In his State of the Union address, President Obama announced that he had signed an executive order (EO) on cybersecurity. The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation. While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO’s inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects.
The Scope of the Order The EO uses a very broad definition of critical infrastructure, defining it as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” Such a broad definition could be understood to include systems normally considered outside the cybersecurity conversation, such as agriculture. While there is no way of knowing how far implementation will actually go, this broad definition is certainly concerning. Inhibited Information Sharing In Section 4, the EO attempts to expand information sharing in several noteworthy ways. It calls for the federal government to quickly move unclassified information to the private sector and increase the number of security clearances given to appropriate owners of covered infrastructure. Additionally, the EO expands already existing information-sharing systems such as the Defense Industrial Base (DIB) Enhanced Cyber Services and Cyber Security/Information Assurance Program. These objectives are worthwhile, and the President should be applauded for including them. However, these worthwhile pursuits will not be very effective because the EO must rely completely on existing authorities. Essentially, it directs government agencies to do a better job of sharing information than they already are. And where it does expand programs, such as with the DIB, these efforts will not be effective without additional incentives and protections to get more businesses involved. These include liability, Freedom of Information Act (FOIA), and regulatory-use protections. The problem is that the EO cannot provide these important protections—they can be created only by Congress. As a result, many businesses will be reluctant to share their information for fear that their proprietary information could be endangered by a FOIA request or that an honest mistake might lead to a lawsuit being filed against them. Regarding other private-to-private or private-to-government solutions, the EO is silent. Although the information-sharing provisions are limited, the privacy protections for this limited sharing are actually where they should be. The EO calls for consultation with privacy officers and oversight reports on the order’s implementation. While some may find this provision weak, effective oversight is the best way to respect privacy concerns while not limiting information sharing that enhances the nation’s security.