Editor’s Note: The 11/21/12 updated version of the draft Improving Critical Infrastructure Executive Order is attached here.
White House revises EO draft on cybersecurity, commercial IT products excluded
After confirming earlier reports that it was drafting an executive order on cybersecurity, the White House has now revised the directive, this time excluding commercial information technology products, according to a new report.
The order was initially drafted in response to the rapidly growing problem of cyber assaults on numerous business sectors and government institutions, particularly in the United States.
Reports indicate that the directive still covers the safeguarding of critical infrastructure, including power plants and railways, from potential cyber assaults, but no longer covers commercial IT products. According to the revised draft, “any commercial information technology products” should not be regarded as critical infrastructure most vulnerable to an online assault.
As explained in The Hill's report, the exemption for commercial products was made after a series of meetings over the past few weeks between White House officials and tech trade associations and the US Chamber of Commerce. The White House purportedly considered some of the recommendations those groups made for the draft EO, probably to avoid the same fate as the controversial Cyber Intelligence Sharing and Protection Act (CISPA). As may be recalled, the implementation of CISPA’s companion directive, the Cybersecurity Act of 2012, was previously delayed by a Republican filibuster.
The cybersecurity bill CISPA, though, has recently passed the House and is fully backed by the Obama administration and both parties in Congress.
Among the other modifications the White House has made to its prior draft is an explicit statement that its cybersecurity guidelines do not prescribe one type of security technology over another. This is based on the copy of the EO draft recently obtained by The Hill. The revision also directs the Treasury and Commerce departments to come up with better incentives for operators who participate in the program.
The draft EO against cyber assaults is primarily designed to offer a series of security standards that would help secure infrastructure from any possible assault. The regulation is said to be optional.
Late last month, an excerpt of the White House's draft EO (dated November 21st) was leaked. The excerpt emphasizes the primary objective of the regulation:
“To enable technical innovation and account for organizational differences, the cybersecurity framework will provide cybersecurity guidance that is technology neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures and processes developed to address cyber risks.”
President Obama has repeatedly emphasized the significance of enhancing the country’s resilience to cyber assaults from abroad.
The White House's revised cybersecurity executive order is expected to be implemented within this month or early next year. Once in effect, the directive would create a voluntary program in which relevant firms within critical infrastructure sectors would opt to follow a set of cybersecurity guidelines, partly created and imposed by the US government.