The Obama administration on Wednesday unveiled a long-awaited executive order intended to bolster cybersecurity by hardening the computer networks that control the nation’s power grid, financial and transportation systems, and other “critical infrastructure.”
The move comes after the White House tried, and failed, to get tough cybersecurity legislation through Congress last year. Though the executive order cannot compel firms to comply – only legislation can do that – the voluntary standards are an attempt at least to do what is possible to address US vulnerabilities to cyberattack.
But the order largely fell short of many experts’ expectations for what could be done, even voluntarily. While some say it is better than nothing, others wonder why the Obama administration has not done more to stress how urgently some vital systems need to be upgraded.
“I had hoped, and have hoped for years, the US government would come out and say the [control systems] that run the critical infrastructure are insecure by design and must be upgraded or replaced ASAP,” says Dale Peterson, president of Digital Bond, a Sunrise, Fla., industrial cybersecurity company. “It's hard to believe 11-1/2 years after 9/11 that the US government has not even used the bully pulpit to make a difference.”
What the order does do is attempt to induce companies that own critical assets to voluntarily improve their own security. The order:
- Increases sharing of timely threat information, digital signatures, and reports between the Department of Homeland Security (DHS) and willing companies, including the issuance of security clearances to critical infrastructure operators.
- Expands a much-touted Department of Defense Enhanced Cybersecurity Initiative that shares threat and protection information with defense contractors to include key infrastructure companies.
- Creates a new Critical Infrastructure Partnership Advisory Council in which DHS would help orchestrate cybersecurity upgrades for critical infrastructure.
- Calls on the National Institute of Standards and Technologies to oversee development of a “cybersecurity framework” to reduce cyber risks to critical infrastructure. The DHS would then work with specific federal agencies to persuade companies to become involved and upgrade their systems.
In unveiling the initiative in his State of the Union speech Tuesday, President Obama was blunt about the current cyber threat.
“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Mr. Obama said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
One threat is that another nation could perpetrate a Stuxnet-style attack on the US. Stuxnet, the powerful cyberweapon unleashed on Iran’s nuclear fuel centrifuge facility at Natanz, is reported to have destroyed at least 1,000 of the machines and set the program back as many as two years. Such weapons, targeted at civilian systems, could likely wreak havoc on the US power grid.
Businesses welcomed Obama's move.
“We need help from government that only government can provide, including intelligence information to counter growing threats,” said Ajay Banga, president of MasterCard Worldwide, who also chairs the Business Roundtable Information and Technology Committee, in a statement. The Business Roundtable represents CEOs of leading US companies across the economy. “We are encouraged that the Executive Order will facilitate additional information sharing between government and the private sector.”
Business Roundtable President John Engler sounded a cautionary note on any bill that might subsequently emerge from Congress. “We urge Congress to advance narrow legislation that complements the information-sharing goals of the Executive Order,” he said in a statement.
But experts say cybersecurity needs go far beyond information sharing.
“I'm not sure why the government thinks information sharing is a panacea,” says Robert Huber co-founder of Critical Intelligence, an Idaho Falls-based industrial control systems security firm. “The government themselves have quite a bit of cyber-threat intelligence, classified and otherwise, and yet they are compromised regularly. So are the majority of the defense industrial base contractors and financial institutions, and they already participate in industry and government information-sharing agreements and partnerships.”
The White House pushed Congress for more sweeping reforms last year. One bill that would have mandated that critical infrastructure companies comply with federal standards died in August. Another that incorporated a voluntary approach intended to woo Republican support also failed under intense opposition by Sen. John McCain (R) of Arizona and the US Chamber of Commerce, which said the measure would be a burden on business.
The order won’t scare potential cyber enemies, says Alan Paller, director of research at the SANS institute, a cybersecurity educational organization.
“I expect all of those attack communities that might have been worried [about the order] are breathing a sigh of relief and shaking their heads in wonder that the United States government leaders could be so completely in the thrall of corporate interests that they would leave their military and financial future in harm’s way,” he says.
But others took a somewhat brighter view.
“Voluntary standards will do a lot,” says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. “In the real world, these ‘voluntary’ standards will be quasi-mandatory, because companies that don’t meet them could face lawsuits after suffering a breach. They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence.”
Moreover, the order is really just “the latest in a fifteen-year parade” of five different White House documents addressing cybersecurity across three presidencies, writes Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, a international diplomacy think tank, in his blog.
“These actions are worthwhile on their own, but are only a small step as executive orders do not create policy, just implement it through new actions,” he adds. “The new cybersecurity actions are accordingly limited, targeted on improving only critical infrastructure, still unlikely to make a significant dent in America’s long term cyber problems, unless backed by far more sustained attention than previous efforts.”