President Obama, ahead of his State of the Union address Feb. 12, signed an executive order that calls on the owners and operators of critical U.S. infrastructure to “improve cyber-security information sharing and collaboratively develop and implement risk-based standards.”
The order also called on the Department of Homeland Security to recommend ways to mitigate security attacks and, among other tasks, for the secretary of homeland security to direct the development of a cyber-security framework that includes a “set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.” To the fullest extent possible, the framework will also “incorporate voluntary consensus standards and industry best practices,” said the order.
“We know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” Obama said during his address. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
On Feb. 13, the National Institute of Standards and Technology (NIST) responded, saying in a statement that toward the agenda of creating a cyber-security framework, it has issued requests for information from the relevant parties.
“The Framework will not dictate one-size-fits-all solutions, but will instead enable innovation by providing guidance that is technology-neutral and recognizes the different needs and challenges within and among critical infrastructure sectors,” NIST said in its statement.
NIST’s comment underscores how an order like this—designed to protect infrastructure that, if incapacitated, could damage the nation’s security, economy or public health—could be voluntary.
“If an auto manufacturer makes a car and it’s defective, there are ways to show liability. In the world of information, that’s harder to do. The best practices just aren’t there. We don’t have as much practice at it as we do at things like building cars and flying airplanes,” Ron Gula told eWEEK, offering further explanation.
Gula is a former National Security Administration cyber-security chief and currently the CEO of network security provider Tenable, which counts the Department of Defense, Apple and Amazon among its clients.
Obama Cyber-Security Order a Good First Step, Experts Say
Regarding threats to critical infrastructure, he said he doesn’t expect a cinema-quality “catastrophic” event, but he does believe an agenda of heightened security is worthwhile.
Gula explained that 2012 saw the highest-ever number of data-loss public disclosures, but that it was many small companies that had been hit. The big companies, with security measures in place, had remained secure, proving that investments in cyber-security pay off, he said.
“That’s why I think this is a good thing,” he said of the order. “Progress is going to happen.”
However, the voluntary program of information sharing that the order calls for is tricky, in that it requires a certain balance to be struck, said Daren Orzechowski, a partner in the international law firm White & Case.
“The executive order leaves much of the work around balancing individual privacy rights and the nation’s cyber-security interests to further agency action for creating a voluntary cyber-security framework and program,” Orzechowski said in a statement. “We therefore need to stay tuned for the real details.”
Lawrence A. Pingree, Gartner research analyst and director, said there’s also some wait-and-see in what will result from the request for greater information sharing.
“The real question is [whether this will] result in an actual improvement in security by sharing intelligence with the private sector,” Pingree told eWEEK. “Largely, we don’t know if the classified intelligence will be better than the intelligence we already have. I think we, as security practitioners and researchers, are all on the edge of our seats.”
The consensus regarding the order seems to be that, at the very least, it can only help.
“Like all of us, the Obama administration has seen countries like Iran, North Korea and China demonstrate a willingness to hack into a widening scope of organizations that may grow to encompass critical infrastructure in the future, if the trends continue,” Dan Guido, co-founder and CEO of information security company Trail of Bits, told eWEEK.
“The executive order will help keep us ahead of where we need to be, so we’re prepared when these attacks become more of a reality,” Guido said. “Declassification of threat information and protections for sharing information should help shift incentives over the long term.”