Why Obama's executive order on cybersecurity doesn't satisfy most experts
An executive order can only set voluntary cybersecurity standards for firms running America's 'critical infrastructure,' such as power grids. But some say Obama should be doing more.
The Obama administration on Wednesday unveiled a long-awaited executive order intended to bolster cybersecurity by hardening the computer networks that control the nation’s power grid, financial and transportation systems, and other “critical infrastructure.”
The move comes after the White House tried, and failed, to get tough cybersecurity legislation through Congress last year. Though the executive order cannot compel firms to comply – only legislation can do that – the voluntary standards are an attempt at least to do what is possible to address US vulnerabilities to cyberattack.
But the order largely fell short of many experts’ expectations for what could be done, even voluntarily. While some say it is better than nothing, others wonder why the Obama administration has not done more to stress how urgently some vital systems need to be upgraded.
“I had hoped, and have hoped for years, the US government would come out and say the [control systems] that run the critical infrastructure are insecure by design and must be upgraded or replaced ASAP,” says Dale Peterson, president of Digital Bond, a Sunrise, Fla., industrial cybersecurity company. “It's hard to believe 11-1/2 years after 9/11 that the US government has not even used the bully pulpit to make a difference.”
What the order does do is attempt to induce companies that own critical assets to voluntarily improve their own security. The order:
- Increases sharing of timely threat information, digital signatures, and reports between the Department of Homeland Security (DHS) and willing companies, including the issuance of security clearances to critical infrastructure operators.
- Expands a much-touted Department of Defense Enhanced Cybersecurity Initiative that shares threat and protection information with defense contractors to include key infrastructure companies.
- Creates a new Critical Infrastructure Partnership Advisory Council in which DHS would help orchestrate cybersecurity upgrades for critical infrastructure.
- Calls on the National Institute of Standards and Technology to oversee development of a “cybersecurity framework” to reduce cyber risks to critical infrastructure. The DHS would then work with specific federal agencies to persuade companies to become involved and upgrade their systems.
In unveiling the initiative in his State of the Union speech Tuesday, President Obama was blunt about the current cyber threat.
“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Mr. Obama said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
One threat is that another nation could perpetrate a Stuxnet-style attack on the US. Stuxnet, the powerful cyberweapon unleashed on Iran’s nuclear fuel centrifuge facility at Natanz, is reported to have destroyed at least 1,000 of the machines and set the program back as many as two years. Such weapons, targeted at civilian systems, could likely wreak havoc on the US power grid.
Businesses welcomed Obama's move.