February 10, 2013 By Dan Lohrmann
According to Bloomberg, President Obama plans to release an executive order on cybersecurity soon after the State of the Union address. The State of the Union address is scheduled for Tuesday, February 12.
The administration, which has been drafting the order for at least six months, plans to set up voluntary cybersecurity standards for owners and operators of critical infrastructure such as water treatment plants, electric utilities and railway systems.
Here’s an excerpt from the Bloomberg article:
“The administration is preparing the order amid recent cyber attacks including the security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other newspapers attributed to Chinese hackers, and denial-of-service attacks that disrupted websites of U.S. banks.
The order directs federal agencies to consider incorporating the cybersecurity standards into existing regulations, according to the officials. It directs the government to share more information about computer threats with the private sector and issue more security clearances allowing industry representatives to receive classified information, the officials said.”
Recent European actions on cybersecurity
Meanwhile, eWeek and Theverge.com reported on European plans to toughen cybersecurity rules for their important infrastructure. Although the rules are a draft at this point, the European Commission’s proposals are coming at an interesting time – showing that international concern about cyber is now at an increased level.
“The threat of cyberattacks hasn't just been a concern of the United States, either. The European Union announced a plan of its own yesterday, which would require stock exchanges, banks, hospitals, and other companies to conform to more rigorous network security standards — and could even require companies that control important infrastructure to disclose any attacks publicly. The European proposal is a draft at this point, but if adopted could require US companies that do international business to conform to the standards.”
The European rules would require an audit of all critical infrastructure, and according to one source, this could be very problematic to actually implement.
The Sophos security blog called the European plans a “nice try” – adding that we need “more clarity on objectives and more specifics on implementation….”
Rogers: America is losing the cyber war
And perhaps the biggest news event of the past week came from the opinion column written for the Detroit Free Press by U.S. Representative Mike Rogers, who articulated the view that America is losing the cyber war vs. China. This article does an excellent job of explaining our current cyber situation in clear, compelling language:
“What is currently happening to American intellectual property may be the largest transfer of wealth in the history of the world. A senior intelligence official recently stated that the amount of stolen intellectual property is equal—and now exceeding-- to that of the entire library collection at the Library of Congress. This activity can no longer just be a cost of doing business with China. China is literally attempting to steal our way of life….
The U.S. government has classified cyber threat intelligence that, if shared with private sector, could help the private sector better defend its own networks. Currently, the vast majority of private sector does not have access to this vital data. Developed in close consultation with broad range of private sector companies, trade groups, privacy and civil liberties advocates, and the executive branch, the bill enjoys the support of virtually every sector of the economy.
With simple, targeted legislation we can make a common-sense change that would take an important step to protect American computer networks from cyber theft and cyber attacks….”
What’s different this time?
Of course, this is not the first time that cyber legislation and White House executive orders have been predicted. Last year, there were many predictions, including mine, of an impending executive order and the impact of possible new laws regarding cybersecurity standards for protecting critical infrastructure.
So what is different this time?
The reelection of President Obama as well as the increasing number and scope of cyberattacks against every sector of the U.S. economy will make more action from the federal government both necessary and inevitable. In my view, we simply cannot keep doing the same things and expect different results.
I believe that U.S. Rep. Rogers has it right. Our way of life in America is at stake. As a country, we love our smartphones, cloud computing, innovation and technology in general, but we need to be prepared to do more to protect all sectors of our economy from those who would do us harm. Since Congress seems unable to pass bipartisan legislation on cybersecurity, I am not surprised by this step from the White House. Get ready for an EO on cyber.
What are your thoughts? Is February, 2013, the right time for an EO on cybersecurity?