
Vulnerabilities / Threats

3/5/2013
10:34 PM

White House Cybersecurity Czar: New Executive Order A 'Down Payment'

Michael Daniel says President Obama's Executive Order on Cybersecurity sets the stage for cybersecurity legislation for protecting critical infrastructure

SAN FRANCISCO -- RSA CONFERENCE 2013 -- The White House's top cybersecurity official here last week confirmed what experts had been speculating since President Obama issued an executive order for shoring up the security of critical infrastructure earlier this month: The order lays the groundwork for still-needed cybersecurity legislation.

"The executive order is really a down payment -- a down payment on a lot of the hard work that [has been done]," Michael Daniel, special assistant to the president and cybersecurity coordinator, told attendees during a special White House forum session on the executive order at the RSA Conference. "There are things the executive order can't do, such as direct agencies to do things they don't already have [the authority] to do in the first place.

"We definitely need Congress to act and update our laws so we can see progress in cybersecurity," he said.

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

Daniel says the president has taken a personal interest in cybersecurity, as have his top staffers, signaling just how important an issue it is in the national interest, as well as globally. "Within the White House itself, you can see the president is personally interested in this issue, as well as the chief of staff and the national security adviser. It has become a lot of the focus of our policy efforts," he said. "Internationally, you can see this, too. It's now not just about engineering arrangements ... it's an issue of statecraft and international diplomacy."

Meanwhile, the threat is escalating, he noted. "The attack surface continues to grow" with more network-attached devices, he said, and the attackers are becoming more sophisticated. "It's not just simple worms and viruses anymore," and the malware is harder to detect and is more dangerous, he said.

"It's not just website defacements or even denial-of-service attacks, but moving up to actual destructive attacks, things like what happened with Saudi Aramco this past summer," Daniel said. "All of these trends mean the environment is getting more dangerous, and that's why the president felt compelled to act in this space. The level of the threat simply demanded it."

The executive order is based on three "pillars," he said: information-sharing, privacy, and a framework of standards.

[Obama's executive order focuses on information sharing and works toward the establishment of cybersecurity standards, but some question whether it goes far enough. See Obama Cybersecurity Executive Order A First Step, But More Is Needed, Some Say.]

Daniel said the executive order is aimed at improving the amount, quality, and timeliness of the threat information the federal government shares with the private sector. "We're focusing on where the government has specific threat information related to companies or assets or systems so we do a better job at pushing out that information to those particular entities that have been targeted, and we're going to do that in a classified and unclassified level," he said.

A key component here is expanding the information-sharing process it uses with the defense industrial base to "all critical infrastructure sectors," he said. "This program enables us to use particularly classified information and classified signatures in a way that enables [us] to give that information and protect critical infrastructure, but still protect sources of and methods used by which those signatures were derived."

Daniel said privacy and cybersecurity go hand in hand. "Privacy and cybersecurity are really two sides of the same coin. You can't have privacy these days without good cybersecurity," he said.

The framework/standards piece of the executive order is more about best practices, he said. The order calls for the National Institute of Standards and Technology (NIST) to interface with private industry to determine how to take existing security best practices and get them adopted more widely across the nation's critical infrastructure, he said. A preliminary framework is due from NIST in eight months, and a final framework in one year, he said.

"This is not about technology or techniques. It's about best practices for cybersecurity that are already out there and making sure all critical infrastructure is following those," he said. "It has to be industry-driven. It won't work unless we get heavy participation and enthusiasm from industry."

Once the security framework is finalized, the U.S. Department of Homeland Security will launch a voluntary program for adoption of the framework. Also in the works are incentives for companies to adopt it, he said.

Regulatory bodies, meanwhile, will have to review their current regulations and requirements to determine whether they are in line with the framework. If so, they "don't need to do anything else," he said. But if there are any gaps or conflicts, they must align them, which may or may not require new regulations, depending on the issues, he said.

The executive order requires periodic reviews of the framework given the rapid pace of change in the threat landscape, he said.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
