Obama’s executive order leaves more questions than answers

I’ll be honest: Though I’m still digesting President Obama’s executive order to improve critical infrastructure cybersecurity, I’m a skeptic. I’ve seen too much dysfunction between the White House and Congress to ever expect real progress.

Oh, it’s not all bad in Washington. I think Mark Weatherford, undersecretary of cybersecurity for DHS, is doing a good job raising awareness in the private sector and reaching out to the next generation of cybersecurity warriors. I believe Howard Schmidt moved the needle in the right direction during his tenure as Obama’s cybersecurity advisor.

But when it comes to legislation and executive orders on this issue, I’ve seen a lot of Tom foolery. Let’s start with last year’s proposed Cyber Intelligence Sharing and Protection Act ( CISPA), which as originally written would have allowed excessive snooping on the part of the public and private sectors. More about that in one of my earlier posts,  “Need proof that CISPA stinks? Open your history books.” I was actually relieved when Congress failed to pass cybersecurity legislation in 2012, because as some smart people have written, sometimes the best thing that can happen is nothing.

As for Obama’s executive order, here’s how the White House is spinning it:

Today’s new Executive Order was developed in tandem with the Presidential Policy Directive on Critical Infrastructure Security and Resilience also released today. The Executive Order strengthens the U.S. Government’s partnership with critical infrastructure owners and operators to address cyber threats through: 

• New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts. 

• The development of a Cybersecurity Framework. The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.  

The Executive Order also: 

• Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public. 

• Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.

• Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

 I need to digest the raw language further before I draw my own conclusions. But I suspect the special interests have made a mess of the order. We know they’ve made a mess at the other end of Pennsylvania Avenue, and that makes me skeptical of what’s between the lines of Obama’s action.

If I’m proven wrong — if this order turns out to be the turning point in government efforts to improve cybersecurity — I’ll be right back here eating a plate of crow with a big smile on my face.

Until then, I urge you all to read this order carefully and have a frank discussion about the details.