Risk
11/15/2012
03:01 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Congress Kills Cybersecurity Bill, White House Action Expected

White House looks primed to take action on its own after Congress again fails to pass cybersecurity legislation.

IW500: 15 Top Government Tech Innovators
IW500: 15 Top Government Tech Innovators
(click image for larger view and for slideshow)
Comprehensive cybersecurity regulatory reform failed yet again in the Senate on Thursday, but the White House is not waiting for Congress to act and will likely use an executive order to carry out some elements of the bill.

On Wednesday, Senate Republicans -- joined by a small group of Democrats -- again blocked the Cybersecurity Act of 2012 from coming to the Senate floor. Senate Minority Leader Mitch McConnell, R-Ky., attributed the opposition to a fast-tracked process and the failure to allow fully open amendments. Numerous national security officials have urged the bill's passage, but the U.S. Chamber of Commerce has repeatedly voiced strong opposition.

In response to the bill's failure, Senate Majority Leader Harry Reid, D-Nev., called the bill "dead for this Congress."

In a statement, Reid said: "A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."

The administration has already taken some actions. According to reports, President Obama in mid-October signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks.

The Obama administration has also prepared a draft executive order, which has been circulating for months, that would require additional steps to be taken. Now, it appears prepared to issue that order.

"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," White House Cybersecurity Coordinator Michael Daniel said in a statement. "We think the risk is too great for the Administration not to act."

A draft version of the executive order would direct the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cybersecurity regulations for those industries.

Information sharing is another big piece of the draft order. The executive order would set up new information sharing mechanisms that will accelerate security clearances and limit use of proprietary information. The order would also require agencies to take appropriate steps to ensure privacy of shared information.

However, an executive order can't do it all. Despite urging the President to take action, Reid warned in a statement that an executive order "leaves much to be desired" because, for example, it cannot offer companies liability protection in the event of a cyber attack.

Whlie Reid declared the cybersecurity legislation dead for this Congress, McConnell said in a statement after the bill's failure that he hopes Congress will again take up the issue "sometime in December" after dealing with other important national security legislation.

Whatever the case, the persistence of the cyber threat is one reason that action may be needed soon. The annual report of the U.S.-China Economic and Security Review Commission, released on Wednesday, found that China in particular -- which the report called "the most threatening actor in cyberspace" -- continues to represent a serious and "increasingly potent" concern for companies and government agencies that hold potentially sensitive data.

"U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin, Northrop Grumman and BAE Systems. In what the report called the "most significant example of malicious Chinese cyber activity," the report said that intruders "gained full functional control over networks at the [NASA] Jet Propulsion Laboratory."

The report noted that China continues to build up its cyber forces. "The Chinese military is refining and implementing strategies for the cyber domain," the report says, noting that the military and intelligence communities each have groups concentrating on cyber war and cyber espionage. "New developments suggest Chinese exploitation capabilities are improving significantly."

The report also noted that while American businesses are not necessarily able to "sufficiently manage the threat of Chinese cyber espionage" on their own, they remain afraid of sharing information about attacks with the government. Such concerns about sharing -- and about cyber attacks -- could be allayed by the President's forthcoming cyber executive order or by some sort of action on Capitol Hill. Just when the latter will come remains, at this point, anyone's guess.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.