Last week President Obama signed an Executive Order in an attempt to strengthen the cybersecurity of critical infrastructure in the United States. This is an area much in need of improvement, but this Executive Order barely scratches the surface. The main points addressed by the order are to facilitate information sharing and to develop a Cybersecurity Framework.
To assist information sharing, the Order expands the voluntary Enhanced Cybersecurity Services Program to go beyond defense industrial information sharing to include other government sectors. This program enables near-real-time sharing of cyber threat information. The information is intended to help participating critical infrastructure companies better position themselves to deal with cyber threats.
The National Institute of Standards and Technology (NIST) is being directed by the Order to work collaboratively with critical infrastructure stakeholders to develop a Cybersecurity Framework. This framework is to be based on existing international standards, practices, and procedures that have proven to be effective.
The Order also includes privacy and civil liberties protections. Agencies must follow the Fair Information Practice Principles along with other pertinent policies. They also must conduct regular assessments of the impact of their activities on privacy and civil liberties. These assessments will be made public.
The Department of Homeland Security is directed by the Order to work with Sector-Specific Agencies and Councils to develop a program to assist companies with implementing the Cybersecurity Framework, including incentives for adoption.
Per the Order, regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations and determine whether existing requirements are sufficient and whether any existing regulations can be eliminated.
This is just an Executive Order, so it has no force outside of Government and lacks strong requirements for quick action. Areas that are not covered, but are considered very important and woefully exposed, include minimum requirements for how crucial infrastructure such as power and water systems should be protected, and requirements on protecting the transfer of financial information. One of the main targets of cyberattacks has been the SCADA systems used by companies overseeing the nation’s critical infrastructure. These systems are notoriously outdated and insecure, as the infrastructure was put together before the potential for a serious cyberattack existed. Any actions in these areas require Congressional action.
In response, House Intelligence Committee leaders Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) re-introduced the Cyber Intelligence Sharing and Protection Act (CISPA). The intention of the bill is to remove legal barriers that prevent government and industry from effectively sharing information about cyber threats. This is the same bill that passed the House last year but failed in the Senate.
The main criticism of the bill has been that the broad language in CISPA would allow companies to send customers’ electronic communications to the intelligence community, such as the National Security Agency (NSA). The general feeling is the bill should include a measure that requires companies to strip personal information from cyber threat data before sending it to the government and that a civilian agency, like the Homeland Security Department, should oversee the information sharing. The Senate cybersecurity bill last year addressed both these issues by requiring that companies “make reasonable efforts” to remove sensitive personal information from data on cyber threats before they share it with the government and put civilian agencies in the role of overseeing the information sharing exchanges.
It is critical that actions be taken to better secure the U.S. cyber communications environment. The actions of the Executive Order and the CISPA bill are a start, but much more is needed, including guidelines on truly securing the transfer of information using tools such as DNSSEC or DANE. Secure64 can assist in providing a secure basis for protecting DNS traffic.