The simultaneous denial of service attacks on the three largest U.S. banks which occurred two weeks ago were reported to have originated in Iran. After years of stealth cyber attacks on American interests, U.S. intelligence officials recently publicly accused China of cyber espionage of American high-tech data for their own economic gain. The head of U.S. Cyber Command has stated that there has been a twentyfold increase in cyberattacks on critical infrastructure from 2009 to 2011. With the need for national cybersecurity more evident now than ever before, the White House announced that it is close to completing a new cybersecurity executive order to address this critical issue.
The cybersecurity executive order has not yet been issued but is expected to have a number of elements. It would establish a voluntary program in which critical infrastructure companies such as those that own electric grids, water systems, and transportations systems, would elect to comply with government issued security standards. The order would direct federal agencies to develop cybersecurity guidelines for owners of critical infrastructure facilities, and would authorize the creation a new cybersecurity council at the Department of Homeland Security with representatives from the Department of Defense, Justice Department, Director of National Intelligence and the Department of Commerce. The cybersecurity executive order is expected to have some elements similar to the Cybersecurity Act of 2012, a bill recently quashed in the Senate after drawing opposition from business lobbying groups, primarily the U.S. Chamber of Commerce, that argued that the legislation would grant the government overarching influence over private businesses and impose regulations that would be too onerous for businesses to comply with.
The anticipated executive order will not accomplish everything that the administration seeks in terms of a cybersecurity plan. According to Janet Napolitano, the Secretary of the Department of Homeland Security, the executive order cannot provide liability protections for companies that are victims of cyber attacks or increase penalties for cybercrime, and thus legislation is still needed. How close we are to developing a policy that balances national security, consumer privacy, and commercial interests remains to be seen, though the new cybersecurity executive order expected to be issued by the White House may provide some insight.