The banking industry and outside observers weighed in Wednesday on a White House order that aims to bolster protection of the nation's critical infrastructure against cyberattack.
The directive, which President Obama signed Tuesday, seeks to encourage information sharing about cyber threats among national security officials and financial firms, utility companies and others who operate networks deemed vital to national security, the economy or public health. The edict also calls for adoption of a framework for cybersecurity that incorporates existing "consensus-based standards and industry best practices to the fullest extent possible."
A presidential policy directive that accompanied the order gives the Department of Homeland Security, federal agencies that oversee specific sectors of the economy, and owners of critical infrastructure roughly five months to assess current cooperation between the government and industry in the area of digital security and to recommend ways to improve "the effectiveness of the partnership in both the physical and cyber space."
The banking industry's top trade group welcomed the order but stressed that financial firms have long worked with regulators to protect both facilities and funds from cyberattack. "The order recognizes the role of primary federal regulatory agencies in determining the extent to which current cybersecurity regulatory requirements are sufficient," Frank Keating, chief executive of the American Bankers Association, said Wednesday in statement.
Keating added that the order "recognizes the value of leveraging existing expertise within sector-specific agencies to the greatest extent possible as the administration evaluates the need for enhanced standards."
The order, which mirrors a draft the White House floated last year, is expected to spur another push for cybersecurity legislation in Congress after failed attempts last year.
House Intelligence Committee Chairman Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.), the panel's ranking member, on Wednesday plan to reintroduce legislation that would encourage sharing of information between companies and government agencies about cyber threats.
A similar measure passed the House of Representatives in April, although the White House and privacy advocates said the bill failed to safeguard civil liberties sufficiently. The Senate, which twice tried last year to pass a cybersecurity bill, also is expected to revive work on the measure.
Legislation will be needed to give companies an incentive to share information, experts say. "The executive order is a down payment on more detailed legislative discussion," Amy Mushahwar, an attorney who specializes in data security at the law firm of Ballard Spahr, told American Banker. "It would be very difficult to get business to contribute to an information sharing network without liability protection, given that there are huge liability and brand management concerns when companies identify data threats that could result in a breach."
Some business groups are making a similar point. A representative of the nation's biggest financial firms on Wednesday praised the House bill, which business groups have said is needed to clarify their authority to share information. "While the executive order moves our nation forward, congressional action is needed to effect additional fundamental improvement," the Financial Services Roundtable said in a statement.
Some experts welcomed the order but cautioned that companies will need to consider carefully how to reinforce defenses against cyberattack. "Organizations and industries across the board will need to think about what and how to implement in the most effective manner while considering financial and/or organizational constraints," Jose Granado, Ernst & Young's America's practice leader for information security services, said in a statement.
"At the end of the day it's more than being about any one silver bullet type of technology," Joram Borenstein, senior director of product marketing at Nice Actimize, a maker of fraud prevention software, told American Banker. "That includes a lot of smart and interesting stuff, but it also includes a lot having to do with the non-sexy stuff. You need to have sufficient staffing, sufficient budget for these kinds of things, regular training and you need to on-board your employees the right way."