President Obama's executive order on cybersecurity is a good first step, but it lacks teeth and a lot of it hinges on the execution, said several former and current government officials during a panel discussion on the topic at RSA Conference 2013.
The executive order is a good response to the rising threats posed to critical infrastructure facilities and their networks, the vast majority -- up to 90 percent by some estimates -- of which are owned by the private sector, said panelists as part of a discussion on the executive order. It sends a message to legislators that, by 2014 at least, they need to take action, said James Lewis, a senior fellow and director of the public policy program at Washington-based think tank Center for Strategic and International Studies.
"Congress is the motor for the U.S. government and Congress isn't working," Lewis said, speaking to a room of hundreds of security professionals and other RSA Conference attendees. "There's a sense that there is a real need, and the president needed to step in."
Lewis led the discussion with Michael Chertoff, the former secretary of homeland security, and Michael Daniel, currently the White House cybersecurity coordinator. The executive order could have an impact on some channel partners if they are providing products and services to organizations that are regulated, because those privately owned entities that have control systems regulated by government agencies, such as those under the FAA, must adhere to the new framework being developed. But, the vast majority of the facilities are in private hands, Chertoff said.
"I think that we're in a race against time," said Chertoff, currently chairman and co-founder of the Chertoff Group, a global security advisory firm. "There will have to be some tough decisions about how much convenience is sacrificed for security."
President Obama issued the cybersecurity executive order Feb. 12, following his State of the Union speech. It followed failed attempts by Congress to pass meaningful legislation, experts say. Meanwhile, cyberattacks are increasing in frequency and sophistication, prompting some to question the nation's ability to defend against an attack or to respond to and recover from one.
The executive order is built on three pillars: information sharing, privacy and a framework for standards. The federal government will focus on improving the volume, quality and timeliness of the information it shares with the private sector. It is issuing security clearances to individuals at some critical infrastructure facilities so that it can share classified information while protecting the source of that information, Daniel said.
"The hard work will be implementing the executive order and policy directive, and we need to watch that we stay on track for that," said Daniel, who was appointed by Obama as White House cybersecurity coordinator in May.
The executive order also focuses on baking in the Federal Information Processing Standards, a longstanding set of documents that describes technology standards for use by government contractors and vendors that work with agencies. It calls for periodic public reporting on how the order is being executed and on how privacy and civil liberties are being protected. The National Institute of Standards and Technology (NIST) will establish a framework for how critical infrastructure facilities, contractors and their partners can use industry best practices to protect data and networks from attacks.
"It's a down payment on legislation," Daniel said. "It cannot direct agencies to do things that they don't already have statutory ability to do in the first place."
Exactly how much of an impact the document will have remains to be seen. The cybersecurity executive order is a good start because it underscores the urgency with which legislators have to address the problem, Chertoff said. There is a limit to what an executive order can do for organizations that are not covered by regulation, which makes the document voluntary for them.
"We have to do something because things are happening now, they are getting worse and will get worse still," Chertoff said. "It's by no means a full investment in what we need to do in the area of cybersecurity."
There are a lot of legal and bureaucratic issues that have made information sharing a difficult process, despite a program in place for the defense industrial base to share information that would normally be classified, Chertoff said. Some businesses say legal restrictions limit their role in sharing attack data, he said.
"No one is going to want to invest and pay attention and record instances of cyberattacks if they think all they are doing is teeing themselves up for a legal assault, which will wind up bankrupting them," Chertoff said.
PUBLISHED FEB. 26, 2013