Is a Presidential Executive Order Coming on Cybersecurity?

Over the past few days, numerous news sources reported that President Obama is strongly considering an executive order on cybersecurity. It appears cybersecurity is becoming more political.

by / September 9, 2012 0

Over the past few days, numerous news sources reported that President Obama is strongly considering an executive order on cybersecurity. Here’s a sampling of the news reports:

BloombergBusinessweek: Obama Weighs Executive Order to Defend Against Cyber Attacks

“The program, to be managed by the Department of Homeland Security, would establish cybersecurity standards that companies could voluntarily adopt to better protect banks, telecommunication networks and the U.S. power grid from electronic attacks, the officials, who have seen the draft, said on condition of anonymity because the document hasn’t been made public….” White House draft cyber order promotes voluntary critical infrastructure protections

“The White House so far has failed to get a bill passed by both houses of Congress to improve the cybersecurity of the nation's critical infrastructure, so they want to take an alternative approach.

The administration has created a draft executive order detailing how, within its authority, it would improve the information assurance of the nation's critical infrastructure, such as the power grid and financial industries.

The draft EO includes eight sections, including the requirement to develop a way for industry to submit threat and vulnerability data to the government….” After CISPA's failure, White House considers executive order to implement cybersecurity law

“With Congress unable to pass legislation strengthening cybersecurity in the US, President Obama is taking matters into his own hands. The Hill reports that the White House has drafted an executive order establishing an opt-in program that lays out best practices for companies operating critical infrastructure, such as railways and the water supply….”

Should We Wait?

Meanwhile, there are other groups, members of Congress and industry experts that urge more patience while a bipartisan deal can be struck. They point out that there are strong differences of opinion on what steps to take to help resolve major deficiencies. Here are some of those voices:

The Foundry (Heritage Foundation blog by Steven Bucci): A Cybersecurity Executive Fiat Is a Very Bad Idea

“… Is it wise to proceed on this issue by unilateral executive action? Absolutely not!

First, why did the Cybersecurity Act of 2012 fail to pass? Was it political spite, or election year partisan wrangling? Some might think that, because they believe that anyone who disagrees with them is clearly motivated by power politics. This is ridiculous. The reason the bill did not pass was because there are reasonable and serious policy differences regarding how the nation should approach the growing challenge of cybersecurity. These differing camps are not at opposite ends of the political spectrum, but are spread throughout the American ideological landscape….”

Richard Steinnon, a globally recognized author and cybersecurity expert, also wrote “There is no need for a cybersecurity executive order,” in Forbes.

A Sense of Urgency

However, it appears that unless a very quick deal is struck with Congress, an executive order will be issued soon. Back in July, the President issued a rare op-ed piece in the Wall Street Journal, regarding the serious cybersecurity situation we face as a country. Here’s how President Obama begins:

In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home.

Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems.”

My View

While I am torn on this issue of an executive order, I certainly think cybersecurity action is needed soon. In a Governing Magazine article, Cyber Security Act’s Failure Leaves Infrastructure Vulnerable, by Steve Towns, I described my views in detail. Here’s one summary quote from the Governing Magazine Editor:

“Lohrmann, who now oversees all cyber and physical security for Michigan state government, won’t take political sides on the latest measure. But he’s adamant -- as are most other security professionals -- that more must be done to protect the nation’s critical infrastructure from attack.”

Trend: Cybersecurity Is Becoming Political

Which leads to the sad trend that I see developing now:  cybersecurity is becoming more political. wrote: “Democratic platform diverges with GOP on cybersecurity.” Here’s an excerpt:

“… The Democratic Party said it would continue this push to boost the security of the nation's critical computer systems and networks from hackers, terrorist networks and hostile countries looking to wreak damage against infrastructure that's key to public safety and the economy. 

"We will continue to take steps to deter, prevent, detect, and defend against cyber intrusions by investing in cutting-edge research and development, promoting cybersecurity awareness and digital literacy, and strengthening private sector and international partnerships," the platform reads. 

It's a far cry from the GOP platform approved at the party's convention last week. In their cybersecurity plank, Republicans argued that Obama's approach to cybersecurity has been too regulatory and reliant on defensive capabilities….” 

In summary, it appears that an executive order on cybersecurity is coming before our upcoming election day. We all want to know: What’s in that exec order? Will the actions taken last very long, and what’s next for cybersecurity in our nation? However, these questions may depend on how America votes on November 6.

What are your thoughts on an executive order on cybersecurity?

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso