The executive order, limited though it is, intends to prod agencies toward crafting a framework to open the lines of communication regarding cyber threats both within the federal government and between the government and industry.
"As it relates to information sharing--in fact, that is the area where we have the most deliverables due later this week--first, it's the government working together to find a way to share information, as much as possible, as much unclassified information as possible, in a timely manner in a way that's actionable such that owners and operators [of critical infrastructure] can leverage that information and be able to act quickly to address and identify the threat," Moore says.
Information Sharing Is Key
Information sharing has been a central component of several proposals for legislation that have emerged on Capitol Hill. The White House has thrown its support behind a comprehensive approach to cybersecurity legislation that would address information sharing along with new regulatory standards for critical infrastructure providers in the private sector, cybersecurity research and development programs and other measures.
In the absence of legislation, however, the directive in Obama's executive order instructs DHS, the attorney general and the director of national intelligence to produce by Wednesday instructions for releasing unclassified information about cyber threats and potential targets that have been identified.
National security officials are also directed to develop a plan for expanding a voluntary program that involves the sharing of classified threat information to all participating critical infrastructure providers, and to formulate a process for promptly disseminating classified reports to cleared private-sector operators.
Upcoming milestones include the release of a preliminary version of the "cybersecurity framework" that Commerce's National Institute of Standards and Technology is to produce within 240 days of the release of the White House executive order.
That framework is to include a "prioritized, flexible, repeatable, performance-based and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk," drawing on standards that can be applied across industries and technologies. The framework is intended to include "voluntary consensus standards and industry best practices to the fullest extent possible."
"If you take anything out of this, we don't want to centrally plan what companies do to adopt cybersecurity practices," Kolasky says.