Cybersecurity: Time to Act?

“America must … face the rapidly growing threat from cyber-attacks,” said President Barack Obama during the State of the Union address on February 12. “Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

And with that the President announced that he had signed a new executive order aimed at strengthening U.S. cyber defenses, increasing information sharing, and developing standards to protect national security, jobs, and privacy. The Executive Order requires federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts. The Order allows companies that oversee infrastructure like dams, electrical grids and financial institutions to join an experimental program that has provided government contractors with real-time reports about cyberthreats. It will also put together recommendations that companies should follow to prevent attacks, and it will more clearly define the responsibilities for different parts of the government that play a role in cybersecurity.

The Executive Order:

• Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.
• Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.
• Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

The National Institute of Standards and Technology, an agency of the U.S. Department of Commerce, will work collaboratively with critical infrastructure stakeholders to develop the Cybersecurity Framework relying on existing international standards, practices, and procedures that have proven to be effective. The framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.

On February 13, NIST announced it will issue a Request for Information (RFI) from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders. NIST will use the input gathered to identify existing consensus standards, practices and procedures that have been effective and that can be adopted by industry to protect its digital information and infrastructure from the full range of cybersecurity threats. The framework will not dictate “one-size-fits-all” solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors. NIST will ask organizations to share their current risk management practices; use of frameworks, standards, guidelines and best practices; and other industry practices. NIST plans to hold workshops over the next several months to collect additional input and will complete the framework within one year.

The RFI will request additional information on a number of core practices NIST views as applicable across industry, for example:

• Encryption and key management—With multiple encryption tools in use at any given organization, how does one protect, store and organize encryption keys?
• Asset identification and management—How does an organization determine which assets need protection and their value?
• Security engineering practices—How does an organization design its systems to meet security needs?

In addition to the Executive Order, the White House released a Presidential Policy Directive on Critical Infrastructure Security and Resilience. The Directive -- a rewrite of the nation's longstanding, broad critical-infrastructure strategy -- establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure ("critical infrastructure owners and operators"). The directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration. The Federal Government, the Directive states, also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.

The White House is pointing at six key deliverables for the effort:

1. Development of a description of the functional relationships within the Department of Homeland Security and across the Federal Government related to critical infrastructure security and resilience within 120 days.
2. Completion of an assessment of the existing public-private partnership model and recommended options for improving the partnership within 150 days.
3. Identification of baseline data and systems requirements for the Federal Government to enable efficient information exchange within 180 days.
4. Development of a situational awareness capability for critical infrastructure within 240 days.
5. Update the National Infrastructure Protection Plan within 240 days.
6. Completion of a national critical infrastructure security and resilience research and development plan within 2 years.

Measures considered most important by cybersecurity experts — like minimum requirements for how crucial infrastructure should be protected — were not included in the Order because they require Congressional approval. The Administration's call for voluntary cybersecurity standards lacks incentives. Absent a new law, the White House isn't easily able to encourage widespread business participation — instead, the order urges federal agencies to explore the sort of carrots they can offer in the interim. There also are barriers to the sort of unfettered information sharing backed by White House leaders, congressional lawmakers and private-sector executives. The obstacles are particularly pronounced for businesses that want to share with other businesses, and there's no liability protection from lawsuits. Cybersecurity experts say the equipment used by companies overseeing the nation’s critical infrastructure is notoriously outdated and insecure because it was not built with the potential for a serious cyberattack in mind.

“The executive order is about information sharing — it does not even begin to address the real problem, which is that these systems are completely insecure,” said Dale Peterson, the founder of Digital Bond, a security firm that focuses on infrastructure. He added: “I’m amazed that 11 ½ years after 9/11, the government hasn’t even had the courage to say, ‘You need to replace this insecure equipment.’ If you get on these systems, they have no security and you can do whatever you want.”

“Now Congress must act as well,” said President Obama during the State of the Union address, “by passing legislation to give our government a greater capacity to secure our networks and deter attacks. This is something we should be able to get done on a bipartisan basis.”

Only Congress can revise federal hiring authority to attract new cyber experts to the government's ranks — a problem, particularly, for the Pentagon as it seeks new cyber expertise. Administration officials said it would be imperative for Congress to pass legislation to safeguard the government's own computer systems from attack. “Executive action alone cannot create the new tools and authorities needed to meet the Nation’s collective cybersecurity challenges,” wrote Michael Daniel, the Special Assistant to the President and Cybersecurity Coordinator. “The Administration continues to urge Congress to pass legislation to more fully address our Nation’s cybersecurity needs.” The thinking behind the Executive Order is that taking one year to achieve consensus with industry on voluntary information-sharing and security controls will enable new laws to immediately take effect, whenever Congress acts. What the order really amounts to is a starting gun on the renewed push by the White House to get a new cybersecurity bill through Congress this year.

"I think it's worth highlighting that an executive order is not magical. It doesn't create new power or authorities for any government agency," said Andy Ozment, a senior director for cybersecurity at the White House. "Instead, it's an expression of the president's strategic intent." "It's, again, critical to highlight that this is not a substitute for legislation. We need comprehensive cybersecurity legislation," he added. "We cannot do everything under our existing authorities."

"This executive order is only a downpayment on what we need to address this threat," National Security Agency Director Keith Alexander said during an event at the Commerce Department to discuss the administration's action. "This executive order can only move us so far and is not a substitute for legislation."

President Obama may have forced Capitol Hill’s hand, writes Tony Romm for Politico, but it doesn’t mean lawmakers are finished fighting over the country’s digital defenses. Substantial policy differences between both parties and chambers remain. Senate Democrats and Republicans continue to quarrel over the need for government to set any new security standards for critical infrastructure — the very battle that scuttled the chamber’s cybersecurity legislative efforts in 2012. Congressional supporters of robust cybersecurity reform saw significant benefit in the President’s action. Sen. Tom Carper (D-DE), the new leader of the Senate Homeland Security and Governmental Affairs Committee, said the action is justified after the White House “waited for all of last year to see if we could get our act together … and we were unable to do that.” Some Republicans immediately blasted the Executive Order: Sens. John McCain (R-AZ), John Thune (R-SD), and Saxby Chambliss (R-GA), veterans of the 2012 fight, criticized the President for signing the document ahead of his annual address. House Republicans, including Reps. Mike McCaul (R-TX) and Mac Thornberry (R-TX), offered similar criticisms. Those members still pledged to return to the legislative drafting table this year.

On February 13, the leaders of the House Intelligence Committee reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that passed the House in the last Congress but which President Obama threated to veto. The bill was resoundingly criticized by internet privacy and freedom activists, including the Electronic Frontier Foundation and Fight for the Future, who said that it did not contain enough restrictions on how companies and the government could share personal user information. Already, Fight For the Future has set up a new CISPA protest website http://cispaisback.com/ encouraging users to email Congress against the bill. Meanwhile, AT&T, Verizon (PDF) and the telecommunications lobbying group USTelecom all declared their support for the revival of CISPA.

CISPA would:

• Allow the Federal government to provide classified cyber threat information to the private sector to help American companies better protect themselves from advanced cyber threats;
• Empower American businesses to share cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties;
• Provides liability protection for companies acting in good faith to protect their own networks or share threat information.

The bill’s major sponsors, House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member C.A. Dutch Ruppersberger (D-MD), point to the bill’s protections for privacy and civil liberties:

• Narrow definitions that permit only the voluntary sharing by the private sector of a limited category of information—cyber threat information—and only for cybersecurity purposes;
• Strict restrictions on the government’s use, retention, and searching of any data voluntarily shared by the private sector;
• Provisions permitting individuals to sue the government in federal court for violations of the bill’s privacy restrictions;
• Requiring the independent Intelligence Community Inspector General to conduct a detailed review of the government’s use of any information voluntarily shared by the private sector, and provide an unclassified report to Congress;
• A sunset for the bill’s authorities in five years, requiring Congress to carefully review the use of the authorities provided under the legislation to determine whether they should be extended or modified.

The bill has 112 co-sponsors in the House.

Back in January, Senate Commerce Committee Chairman Jay Rockefeller (D-WV), Senate Intelligence Committee Chairman Dianne Feinstein (D-CA), and Senate Homeland Security Committee Chairman Tom Carper (D-DE) introduced a bill, the Cybersecurity and American Cyber Competitiveness Act (S 21), to secure the United States against cyber attack, to improve communication and collaboration between the private sector and the Federal Government, to enhance American competitiveness and create jobs in the information technology industry, and to protect the identities and sensitive information of American citizens and businesses. The bill calls for the enactment of bipartisan legislation to improve communication and collaboration between the private sector and the federal government to secure the United States against cyber attack, enhance the competitiveness of the United States and create jobs in the information technology industry, and protect the identities and sensitive information of U.S. citizens and businesses by:

• enhancing the security and resiliency of public and private communications and information networks against cyber attack;
• establishing mechanisms for sharing cyber threat and vulnerability information between the government and the private sector;
• developing a public-private system to improve the capability of the United States to assess cyber risk and prevent, detect, and respond to cyber attacks against critical infrastructure such as the electric grid, the financial sector, and telecommunications networks;
• promoting research and development investments and professional training;
• preventing and mitigating identity theft;
• enhancing U.S. diplomatic capacity and public-private international cooperation to respond to emerging cyber threats;
• expanding resources for investigating and prosecuting cyber crimes in a manner that respects privacy rights and civil liberties and promotes U.S. innovation; and
• maintaining robust protections of the privacy of U.S. citizens and their online activities and communications.

The question remains: can Congress get anything done? Earlier this month, former House Homeland Security Committee counsel Kevin Gronberg said Congress is unlikely to pass a comprehensive cybersecurity reform bill this year, largely because public concern about computer hacking doesn’t sway elections. He suggested that prospect is likely to change only after an event involving major property damage, casualties and a direct connection to malicious network activity. “As of yet, cyber still does not win votes,” said Gronberg, who stepped down after the 2012 election. “It will always be one of those issues that politicians will be able to push aside [in favor of] the issue of the day -- such as sequestration,” he said. “That's how these Congress members keep their jobs."

We’ll be tracking the progress of both cybersecurity bills on Benton’s legislation tracker as well as developments in cybersecurity. In the meantime, we’ll see you in the Headlines. http://benton.org/headlines