Hopes for federal cybersecurity standards fading
Prospects for legislation or presidential executive order before the end of the year look dubious
October 30, 2012 — CSO — Cybersecurity is clearly on the agenda of both Congress and President Obama. But it is just as clearly not at the top of their list.
The prospects this year for federal cybersecurity standards governing private-sector operators of critical infrastructure, either through legislation or presidential executive order, are fading.
Analysts and legislative insiders say it is unlikely that legislation, in the form of the U.S. Senate's 2102 Cyber Security Act (CSA), will make it through a lame-duck Congress.
Randy Sabett, an attorney with ZwillGen and an information security expert, called it "very unlikely."
"[Cybersecurity] is a very complex topic and we still have fundamental differences between the various sides," he said. "Add into that the election, the budget and sequestration, and the host of other issues facing Congress and [cybersecurity action] doesn't have much of a chance."
Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security, agrees. He told Jennifer Martinez of The Hill that "the timing is bad [and] the amount of work that has to be done in the lame duck is so substantial."
Leslie Phillips, communications director for the Senate Homeland Security and Government Affairs Committee, confirmed that Sen. Joseph Lieberman (I-Conn.), a cosponsor of the CSA legislation, is also doubtful about its prospects.
"The Senator, by nature an optimistic man, puts the odds of passing comprehensive cybersecurity legislation in the lame duck session at less than 50-50," Phillips told The Hill.
While the Obama administration began in early September to circulate a draft executive order that would implement some of the goals of the CSA, Department of Homeland Security (DHS) Secretary Janet Napolitano said after a speech last week that the president had not even reviewed the latest draft of that order.
Napolitano added that the administration would prefer that Congress pass cybersecurity legislation, rather than issue the executive order.
And then there is the election. If President Obama wins a second term, and Congress fails to act, there is still a chance he could issue the order sometime between mid-November and the end of December.
But if he loses, the order is in trouble. "I don't think an executive order on this topic by a president that's just been defeated is likely," Baker said.
Some in the security community wonder if either legislation or an executive order is necessary. Joel Griffin, writing in SecurityInfoWatch, argues that information sharing between government and private operators of critical infrastructure should already be happening.
"Wasn't that the whole point of the DHS's establishment of fusion centers across the country to create a place where federal, state and local authorities could meet to discuss potential threats, be it physical or cyber?" Griffin wrote. "The intelligence shared amongst these agencies should logically be passed onto security and management personnel at critical infrastructure sites if there is a credible threat."
He added that if the fusion centers aren't performing that function, there is no point in setting up a parallel system for shared intelligence on cyber threats. "The last thing we need is more needless regulations that keep law enforcement and the private sector more concerned about being in compliance than with actually dealing with the issue," he wrote.
But Baker said the fusion centers have focused on intergovernmental information sharing and not on public-private sharing. "Using fusion centers to share cybersecurity information with the private sector is a new idea. I'm not convinced it's the right solution," he said.
Sabett said information sharing and self-regulation have been tried for more than a decade without success. But he said he supports an approach that uses existing mechanisms like the fusion centers. "If the activity and information from the fusion centers and other sources can be coordinated by the Information Exchange Framework [proposed] in the leaked executive order, we could wind up with a system that actually functions well," he said.
"That is a huge 'if,' however," Sabett said, "since for over a decade no comprehensive models for information sharing have worked well."
Yet another hurdle to agreement on either legislation or an executive order is what is designated as critical infrastructure. While there is general agreement that it includes the financial, energy, transportation and communications sectors, Sabett said "the number of difficult and controversial calls will likely outnumber the easy calls."
"Couple that with the potentially cascading effects from a cyberattack, and there are things that today don't seem like critical infrastructure, but will tomorrow," he said.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.
Other stories by Taylor Armerding