Executive order on cybersecurity coming, but is it only a 'down payment on legislation'?

Taylor Armerding | Feb. 14, 2013
Based on leaked versions of the order, the White House is expected to put DHS in charge of organizing a cyberthreat information-sharing network

Baker said those standards could have value. "In the real world, these 'voluntary' standards will be quasi-mandatory, because companies that don't meet them could face lawsuits after suffering a breach," he said. "They will also provide some liability protection for industry, since under tort law, following government standards is a good way to rebut claims of negligence."

The fundamental question, of course, is whether the order will make the public and private sector more secure, both from attack and from espionage aimed at stealing intellectual property. And experts are generally dubious about that as well.

Joe Weiss, managing partner at Applied Control Solutions and a critical infrastructure expert, said flatly, "It's not going to work."

Weiss said he is adamant partly because the leaders of utilities have "checked the box" to be in compliance with government security standards, but have done little else.

Besides that, "they don't trust the government," he said, adding that there is no need for an order to let government share information on threats. "They're already doing that," he said.

Roger Thornton, CTO of AlienVault, said: "It is very hard for many of us in the private sector to trust that the feds have significantly better threat information that they are willing to share. Researchers at hundreds of private organizations like ours are routinely catching attacks and infiltrations backed by states, particularly China and even the U.S. or its allies."

"The ways the government can help most are in the things that it can do exclusively, such as treaties with foreign governments to limit cyber attacks and aid in joint law enforcement," he said. "To assert that government's involvement and training is necessary for private industry to accurately identify, assess, and respond to threats is frankly a somewhat arrogant position to take."

Weiss, who said he has documented more than 75 electric industry control system cyber incidents, said those incidents are "real, numerous and growing."

"However, the electric industry and NERC (North American Electric Reliability Corporation) generally have been silent on disclosing control system cyber incidents even within the industry," he said.

The executive order is also not expected to stem the flood of espionage intrusions by China. The Washington Post's Ellen Nakashima reported recently that sources familiar with the most recent National Intelligence Estimate -- a classified document -- told her that the Chinese have been hacking the U.S. energy, finance, information technology, aerospace and automotive sectors for the past five years.

"The assessment does not quantify the financial impact of the espionage, but outside experts have estimated it in the tens of billions of dollars," the report said.

But Harvard Law School professor Jack Goldsmith, writing on the Lawfare blog, noted that the options for the U.S. are few and weak.
