The DHS secretary appears to have been given wide latitude to designate critical infrastructure under the order, Ransom said. The language leaves open the possibility that a wide range of private sector entities from a spectrum of industries could get classified as critical infrastructure.
"What their view is going to be remains to be seen," he said.
The executive order's open-ended definition of critical infrastructure gives the DHS and sector specific federal agencies the ability "to cast a wide net in the process of identifying which companies and their associated assets and systems might be included within their statutory capacity," said John South, chief security officer at Heartland Payment Systems.
The key question though is whether broadening the list of companies will make much of a difference in heading off cybersecurity threats, South said.
Efforts to define critical infrastructure entities goes back as far as 1998 at least, he noted. Considerable progress has already been made in identifying information sharing capabilities of the sort described in the executive order, South added.
"Nothing in this directive clarifies what timely information sharing is and how this differs from where we are currently," he said. "If there is no substantive product that provides actionable, timely intelligence - regardless of how wide the net of critical infrastructure is cast - we haven't advanced very much."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about security in Computerworld's Security Topic Center.