Twitter Facebook Google RSS
 
National Defense > Blog > Posts > Cyberspace Executive Order Skirts Mandates on Private Sector

2/13/2013

Cyberspace Executive Order Skirts Mandates on Private Sector
By Stew Magnuson



Fears that President Obama would impose mandates on the private sector in the aftermath of Congress’ failure to pass cybersecurity legislation did not come to pass Feb. 12 when he signed an executive order to improve critical infrastructure networks.
 
The order calls for the expansion of the Defense Industrial Base Information Sharing Program, in which companies alert the Defense Department to attacks on their systems, and it, in turn, sends out reports on the new threats to all participants. This, however, is a voluntary program. The order calls for the expansion of the program into other critical economic sectors.
 
It also calls on the National Institute of Standards and Technology to develop “a framework of cybersecurity practices to reduce cyber risks to critical infrastructure.”
 
There are not a lot of controversial items in the order, said Dave Frymier, chief information operations systems at Unisys. There is one order for the secretary of homeland security to begin a process to identify critical infrastructure such as dams and utilities that should be protected. This would be a specific list of companies and utilities, not just a general identification of different sectors, he said.
 
“That is something that has to be done anyway. If you look at a risk analysis process, defining the assets that you have to protect is the first step,” Frymier said.
 
But the order allows for companies that don’t want to be designated as “critical” to ask to be taken off the list, Frymier noted. There must be a process in place for them to “request reconsideration” on their status, the order said.
 
As for expanding the defense industrial base program, “you get some useful stuff out of that,” Frymier said. “From a corporate perspective, that helps you find infected systems and once you know they are there, you can move to remediate them.”
 
Larry Clinton, president of the Internet Security Alliance, said in a statement: “If the administration truly engages the private sector in developing an economically sustainable system to promote greater cybersecurity, this could be a game changing moment.  
 
“But if the talk of partnership and incentives is just a rhetorical facade for the same approach that has failed in the Senate for the past three years, then this so-called ‘new policy’ will leave us where we are now: without a coherent policy in the face of ever more sophisticated cyberthreats to our nation,” Clinton added.
 
He counted the broadened information sharing program among the “potential positives” in the executive order.
 
A White House statement accompanying the release of the executive order said, “The administration continues to believe that legislation is needed to fully address this threat. Existing laws do not permit the government to do all that is necessary to better protect our country.”
 
Frymier agreed. “The administration has taken it about as far as they can given what they can do as the executive branch of the government.” Regulations with more teeth or more specific information sharing would have to come from Congress.
 
House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and ranking member C.A. Dutch Ruppersberger, D-Md., will introduce a bill identical to the “Cyber Intelligence Sharing and Protection Act” (H.R. 3523) that passed the House 248-168 in April. The Senate version died in the waning days of the 112th Congress.  
 
Rogers said, “It is time to stop admiring this problem and deal with it immediately. Congress urgently needs to pass our cyberthreat information sharing bill to protect our national security, our economy and U.S. jobs.”
 
House Homeland Security Chairman Rep. Michael McCaul, R-Texas, said in a statement that he will be submitting his own bill, and said he had concerns about the executive order.
 
“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats. Our first priority must be to ‘do no harm.’”

Photo Credit: iStockphoto
Posted at 1:58 PM by Stew Magnuson | Permalink | Email this Post | Comments (1)

Comments

Re: Cyberspace Executive Order Skirts Mandates on Private Sector

This sounds like a very good initiative once there is no hidden agenda by the administration. It is important for the document relating to the order to be made available to enable a carful study of its contents by businesses and IT professionals.
Paul Beckles at 2/15/2013 5:54 PM

Add Comment
Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.

Name: *

eMail *

Comment *

Title

Attachments

Name: *


eMail *


Comment *


 

Refresh
Please enter the text displayed in the image.
The picture contains 6 characters.

Characters *

  

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

 

 

Bookmark and Share