Hopes for federal cybersecurity standards fading

Cybersecurity is clearly on the agenda of both Congress and President Obama. But it is just as clearly not at the top of their list.

The prospects this year for federal cybersecurity standards governing private-sector operators of critical infrastructure, either through legislation or presidential executive order, are fading.

Analysts and legislative insiders say it is unlikely that legislation, in the form of the U.S. Senate's Cybersecurity Act of 2012 (CSA), will make it through a lame-duck Congress.

Randy Sabett, an attorney with ZwillGen and an information security expert, called it "very unlikely."

"[Cybersecurity] is a very complex topic and we still have fundamental differences between the various sides," he said. "Add into that the election, the budget and sequestration, and the host of other issues facing Congress and [cybersecurity action] doesn't have much of a chance."

Stewart Baker, a partner at Steptoe & Johnson and former assistant secretary for policy at the Department of Homeland Security, agrees. He told Jennifer Martinez of The Hill that "the timing is bad [and] the amount of work that has to be done in the lame duck is so substantial."

Leslie Phillips, communications director for the Senate Homeland Security and Government Affairs Committee, confirmed that Sen. Joseph Lieberman (I-Conn.), a cosponsor of the CSA legislation, is also doubtful about its prospects.

"The Senator, by nature an optimistic man, puts the odds of passing comprehensive cybersecurity legislation in the lame duck session at less than 50-50," Phillips told The Hill.

While the Obama administration began in early September to circulate a draft executive order that would implement some of the goals of the CSA, Department of Homeland Security (DHS) Secretary Janet Napolitano said after a speech last week that the president had not even reviewed the latest draft of that order.

Napolitano added that the administration would prefer that Congress pass cybersecurity legislation, rather than issue the executive order.

And then there is the election. If President Obama wins a second term, and Congress fails to act, there is still a chance he could issue the order sometime between mid-November and the end of December.

But if he loses, the order is in trouble. "I don't think an executive order on this topic by a president that's just been defeated is likely," Baker said.

Some in the security community wonder if either legislation or an executive order is necessary. Joel Griffin, writing in SecurityInfoWatch, argues that information sharing between government and private operators of critical infrastructure should already be happening.

"Wasn't that the whole point of the DHS's establishment of fusion centers across the country to create a place where federal, state and local authorities could meet to discuss potential threats, be it physical or cyber?" Griffin wrote. "The intelligence shared amongst these agencies should logically be passed onto security and management personnel at critical infrastructure sites if there is a credible threat."

He added that if the fusion centers aren't performing that function, there is no point in setting up a parallel system for shared intelligence on cyber threats. "The last thing we need is more needless regulations that keep law enforcement and the private sector more concerned about being in compliance than with actually dealing with the issue," he wrote.

But Baker said the fusion centers have focused on intergovernmental information sharing and not on public-private sharing. "Using fusion centers to share cybersecurity information with the private sector is a new idea. I'm not convinced it's the right solution," he said.

Sabett said information sharing and self-regulation have been tried for more than a decade without success. But he said he supports an approach that uses existing mechanisms like the fusion centers. "If the activity and information from the fusion centers and other sources can be coordinated by the Information Exchange Framework [proposed] in the leaked executive order, we could wind up with a system that actually functions well," he said.

"That is a huge 'if,' however," Sabett said, "since for over a decade no comprehensive models for information sharing have worked well."

Yet another hurdle to agreement on either legislation or an executive order is what is designated as critical infrastructure. While there is general agreement that it includes the financial, energy, transportation and communications sectors, Sabett said "the number of difficult and controversial calls will likely outnumber the easy calls."

"Couple that with the potentially cascading effects from a cyberattack, and there are things that today don't seem like critical infrastructure, but will tomorrow," he said.
