Cyberspace Executive Order Skirts Mandates on Private Sector
The order calls for the expansion of the Defense Industrial Base Information Sharing Program, in which companies alert the Defense Department to attacks on their systems, and it, in turn, sends out reports on the new threats to all participants. This, however, is a voluntary program. The order calls for the expansion of the program into other critical economic sectors.
It also calls on the National Institute of Standards and Technology to develop “a framework of cybersecurity practices to reduce cyber risks to critical infrastructure.”
There are not a lot of controversial items in the order, said Dave Frymier, chief information operations systems at Unisys. There is one order for the secretary of homeland security to begin a process to identify critical infrastructure such as dams and utilities that should be protected. This would be a specific list of companies and utilities, not just a general identification of different sectors, he said.
“That is something that has to be done anyway. If you look at a risk analysis process, defining the assets that you have to protect is the first step,” Frymier said.
But the order allows for companies that don’t want to be designated as “critical” to ask to be taken off the list, Frymier noted. There must be a process in place for them to “request reconsideration” on their status, the order said.
As for expanding the defense industrial base program, “you get some useful stuff out of that,” Frymier said. “From a corporate perspective, that helps you find infected systems and once you know they are there, you can move to remediate them.”
Larry Clinton, president of the Internet Security Alliance, said in a statement: “If the administration truly engages the private sector in developing an economically sustainable system to promote greater cybersecurity, this could be a game changing moment.
“But if the talk of partnership and incentives is just a rhetorical facade for the same approach that has failed in the Senate for the past three years, then this so-called ‘new policy’ will leave us where we are now: without a coherent policy in the face of ever more sophisticated cyberthreats to our nation,” Clinton added.
He counted the broadened information sharing program among the “potential positives” in the executive order.
A White House statement accompanying the release of the executive order said, “The administration continues to believe that legislation is needed to fully address this threat. Existing laws do not permit the government to do all that is necessary to better protect our country.”
Frymier agreed. “The administration has taken it about as far as they can given what they can do as the executive branch of the government.” Regulations with more teeth or more specific information sharing would have to come from Congress.
House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and ranking member C.A. Dutch Ruppersberger, D-Md., will introduce a bill identical to the “Cyber Intelligence Sharing and Protection Act” (H.R. 3523) that passed the House 248-168 in April. The Senate version died in the waning days of the 112th Congress.
Rogers said, “It is time to stop admiring this problem and deal with it immediately. Congress urgently needs to pass our cyberthreat information sharing bill to protect our national security, our economy and U.S. jobs.”
House Homeland Security Chairman Rep. Michael McCaul, R-Texas, said in a statement that he will be submitting his own bill, and said he had concerns about the executive order.
“I am concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses, and fail to keep pace with evolving cyberthreats. Our first priority must be to ‘do no harm.’”