Lots of action and activity around cybersecurity in the last week, yet not much happened to actually increase protection of critical infrastructure. In fact, meaningful change is still a year off.
President Obama has shown a propensity for action when inaction grips Congress. Last week a long anticipated executive order aimed at critical infrastructure protection restarted a debate that had died down after cybersecurity legislation failed in the last session of Congress. The EO goes as far as the White House thought it could in the absence of legislation. It even merited a paragraph in the State of the Union speech.
Among other things, the EO:
- Gives the Homeland Security Department and the Intelligence Community 120 days to develop a plan to share classified threat reports with critical infrastructure operators. It builds on an EO from 2010 to make sure people in the electrical and other industries have the necessary clearance to receive these reports.
- Tells the DHS secretary to expand a “consultative process” between the government and Critical Infrastructure Partnership Advisory Council and other entities.
- Directs the National Institute of Standards and Technology to create draft cybersecurity standards within a “framework” surrounding critical infrastructure.
The framework in that last point is likely to contain the standards that would be mandated for industry should Congress pass a law giving the government regulatory power over private critical infrastructure owners and operators. It was precisely that issue – regulation – that doomed both of the two competing bills in the last session.
Industry still has time to formulate its responses to the supposedly voluntary call for information sharing and standards. The executive order gives the government nearly a year to develop improved plans for information sharing and the systems that support it. As for the voluntary standards that NIST eventually develops, without a law they wouldn’t have many teeth.
As a practical matter, we should point out, many individual companies and many private sector associations such as the Edison Electric Institute already exchange threat information with the federal government. I know of one software company in the encryption business that immediately notified the NSA when it was hacked and found a cooperative ear.
Now, apparently in response to the executive order, the backers of the House Republican-flavored Cyber Intelligence Sharing and Protection Act, or CISPA, reintroduced the bill last week. CISPA encourages information sharing between industry and the government, including the National Security Agency. The civil liberties-privacy crowd opposes CISPA because it grants immunity to companies that share private communications with federal agencies. But it lacks the regulatory authorities the White House and Senate Democrats insist on. The former Lieberman-Collins bill contained that element, which is needed to fully animate the Executive Order.
Senator Tom Carper of Delaware has replaced the retired Joe Lieberman as chairman of the Senate Homeland Security and Government Affairs committee. He also wants to see a cybersecurity bill, presumably with the regulatory provisions.
So in many ways the cyber scene is in a Groundhog Day mode, with the same points of disagreement as before. Even if Congress can figure out a way to address both the privacy issues and the liability protection concerns of industry, the issue of whether standards are voluntary or become part of some regulatory apparatus still remains.
For government agencies’ own cybersecurity practices, a more useful document is the newest draft revision of NIST Publication 800-53. This catalog of cyber best practices has new emphasis on advanced persistent threats, supply chain cyber issues, and insider threats – all concerns that have come to the forefront.