US businesses to be incentivised to improve cyber security practices, according to Obama executive order

Out-Law News | 14 Feb 2013 | 5:17 pm | 2 min. read

Private sector businesses are to be incentivised to participate in a new voluntary program designed to ensure the adoption of improved cyber security standards in the US.

President Barack Obama outlined a new 'executive order' in which he set out plans to improve information-sharing between US law enforcement and the private sector about cyber threats to the US' "critical infrastructure".

Obama has also set out plans to create a new 'Cybersecurity Framework'. The Framework will involve the setting of security standards and guidance on cyber security and is to be established within the next year. The precise scope of the organisations that will be impacted by the Framework has yet to be established, but the executive order has indicated that it could cover every owner and operator of critical infrastructure in the country.

In addition, Obama has set out plans to establish a new 'Voluntary Critical Infrastructure Cybersecurity Program' to complement the Cybersecurity Framework, under which organisations will be incentivised to adopt the voluntary regime.

"The Secretary [of Homeland Security] shall coordinate establishment of a set of incentives designed to promote participation in the Program," the executive order said. "Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations ... that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program."

The Cybersecurity Framework, once established, will set out how critical infrastructure operators and owners can "identify" cyber threats and "mitigate" their impact if the risks materialise.

A new information-sharing regime will also ensure that critical infrastructure operators and owners are provided with "rapid" reports about cyber security risks facing them, whilst wider dissemination of reports to other "critical infrastructure entities" could also take place if it is deemed necessary "to protect national security information".

According to the executive order, 'critical infrastructure' is defined as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters".

"It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with US private sector entities so that these entities may better protect and defend themselves against cyber threats," the order said.

"Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity," it said. "The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats."

"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards," it said.

Under proposals outlined by the European Commission last year in a draft Directive relating to how personal data is treated by 'competent authorities' such as law enforcement bodies, practices around the sharing of personal data between those authorities across the EU would be standardised.

Earlier this month the Commission also proposed new laws on network and information security that would require a range of businesses across the financial services, energy and technology sectors, among others, to adhere to new cyber security and breach notification rules, and which would also see regulators share information about cyber security risks.