Although its specific contents are secret, the administration let it be known through its usual media outlet that President Obama signed a Presidential Policy Directive, number 20, in October. It gave more clarity to Defense and civilian agencies on how they could respond to cyber attacks. It defines what agencies with cyber operations capabilities can do outside of their own firewalls.
PPD 20, which the Washington Post reported builds on a 2004 document, follows a speech warning of a cyber Pearl Harbor threat given in New York last month by Defense Secretary Leon Panetta. Outsiders can only presume PPD 20 gives, at least to DOD, the authority to go on the cyber-attack if the threat to U.S. cyber assets becomes serious enough.
The cybersecurity policy picture has failed to gel all that much. Some sort of cybersecurity legislation is still theoretically possible, although Senate Majority Leader Harry Reid declared the Lieberman-Collins bill dead. Minority Leader Mitch McConnell said not so fast, but the alternative bill from Republican Senators Chuck Grassley and John McCain takes out the regulatory authority of Homeland Security for private-sector cybersecurity. That authority is at the crux of the disagreement on legislation, so it’s hard to tell what sort of bill would bridge the two sides, much less gain the president’s signature.
So now everyone waits for an executive order to come from the White House. How this can mandate something that industry must do I can’t imagine. It is likely to ask DHS to set up some sort of voluntary guidelines and up the amount of information sharing it does with industry, but it can’t compel a regulation. That would probably take two years. And an E.O. can’t grant prosecution immunity from disclosures that might result from industry sharing information with the government.
Events keep reminding the community of the need for some sort of cooperation. In the last few weeks, major banks have been hit with attempted denial-of-service attacks, although no funds have been stolen above the ongoing base level of funds taken by phishing and man-in-the-middle attacks. The conflict in the Middle East, as Israel has tried to stop the constant rocket fire from Gaza, resulted in the self-styled hacktivist group Anonymous publishing attack kits aimed at disrupting Israeli cyberspace. Earlier, the oil industry in Saudi Arabia was struck by a worm that forced Aramco to replace 30,000 PCs. No well or refinery was blown up, but it may have been a warning from Iran that it, too, can play the cyber warfare game.
Meanwhile, in their latest annual report on cybersecurity threats, researchers at Georgia Tech list the global supply chain as one of the biggest, specifically parts or software embedded in network and other IT gear that could contain spying or disruptive capability. The Georgia Tech people did have a little good news. They think the mobile device threat is overstated. Malware targeted at Android devices exists in the wild. But vetted app stores and ease of removal from smartphones mean the ecosystem makes mobile devices mostly safe.