During his State of the Union Address on Tuesday night, President Obama announced an Executive Order on Cyber-Security. The full text is available in many places, including Wired. I’d urge you to read it in full; it is short and well-written, as you might expect anything coming from this president (or his staff) to be.
The Order directs DHS to notify private companies in “critical infrastructure” sectors of any impending attacks by extending the Enhanced CyberSecurity Services program. To promote greater information-sharing, the Order provides a “safe harbor” to companies that share information with DHS. It directs the National Institute for Standards and Technology (NIST) to create a new “Cyber-Security Framework” to reduce risk in critical industries. And to evaluate the success of the program, the Order includes a series of regularly recurring opportunities to review and recommend new actions to take.
Understand that the President signed the Order because of lack of a Congressional alternative. Last year’s two dueling cyber-security bills died in session due to partisan wrangling. Republican senator John McCain objected to the initial bipartisan proposal, the CyberSecurity Act, because of the idea that government has a role to play in setting standards, which it clearly does. McCains’s alternative bill, the SECURE IT Act, preserved the CyberSecurity Act’s focus on information-sharing but watered down any additional regulatory oversight. The Order more closely resembles the McCain bill, if only by the necessity that the Order cannot ask agencies to do anything beyond what existing laws allow.
I reviewed the Executive Order and found a lot to like in it. But it’s lacking in important ways, too. Here’s what I liked:
- The scope of the proposed Cyber-Security Framework is comprehensive. The Framework will ostensibly “help owners and operators of critical infrastructure to identify, assess and manage cyber risk.” It will identify areas of improvement that can be addressed by the private sector, identify methods for reducing risk, and will recommend ways that companies can measure their success at implementing their programs. This is good. Critical infrastructure companies, particularly those in comparative security backwaters like utilities, need all of the help they can get.
- Materials shared by private sector are shielded from discovery. Section 5c of the order states that “Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.” What that means is that any information shared with the government can’t be obtained under a FOIA request, for example. The information could still be discovered in a private suit.
- NIST’s Cyber-Security Framework will incorporate industry standards. I have a lot of respect for the work NIST does. I know and have worked with many people in the agency. NIST also regularly collaborates with outside organizations such as the Center for Internet Security (CIS) and SANS. These groups are doing good work as clearing-houses for effective practices. It’s good to see the President explicitly ask NIST to “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.”
- The Order offers wiggle-room to define what industries are “critical.” The specific sectors covered by the Order are not mentioned in the text, but the scope defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, [or] national public health or safety.” One can easily imagine that the critical sectors are likely to include energy, utilities, and financial services. But transportation, pharma, and the defense-industrial base would qualify, too, depending on the how the President and his advisors see things. We’ll see how this evolves, but having flexibility here is important.
The President’s Cyber-Security Order is important because it puts an important stake in the ground in the absence of legislation. It recommends many important and fine things that we need more of, notably information sharing. But the Order also disappoints because it misses opportunities to do more. Some shortcomings are due to natural limits imposed on the Executive branch. The President cannot propose new regulation, for example. Others are failures of vision. Here are the four problem areas I see:
- Participation by private companies is voluntary. The Order directs DHS to initiate an information-sharing program with industry to give them advance warning of attacks, and to obtain relevant information from target companies. The Order also asks DHS to create “incentives designed to promote participation” in the program and to analyze whether those incentives have been effective. That sounds like a tacit admission that they won’t be effective. To be fair to the President, he has no power under existing laws to compel participation; by definition, he must rely on incentives, persuasion, and motherhood-and-apple-pie instincts. Come to think of it, maybe he should send private sector CEOs… apple pies. Until legislation is passed that mandates participation, apple pies might be the best he can do.
- Private companies that might have security insights aren’t included. Many large security companies have a significant amount of operational visibility into the day-to-day risks and attacks in critical infrastructure sectors. These include managed security services provides such as Symantec, IBM/ISS, Verizon, Dell SecureWorks and my company. They also include software and security companies that underpin large parts of the “trust infrastructure” that we all rely on, companies like RSA Security, Symantec (née VeriSign), Microsoft and Apple. Although one could file this in the “be careful what you wish for” category, it would seem odd that companies that control the keys to the many critical infrastructure kingdoms, or have visibility about what goes in or out of them, would not be in scope.
- Wrong-headed emphasis on technology neutrality. The Order takes pains to emphasize that any guidance issued by NIST should be technology-neutral so that companies can “benefit from a competitive market for products and services.” Never mind that this sentence makes no sense. The whole sentiment seems wrong to me, because cyber-security is one area where government should make specific recommendations about technologies. It is a fact that some technologies are better and safer choices than others. Divorcing the guidance from the technology turns NIST’s efforts into a big “process” exercise. Process is good, but fixing things is better. All the guidance in the world isn’t going to stop your wide-open Windows NT 3.5 SCADA systems from being owned if they haven’t been patched since 1995. I don’t want NIST to “name and shame” or “pick winners and losers,” but it should be prescriptive where possible. That’s not a technology-neutral activity.
- The framework will take too long to develop. NIST won’t finish its draft Cyber-Security Framework until mid-October. The final framework won’t come until February 2014. NIST offers plenty of vendor-neutral, technology-neutral guidance already, covering everything from risk assessment to metrics. It seems to me that existing materials could be easily re-packaged for critical industries without much effort. Let’s hope the dates are sandbagged, and that we will see drafts sooner than October.
Overall, though, President Executive Order for Improving Critical Infrastructure Cyber-Security is an important step forward. Let’s hope it prods Congress into passing something more permanent, prescriptive, and durable, with the regulatory powers DHS needs to get the job done.
Note: this article also appears on my company blog at silversky.com.