One day after unveiling a long-awaited executive order concerning a wide range of cybersecurity concerns, President Barack Obama’s top cybersecurity advisers admit that the order only goes so far in dealing with pressing Internet security needs. They say that the order is only a “down payment” and no substitute for permanent congressional legislation on the matter.
“We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and economy,” President Obama said in reference to his executive order and the urgency to act during his State of the Union address before a joint session of Congress on Tuesday night.
Michael Daniel, special assistant to the president and White House cybersecurity adviser, told reporters and congressional staffers at a Commerce Department briefing on Wednesday that the executive order, and a companion Presidential Policy Directive (PPD-21), “rest on three pillars”:
Both documents build on numerous cybersecurity measures already in use within the government, dating back to Homeland Security Presidential Directive 7 (HSPD-7), signed during the previous Bush administration. Daniel describes the philosophy behind the most recent order as a “whole of government” approach designed to engage all agencies in a stepped-up effort to secure the nation’s digital infrastructure. In addition, Daniel says, the executive order reflects the work of “a number of other stakeholders,” primarily during last fall’s push to gain passage of comprehensive cybersecurity legislation on Capitol Hill.
“You can see reflections of the House Republican Task Force on Cybersecurity, and the ‘CSIS [Center for Strategic and International Studies] Task Force on Cybersecurity for the 44th Presidency,’ and an enormous number of stakeholders, whether from think tanks or industry, included in these documents,” he maintains. The CSIS document, drafted in 2003, is a bipartisan report prepared prior to the president’s first term, and it is said to be a popular White House reference document on the topic of cybersecurity.
Addressing the information sharing plank of the executive order, Gen. Keith Alexander, USA, commander of U.S. Cyber Command and director of the National Security Agency/chief of the Central Security Service, pressed the case for improved information sharing between government and the private sector. “The order tackles one of the toughest challenges of cybersecurity: How do we harden these networks, when across industry and government, most of these networks are in various states of disarray?” Gen. Alexander cites recent distributed denial of service attacks on numerous Wall Street firms, attacks on Saudi Aramco’s production facilities and even attacks attributed to the Chinese on American media companies as evidence of the urgent need for better information sharing. And he stresses that industry has a key role to play in the implementation of the newly signed executive order. “The systems and assets that the nation depends on for our economy and for our national defense are overwhelmingly owned and operated by industry,” he says.
Outlining how information sharing is to take place under the executive order, Jane Holl Lute, deputy secretary of Homeland Security and the agency’s top official specializing in cybersecurity matters, says, “It requires federal agencies to produce unclassified reports on threats to U.S. companies if we have information indicating a U.S. company is the target of a cyberthreat.” She adds that these reports are to be shared “in a timely manner.” The executive order also expands the sharing of classified information beyond the defense industrial base, allowing companies outside of this sector to participate in the program. Lute says much of the information is derived from a variety of programs already in place for cybersecurity of .gov computer networks.
The executive order mandates that a voluntary “framework” of cybersecurity standards be developed by the National Institute of Standards and Technology (NIST). This plank of the order builds upon NIST’s existing authority and experience in developing standards for federal and military personnel identification and in securing key aspects of civilian federal .gov networks.
Dr. Patrick Gallagher, under secretary of Commerce and director of NIST, says the framework emphasizes a “layered approach, which brings together stakeholders from across government and industry. It is a set of practices, standards and guidance that, if implemented effectively, would achieve a desired level of cybersecurity, performance and system resilience.” He adds that the success of the framework depends on how industry chooses to implement and adopt its key aspects, again repeating that the majority of the assets defining the network are owned by the private sector.
Privacy and civil liberties protections under the cybersecurity order are to be based on the existing Fair Information Practice Principles, policies already administered by the Federal Trade Commission that define the gathering and use of consumer information. Agencies are also under mandate to conduct a review of existing cybersecurity efforts and regulations.
The cybersecurity executive order is being issued as Congress prepares to revisit the subject. Daniel considers the executive order and presidential directive as “only just a down payment” on the country’s cybersecurity needs. “We still need legislation to deal with the critical aspects of cybersecurity,” he says. “We look to Congress to develop legislation that can pass both houses of Congress and that the President can sign.”
Sen. Tom Carper (D-DE), chairman of the Senate Homeland Security and Governmental Affairs Committee, issued a statement supporting the executive order and indicating that he plans to hold hearings sometime in the next month on a re-introduced cybersecurity bill similar to the one approved in the Senate last session. Carper’s House counterpart, Rep. Michael McCaul (R-TX), chair of the House Homeland Security Committee, says in his statement that he welcomes the White House executive order, but he says it is lacking in “necessary liability protections that industry needs to freely share threat information with the federal government in a joint effort. Without protections and incentives to adopt industry-led best practices, such programs will be ineffective and carry consequences for entities that choose to participate.” McCaul says that he also expects to hold hearings in the coming weeks this spring on his panel’s draft of cybersecurity legislation.