Why Obama's executive order on cybersecurity doesn't satisfy most experts
An executive order can only set voluntary cybersecurity standards for firms running America's 'critical infrastructure,' such as power grids. But some say Obama should be doing more.
“We need help from government that only government can provide, including intelligence information to counter growing threats,” said Ajay Banga, president of MasterCard Worldwide, who also chairs the Business Roundtable Information and Technology Committee, in a statement. The Business Roundtable represents CEOs of leading US companies across the economy. “We are encouraged that the Executive Order will facilitate additional information sharing between government and the private sector.”
Business Roundtable President John Engler sounded a cautionary note on any bill that might subsequently emerge from Congress. “We urge Congress to advance narrow legislation that complements the information-sharing goals of the Executive Order,” he said in a statement.
But experts say cybersecurity needs go far beyond information sharing.
“I'm not sure why the government thinks information sharing is a panacea,” says Robert Huber, co-founder of Critical Intelligence, an Idaho Falls-based industrial control systems security firm. “The government themselves have quite a bit of cyber-threat intelligence, classified and otherwise, and yet they are compromised regularly. So are the majority of the defense industrial base contractors and financial institutions, and they already participate in industry and government information-sharing agreements and partnerships.”
The White House pushed Congress for more sweeping reforms last year. One bill that would have mandated that critical infrastructure companies comply with federal standards died in August. Another that incorporated a voluntary approach intended to woo Republican support also failed under intense opposition by Sen. John McCain (R) of Arizona and the US Chamber of Commerce, which said the measure would be a burden on business.
The order won’t scare potential cyber enemies, says Alan Paller, director of research at the SANS Institute, a cybersecurity educational organization.
“I expect all of those attack communities that might have been worried [about the order] are breathing a sigh of relief and shaking their heads in wonder that the United States government leaders could be so completely in the thrall of corporate interests that they would leave their military and financial future in harm’s way,” he says.
But others took a somewhat brighter view.
“Voluntary standards will do a lot,” says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. “In the real world, these ‘voluntary’ standards will be quasi-mandatory, because companies that don’t meet them could face lawsuits after suffering a breach. They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence.”
Moreover, the order is really just “the latest in a fifteen-year parade” of five different White House documents addressing cybersecurity across three presidencies, writes Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, an international diplomacy think tank, in his blog.
“These actions are worthwhile on their own, but are only a small step as executive orders do not create policy, just implement it through new actions,” he adds. “The new cybersecurity actions are accordingly limited, targeted on improving only critical infrastructure, still unlikely to make a significant dent in America’s long term cyber problems, unless backed by far more sustained attention than previous efforts.”


