It's official: American corporations are now at risk from cyber warfare operations. The new executive order signed by the first ever cyber wartime president, Barack Obama, shortly before the State of the Union address on Tuesday evening authorizes government agencies to share intelligence with private companies. In the executive order's eight pages, the President requests the voluntary creation of a "framework" for intelligence to be passed on from the government to private parties. The flow of intelligence is strictly from government to corporate America—in no way are companies obligated to share data with the government except for network-specific data from critical infrastructure that contains no personal information.
Protracted intellectual property theft, electronic surveillance, and Internet-based sabotage of American firms are hallmarks of the new cyber war. American companies are being targeted by hackers with a growing arsenal of cheap weapons and varying degrees of state affiliation from multiple countries. These systematic attacks are happening because the companies are American and not because of any specific products or services they offer.
"Now, we know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," President Obama said in the State of the Union address on Tuesday. "That's why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information-sharing and developing standards to protect our national security, our jobs, and our privacy."
The executive order does not list which industries will be offered intelligence by the United States government, but it supports the idea that government alone isn't equipped to win a cyber war. Instead, the document merely describes "private sector entities," with a separate distinction made for critical infrastructure firms. According to the text of the executive order, critical infrastructure consists of systems "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." Commercial information technology products and consumer information technology services are explicitly excluded from critical infrastructure—sorry, Facebook.
Whatever the executive order's undescribed framework will look like, the Commerce Department is directed to publish a preliminary version within 240 days. Under the order's provisions, the Department of Homeland Security is required to publish a report on any possible privacy or civil liberties risks within a year, plenty of time for the public to grow even more accustomed to the idea of a new war fought by private contractors.
With that said, no major privacy concerns have been raised about the government-private sector information sharing dictated by the executive order. "The president’s executive order rightly focuses on cyber security solutions that don’t negatively impact civil liberties. For example, greasing the wheels of information sharing from the government to the private sector is a privacy-neutral way to distribute critical cyber information," the ACLU's Michelle Richardson said in a statement.
However, the cybersecurity executive order could be superseded by a much more regressive bill from the legislative branch. The CISPA Cybersecurity Bill was reintroduced to Congress today by Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD). CISPA's provisions as currently written (PDF) would give Internet service providers wide latitude to report unusual user activity to the government. President Obama threatened to veto the bill last year.
[Image: U.S. Army]