Before anyone starts chanting that the conspiracy theorists were bound to find something in the Cybersecurity Executive Order to attack for the sake of attacking, keep one thing in mind. I like the order as a whole. In many ways, it's pretty impotent and stays in line with what privacy activists (myself included) had hoped for - a one-way street of information sharing that will allow public and private entities involved in critical infrastructure to better defend themselves. My hope was that the sharing would be even deeper, that there would be more tangible ways that the government could educate and empower at-risk networks. Overall, the order was good. It stepped far away from the draconian levels of anti-privacy that CISPA would give the government.
However, there are a couple of risks that should be noted. In section 7b, for example, there is this statement:
To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.







