Obama Cyber-Security Order a Good First Step, Experts Say

President Obama's executive order on critical infrastructure cyber-security asks for better information and more sharing. Until then, we wait.

President Obama, ahead of his State of the Union address Feb. 12, signed an executive order that calls on the owners and operators of critical U.S. infrastructure to "improve cyber-security information sharing and collaboratively develop and implement risk-based standards."

The order also called on the Department of Homeland Security to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a "set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks." To the fullest extent possible, the framework will also "incorporate voluntary consensus standards and industry best practices," said the order.

"We know hackers steal people's identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," Obama said during his address. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

On Feb. 13, the National Institute of Standards and Technology (NIST) responded, saying in a statement that, as a first step toward creating the cyber-security framework, it has issued requests for information from the relevant parties.

"The Framework will not dictate one-size-fits-all solutions, but will instead enable innovation by providing guidance that is technology-neutral and recognizes the different needs and challenges within and among critical infrastructure sectors," NIST said in its statement.

NIST's comment underscores how an order like this—designed to protect infrastructure that, if incapacitated, could damage the nation's security, economy or public health—could be voluntary.

"If an auto manufacturer makes a car and it's defective, there are ways to show liability. In the world of information, that's harder to do. The best practices just aren't there. We don't have as much practice at it as we do at things like building cars and flying airplanes," Ron Gula told eWEEK, offering further explanation.

Gula is a former National Security Administration cyber-security chief and currently the CEO of network security provider Tenable, which counts the Department of Defense, Apple and Amazon among its clients.