that the "timely production of unclassified reports of cyberthreats to the US homeland" should also "address the need to protect intelligence and law-enforcement sources, methods, operations, and investigations".