Most readers of this blog already know that President Obama released an executive order last week on the topic of cybersecurity. The actual text of the executive order, along with the text of the more detailed Presidential Policy Directive (PPD-21), offers a glimpse into the future of our cybersecurity battles in America over the next few years.
I have waited almost a week to comment so that I could summarize global reaction to these new edicts. As I mentioned before the executive order came out, new guidance on cybersecurity was almost inevitable for a variety of reasons. Well, now the federal government’s sector-specific agencies have their marching orders, and like it or not, it appears to be time for critical infrastructure owners and operators to get on board the ship and do more to address weaknesses and raise the bar on cyber protections.
But before I provide my opinion of the EO, let’s take a look at the full range of diverging viewpoints regarding what policy was issued. On the one end of the spectrum, several experts have strongly condemned the EO and PPD-21 as overreach and bad cyber policy. For example, here are some headlines and brief excerpts worth examining:
Obama’s Cybersecurity Executive Order Falls Short – Heritage Foundation
“… The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation.
While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO’s inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects….”
Just as negative is Richard Stiennon, a leading cyber industry expert and author, writing on the Forbes blogs:
PPD-21: Extreme Risk Management Gone Bad - Forbes Magazine Online
“On Tuesday, February 12, 2013, President Obama issued Presidential Policy Directive 21: Critical Infrastructure Security and Resilience. PPD 21 represents my worst nightmare: the misguided mantra of management consultants writ large. How large? The entire Federal juggernaut is to be roped into a tangle of coordination, data exchange, R&D, and risk management to address ephemeral threats to critical infrastructure. It even stretches around the world to include governments that may host critical facilities and assets of the United States….”
Meanwhile, at the other extreme, there are calls for stronger regulations, more teeth and more aggressive government mandates and action.
Too Little Too Late: Obama’s Cybersecurity Executive Order is Way Under-Par - ABI Research in London
“… The U.S. President’s Executive Order on ‘Improving Critical Infrastructure Cybersecurity’ signed yesterday failed massively to address the burning requirements for securing the American nation. Although the Order proposes an information sharing platform and a cybersecurity framework, these solutions are weak and lack the bite that would make it effective….”
Cybersecurity Executive Order Short on Action, Long on Voluntary Initiatives - Dennis Fisher at Kaspersky Lab
“The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action….”
Obama's Cybersecurity Order Weaker Than Previous Proposals - Gerry Smith, Huffingtonpost.com
“President Barack Obama said during his State of the Union address Tuesday that he had signed an executive order aimed at protecting government and businesses from what he called "the rapidly growing threat from cyberattacks."
But the order he signed on Tuesday was significantly weaker than what his administration had proposed two years ago, leaving out a key provision that experts have said was needed to protect the country's most vital computer systems….”
But some sources say that the President got things right.
Obama presses Congress with cyber security executive order - Mike Hoffman, Defense Tech
“President Obama signed an executive order to increase America’s defenses against cyber security before highlighting the need for it in his State of the Union Tuesday.
The Executive Order will work together with the Presidential Policy Directive on Critical Infrastructure Security and Resilience that the White House also released today….”
Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say - Brian Prince, Dark Reading
“… The executive order requires federal agencies to provide unclassified reports regarding threats to U.S. companies being targeted in a timely manner. It also expands the Enhanced Cybersecurity Services program, with the goal of enabling near-real-time sharing of cyberthreat information to participating critical infrastructure companies, and directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce threats to critical infrastructure….”
My View on the Cyber EO?
In my role as Michigan’s Chief Security Officer (CSO), I want to reinforce the view that we need bipartisan legislation on cybersecurity which addresses the best way forward for protecting critical infrastructure as a nation. I see positive aspects to the new EO, especially the provisions on more information sharing. The State of Michigan will be working closely with the U.S. Department of Homeland Security as partners in protecting our nation from cyberattacks.
At the same time, I also understand the criticisms that many in our industry have articulated. I certainly believe that more will need to be done to safeguard our critical infrastructure. The effectiveness of these provisions will depend on the follow-on actions taken by the public and private sectors.
State and local governments are watching closely as the federal government implements this EO and PPD-21. Government officials at all levels are asking, how will this affect my government? We also have a major role in critical infrastructure protection, and we coordinate with our private sector partners in each sector.
This will be a pivotal year for cybersecurity. I look forward to learning more about plans and gauging the pulse of the nation on cybersecurity from federal and private sector partners next week at RSA in San Francisco.
What are your views on the new cybersecurity EO and PPD-21?
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.
During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.
He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.
He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.
Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.
He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.
Follow Lohrmann on Twitter at: @govcso
Building effective virtual government requires new ideas, innovative thinking and hard work. From cybersecurity to cloud computing to mobile devices, Dan discusses what’s hot and what works in the world of gov tech.