During his annual State of the Union address on February 12, President Obama presented an executive order to protect U.S. critical infrastructure from cyber threats. “Our enemies are also seeking the ability to attack our power grid, our air traffic control system,” he said. “We cannot look back years from now and ask why we did nothing to face real threats to our security and our economy.”
The executive order encourages information sharing between private companies, which currently own and run most critical infrastructure in the U.S., and government agencies. Many companies are loath to share information about cyber breaches, as they believe that this will undermine their standing with customers and competitors. The order also aims to develop voluntary security standards and practices, while at the same time addressing privacy concerns. Many of these provisions were in last year’s failed cybersecurity legislation.
Although many in the private sector have criticized the substance of the executive order, Michael Chertoff, a former director of Homeland Security and EastWest Institute board member, praised the fact that it put the cybersecurity issue front and center on the national agenda. In a discussion with USA Today, Chertoff stated that the order’s requirements “represent a down payment in the protection of our nation's cyber infrastructure.”
Speaking to Computerworld, Gartner Analyst Lawrence Pringree expressed skepticism over the quality of shared intelligence that he asserts would do little to prevent cyber attacks. “It remains to be seen whether the government has useful intelligence that can help bolster commercial sector security,” he said.
Rob Beck, a critical infrastructure cybersecurity consultant with Casaba Security, had similar sentiments. He criticized the voluntary nature of the standards, saying that the order “doesn’t have any teeth; it has no backing,” he told CNN. “This is not going to have any measurable impact on anything.”
In an interview with CSO, Jacob Olcott, principal at Good Harbor Consulting, held that basic “cyber hygiene” measures are more effective than enhanced information-sharing measures. “Classified threat information is not useful for a company that isn’t regularly patching its systems,” he explained.
It is worth noting that, according to a recent Verizon-sponsored study, 97 percent of reported security breaches “were avoidable (at least in hindsight) without difficult or expensive countermeasures.”
The lack of trust between the public and private sector remains a major hurdle, especially as state-sponsored cyber attacks become ubiquitous.
“It is very hard for many of us in the private sector to trust that the feds have significantly better threat information that they are willing to share,” AlienVault CTO Roger Thorton told CSO. “Researchers at hundreds of private organizations like ours are routinely catching attacks and infiltrations backed by states, particularly China and even the U.S. and or its allies.”
China has been accused of producing a high volume of cyber attacks, including recent infiltration into major American newspapers; the Chinese government has yet to issue an official comment on the executive order.
Thorton went on to criticize the American government’s threat reduction capacity; he suggested that the government is more qualified to promote bilateral treaties and international cooperation. “To assert that government’s involvement and training is necessary for private industry to accurately identify, assess and respond to threats is frankly a somewhat arrogant position to take,” he added.
Yet, Dale Peterson, president of Florida-based Digital Bond, a cybersecurity company, told the Christian Science Monitor that Obama’s order was long-overdue. “I had hoped, and have hoped for years, the U.S. government would come out and say the [control systems] that run the critical infrastructure are insecure by design and must be upgraded or replaced ASAP,” he said. “It's hard to believe 11 and a half years after 9/11 that the U.S. government has not even used the bully pulpit to make a difference.”
A great deal of distrust and uncertainty about cyber threats continues to exist in the private sector. In the current climate, the EastWest Institute’s efforts to raise awareness and promote private-public collaboration on cybersecurity issues—including last year’s groundbreaking 3rd Worldwide Cybersecurity Summit in New Delhi—are a crucial part of the broader push for new approaches and solutions.