This week figures to be a high-profile time for cybersecurity on Capitol Hill. Reports say President Barack Obama will issue a long-awaited executive order shortly after tonight’s State of the Union address, while another stab at getting the controversial CISPA cybersecurity bill signed into law could make its way to Congress tomorrow as well. The president is expected to discuss the executive order during tonight’s address.
Twice last year, lawmakers failed to approve bills that would establish information security and data protection standards for critical infrastructure systems. The second swing and miss last fall led to rampant speculation the Obama administration would issue an executive order after the November presidential election.
The order is expected to focus on bolstering the security posture of utilities and lay out a minimum security standard for providers of SCADA and industrial control system equipment. Other areas of the order will cover information sharing and designate how private companies can have easier access to security clearances in order to consume and share classified attack and vulnerability information, a Reuters report said last week.
Meanwhile, House Intelligence Committee chair Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) will send CISPA to Congress again tomorrow, The Hill reported. CISPA outlines information sharing proposals, and focuses on protecting private sector firms when it comes to sharing threat data with the industry and government and how the government should feed that information to the rest of the private sector. Senate Democrats last month urged Congress to develop a public-private information sharing pipeline, as well.
Opponents said CISPA is broadly written and that the scope of information shared with the government could extend beyond threat data. They also fear it doesn’t do enough to protect the privacy of those sharing data.
Twice the Cybersecurity Act of 2012 failed to get through Congress last year. The bill, pushed by Sen. Joe Lieberman (I-CT) and Susan Collins (R-ME), was derailed in the Senate in August and again in November for a variety of reasons. The November vote was 51-47; some believe the bill failed because it would put too much of a financial burden on utilities, for example, to bring networks managing critical infrastructure up to a minimum security standard. Others argued that the tug of war between intelligence agencies over control of cybersecurity had a hand in bringing the bill to its knees. Still others argued that government should stay out of private business concerns and that the private sector has the capability to secure its networks from attack.
The landscape, however, indicates otherwise. Since last September, major U.S. banks have had to deal with intermittent denial-of-service attacks taking some consumer services offline. Government agency websites and services have also been attacked and taken down, and data breaches continue unabated.
At last week’s Kaspersky Lab annual Security Analyst Summit, experts presented research on critical infrastructure systems, demonstrating new vulnerabilities in popular gear used in building management systems and other manufacturing and critical infrastructure equipment.