Executive order on cybersecurity coming, but is it only a 'down payment on legislation'?
Based on leaked versions of the order, the White House is expected to put DHS in charge of organizing an cyberthreats information-sharing network
February 13, 2013 — CSO — President Obama has spent much of the past two months focused on citizen security through gun control. Today, he is expected to focus on the security of the nation's critical infrastructure (CI) through a long-anticipated executive order promoting better information sharing on cyberthreats between government and private industry.
But a number of security experts said that while the order will carry some symbolic significance, it will do little to improve protection of the nation's infrastructure from cyber intrusions. That would require legislation, the experts said, noting that several attempts to pass cybersecurity legislation failed last year.
Stewart Baker, former general counsel at the National Security Agency (NSA) and a past assistant secretary for policy at the Department of Homeland Security (DHS), told Reuters that the order amounted to "a down payment on legislation," but added, "whether it will provide practical protection from cyber attacks is still in doubt."
Baker told CSO Online that the order doesn't seek to improve sharing from industry to government, but moves in the other direction -- from government to industry -- by making it easier for those in critical infrastructure industries to get security clearances.
"[It's] a modest step, because there are plenty of clearances for private industry today, so the [executive order] won't have any real effect on information sharing in either direction," he said.
Mark Jaycox, an attorney with the Electronic Frontier Foundation (EFF), agrees that the tools and laws already exist for such information sharing, but he said he still thinks the order will improve things because it will "further strengthen the fact that companies can already share information with the government and vice versa."
But Jacob Olcott, principal at Good Harbor Consulting and past counsel and lead negotiator on comprehensive cybersecurity legislation to Sen. Jay Rockefeller (D-WVa.), said the problem is not a lack of information sharing, but "cyber hygiene."
[Also see: Fed stays secretive after Anonymous hack]
He cited a Verizon study finding that 97% of breaches could be avoided through simple or intermediate controls. "Classified threat information is not useful for a company that isn't regularly patching its systems," he said.
Numerous reports during the past week have said the president would issue the order on Wednesday morning at a briefing at the U.S. Department of Commerce.
Based on various leaked versions of the order, it is expected to put the Department of Homeland Security (DHS) in charge of organizing an information-sharing network in which government would distribute classified, sanitized summaries of intelligence reports about possible cyberthreats aimed at specific targets.
Reuters reported that besides making it easier for those in the private sector to get classified information, the order will "make companies work with the National Institute of Standards and Technology to come up with sector-specific standards for cybersecurity and then will require companies to engage with their regulators to decide how those standards are implemented."
Baker said those standards could have value. "In the real world, these 'voluntary' standards will be quasi-mandatory, because companies that don't meet them could face lawsuits after suffering a breach," he said. "They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence."
The fundamental question, of course, is whether the order will make the public and private sector more secure, both from attack and from espionage aimed at stealing intellectual property. And experts are generally dubious about that as well.
Joe Weiss, managing partner at Applied Control Solutions and a critical infrastructure expert, said flatly, "It's not going to work."
Weiss said he is adamant partly because the leaders of utilities have "checked the box," to be in compliance with government security standards, but little else.
Besides that, "they don't trust the government," he said, adding that there is no need for an order to let government share information on threats. "They're already doing that," he said.
Roger Thornton, CTO of AlienVault, said: "It is very hard for many of us in the private sector to trust that the feds have significantly better threat information that they are willing to share," he said. "Researchers at hundreds of private organizations like ours are routinely catching attacks and infiltrations backed by states, particularly China and even the U.S. or its allies."
"The ways the government can help most are in the things that it can do exclusively, such as treaties with foreign governments to limit cyber attacks and aid in joint law enforcement," he said. "To assert that government's involvement and training is necessary for private industry to accurately identify, assess, and respond to threats is frankly a somewhat arrogant position to take."
Weiss, who said he has documented more than 75 electric industry control system cyber incidents, said those incidents are, "real, numerous and growing."
"However, the electric industry and NERC (North American Electric Reliability Corporation) generally have been silent on disclosing control system cyber incidents even within the industry," he said.
The executive order is also not expected to stem the flood of espionage intrusions by China. The Washington Post's Ellen Nakashima reported recently that sources familiar with the most recent National Intelligence Estimate -- a classified document -- told her that the Chinese have been hacking the U.S. energy, finance, information technology, aerospace and automotives sectors for the past five years.
"The assessment does not quantify the financial impact of the espionage, but outside experts have estimated it in the tens of billions of dollars," the report said.
But Harvard Law School professor Jack Goldsmith, writing on the Lawfare blog, noted that the options for the U.S. are few and weak.
"Analysts have said that the administration's options include formal protests, the expulsion of diplomatic personnel, the imposition of travel and visa restrictions, and complaints to the World Trade Organization," and then observed, "Wow, that will have the Chinese quaking in their boots," he said, quoting Nakashima.
Part of the problem, he wrote, is that military strikes against China is not practical, nor are economic sanctions, given the interdependence of the two economies. Finally, he wrote, the U.S.'s hands are not entirely clean either.
"We spy on the Chinese (though not in the private sector in the same way as the Chinese) and promote hacktivism against the Chinese as well," he wrote. "So in truth we have little leverage beyond the weak steps being considered."
Read more about critical infrastructure in CSOonline's Critical Infrastructure section.
Other stories by Taylor Armerding