Why Obama's executive order on cybersecurity doesn't satisfy most experts

An executive order can only set voluntary cybersecurity standards for firms running America's 'critical infrastructure,' such as power grids. But some say Obama should be doing more.

J. Scott Applewhite/AP
President Obama gives his State of the Union address during a joint session of Congress on Capitol Hill in Washington Tuesday. He unveiled his plans to issue a cybersecurity executive order.

The Obama administration on Wednesday unveiled a long-awaited executive order intended to bolster cybersecurity by hardening the computer networks that control the nation’s power grid, financial and transportation systems, and other “critical infrastructure.”

The move comes after the White House tried, and failed, to get tough cybersecurity legislation through Congress last year. Though the executive order cannot compel firms to comply – only legislation can do that – the voluntary standards are an attempt at least to do what is possible to address US vulnerabilities to cyberattack.

But the order largely fell short of many experts’ expectations for what could be done, even voluntarily. While some say it is better than nothing, others wonder why the Obama administration has not done more to stress how urgently some vital systems need to be upgraded.

“I had hoped, and have hoped for years, the US government would come out and say the [control systems] that run the critical infrastructure are insecure by design and must be upgraded or replaced ASAP,” says Dale Peterson, president of Digital Bond, a Sunrise, Fla., industrial cybersecurity company. “It's hard to believe 11-1/2 years after 9/11 that the US government has not even used the bully pulpit to make a difference.”

What the order does do is attempt to induce companies that own critical assets to voluntarily improve their own security. The order:

  • Increases sharing of timely threat information, digital signatures, and reports between the Department of Homeland Security (DHS) and willing companies, including the issuance of security clearances to critical infrastructure operators.
  • Expands a much-touted Department of Defense Enhanced Cybersecurity Initiative that shares threat and protection information with defense contractors to include key infrastructure companies.
  • Creates a new Critical Infrastructure Partnership Advisory Council in which DHS would help orchestrate cybersecurity upgrades for critical infrastructure.
  • Calls on the National Institute of Standards and Technology to oversee development of a “cybersecurity framework” to reduce cyber risks to critical infrastructure. The DHS would then work with specific federal agencies to persuade companies to become involved and upgrade their systems.

In unveiling the initiative in his State of the Union speech Tuesday, President Obama was blunt about the current cyber threat.

“Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” Mr. Obama said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

One threat is that another nation could perpetrate a Stuxnet-style attack on the US. Stuxnet, the powerful cyberweapon unleashed on Iran’s nuclear fuel centrifuge facility at Natanz, is reported to have destroyed at least 1,000 of the machines and set the program back as many as two years. Such weapons, targeted at civilian systems, could likely wreak havoc on the US power grid.

Businesses welcomed Obama's move.

“We need help from government that only government can provide, including intelligence information to counter growing threats,” said Ajay Banga, president of MasterCard Worldwide, who also chairs the Business Roundtable Information and Technology Committee, in a statement. The Business Roundtable represents CEOs of leading US companies across the economy. “We are encouraged that the Executive Order will facilitate additional information sharing between government and the private sector.”

Business Roundtable President John Engler sounded a cautionary note on any bill that might subsequently emerge from Congress. “We urge Congress to advance narrow legislation that complements the information-sharing goals of the Executive Order,” he said in a statement.

But experts say cybersecurity needs go far beyond information sharing.

“I'm not sure why the government thinks information sharing is a panacea,” says Robert Huber, co-founder of Critical Intelligence, an Idaho Falls-based industrial control systems security firm. “The government themselves have quite a bit of cyber-threat intelligence, classified and otherwise, and yet they are compromised regularly. So are the majority of the defense industrial base contractors and financial institutions, and they already participate in industry and government information-sharing agreements and partnerships.”

The White House pushed Congress for more sweeping reforms last year. One bill that would have mandated that critical infrastructure companies comply with federal standards died in August. Another that incorporated a voluntary approach intended to woo Republican support also failed under intense opposition by Sen. John McCain (R) of Arizona and the US Chamber of Commerce, which said the measure would be a burden on business.

The order won’t scare potential cyber enemies, says Alan Paller, director of research at the SANS institute, a cybersecurity educational organization.

“I expect all of those attack communities that might have been worried [about the order] are breathing a sigh of relief and shaking their heads in wonder that the United States government leaders could be so completely in the thrall of corporate interests that they would leave their military and financial future in harm’s way,” he says.

But others took a somewhat brighter view.

“Voluntary standards will do a lot,” says Stewart Baker, a lawyer and former senior official at the National Security Agency and the Department of Homeland Security. “In the real world, these ‘voluntary’ standards will be quasi-mandatory, because companies that don’t meet them could face lawsuits after suffering a breach. They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence.”

Moreover, the order is really just “the latest in a fifteen-year parade” of five different White House documents addressing cybersecurity across three presidencies, writes Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council, an international diplomacy think tank, in his blog.

“These actions are worthwhile on their own, but are only a small step as executive orders do not create policy, just implement it through new actions,” he adds. “The new cybersecurity actions are accordingly limited, targeted on improving only critical infrastructure, still unlikely to make a significant dent in America’s long term cyber problems, unless backed by far more sustained attention than previous efforts.”
