Obama Cybersecurity Executive Order Expected Tomorrow

This week figures to be a high-profile time for cybersecurity on Capitol Hill. Reports say President Barack Obama will issue a long-awaited executive order shortly after tonight’s State of the Union address, while another stab at getting the controversial CISPA cybersecurity bill signed into law could make its way to Congress tomorrow as well. The president is expected to discuss the executive order during tonight’s address.


Twice last year, lawmakers failed to approve bills that would establish information security and data protection standards for critical infrastructure systems. The second swing and miss last fall led to rampant speculation the Obama administration would issue an executive order after the November presidential election.

The order is expected to focus on bolstering the security posture of utilities and lay out a minimum security standard for providers of SCADA and industrial control system equipment. Other sections of the order will cover information sharing and designate how private companies can get easier access to security clearances in order to consume and share classified attack and vulnerability information, a Reuters report said last week.

Meanwhile, House Intelligence Committee chair Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) will send CISPA to Congress again tomorrow, The Hill reported. CISPA outlines information sharing proposals, and focuses on protecting private sector firms when it comes to sharing threat data with the industry and government and how the government should feed that information to the rest of the private sector. Senate Democrats last month urged Congress to develop a public-private information sharing pipeline, as well.

Opponents said CISPA is broadly written and that the scope of information shared with the government could extend beyond threat data. They also fear it doesn’t do enough to protect the privacy of those sharing data.

Twice the Cybersecurity Act of 2012 failed to get through Congress last year. The bill, pushed by Sen. Joe Lieberman (I-CT) and Sen. Susan Collins (R-ME), was derailed in the Senate in August and again in November for a variety of reasons. The November vote was 51-47; some believe the bill failed because it would put too much of a financial burden on utilities, for example, to bring networks managing critical infrastructure up to a minimum security standard. Others argued that the tug of war between intelligence agencies over control of cybersecurity had a hand in bringing the bill to its knees. Still others argued that government should stay out of private business concerns and that the private sector has the capability to secure its networks from attack.

The landscape, however, indicates otherwise. Since last September, major U.S. banks have had to deal with intermittent denial-of-service attacks taking some consumer services offline. Government agency websites and services have also been attacked and taken down, and data breaches continue unabated.

At last week’s Kaspersky Lab annual Security Analyst Summit, experts presented research on critical infrastructure systems, demonstrating new vulnerabilities in popular gear used in building management systems and other manufacturing and critical infrastructure equipment.

Discussion

  • mbarbere on

    A wide variety of tools and standards are available for private critical infrastructure companies to manage their risk. NIST SP 800 series are widely known about and readily available. Additionally, the Department of Homeland Security has the Cyber Security Evaluation Tool (CSET) that is geared toward SCADA and ICS.

    Establishing a risk based governance structure is difficult. If this executive order unleashes an awareness campaign towards developing an understanding that risk based decision making should now be the de facto standard for senior management, I will enthusiastically support it. However, if this executive order demands that DHS march into private critical infrastructure companies and demands they turn over security to DHS's untrained bureaucrats, it will be met with considerable resistance.

    The government has a role in helping private industry in their security goals. It should direct them on the right path as NIST has been doing since 2002. Experts should be available for consultation and training. That should be the end of their involvement.
