President Barack Obama’s executive order on cybersecurity is a “very big deal”, says Mark Weatherford, deputy under-secretary for cybersecurity at the US Department of Homeland Security (DoHS).
“The move is unprecedented and will have three significant effects,” he told the Cloud Security Alliance Summit at RSA Conference 2013 in San Francisco.
First, the executive order will establish an up-to-date over-arching framework for dealing with cybersecurity issues.
“This will set basic standards for private sector organisations to aim for; this is baseline stuff, but not everybody is doing it,” said Weatherford.
“I am astounded when I talk to companies and ask them questions about basic security, and I just get blank stares in response,” he said.
Second, the executive order will help expedite information sharing about threats between government and private sector organisations that run parts of the critical national infrastructure.
“Historically, this information has been classified and consequently not shared as quickly or efficiently as it should be,” said Weatherford.
Through the executive order, he said, the president is enabling government agencies to get that information out faster.
Third, the executive order will help expedite security clearances for private sector organisations, especially those involved with critical national infrastructure.
“This ensures that the most critical of the critical national infrastructure organisations will be briefed on classified or sensitive information that cannot be issued more broadly,” said Weatherford.
Art Coviello, executive chairman of RSA, the security division of EMC, welcomed the executive order, saying “better late than never,” but said it failed to do all it needed to do.
For example, the executive order does not include any reforms of the Federal Information Security Management Act of 2002, he said.
Coviello also called for “more substance” on how to protect critical national infrastructures.
From a European perspective, the US cybersecurity executive order shows a unity of approach that is consistent with the European Commission’s cyber security strategy and proposed directive, according to Stewart Room, partner at legal firm Field Fisher Waterhouse.
“The US may have slightly different ways of applying pressure, but the fundamentals are the same, which means there is a convergence of approach,” he said.
Ultimately, both aim to get to the same result, said Room. “For the first time we see substantial building towards a global legal framework for cyber, which is significant for both Europe and the US, as well as other economies that are increasingly dependent on cyberspace,” he said.