The executive order also focuses on baking in the Federal Information Processing Standards, a longstanding document that describes technology standards for use with government contractors and vendors that work with agencies. It calls for periodic public reporting on how the order is being executed and protecting privacy and civil liberties. The National Institute of Standards and Technology (NIST) will establish a framework for how critical infrastructure facilities, contractors and their partners can use industry best practices for protecting data and networks from attacks.
"It's a down payment on legislation," Daniel said. "It cannot direct agencies to do things that they don't already have statutory ability to do in the first place."
Exactly how much of an impact the document will have is yet to be seen. The cybersecurity executive order is a good start by underscoring the urgency that legislators have to address the problem, Chertoff said. There is a limit to what an executive order can do for organizations that are not covered by regulation, which makes the document voluntary.
"We have to do something because things are happening now, they are getting worse and will get worse still," Chertoff said. "It's by no means a full investment in what we need to do in the area of cybersecurity."
There are a lot of legal and bureaucratic issues that have made information sharing a difficult process, despite a program in place for the defense industrial base to share information that would normally be classified, Chertoff said. Some businesses say legal restrictions limit their role in sharing attack data, he said.
"No one is going to want to invest and pay attention and record instances of cyberattacks if they think all they are doing is teeing themselves up for a legal assault, which will wind up bankrupting them," Chertoff said.
PUBLISHED FEB. 26, 2013