EXECUTIVE SUMMARY – ASSESSING PRESIDENT OBAMA’S EXECUTIVE ORDER ON CYBER SECURITY
Upon realizing that comprehensive cyber security legislation to address the nation’s growing cyber security problem was unlikely to pass the Congress, President Obama issued an Executive Order on the subject in February 2013.
The Order marked a watershed moment in cyber security policy. For the first time, the head of a major power offered a unique approach to cyber security that departed from the traditional model wherein government would regulate industry behavior through mandates and prescriptions. Instead, the President outlined a partnership approach that could keep pace with the rapidly evolving threat while engaging industry, which owns and operates the vast majority of the critical infrastructure, to continually upgrade its cyber security on an economically sustainable basis.
The Order tracked many of the policy proposals that the Internet Security Alliance (ISA) had made in its 2008 report “The Cyber Security Social Contract,” a publication that was also the first and most cited source in the President’s 2009 “Cyberspace Policy Review.” However, the Executive Order went beyond broad policy statements and identified specific actions that the Executive Branch agencies would take to implement the principles outlined in the earlier policy papers.
In particular, the Executive Order called for NIST to develop a “Cybersecurity Framework” of standards based on input from the private sector. This Framework would then be available to critical infrastructure owners and operators for voluntary adoption. Several Executive Departments were also charged with developing incentives to promote the Framework’s adoption in lieu of regulatory mandates.
Now, roughly a year from the issuance of the Executive Order, it is appropriate to assess the progress that has been made under the Order and to assess whether the country’s security will likely be enhanced as a result of it. This paper offers five fundamental criteria that policy makers may use to analyze the progress made under the Order, and suggests actions that Congress and Administration officials may undertake to fulfill the promise of the Executive Order. The five key questions this paper examines are:
- Does the Framework meet the Cost Effectiveness criteria as required by the President’s Executive Order?
- Are we clear about what we are trying to do?
- Has enough work been done on the incentives called for in the Executive Order?
- Are we measuring our efforts appropriately and adequately?
- Has the work under the Executive Order addressed the most serious of our cyber threats?