
President Obama is expected to sign an executive order that would require private companies that operate critical infrastructure to get their cyber defenses in order. Congress has tried, and failed, to pass legislation aimed at voluntarily creating a system of national standards, and all manner of cyber exploitation and attacks keep coming. Though virtually every actor in the debate believes that some sort of legislation is necessary, corporate America is split in two about how much risk they ought to be required to assume. Within most companies, IT teams push for more elaborate defenses and for disclosure of problems; general counsels counsel silence, and customer service executives complain about cyber architecture that is too costly and would put them at a competitive disadvantage.
The news reports about these executive orders suggest that the system will be "voluntary," but in effect, it won't be. The government can easily require that any company that wishes to do any business with it must comply with the new regime. No pay, no play. Identifying and defining just what counts as "critical" infrastructure is also a way to compel participation.
One complex question that may be answered is how much data a company is required to give the government if it detects a cyber threat, and how much information the government can share with a company if it detects a cyber threat. The National Security Agency tends to the really big nodes that handle critical infrastructure, and it likes to overclassify just about everything. But companies, reasonably, want instantly updated information about the threat environment. Even though most big companies that handle Very Big tasks for the country's infrastructure do some sort of classified work for the government and thus have employees who are cleared to see the information, there is no way to distribute it.
What happens if a company that handles Internet infrastructure detects within your own browsing history the signature of a major virus or an attack? Almost certainly, it will be required to act on the information in a way that includes the transmission of your data to the government. Whether it can and will be anonymized is an open question. How long the government can retain it is also an open question. (There is a whole set of other rules for criminal and intelligence matters.)
It's not just browsing history: What if the virus or attack is encoded within your medical records? Would your hospital be required to turn them over?
It would be great to see a Big Debate about all of this. An executive order might spur one.