Cybersecurity Policy Is Sliding Sideways

Bridge between industry and government

Although its specific contents are secret, the administration let it be known through its usual media outlet that President Obama has signed a Presidential Policy Directive, number 20, in October. It gave more clarity to Defense and civilian agencies on how they could respond to cyber attacks. It defines what agencies with cyber operations capabilities can do outside of their own firewalls.

PPD 20, which the Washington Post reported builds on a 2004 document, follows a speech warning of a cyber Pearl Harbor threat given in New York last month by Defense Secretary Leon Panetta. Outsiders can only presume PPD 20 gives, at least to DOD, the authority to go on the cyber-attack if the threat to U.S. cyber assets becomes serious enough.

The cybersecurity policy picture has failed to gel all that much. Some sort of cybersecurity legislation is still theoretically possible, although Senate Majority Leader Harry Reid declared the Lieberman-Collins bill dead. Minority Leader Mitch McConnell said not so fast, but the alternative bill from Republican Senators Chuck Grassley and John McCain takes out the regulatory authority of Homeland Security for private-sector cybersecurity. That authority is at the crux of the disagreement on legislation, so it’s hard to tell what sort of bill would bridge the two sides, much less gain the president’s signature.

So now everyone waits for an executive order to come from the White House. How this can mandate something that industry must do I can’t imagine. It is likely to ask DHS to set up some sort of voluntary guidelines and up the amount of information sharing it does with industry, but it can’t compel a regulation. That would probably take two years. And an E.O. can’t grant prosecution immunity from disclosures that might result from industry sharing information with the government.

Events keep reminding the community of the need for some sort of cooperation. In the last few weeks, major banks have been hit with attempts at denial of service attacks, although no funds have been stolen above the ongoing base level of funds taken by phishing and man-in-the-middle attacks. The conflict in the Middle East as Israel has tried to stop the constant rocket fire from Gaza resulted in the self-styled hacktivist group Anonymous publishing attack kits aimed at disrupting Israeli cyberspace. Earlier, the oil industry in Saudi Arabia was struck by a worm that forced Aramco to replace 30,000 PCs. No well or refinery was blown up, but it may have been a warning from Iran that it, too, can play the cyber warfare game.

Meanwhile, in their latest annual report on cybersecurity threats, researchers at Georgia Tech list the global supply chain as one of the biggest. Specifically, parts or software embedded in network and other IT gear that could contain spying or disruptive capability. The Georgia Tech people did have a little good news. They think the mobile device threat is overstated. Malware exists in the wild targeted at Android devices. But vetted app stores and ease of all removal from smart phones means the ecosystem makes mobile devices mostly safe.

Share and Enjoy:
  • RSS
  • Facebook
  • Twitter
  • LinkedIn
  • Google Bookmarks
  • Add to favorites
  • PDF
  • Print

About the author

Tom Temin has written 486 posts for

Thomas R. Temin - Editor in chief of FedInsider and brings 30 years of publishing experience in media and information technology. Tom is also co-host of The Federal Drive with Tom Temin and Amy Morris, a weekday morning news and talk program on WFED AM 1500 in Washington D.C.

Comments are closed.


HP Government Summit, April 2, 2014, Reagan Building in Washington DC - Click to register.

© Copyright 2013, Hosky Communications Inc. Developer: dreamfaction