Executive Order on Cybersecurity: Will It Spark Further Activity?

What happens next? When? Will we see further action, or inaction, and by whom?

As Bruce Springsteen once sang, “you can’t start a fire without a spark.” With this in mind, President Obama issued an executive order on cybersecurity this week. Will this truly be a spark? To answer that question, it is worthwhile to start by describing what the executive order does. There are really three main points to the order:

1. Directs the Federal government (primarily DHS) to create a program for sharing non-classified cybersecurity intelligence with the private sector.
2. Asks NIST to create a set of standards and best practices for cybersecurity.
3. Suggests that the Feds create incentives to encourage private organizations to invest in cybersecurity.

So will this executive order actually do anything, or is it a day late and a dollar short? Well, in a recent research survey, ESG asked 244 security professionals working at enterprise organizations (i.e., over 1,000 employees) what actions the Federal government should take in response to the wave of cyber attacks and Advanced Persistent Threats (APTs). Here is a comparison between the ESG research data and the executive order:

• 45% of enterprise security professionals said that the Federal government should, “create better ways to share Federal and law enforcement security information with the private sector.” While there is still some work to do on the framework and process, the executive order nailed this one.
• 41% of enterprise security professionals said that the Federal government should, “coordinate an APT task force composed of government cyber security experts, security researchers, and security technology vendors.” Hmm, good idea, and this is certainly happening on an informal basis, but there is no task force associated with the executive order.
• 40% of enterprise security professionals said that the Federal government should, “enact more stringent cybersecurity legislation along the lines of PCI DSS.” The President suggested this as a next step – are you listening on Capitol Hill?
• 35% of enterprise security professionals said that the Federal government should, “use diplomatic means to address APTs in the international community.” An important step, but not part of the executive order.
• 35% of enterprise security professionals said that the Federal government should, “provide funding for advanced research and development around cybersecurity.” While the President talked about investing in education, he did not make a specific recommendation as it relates to cybersecurity. Perhaps this shouldn't be part of an executive order, but it is still a missed opportunity.
• 34% of enterprise security professionals said that the Federal government should, “provide incentives to organizations that invest in cybersecurity.” He shoots, he scores – although this was a suggestion rather than a mandate.
• 27% of enterprise security professionals said that the Federal government should, “provide funding for cybersecurity professional training and education.” Again, this fits with the general themes of the President’s position, but the executive order does not do anything here.

I believe it was Hunter S. Thompson who said, “Half of life is just showing up.” With his executive order this week, President Obama finally showed up and drew a line in the cybersecurity sand. So what’s next? Over the next few months we will see if the President and Congress build upon this action or whether they continue dancing in the dark.
Copyright © 2013 IDG Communications, Inc.