Cybersecurity Executive Order Can Only Do So Much; New Legislation Needed, Official Says
As cybersecurity legislation designed to mitigate the damage being done by network intrusions in the private sector faltered in the 112th Congress last year, news emerged that President Barack Obama would create an executive order to fill some of the gaps that lawmakers couldn’t.
That caused a great deal of consternation in some quarters, particularly in the business communities where regulations are generally not welcome.
The executive order was released Feb. 12 and arrived with generally little controversy.
Michael Daniel, national cybersecurity coordinator and special assistant to the president, said, “Unfortunately, executive orders are not magical. They don’t suddenly give us powers we don’t have and subvert the will of the Congress.”
“We think … the only way we can make progress on cybersecurity is to do a better job of sharing with the private sector,” Daniel said at an Armed Forces Communication and Electronics Association cybersecurity conference.
The order called for the expansion of the Defense Industrial Base Information Sharing Program, in which participating companies alert the Defense Department to attacks on their systems and the department, in turn, sends reports on the new threats to all participants. Participation, however, is voluntary. The order calls for extending the program into other critical economic sectors.
It also calls on the National Institute of Standards and Technology to develop “a framework of cybersecurity practices to reduce cyber risks to critical infrastructure.”
Daniel said the administration has heard the private sector’s call for more security clearances in their organizations, so it ordered the Department of Homeland Security to expedite applications.
There is a delicate balance when pushing out reports to those who need to see them, he noted.
“There is no way you can give a clearance to everybody who needs to understand cybersecurity and operates critical infrastructure,” so the government must be able to take some risks when sending out reports.
The government must increase the volume, timeliness and quality of the threat information it puts out, he said.
“When you share information too broadly, sometimes it can lose its value. Your adversaries learn of it and they change their tactics and it is no longer useful,” he said. “At the same time, if we don’t share information at all, it is very rarely useful.”
There are not a lot of controversial items in the order, said Dave Frymier, chief information security officer at Unisys. There is one order for the DHS secretary to begin a process to identify critical infrastructure such as dams and utilities that should be protected. This would be a specific list of companies and utilities, not just a general identification of different sectors, he said.
“That is something that has to be done anyway. If you look at a risk analysis process, defining the assets that you have to protect is the first step,” Frymier said.
But the order allows companies that don’t want to be designated as “critical” to ask to be taken off the list, Frymier noted. There must be a process in place for them to “request reconsideration” of their status, the order said.
As for expanding the defense industrial base program, “you get some useful stuff out of that,” Frymier said. “From a corporate perspective, that helps you find infected systems and once you know they are there, you can move to remediate them.”
Daniel said one concern the administration heard prior to the executive order’s release was that no additional committees or organizations should be stood up.
There are plenty of existing structures, he said. Some industries have regulatory oversight bodies. And DHS has set up critical infrastructure coordinating councils.
“The organizations already exist. There is no need for any more,” he said.
Information sharing under such a voluntary regime will only succeed if companies want to participate, Daniel said. They will need incentives. The executive branch could find out what the private sector wants, but legislation could provide more. He hoped Congress would pass new laws this year. Such items as liability protection for sharing information can’t be instigated by an executive order, he noted.
Frymier said: “The administration has taken it about as far as they can given what they can do as the executive branch of the government.” Regulations with more teeth or more specific information sharing would have to come from Congress.
House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., and ranking member Rep. C.A. Dutch Ruppersberger, D-Md., will introduce a bill identical to the “Cyber Intelligence Sharing and Protection Act” (H.R. 3523) that passed the House 248-168 in April. The Senate version died in the waning days of the 112th Congress.
Daniel said, “What we think we will see is a vibrant voluntary cybersecurity program. We think there are enough companies out there that recognize the threat, that appreciate the risk to them. It may not be a short-term risk — it may be longer term — but it is a risk nonetheless.”