If they initially exhaled a sigh of relief, opponents of the Cyber Security Act of 2012 didn’t have long to sit back. The administration is already crafting a new cybersecurity executive order. Proponents say the order is designed to help keep the federal government and critical infrastructure protected from electronic disruption and eavesdropping. Opponents of the move fear the executive branch will step too far.
As previously reported by SearchSecurity, Congress, including earlier this month, has repeatedly spurned opportunities to pass broad cybersecurity legislation. Now, sources have told SearchSecurity that the administration has held discussions with representatives of the private-sector companies that deliver critical infrastructure services, in industries including power generation and distribution, telecommunications, and financial services. The goal is to craft a cybersecurity executive order that will improve critical infrastructure security, yet be amenable to industry. That is not an easy task, considering that so many lobbyists and industry leaders have repeatedly opposed many key elements of the Cyber Security Act.
That leaves the question: is the security of the nation’s critical infrastructure better, or worse, off with the legislation failing to pass? Opinions are emphatically mixed.
“We are certainly not at the level of security we should be,” said Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation. “We can certainly see in the past where legislation has worked to some degree, and where it hasn’t worked,” said Rasch. “Consider HIPAA, which has driven some hospitals to spend more on security, while others still aren’t doing anything,” he said.
Others fear regulatory overreach. “Name the last piece of security or regulatory compliance regulation that actually did good,” said the CISO at a major software maker. “What will end up being created is Sarbanes-Oxley for everybody, and cybersecurity is such a fuzzy science that it’ll end up being a useless, expensive checklist that distracts from real security efforts,” he said.
One of the central elements of the legislation was to establish better information sharing processes between the private and public sectors. “The reality of sharing with the government is that it’s a waste of time,” said the CISO. “You share with them and they don’t provide any information back. They’re a one-way street,” he said.
However, the legislation, and potentially the pending executive order, would make it easier for the federal government to collect and share security information, supporters of the move said. “The information sharing was an important piece of the legislation, and it would address many of those concerns around privacy and receiving actionable information back from the government,” said Howard Schmidt, former special assistant to the President and cybersecurity coordinator.
Schmidt explained that improved agency information sharing could provide intelligence from government law enforcement agencies to private companies, information aimed at stopping attacks currently underway. “Providing real-time information on attack specifics would go a long way to quickly reducing risk,” he said.
Any information sharing would also take into account the privacy concerns of private industry, Schmidt said. “Information sharing needs to be done in a very structured manner, with very specific provisions to protect privacy. It’s important not to double victimize organizations that have been breached with very specific protections of civil liberties and privacy,” Schmidt said.
However, with the Cyber Security Act failing to pass, many are now concerned about how such privacy protections will be addressed within any executive order. “The executive order will not be as broad as any legislation that would have passed. The order will primarily impact federal agencies, as well as businesses that sell goods and services to the government. There are limits to what can be done by executive order,” Schmidt said.
Richard Bejtlich, chief security officer at Mandiant, said the government has already taken important steps that have improved the nation’s ability to detect and respond to advanced threats. These include the U.S. Office of the National Counterintelligence Executive naming both China and Russia as perpetrators of cyberespionage; federal intelligence agencies beginning to notify victim companies that they have had data stolen by other nations; and the Securities and Exchange Commission prompting publicly traded companies to disclose information on digital intrusions.
“I would also like to see actions by the government to enhance all three initiatives, and add a requirement for ‘are you compromised’ assessments of publicly traded companies and critical infrastructure,” Bejtlich said. “This should be done on an annual basis at minimum, by third parties to determine not if they are ‘vulnerable,’ but if they are currently or were recently compromised,” he said.
Ultimately, would both private industry and the government be more secure should wide-ranging cybersecurity legislation be passed? Most experts interviewed agreed that they would. “Attacks by nation-states against the critical infrastructure are different than normal attacks. The objective is different and the duration is different. In normal attacks someone is trying to steal something of value. But with critical infrastructure attacks the goal isn’t about stealing money, it could be about bringing down or disrupting an industry,” said Rasch.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter at @georgevhulme.