Apr. 11, 2013 10:30 am

Cybersecurity Executive Order: so what’s the need for CISPA?

Cyber attacks have caught the attention of both the President and Congress in recent months. While House legislation has drawn pushback, a similar Executive Order hasn't. So what's the difference?

This is part three of a Technically Baltimore series on CISPA. Part one covered the privacy concerns surrounding cyber threat information sharing between private companies and the federal government. Part two outlined the trouble with liability protections in the CISPA bill.

On Feb. 12, President Barack Obama issued an Executive Order on cybersecurity, a move supported by Ron Gula, CEO of Tenable Network Security in Columbia.

One day later, the Cyber Intelligence Sharing and Protection Act (CISPA) was reintroduced in the House of Representatives, which rankled privacy and civil liberties groups in the U.S.

As Technically Baltimore has reported this week, such groups view CISPA as a legally dubious bill, mainly because of the bill’s vague terminology and the liability protections it would offer private companies that share cyber threat information from personal computers with the federal government.

The president’s Executive Order, however, hasn’t been met with the same contempt. Broadly, here’s what the EO does:

  1. The Director of the National Institute of Standards and Technology will lead the creation of a Cybersecurity Framework, which will “include a set of standards, methodologies, procedures, and processes” for addressing potential cyber threats and cyber attack risks. See Sec. 7.
  2. It expands the Enhanced Cybersecurity Services program to “all critical infrastructure sectors,” meaning private companies providing cybersecurity protections for critical infrastructure — electrical grids, dams, power stations, air traffic control, water supply companies and financial institutions — will be provided with security clearances in order to get the latest information on potential cyber threats. See Sec. 4, (c).

As the Electronic Frontier Foundation has noted, the Executive Order “addresses the core aim of CISPA without granting expansive powers to companies or broad legal immunity.” And it includes an entire section dealing with “privacy and civil liberties protections.”

Writing in this publication, Ron Gula at Tenable called the EO “a step in the right direction for national cybersecurity” because it provides the federal government “a potential pathway to communicate its building knowledge of cyber attacks.”

What’s important about the Executive Order is that it’s information sharing in one direction only, as Digital Trends astutely points out. CISPA, on the other hand, allows for two-way information sharing from government to private companies, and vice versa.

The concern here is over who determines who is a cybersecurity threat and what information can be shared between a private company and the government about potential cyber threats. That two-way conversation worries many privacy advocates in a way that the more limited Executive Order doesn’t.

A general House debate on CISPA will likely examine where, and why, the legislation goes beyond Obama’s policy.

  • Part four will take a look at the telecommunications firms in support of CISPA, and how much money pro-CISPA groups have contributed to the national political campaigns of Congressmen Mike Rogers and Dutch Ruppersberger, the sponsor and co-sponsor, respectively, of the legislation.
Andrew Zaleski

Andrew Zaleski is a freelance journalist in Philadelphia and the former lead reporter for Technical.ly Baltimore. Before moving to Philadelphia in June 2014, he was a contributing writer to Baltimore City Paper and a Tech Check commentator for WYPR 88.1 FM, Baltimore city’s National Public Radio affiliate. He has written for The Atlantic, Outside, Richmond magazine, Washington City Paper, Baltimore magazine, Baltimore Style magazine, Next City, Grist.org, The Atlantic Cities, and elsewhere.