Obama to compromise on cybersecurity executive order

President Obama is reported to be willing to compromise on cybersecurity.

There have been continuing reports since early September that the president is preparing an executive order to implement some of the provisions of the 2012 Cyber Security Act (CSA), after it failed to come to a vote in the Senate in early August.

Department of Homeland Security (DHS) Secretary Janet Napolitano, in testimony before a Senate committee on Sept. 19, said that while the order was still being vetted by various departments, it would be issued as soon as a "few issues" were resolved.

Now, more than a month later, there are reports that a final draft is circulating that includes a major compromise to settle differences between those who want government to have free access to networks under attack, and those concerned about violations of privacy.

The Huffington Post's Richard Lardner reported that the Associated Press obtained a copy of the draft order and published its contents last Saturday.

It includes a concession sought by Sen. Ron Wyden (D-OR) to include provisions proposed in the Cyber Intelligence Sharing and Protection Act (CISPA), which would allow for the sharing of Internet traffic information between the U.S. government and private sector companies, but only those involving critical infrastructure such as transportation and the electrical grid. Other private firms, including social media, would not be under the same mandate.

Another provision sought by privacy advocates would put the DHS, not the National Security Agency, in charge of the information-sharing network that would distribute "sanitized summaries of top-secret intelligence reports about known cyberthreats that identify a specific target," Lardner wrote.

"With these warnings, known as tear lines, the owners and operators of essential U.S. businesses would be better able to block potential attackers from gaining access to their computer systems," he wrote.


The reaction to the impending order has been mixed. Most Republicans oppose it, saying the president should not be bypassing Congress. Even Sen. Susan Collins (R-Maine), a co-sponsor of the CSA, said she did not think an executive order was appropriate.

However, Democratic Sens. Christopher Coons, of Delaware, and Richard Blumenthal, of Connecticut, sent a letter late last week to the White House calling on the president to issue an executive order "directing the promulgation of voluntary standards [by DHS.]"

It doesn't appear to be at the top of the agenda of either Obama or his Republican challenger, Mitt Romney, however. At Monday night's debate on foreign policy, the president said the word "cybersecurity" only once, in passing, and Romney mentioned "hacking" just once.

That was fine with Jason Healey, of the Atlantic Council, and a former White House security official. "First, cyber is not as pressing an international issue as most of the crises pressing on the president's time. No one has yet died from a cyberattack," he said. "Second, Romney did speak directly about pressuring China on intellectual property theft, which is the main cyber problem today."

The reaction from Healey and other security experts to the order itself is also mixed. Some argue that cybersecurity risks, while real, are not at the level of other threats to the nation. Bruce Schneier, on his blog Schneier on Security, criticized Defense Secretary Leon Panetta's recent speech warning of a "Cyber Pearl Harbor."

"It's difficult to have any serious policy discussion amongst the fear mongering," he wrote, adding that while there are real risks, addressing them does not require "heavy-handed regulation."

Good Harbor Consulting's Jacob Olcott agrees. "Targeted information sharing with a small number of companies has proven to be a useful exercise," he said. "But these efforts are very difficult to scale. It's a worthy initiative, but it's also hard to imagine that this will be a success in the short term."

"Heavy-handed regulation is absolutely unnecessary," he said. "In fact, the government would significantly improve private sector cybersecurity simply by enforcing existing securities laws that require companies to disclose material cyber risks and events to their shareholders."

Healey doesn't oppose an executive order. "This is all about such small items on the margins that getting too worried either way isn't really worth the trouble," he said.

"To fix cyber issues we need to make it so that it is easier to defend than to attack, globally," Healey said. "Sending a few tear line reports isn't going to solve that, but it's a start. Then again, if all we needed to make this happen was the say-so of the President, I wish we'd have done it 10 years ago."

But he is not entirely opposed to fear mongering. "If you're trying to convince people that they are insufficiently worried, I think Panetta can be right," Healey said. "But I still think that heavy-handed regulation isn't the right solution."


Stories by Taylor Armerding
