wfedstaff | April 18, 2015 4:15 am
The White House added one more piece to the ever complex cybersecurity puzzle Wednesday in the form of yet another executive order.
But the biggest hole in this effort — legislation — may still come from Congress by Memorial Day.
Michael Daniel, the White House cybersecurity coordinator, said he’s more optimistic than ever about Congress passing and President Barack Obama signing substantial cybersecurity legislation.
The House and Senate are working their respective versions of a cyber information sharing bill through the process.
Insight by Carahsoft: Learn how the FedRAMP PMO and its partners believe the end result of many of ongoing initiatives is a better, faster and cheaper cloud security program by downloading this exclusive ebook.
David Grannis, the minority staff director of the Senate Intelligence Committee, said he expects the Senate and House to debate and vote upon their own versions of cyber information sharing bills toward the end of April.
“The legislations on both sides are quite similar. The differences are not structural. They have to do more with exactly how you require or permit or shape different things,” he said during a speech at the Center for Strategic and International Studies (CSIS) in Washington. “I know for the Senate, and I believe for the House, there will be a fairly open amendment process. I think what is most likely to happen, both chambers will pass a bill. There will be discussions to see whether or not it will be possible to come to an agreement, and then send it back and forth outside of formal conference. But the goal here is to get the best product at a reasonable speed.”
Another tool in the tool box
Optimism aside, Daniel said the Obama administration has said if Congress will not act on legislation, then it will take as much executive branch action as possible.
That’s why the President issued the new Executive Order giving the departments of State, Treasury and Justice the authority to recommend sanctions against people or organizations responsible for or involved in a “significant” cyber attack against the nation.
It’s also why Obama signed off on the cyber information sharing order from February as well as executive actions over the last year.
Daniel said the executive orders, new constructs such as the Cyber Threat Intelligence Center (CTIC) and public-private partnership efforts are part of broader interagency efforts to raise the level of awareness about cybersecurity across the government and within critical infrastructure sectors.
Daniel said for many agencies, cybersecurity is relatively new and emerging mission, which is why the administration is building the toolset and the organizational and policy capabilities to go after the bad guys to combat these constant attacks.
The sanctions EO is the latest tool from the White House. It’s focused on attacks by people or organizations, which directly are responsible for or benefit from a cyber attack against the nation’s critical infrastructure, a wide scale disruption of computer networks, the theft of trade secrets, or aiding or embedding those stolen goods or as part of the other two attack vectors.
The sanctions, which would name the targets, seize their U.S. funds and ban them from the American financial system, would also apply to “a corporation that knowingly profits from stolen trade secrets,” the White House said. U.S. intelligence and law enforcement officials have long possessed evidence that state-owned companies in China and elsewhere are complicit in economic cyber- espionage that targets the intellectual property of Western companies, but they have largely been unable to act on it.
“This is a new authority for us. We don’t have a specific set of targets at this time because we felt it was important to get this authority in place to enable us to both deal with any future incidents that might occur that rise to this level, but also as a piece of deterrence for those that have been thinking they can hide behind borders where there are weak governments, weak cyber laws or governments that aren’t willing to cooperate,” Daniel said at the CSIS event. “This is really a tool that is designed for us to use in cases where we don’t believe our existing tools of diplomacy, law enforcement and others are adequate or appropriate. It’s not one we expect to be using every day. But it is one that we anticipate we will be able to use in a very targeted and judicious manner.”
Significant and malicious
Daniel added the EO is not targeted at any one region or country because the White House wanted to give the agencies flexibility because attack attribution is difficult ascertain most of the time.
He said the EO isn’t focused on just those doing the hacking or cyber attacks, but also those who are funding the bad actors.
“If you are talking about sanctions, they need to be used in the pursuit of our national level interest and used carefully and judicially,” Daniel said. “So the reason for the word ‘significant’ is that this is not something that is meant to be used to promote the narrow interests of anyone particular U.S. company. It has to be something that actually rises to a level of national concern.”
The order also calls out attacks that are not only significant, but malicious too.
Daniel said they wanted to choose a term that doesn’t lock them into an “attack” or others that could be debated, but a term that encompasses a wide range of theft or intrusion or other bad behaviors.
While Daniel wouldn’t comment on how the process to determine when and upon whom to apply sanctions, he said the administration is considering targets for possible penalties.
He said there is an interagency process to look at entities or organizations that State, Treasury and Justice may designate for sanctions under this EO.
The need for an executive order that applies to sanctions isn’t a new item on the administration’s cyber checklist.
Driving the point home
Daniel said the order, which has been in the works for some time, gives the government a set of authorities the administration didn’t previously possess.
The administration also is realizing the chances of an attack against the nation’s critical infrastructure is real, growing and probably already happened.
And, the growing number of cyber attacks against a host of U.S. companies ranging from Target to JPMorganChase to Sony are examples of what led the administration down this sanctions EO path.
Daniel said the hack against Sony Pictures helped push the order along.
“The Sony Pictures incident drove home the point that we needed to make sure we had this tool available to us in order to continue expanding that array of options that we have to respond to those kinds of incidents,” he said. “I wouldn’t say it is direct response to that, but it certainly shaped our thinking about the need to ensure we had this capability.”
In response to the attack on Sony Pictures, which the government blamed on North Korea, the White House imposed sanctions against 10 people and three organizations with close ties to the government which allegedly were involved in the attack.
Daniel said the EO is not trying to get ahead of a potential or real cyber attack that is coming. He said the White House has no indicators of an imminent hack.