The president's executive order on cybersecurity is being praised by many because it says that — in the event of a digital breach that could affect the nation's telecommunications, electrical, water, utility and other key infrastructure operations — government agencies must share data with private industry as soon as they can.
Previously, government agencies were encouraged to do so, but this order on improving critical infrastructure cybersecurity requires it.
"Our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," President Barack Obama said in his State of the Union address Tuesday. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
'Near real-time sharing'
The order can be broken down into two components. First, it expands what have been considered "voluntary" efforts by federal agencies to share information when there's been a breach or hack into "near real-time sharing of cyber-threat information to assist participating critical infrastructure companies," such as utilities or telecommunications companies, "in their cyber-protection efforts."
"The order says there shall be no cult of secrecy regarding security threats," Bart A. Lazar, data privacy and security attorney with Seyfarth Shaw LLC, told NBC News Wednesday.
"So, for example, if the federal government discovers, or becomes aware, that U.S. government facilities and computer systems are being hacked, or (there are) attempted hacks, in a particular way, they should let private industry members of the nation's critical infrastructure know so they can defend themselves properly."
A recent "zombie alert" practical joke highlights the importance of the systematic cooperation, says James Barnett, a retired U.S. Navy admiral and former chief of public safety and homeland security for the Federal Communications Commission. Hackers cracked the Emergency Alert System in Montana, warning citizens of attacking zombie hordes. Though it was not an act of terrorism, the false message, which spread to other states, demonstrates a real risk.
"Somebody hacked in and did a very good job of making it sound real," Barnett told NBC News. "The problem was bad computer hygiene. [Admins] didn't change the passwords, so it was easy for someone to break into it."
Better, stronger security standards
The second initiative in the president's mandate directs the National Institute of Standards and Technology, part of the U.S. Department of Commerce, to work with "critical infrastructure stakeholders" for the "development of a framework of cybersecurity practices to reduce cyber-risks to critical infrastructure."
The first thing NIST will take on will be gathering information from organizations on "their current risk management practices," including "standards, guidelines and best practices; and other industry practices," the agency said in a release Wednesday.
NIST will hold workshops "over the next several months to collect additional input and will complete the framework within one year."
What it doesn't mean
The executive order doesn't mean you'll personally be getting an alert when a government website has been hacked or information stolen from it.
"For the average American, some of this will run in the background," said Barnett, who is now with the Venable law firm, which specializes in intellectual property and regulatory affairs.
Evidence of a security breach "might show up as their computer running slow. Or maybe an individual gets contacted by their bank saying 'We need to send you a new debit or credit card because this one's been breached,'" he said.
The president's order also does not mandate companies that operate the nation's infrastructure to participate in kind by reporting breaches to the federal government. That issue is a contentious one, because it raises privacy concerns.
"The executive order certainly does not exclude a flow of information the other way, although it seems to maintain it as a voluntary thing," Jeffrey Hermes, director of the Digital Media Law project at the Harvard-based Berkman Center for Internet & Society, told NBC News.
Some legislation required
Gen. Keith Alexander, head of the U.S. Cyber Command, told reporters Wednesday that he considers the executive order "only a down payment on what we need to address the threat," and that it's "not a substitute for legislation."
But which legislation? Perhaps it's the Cyber Intelligence Sharing and Protection Act (CISPA), re-introduced Wednesday by Rep. Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., but that may not pass easily.
According to a press release announcing the bill, the legislation aims to:
- "Allow the Federal government to provide classified cyber threat information to the private sector to help American companies better protect themselves from advanced cyber threats;
- "Empower American businesses to share cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties;
- "Provides (sic) liability protection for companies acting in good faith to protect their own networks or share threat information."
Yet while the bill does seem to share certain goals outlined in the president's mandate, CISPA was shot down previously over privacy concerns, and is likely to meet fierce opposition again.
"CISPA once again allows companies to share sensitive and personal American Internet data with the government, including the National Security Agency and other military agencies," said American Civil Liberties Union legislative counsel Michelle Richardson, whose group nevertheless praises the president's executive order.
While it's perhaps easy for a president to mandate that government agencies report problems for the benefit of companies, the notion that companies should report problems for the benefit of the government comes with far more challenges and concerns.