The White House’s long-awaited, and much anticipated, Executive Order to improve the cybersecurity of critical infrastructure is far from an answer to the lack of congressional action on the issue, and more about doing something to spur change.
The order and corresponding Presidential Policy Directive-21 detail a “whole of government approach” to creating standards and improving information sharing with critical infrastructure owners and operators, which include water, power, communications and financial services.
“Given the threats we are facing across our nation from cyber that could disrupt critical services, and the lack of legislation, that is why the president is issuing the Executive Order,” said a senior administration official, speaking on background, during a call with reporters Tuesday. “It directs federal agencies to use existing authorities and calls for increased cooperation with the private sector on critical infrastructure protection. We all can agree there is inadequate cybersecurity and the critical infrastructure poses the greatest threat so it requires new partnerships and capabilities.”
The order is split into three main parts.
The administration pushed for comprehensive cybersecurity legislation last year that would have taken more of a regulatory approach to requiring owners and operators to take specific steps to protect their networks. But opposition from mostly Republican lawmakers, the U.S. Chamber of Commerce and other industry experts caused the legislation to fail in the Senate.
The House passed several different bills, including an update to the Federal Information Security Management Act and the Cyber Intelligence and Sharing Protection Act (CISPA). But the Senate, going for a comprehensive bill that included FISMA and information sharing provisions, decided against the piecemeal approach.
“The prospect of a bill is uncertain so the administration must take action,” the administration official said during the call. “An Executive Order is not a substitute for legislation. This is not the end of the conversation. It’s really the beginning of it. It started last fall with engagements with agencies, members of Congress, think tanks, academia and industry. All their input was vital in crafting the EO, and we incorporated other suggestions from the Commission on Cybersecurity for the 44th President and the House cybersecurity working group.”
President says legislation still is needed
President Barack Obama called for more attention and focus on cybersecurity across the country, especially from Congress, in his State of the Union address Tuesday night.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems,” he said. “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
White House officials emphasized the Executive Order is based on voluntary standards and participation by industry. Under this type of directive, the president cannot mandate companies do anything but what’s required in the law.
While the EO and PPD assign responsibilities to nearly every agency, the National Institute of Standards and Technology and the Homeland Security Department are carrying the biggest loads.
NIST will lead the effort to create the voluntary cyber framework.
Another senior administration official said NIST issued a request for information Tuesday asking for industry and other expert input to begin the process to create the framework.
“The RFIs will ask about the core things that will make up the framework,” the official said. “The work we’ve done with the electric grid maturity model will be informative to this process. The initial period will be to get comments, and throughout the year, we will go through the regular NIST process by holding a series of workshops to get industry to share thoughts. So, in the end, industry will take up and run the framework themselves.”
The first official said the White House is not proposing one framework for every critical infrastructure, but separate ones that will be flexible and collaborative to encourage innovation and not lock the critical infrastructure providers into one technology. The goal is to take advantage of national and international standards and give companies a lot of flexibility to determine how to implement best practices.
Reaction to order is mixed
Bob Dix, vice president of government affairs and critical infrastructure protection for Juniper Networks and the chairman of the Partnership for Critical Infrastructure Security, said the order falls short.
“Like many across the various sectors of industry, we remain concerned about the use of an Executive Order and the potential of unrealistic expectations that it will be able to achieve meaningful impact in addressing the ongoing impediments to improving the detection, prevention, mitigation and response to cyber events that may become incidents of national and even global consequence,” he said. “Such a capability will require effective collaboration with the private sector to achieve timely, reliable, and actionable situational awareness. Absent a legislative remedy to address legal, policy, and liability issues necessary to improve bi-directional collaboration, a substantial gap in these efforts will remain.”
Dix added the administration’s continued focus on new and expanded regulatory authorities will impede progress toward the shared mission of protecting the nation against cyber attacks.
Alan Paller, director of research at the SANS Institute, also expressed disappointment with the order.
“The shocker was that, in the very last version, at the insistence of industry lobbyists, the White House took out all elements that would have made attacks against the United States less effective and harder to launch,” he said. “There was fear among sophisticated attackers, evidenced by a very big escalation of attacks in the last 8-9 months, that the U.S. might quickly implement the basic controls that will stop most known cyber attacks used for espionage — both economic and military. I expect all of those attack communities that might have been worried are breathing a sigh of relief and shaking their heads in wonder that the United States government leaders could be so completely in the thrall of corporate interests that they would leave their military and financial future in harm’s way.”
Several members of Congress and TechAmerica praised the Executive Order, but called for legislation to deal with the challenging issues such as liability protection for companies.
“The cybersecurity Executive Order issued this evening is a prudent step forward and, hopefully, a catalyst to Congress finding common ground on the issues,” said Shawn Osborne, president and CEO of TechAmerica, in a release. “We look forward to the next steps in working with Congress. Information sharing and liability protection are an essential component, which must be part of any final legislative package.”
Sen. Tom Carper (D-Del.), chairman of the Homeland Security and Governmental Affairs Committee and one of the co-authors of the comprehensive cyber bill that didn’t make it through Congress last year, said in a release the order is an important step, but more needs to be done.
“That’s why I am committed to continuing to work with my colleagues on both sides of the aisle, the administration and stakeholders to build on this Executive Order to pass comprehensive cybersecurity legislation as soon as possible,” he said. “The first step in that effort will be holding a hearing on this Executive Order and the broader cyber threat, something that I hope my colleagues and I are able to do in the coming weeks.”
DIB pilot to expand
New legislation surely will have to tackle both the information sharing challenge, specifically around liability protection, and how much regulation of critical infrastructure providers, if any, is needed from the government.
The White House made it clear that the Executive Order couldn’t and doesn’t address these more challenging issues around information sharing.
“We have to make sure we are following the existing authorities in this space and we can’t mandate something in this space that way,” said the first administration official. “We’re not trying to reinvent the wheel. There is a lot of great standards out there but sometimes there are conflicting standards and we need to come to an agreement on what are the best practices in order to better protect systems.”
Under the order, DHS will expand the number of companies with which the government shares classified and unclassified cyber threat information. DHS also will figure out how best to expedite security clearances and bring in private sector experts to help on the Defense Industrial Base pilot, which DoD transferred to DHS in 2012.
“This is about enabling the sharing of classified information in a way that continues to protect that information and enables the broader use of it to protect critical infrastructure,” the first official said. “It also directs agencies to increase the volume, timeliness and nature of the information, especially when we have evidence that a company is under attack or threat.”
The official said privacy and civil liberties, the third section of the order, is marbled throughout the efforts of the government.
“The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the secretary [of DHS] ways to minimize or mitigate such risks, in a publicly available report, to be released within one year of the date of this order,” the Executive Order stated.
The order has been in the works since last fall and came together after major outreach to industry and other experts, the first official said. The administration met with more than 200 companies and trade organizations representing more than 6,000 companies.
“We’ve been pushing the edge of what is normally acceptable under EO,” the official said. “We’ve had a tremendous amount of outreach and we have factored in that outreach in the development of the EO.”