Most readers of this blog already know that President Obama released an executive order last week on the topic of cybersecurity. The actual text of the executive order, along with the text of the more detailed Presidential Policy Directive / PPD-21, offer a glimpse into the future of our cybersecurity battles in America over the next few years.
I have waited almost a week to comment so that I could summarize global reaction to these new edicts. As I mentioned before the executive order came out, new guidance on cybersecurity was almost inevitable for a variety of reasons. Well now the federal government’s sector-specific agencies have their marching orders, and like it or not, it appears to be time for critical infrastructure owners and operators to get on board the ship and do more to address weaknesses and raise the bar on cyber protections.
But before I provide my opinion of the EO, let’s take a look at the full range of diverging viewpoints regarding what policy was issued. On the one end of the spectrum, several experts have strongly condemned the EO and PPD-21 as overreach and bad cyber policy. For example, here are some headlines and brief excerpts worth examining:
Obama’s Cybersecurity Executive Order Falls Short – Heritage Foundation
“… The order uses a standard-setting approach to improve cybersecurity. However, such a model will only impose costs, encourage compliance over security, keep the U.S. tied to past threats, and threaten innovation.
While the EO does take some positive steps in the area of information sharing, these steps are hamstrung by the EO’s inability to provide critical incentives such as liability protection. As a result, this order could result in few modest changes, or it could result in substantial negative effects….”
Just as negative, is a leading cyber industry expert Richard Stiennon and author over at Forbes blogs:
PPD-21: Extreme Risk Management Gone Bad - Forbes Magazine Online
“On Tuesday, February 12, 2013, President Obama issued Presidential Policy Directive 21: Critical Infrastructure Security and Resilience. PPD 21 represents my worst nightmare: the misguided mantra of management consultants writ large. How large? The entire Federal juggernaut is to be roped into a tangle of coordination, data exchange, R&D, and risk management to address ephemeral threats to critical infrastructure. It even stretches around the world to include governments that may host critical facilities and assets of the United States….”
Meanwhile, on the other extreme, there are calls for stronger regulations, more teeth and more aggressive government mandates and action.
Too Little Too Late: Obama’s Cybersecurity Executive Order is Way Under-Par - ABI Research in London
“… The U.S. President’s Executive Order on ‘Improving Critical Infrastructure Cybersecurity’ signed yesterday failed massively to address the burning requirements for securing the American nation. Although the Order proposes an information sharing platform and a cybersecurity framework, these solutions are weak and lack the bite that would make it effective….”
Cybersecurity Executive Order Short on Action, Long on Voluntary Initiatives - Dennis Fisher at Kaspersky Lab
“The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action….”
Obama's Cybersecurity Order Weaker Than Previous Proposals - Gerry Smith, Huffingtonpost.com
“President Barack Obama said during his State of the Union address Tuesday that he had signed an executive order aimed at protecting government and businesses from what he called "the rapidly growing threat from cyberattacks."
But the order he signed on Tuesday was significantly weaker than what his administration had proposed two years ago, leaving out a key provision that experts have said was needed to protect the country's most vital computer systems….”
But some sources say that the President got things right.
Obama presses Congress with cyber security executive order - Mike Hoffman, Defense Tech
“President Obama signed an executive order to increase America’s defenses against cyber security before highlighting the need for it in his State of the Union Tuesday.
The Executive Order will work together with the Presidential Policy Directive on Critical Infrastructure Security and Resilience that the White House also released today….”
Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say - Brian Prince, Dark Reading
“… The executive order requires federal agencies to provide unclassified reports regarding threats to U.S. companies being targeted in a timely manner. It also expands the Enhanced Cybersecurity Services program, with the goal of enabling near-real-time sharing of cyberthreat information to participating critical infrastructure companies, and directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce threats to critical infrastructure….”
My View on the Cyber EO?
In my role as Michigan’s Chief Security Officer (CSO), I want to reinforce the view that we need bipartisan legislation on cybersecurity which addresses the best way forward for protecting critical infrastructure as a nation. I see positive aspects to the new EO, especially the provisions on more information sharing. The State of Michigan will be working closely with the U.S. Department of Homeland Security as partners in protecting our nation from cyberattacks.
At the same time, I also understand the criticisms that many in our industry have articulated. I certainly believe that more will need to be done to safeguard our critical infrastructure. The effectiveness of these provisions will depend on the follow-on actions taken by the public and private sectors.
State and local governments are watching closely as the federal government implements this EO and PPD-21. Government officials at all levels are asking, how will this affect my government? We also have a major role in critical infrastructure protection, and we coordinate with our private sector partners in each sector.
This will be a very pivotal year for cybersecurity. I look forward to learning more about plans and gauging the pulse of the nation on cybersecurity from federal and private sector partners next week at RSA in San Francisco.
What are your views on the new cybersecurity EO and PPD-21?