President Obama is expected to sign an executive order that would require private companies that operate critical infrastructure to get their cyber defenses in order. Congress has tried, and failed, to pass legislation aimed at voluntarily creating a system of national standards, and all manner of cyber exploitation and attacks keep coming. Though virtually every actor in the debate believes that some sort of legislation is necessary, corporate America is split in two about how much risk they ought to be required to assume. Within most companies, IT teams push for more elaborate defenses and for disclosure of problems; general counsels counsel silence, and customer service executives complain about cyber architecture that is too costly and would put them at a competitive disadvantage.
The news reports about these executive orders suggest that the system will be “voluntary,” but in effect, it won’t be. The government can easily require that any company that wishes to do any business with it must comply with the new regime. No pay, no play. By identifying and defining just what counts as “critical” infrastructure is also a way to compel participation.