informa
News

Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say

Obama's executive order focuses on information sharing and works toward the establishment of cybersecurity standards, but some question whether it goes far enough
When U.S. President Barack Obama signed the executive order on cybersecurity Tuesday, he ended the speculation surrounding whether his administration would press forward on cybersecurity after months of legislative false starts. How far this step goes toward improving security, however, depends on who is asked.

The executive order requires federal agencies to provide unclassified reports regarding threats to U.S. companies being targeted in a timely manner. It also expands the Enhanced Cybersecurity Services program, with the goal of enabling near-real-time sharing of cyberthreat information to participating critical infrastructure companies, and directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce threats to critical infrastructure. According to NIST, the input it gathers will be used to identify standards and procedures that can be adopted by the industry.

Still, some experts say the order falls short of the lofty goals that could be accomplished through legislation, such as the Cybersecurity Act of 2012.

"Executive orders like this are generally not designed to address and tackle some of the big areas of comprehensive cyberlegislation," says John Vecchi, vice president of marketing for Solera Networks. "Rather, it will certainly serve as an instrument to apply pressure to Congress to pass more formal cybersecurity legislation. That legislation would then include a more concrete framework for government/private sector cybersecurity. It would also likely address some of the complex policy areas, such as industry incentives and liability protection that an executive order could not."

Such incentives, says Jose Granado, principal and security practice leader at Ernst & Young LLP, are critical for getting enterprises to make the right investments financially, organizationally, and pragmatically.

"Instead of constantly taking a 'stick-only' approach, why don't we also use a 'carrot' and reward those organizations through financial and other incentives for going above and beyond industry norms and 'doing it right' with respect to cybersecurity -- budgets, governance, strategy, talent, etc.," he says. "There will always be a need to have orders, standards, and legislation to keep the masses in line. If we can clearly demonstrate how good security is not only good risk management but also good business, we have a better chance to move the needle."

Historically, he says, three areas have hampered the effectiveness of efforts to improve information sharing: trust between private industry and government, a lack of specificity in threat alerts, and timing. If the number of security professionals eligible to obtain security clearance is increased along with the speed in which organizations can act, then the situation can improve.

"For information sharing to maximize its impact and truly increase our collective security posture, we must have 100 percent transparency and commitment from both sides not to hold back," he says. "The information provided must have enough industry specificity to be actionable, and it needs to be shared on a 'near-real-time' basis to allow organizations time to react."

While the order puts a focus on information sharing, however, missing from the directive are concrete actions for businesses to take to secure their networks -- which, according to Marble Security CTO Dave Jevans, is not a bad thing.

"I am pleased that it is not an attempt at a proscriptive approach to legislating cybersecurity," he tells Dark Reading. "The threats are moving so quickly that any legislation is bound to be two to three years behind the current threats. What this order does is to motivate the one thing that industry and government should be doing to better combat cyberattacks: share information in real-time."

Richard Li, vice president of strategy at Rapid7, argued that providing incentives for critical infrastructure providers to improve their cybersecurity based on risk assessments should be a key part of legislative efforts moving ahead.

"Our digital infrastructure is pervasive, with every major industry and service being dependent in some way on the technology grid," he says. "This grid is extremely vulnerable to attack."

"Investing in training skilled security analysts and engineers who can defend against cyberattacks will be critical," he adds. "The U.S. is expanding the Cyber Command to have 4,900 troops and civilians, up from 900. There are 58,000 troops in the U.S. Special Operations Command alone. As the battlefield evolves from traditional sea, air, and land battles to urban and cyberwarfare, we need to evolve our defenses and capability."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: