“Earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy”. This is what President Barack Obama told the US Congress, and the American people, during his February State of the Union address. It was significant because Obama dedicated roughly two paragraphs of the speech to cybersecurity-related issues, a first of its kind for an address of this nature.
The order contained two key elements, as Infosecurity reported at the time. It directed the government to share cyber threat information with critical infrastructure owners, while also asking government agencies to develop a voluntary security framework for businesses to adopt.
The information-sharing aspects of the order break down into two areas as well: unclassified threat information is to be shared as a matter of course, whereas classified information will be given to critical infrastructure operators on a need-to-know basis, when there is a known, specific threat targeting their sector.
So why was this order necessary? First and foremost was the failure of the Cybersecurity Act of 2012 in the Senate, and opposition to the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives – including objections from the Obama administration about what it considered a lack of adequate privacy protections in CISPA.
“It’s what the administration thought they could legitimately glean from both the House bill, which was about information sharing, and the Senate bill, which was about standards”, says Bruce deGrazia, president of GHS Advisors, and former Assistant Deputy Undersecretary of Defense.
The Cybersecurity Act failed, deGrazia asserted, because two groups in the Senate opposed it: “One believed that anything other than truly voluntary standards (i.e., so voluntary that they are not mentioned in the bill) would be too much of a burden on the private sector.” The other group believed that the bill would not sufficiently protect privacy.
He is also quick to point out the limitations of an executive order versus legislation from Congress. “An executive order does mandate certain actions, but it can only mandate actions within the federal government”. On its face, and in a legal sense, there is no mandate for private sector cybersecurity standards in the order.
Raising Awareness
Signing the executive order was the right thing to do if you ask Hord Tipton, executive director of (ISC)². He has reviewed the order and contends that, at the very least, it keeps attention focused on the topic of cybersecurity in critical infrastructure, even if the order is less comprehensive than a legislative mandate from Congress. “You can’t criticize the administration for balancing a little politics and at the same time getting something done that keeps attention on the subject”, he commented.
Tipton agrees with a premise set out early in the order that threats to critical infrastructure are one of the nation’s most serious security challenges. “They are coming from the world over”, he added. There are some omissions that Tipton takes issue with, however, including the lack of an international component for nations to collaborate on things like cyber rules of conduct, and no mention at all about the importance of training people for cybersecurity-related positions.
Tom Ridge, former Pennsylvania governor and Secretary of the Department of Homeland Security, believes the order maintains a healthy level of awareness about critical infrastructure-related cybersecurity. “Anytime the president of the United States is in the headlines talking about cybersecurity, I think that’s a good thing”, he recently told an audience at the RSA Conference in San Francisco. “But for the president to have to sign an executive order directing the federal government to give unclassified information when a risk is directed toward a specific target is almost incredulous to me – that the president has to tell them to do what you and I would think they would do naturally”.
Voluntary vs Mandatory
One of the key components of the order is the establishment of a voluntary consensus framework on security standards, to be led by scientists at the National Institute of Standards and Technology (NIST) in conjunction with recommendations from executive agency leadership. The key word here is ‘voluntary’, because it was the Cybersecurity Act’s lean toward mandatory standards that originally drew the ire of the American business community. Even after these standards were proposed as voluntary in a revised version of the bill, it still wasn’t enough to placate both the business interests and the privacy advocates.
The former DHS Secretary takes issue with inconsistencies in the executive order, which from the outset speaks of “voluntary standards” but also makes reference to “imposing requirements – presumably on the private sector companies operating” in certain areas under the watchful eye of sector-specific regulatory bodies. “It’s just troubling to me”, Ridge surmised, but nonetheless sees the order as a “foundation” for creating a cybersecurity framework at the national level – but not an overall long-term solution.
There are mixed views among those I consulted about whether the private sector would readily adopt standards that are voluntary. The dividing line seems to be perspective: whether one’s background is in the private sector or in public service.
“It’s nicer to have things be voluntary, because when people submit, they will likely do it with the right attitude”, remarked Sue Milton, president of ISACA’s London Chapter. I asked her if the private sector typically takes it upon themselves to adopt voluntary standards – such as those set out in the executive order. “They do, if they feel it’s in their common interests”, she responded. “After a while, if there is a critical mass that adopts it, then it becomes the standard.”
Milton added that in some cases, there is a value to voluntary compliance, as organizations may not do business with those that do not conform to the standard. Further, a premium can become attached to voluntary compliance because an organization adheres to a particular code of conduct.
Others with experience in the US government expressed a less optimistic view. Take, for example, the observations of Tipton, who is also a former CIO for the US Department of the Interior.
“Now, I’m a former regulator”, he jokingly prefaces, admitting he is a bit biased when it comes to arguments over mandatory and voluntary standards. “I have gone through several years of arguing with several large companies, and to some extent government interests, as to exactly what kind of standards should be developed”. The issues, as he sees it, crop up around whether they should be performance-based standards, or design-based. “Companies don’t like when you prescribe what the remedies and controls are”, he said. “They would rather you tell them what should be protected, and then leave it up to them to protect it”.
The appropriate response, in his view, lies somewhere in between the wishes of the regulator and those of the business community. “If you leave it totally up to companies to design the controls, then you will have numerous sets – you can’t put all of the trust on the companies’ side”. Tipton wishes the executive order had gone further, beyond calling for voluntary cybersecurity standards. “Voluntary to me is a framework that will always have holes in it.”
Bruce deGrazia, a CISSP who supported the failed Cybersecurity Act of 2012, largely agrees with this assessment. “In my experience as a lawyer working on regulatory issues, the private sector will simply not adopt voluntary standards”, he contended. “In the private sector, companies that adopt standards have done so in reaction to attacks on their own networks, or have a very firm belief they will be a target – but that’s a very small percentage”. In contrast, deGrazia noted, defense sector firms will adopt the government’s voluntary standards as a matter of practice, but very few outside it will follow suit.
Certain provisions in the executive order could be leveraged against the private sector as a type of de facto compliance, especially concerning access to government contracts and, with them, federal spending. The order directs the heads of government agencies to determine, within 120 days of its issuance, “whether or not the voluntary standards can be incorporated into contracting regulations”. This would allow agencies – for example, the Department of Defense – to make the achievement of certain cybersecurity standards a mandatory requirement for successful contracting bids. “And that’s where the hammer comes”, deGrazia affirmed.
The Global Perspective
An executive order issued by the President of the United States is limited in reach, as it technically applies only to the US federal government. The reality, however, is quite different, especially taking into account that the vast majority of critical infrastructure in the US is privately operated, and in many cases by foreign firms.
Furthermore, the issue of security in this area is hardly a local one, as pointed out by Amar Singh, CISO of News International and chair of ISACA London’s Security Advisory Group. Singh has personally reviewed the order and fully supports its vision to secure critical infrastructure. “It’s not only a US issue – it’s a global one”, he told me. “It’s a big problem that affects nearly every nation.”
Singh also applauds the order for its awareness benefits. “It’s always good when people like President Obama, on a regular basis, highlight this as a concern. It gives folks like me, even on the other side of the pond, impetus to take notice because if the US is taking this seriously, then we should also.”
He believes the US has the ability to lead a movement toward increased security for critical infrastructure, a concern shared by the government in the UK, where he is based. “But the US is making the right kind of noise at the moment”, Singh admitted.
ISACA’s Milton is unsure whether potential impacts on European-based firms have been contemplated at this point. “It hasn’t made the headlines here, or made it to the board level”, she said of the order. “I would suspect that people in Europe are looking for something a bit more concrete”, such as comprehensive legislation. “But clearly, those who participate in the US market really need to start taking heed earlier rather than later.”
Milton also praised Obama for his leadership role on cybersecurity. “I think he’s made it extremely explicit and upfront: government has to play a leading role to coordinate the response, reduce the threats, and manage the threats to critical infrastructure more effectively. By being this explicit, it really is a new approach in the war on cyber threats. These threats are so global, so a response even at the national level is quite fragmented.”
A comprehensive national approach is nonetheless necessary, Milton said, to establish a baseline for how stakeholders in the critical infrastructure framework must contribute to the overall security of the ecosystem.
Uncertain Future
One of the main objections to the executive order approach is the uncertainty it creates; it applies only to the federal government and lacks the teeth of comprehensive legislative policy. Both the Cybersecurity Act and CISPA have been brought up again for consideration by Congress, and all of the people I spoke with for this article agreed that the executive order was a short-term solution for cybersecurity in critical infrastructure. Or, as Tom Ridge described it, a “foundation” for creating a cybersecurity framework at the national level – and not an overall long-term solution.
This level of uncertainty indeed presents problems, according to Singh. “Many nations have long-term strategies for cyber warfare, cyber readiness, and cyber resiliency”, he observed. In more ‘democratic’ nations, he continued, “there is always the uncertainty involved with a particular piece of legislation being overturned. The danger is that, if the government changes, will the next administration come up with something else?”
Absent Congressional action, overturning the executive order is technically feasible. Nevertheless, according to deGrazia, “most executive orders stay” when the administration turns over, and he sees no reason why this one would be any different.
Regardless of the political wrangling over Congressional versions of the bill, deGrazia believes there is widespread acknowledgement that a problem exists with respect to critical infrastructure cybersecurity.
“Whoever the next president is, they would likely only amend the executive order, but by that time I believe there will be legislation”, he predicts. He affirmed this not only because there is a sense of urgency to take action, but also because the potential exists for a cyber attack on critical infrastructure over the short term that would be a catalyst for immediate action.
The last word on the matter goes to Hord Tipton, who identifies positive aspects in the status quo. “In some ways the executive order could actually be better than watered down legislation, because it allows you to take laws and regulations already on the books and apply them with more rigor than in the past”.
When asked about the prospects of comprehensive cybersecurity legislation from Congress, Tipton does his best to remain optimistic. “I know they are still trying”, he said, noting that he has met with several congressional offices recently about the possibility. “They are still listening, they are still working on it, and they realize it’s a high priority. They haven’t given up on it – so let’s keep hoping”.
Tipton believes it beneficial to have clear and comprehensive legislative action on critical infrastructure cybersecurity policy, but lamented the direction the debate has taken. “It has shifted from a bi-partisan issue to a political one”, he said. “It’s become a Right vs Left battle.”