Cybersecurity Executive Order: so what’s the need for CISPA?

Cyber attacks have caught the attention of both the president and Congress in recent months. While House legislation has received pushback, a similar Executive Order hasn’t. So what’s the difference?

President Barack Obama issued on Feb. 12 an Executive Order on cybersecurity, a move supported by Ron Gula, CEO of Tenable Network Security in Columbia.
One day later, the Cyber Intelligence Sharing and Protection Act (CISPA) was reintroduced in the House of Representatives, which rankled privacy and civil liberties groups in the U.S.
As Technically Baltimore has reported this week, such groups view CISPA as a legally dubious bill, mainly because of the bill’s vague terminology and the liability protections it would offer private companies who share cyber threat information from personal computers with the federal government.
The president’s Executive Order, however, hasn’t been met with the same contempt. Broadly, here’s what the EO does:

1. The Director of the National Institute of Standards and Technology will lead the creation of a Cybersecurity Framework, which will “include a set of standards, methodologies, procedures, and processes” for addressing potential cyber threats and cyber attack risks. See Sec. 7.
2. It expands the Enhanced Cybersecurity Services program to “all critical infrastructure sectors,” meaning private companies providing cybersecurity protections for critical infrastructure — electrical grids, dams, power stations, air traffic control, water supply companies and financial institutions — will be provided with security clearances in order to get the latest information on potential cyber threats. See Sec. 4, (c).

As the Electronic Frontier Foundation has noted, the Executive Order “addresses the core aim of CISPA without granting expansive powers to companies or broad legal immunity.” And it includes an entire section dealing with “privacy and civil liberties protections.”
Writing in this publication, Ron Gula at Tenable called the EO “a step in the right direction for national cybersecurity” because it provides the federal government “a potential pathway to communicate its building knowledge of cyber attacks.”
What’s important about the Executive Order is that it’s information sharing in one direction only, as Digital Trends astutely points out. CISPA, on the other hand, allows for two-way information sharing from government to private companies, and vice versa.
The concern here is over who determines who is a cybersecurity threat and what information can be shared between a private company and the government about potential cyber threats. That two-way conversation worries many privacy advocates in a way that the more limited Executive Order doesn’t.
A general House debate on CISPA will likely examine where, and why, the legislation goes beyond Obama’s policy.
This is part three of a Technically Baltimore series on CISPA.

• Part four will take a look at the telecommunications firms in support of CISPA, and how much money pro-CISPA groups have contributed to the national political campaigns of Congressmen Mike Rogers and Dutch Ruppersberger, the sponsor and co-sponsor, respectively, of the legislation.