Risk
11/15/2012
03:01 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Congress Kills Cybersecurity Bill, White House Action Expected

White House looks primed to take action on its own after Congress again fails to pass cybersecurity legislation.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
Comprehensive cybersecurity regulatory reform failed yet again in the Senate on Thursday, but the White House is not waiting for Congress to act and will likely use an executive order to carry out some elements of the bill.

On Wednesday, Senate Republicans -- joined by a small group of Democrats -- again blocked the Cybersecurity Act of 2012 from coming to the Senate floor. Senate Minority Leader Mitch McConnell, R-Ky., attributed the opposition to a fast-tracked process and the failure to allow fully open amendments. Numerous national security officials have urged the bill's passage, but the U.S. Chamber of Commerce has repeatedly voiced strong opposition.

In response to the bill's failure, Senate Majority Leader Harry Reid, D-Nev., called the bill "dead for this Congress."

In a statement, Reid said: "A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."

The administration has already taken some actions. According to reports, President Obama in mid-October signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks.

The Obama administration has also prepared a draft executive order, which has been circulating for months, that would require additional steps to be taken. Now, it appears prepared to issue that order.

"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," White House Cybersecurity Coordinator Michael Daniel said in a statement. "We think the risk is too great for the Administration not to act."

A draft version of the executive order would direct the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cybersecurity regulations for those industries.

Information sharing is another big piece of the draft order. The executive order would set up new information sharing mechanisms that will accelerate security clearances and limit use of proprietary information. The order would also require agencies to take appropriate steps to ensure privacy of shared information.

However, an executive order can't do it all. Despite urging the President to take action, Reid warned in a statement that an executive order "leaves much to be desired" because, for example, it cannot offer companies liability protection in the event of a cyber attack.

Whlie Reid declared the cybersecurity legislation dead for this Congress, McConnell said in a statement after the bill's failure that he hopes Congress will again take up the issue "sometime in December" after dealing with other important national security legislation.

Whatever the case, the persistence of the cyber threat is one reason that action may be needed soon. The annual report of the U.S.-China Economic and Security Review Commission, released on Wednesday, found that China in particular -- which the report called "the most threatening actor in cyberspace" -- continues to represent a serious and "increasingly potent" concern for companies and government agencies that hold potentially sensitive data.

"U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin, Northrop Grumman and BAE Systems. In what the report called the "most significant example of malicious Chinese cyber activity," the report said that intruders "gained full functional control over networks at the [NASA] Jet Propulsion Laboratory."

The report noted that China continues to build up its cyber forces. "The Chinese military is refining and implementing strategies for the cyber domain," the report says, noting that the military and intelligence communities each have groups concentrating on cyber war and cyber espionage. "New developments suggest Chinese exploitation capabilities are improving significantly."

The report also noted that while American businesses are not necessarily able to "sufficiently manage the threat of Chinese cyber espionage" on their own, they remain afraid of sharing information about attacks with the government. Such concerns about sharing -- and about cyber attacks -- could be allayed by the President's forthcoming cyber executive order or by some sort of action on Capitol Hill. Just when the latter will come remains, at this point, anyone's guess.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.