Questions loom about Obama's cybersecurity plans
With opposition growing to reported plans by President Obama to issue an Executive Order to bolster cybersecurity within the nation's critical infrastructure, the main question now is whether the White House will plow ahead with the idea or drop it quietly in an election year.
Last week, Techdirt published what it said was a leaked draft version of Obama's planned order for critical infrastructure protection. The 19-page document outlines broad security objectives for all government agencies.
Without offering many specifics, the draft order calls for a revised, more secure federal architecture and the development of a nationwide situational awareness capability for cybersecurity. The draft order also calls for the development of an information exchange network to speed up the sharing of threat information between private industry and the government.
The proposed order puts the Department of Homeland Security (DHS) in charge of planning, coordinating and implementing the changes. It requires sector-specific federal agencies to work with critical infrastructure owners and regulatory entities to develop security guidelines and metrics for measuring progress.
The contents of the draft executive order are similar to the provisions of a White House-backed bill called the Cybersecurity Act. The bill is currently stalled in the Senate because of objections from Republicans who see it as being too prescriptive and giving the DHS too much enforcement authority in commercial cybersecurity matters.
The White House has said it is considering an executive order because Congress has been unable to pass meaningful cybersecurity legislation at a time when critical infrastructure assets are under growing threat from foreign adversaries and criminal hackers.
Those who back the plan say White House intervention is necessary because of Congress's inaction. They dismiss the notion that private industry can regulate itself in a responsible way and argue that a mandate is the best way forward.
"The U.S. is on the cusp of major cyber conflict around the world," said Alan Paller, director of research with the SANS Institute. He pointed to a recent attack on Saudi Arabian oil giant Saudi Aramco that disabled 30,000 PCs, as an example of the threats faced by American companies. "Had it been Exxon, you would be writing headlines saying 'cyber warfare' with exclamation points," Paller said.
"Leaving business to its own compliance regimes has put the nation at risk," he added. "This is one of those cases where government involvement is necessary. Any more hands-off behavior will be pure negligence."
That position is shared by James Lewis, director and senior fellow at the Center for Strategic and International Studies in Washington. "I think they need an [executive order]," Lewis said. "Congress is fouled up and the private sector will not provide adequate security."
Lewis is among those who developed a set of cybersecurity recommendations for the Obama Administration four years ago.
Critics, though, fear that such an order will result in unnecessary government involvement in commercial cybersecurity matters. Those opposed to the plan say any Obama order will introduce little that hasn't been in place for years. In a highly charged election year, many have been quick to point to the move as an example of a White House trying to run things through mandate rather than via the legislative process.
"The draft executive order is toothless and will do nothing to improve the security of critical infrastructure, while adding to the confusion and burden," said Richard Stiennon, chief research analyst at IT Harvest.
In a Washington Post editorial last week, Sen. John McCain (R-Ariz) and two other senators who sponsored a Republican alternative to the Cybersecurity Act, slammed the idea of an executive order. "Unilateral action in the form of government mandates on the private sector creates an adversarial relationship instead of a cooperative one," the senators wrote. "Skirting congressional action by issuing an executive order is neither appropriate nor effective."
The senators went on to tout the Republican bill as a better alternative to the Cybersecurity Act.
The Heritage Foundation, a conservative policy and research analysis group, has a similar view. "We are a country that works through a legislative process. The idea that a President can trump a legislative proves just because things haven't worked out the way he wanted, is not good," said Paul Rosenzweig, a visiting fellow at the foundation.
For Gartner analyst John Pescatore, the biggest problem with an order is that it brings nothing new by way of standards or controls. Pescatore said the best way to improve security is by leveraging the government's enormous buying power.
"The government should be saying, 'for all the Internet connectivity services we buy, we want denial-of-service attacks filtered out, we want all malware filtered out. When we buy apps, we want higher levels of security,'" Pescatore said. "The best thing that government can do is drive the market to the next level."
Those familiar with what's going on in Washington behind the scenes say the recent opposition is giving the White House pause. There are two forces in the White House on the matter, said one source who requested not to be named. One group is rethinking whether the executive is such a good idea, he said. The other faction wants to act much more affirmatively than anybody expects, he said.
"They are in mortal combat," the source said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.
Read more about cyberwarfare in Computerworld's Cyberwarfare Topic Center.