President May Issue Executive Order On Cybersecurity
President Obama reportedly is drafting an executive order aimed at addressing the vulnerability of the nation's critical infrastructure to cyberattacks. The move essentially would be a work-around to the Cybersecurity Act of 2012, which was defeated in the Senate last month by Republicans who felt that the terms were too restrictive on business. In addition, some civil libertarian groups felt that the bill threatened privacy protections.
The Associated Press reportedly has obtained a draft copy of the president's proposed order, which apparently would establish a new counsel to oversee cybersecurity for the nation's critical infrastructure, under the Department of Homeland Security.
The panel likely would be made up of representatives from a number of government agencies, including the Department of Commerce's National Institute of Standards and Technology, the Department of Defense and the Department of Justice. It would be called upon to issue a report on the various threats to and vulnerabilities of the nation's critical infrastructure and make recommendations for their protection. These recommendations could include adjustments to current regulations, or the addition of new ones. More government agencies, as well as the business community, likely would be called upon to participate in the process.
A variety of experts have warned that much of the nation's critical infrastructure, including the power grid, gas pipelines and water supply and transportation systems, are controlled by systems that predate adequate information security. Or, the experts have said, the infrastructure has other flaws that make it highly vulnerable to attack by the range of sophisticated, weapons-grade malware now available to nation-states and, potentially, terrorist organizations or other groups.
[Related: Cybersecurity Bill Fails in Senate ]
While the validity of these concerns is widely acknowledged, there is substantial disagreement among lawmakers, and the political parties, as to the best way to mitigate the threat.
Sen. Dianne Feinstein sent a letter to President Obama last month urging him to move forward with an executive mandate.
"I strongly agree with your recent comments that urgent action is needed to defend U.S. government and private sector computer networks from cyberattack and espionage," she wrote. "Because our critical infrastructure, our financial hubs, and our ability to defend the Nation are at risk, we must take action to address these vulnerabilities as soon as possible. I therefore urge you to issue an Executive Order, or take other appropriate action, to advance the cybersecurity of our Nation’s critical infrastructure."
Meanwhile, the conservative Heritage Foundation opposes such a move. A blog by its Heritage Network, posted shortly after the bill was defeated, reads, in part, as follows:
"While we agree that reforms and improvements in cybersecurity are needed, it is important that we prudently consider the intended and unintended effects of any piece of legislation. The legislative process ensures the debate of ideas and allows alternative ideas. The executive order, on the other hand, eschews such open debate and instead imposes the President’s will with its weaknesses unmitigated by the legislative back-and-forth."
NEXT: Retaliation for Stuxnet?
Paul Henry, a security and forensic analyst with Lumension, contends that the government's approach to information security is inherently flawed by a dependence on outmoded technologies.
"For example, nearly every security requirement from the government has a line item for antivirus, but antivirus is effectively obsolete," he claimed. "If we are going to have guidance, that guidance needs to address more contemporary technologies such as application control and white listing. Firewalls are another example. The bad guys recognize that all they need to do is run their malicious applications over a port other than the one that is being blocked with a port-centric firewall. The requirements need to be in line with the current technologies. Those products are out there, but the government requirements fall behind the times."
Meanwhile, Andrew Jaquith, chief technology officer for Perimeter E-Security, indicates that the danger level requires immediate attention.
"I think we saw the last round of cybersecurity bills fall victim to partisan wrangling in the Senate," he said. "These bills tend to start off in the right place, they have good intentions, but they get watered down in the important places when the special interests try to replace meaningful aspects with stuff that doesn't matter. There's a lot of noise about having to certify security professionals, for example. But certification does not guarantee anything."
The keys include the ability to measure outcomes, which is often difficult in circumstances where security means that an event failed to occur, said Jaquith. More collaboration also needs to exist between the government and the private sector. "We need to have better sharing without necessarily feeling that you can be sued for disclosing a vulnerability, or sharing information eventually deemed sensitive. So there needs to be some sort of a shield in place in order to get that level of cooperation," said Jaquith.
Most experts agree that an attack upon critical national infrastructure is more than likely to happen.
"Our role in Stuxnet opens up Pandora's box," summarized Henry. "We've basically said that a cyberattack is equivalent to an act of war and could be met with any military response from the United States. But it's pretty clear that the United States was behind the Stuxnet attack against Iran, and people in glass houses probably should not throw stones. Any third world country with a grudge against the United States and an Internet connection has now learned that it is acceptable to promote your political viewpoint by launching a cyberattack. We did it. Why shouldn't they?"
PUBLISHED SEPT. 13, 2012