US President Barack Obama has signed a long-awaited executive order requiring federal agencies to share cyber threat information with private companies.
The order, announced during Barack Obama’s State of the Union address, also requires the creation of a cyber security framework aimed at reducing risks to companies providing critical infrastructure.
The framework will be voluntary for some operators, but the order requires federal agencies overseeing critical infrastructure to identify the operators most at risk and to explore whether the government can require those companies to adopt the framework.
The order will "strengthen our cyber defences by increasing information sharing and developing standards to protect our national security, our jobs and our privacy," Obama said.
Other components of the executive order include: expanding "real time sharing of cyber threat information" to companies that operate critical infrastructure; asking the US National Institute of Standards and Technology (NIST) to devise cyber security standards; and proposing a "review of existing cyber security regulation".
Obama said enemies of the US want to sabotage the country's power grid, financial networks and air-traffic control systems.
"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," Obama said.
According to US reports, the American Civil Liberties Union praised Obama's approach, saying it would better protect privacy than the Republicans’ controversial Cyber Intelligence Sharing and Protection Act (CISPA), which remains under consideration.
The order focuses on established fair information practices and cyber security solutions that do not have a negative effect on civil liberties, the group said.
Other reports said the executive order does not propose new and potentially onerous regulations targeting private businesses, which Democrats had proposed in their unsuccessful legislation last year.
It also does not appear to rewrite privacy laws by allowing companies to share confidential information with intelligence agencies without oversight, which the Republicans had suggested.
The executive order also avoids internet companies such as Facebook being covered by overly broad definitions of critical infrastructure, by saying homeland security "shall not identify any commercial information technology products or consumer information technology services" as especially critical infrastructure.
The executive order means the US can move forward in improving defences for critical infrastructure without any further delays caused by political wrangling over proposals for cyber security legislation.
However, in his State of the Union address, Obama repeated his call for Congress to pass legislation to give the government greater capacity to secure US networks and deter attacks.
In the past, action by Congress has fallen foul of privacy groups and online activists.