By Airen Adamonis, Copy Editor
The United States is currently at war with China. However, this war is not taking place on any battlefields. It’s taking place in cyberspace. According to a recent article published by the Washington Post, the United States has been the target of an immense “cyber-espionage campaign” that is threatening the country’s economic competitiveness.
Just days after a private security firm released a study accusing the Chinese military of carrying out numerous cyber-attacks against U.S. businesses, the Obama Administration released a long-awaited Executive Order on cybersecurity measures. The Executive Order on Improving Critical Infrastructure Cybersecurity (the “Order”), released on February 12, 2013, aims to address cyber threats through a strengthened partnership between the U.S. Government and critical infrastructure owners. To accomplish this goal, the Order:
- Requires the development of new information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies;
- Requires NIST to create a Framework of cybersecurity practices (“Cybersecurity Framework”) to reduce cyber risks to critical infrastructure;
- Compels agencies to conduct regular assessments of privacy and civil liberties impacts of their activities and to make such assessments available to the public;
- Establishes a voluntary program to promote the adoption of the Cybersecurity Framework, which will provide incentives for companies to comply; and
- Calls for a review of existing cybersecurity regulation.
What does all of this mean for businesses? For now, it does not mean much, since none of the industries covered by the Order will actually have to meet the completely voluntary standards. According to Hunton & Williams’ Privacy Blog, the Order could potentially impact businesses in the following ways:
(1) Businesses in the private sector will receive a surge of notifications from the government concerning cyber threats and recommended ways to respond to threats based on a process developed by the Department of Homeland Security (“DHS”). The current DHS process mainly shares classified cyber threats only with defense companies, but under the new Order, information will be shared with other critical infrastructure companies, such as energy companies.
(2) Critical infrastructure companies and secondary actors (i.e. insurance companies) will be able to voluntarily use the new Cybersecurity Framework to address potential risks. Since participation is completely voluntary, it is likely that DHS will create incentives for companies to comply. An example included in the Order is the call for a review of the federal procurement process to create a preference for vendors who meet the Cybersecurity Framework standards.
(3) Certain private sector companies, the targeting of which would have a devastating effect, will be named on a list of “Critical Infrastructure at Greater Risk.” Companies added to the list can request reconsideration of their inclusion. However, this list does not change the fact that compliance with the Framework remains completely voluntary.
Although the new Order appears to be a positive step in the right direction by encouraging information sharing between the public and private sectors, it is unlikely that it is enough to prevent what seems like an inevitable national cybersecurity catastrophe. Congress needs to make the next move fast.