On February 12, 2013, President Obama signed both an executive order and a presidential directive that together set forth the administration’s approach to two key cybersecurity related issues: (i) regulating critical infrastructure network security, and (ii) sharing cyber threat information between the public and private sectors. Together, the order and the directive represent a White House response to the congressional deadlock on cybersecurity legislation. While members of both parties have suggested that action on cybersecurity is a priority, separate bills advanced in the House and Senate in the last Congress have not yet been reconciled. While both the House and Senate bills contemplated new safeguards and exceptions to existing data privacy laws for businesses that share cybersecurity threat information with the government, both did so on different terms. In addition, the Senate bill asked the Department of Homeland Security (DHS) and regulatory agencies to work together to craft network security regulations that would be applied to critical private-sector infrastructure operators, while the House bill declined to add any new regulatory provisions. Conflicts over these different approaches have stalled legislative action and now have led the White House to issue the order and the directive to address the open issue. While further legislative action remains a possibility, national security and regulatory agencies have new marching orders in the interim.

The executive order discusses the cybersecurity of “critical infrastructure” — private sector systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on security, the economy or public health. This definition has been imported from the USA PATRIOT Act and has previously been interpreted broadly in Homeland Security Presidential Directive 7 (HSPD-7) to include entities such as financial services providers, energy companies and health care providers. The presidential directive accompanying the executive order replaces HSPD-7 and broadens the set of critical infrastructure sectors even further, defining the new list to include...