In short, with the Executive Order the president mandated increased information-sharing with the private sector (and that includes classified data about attacks and potential attacks that will be handed over to those in the private sector cleared to receive it); the creation of a “baseline framework to reduce cyber risk to critical infrastructure” that will “incorporate voluntary consensus standards and industry best practices, will “provide guidance that is technology neutral”, and will be reviewed and updated as necessary; and all this to be executed by keeping citizens’ privacy and civil liberties in mind.
The Presidential Policy Directive “establishes national policy on critical infrastructure security and resilience” as a “shared responsibility among the Federal, state, local, tribal, and territorial entities, and public and private owners and operators of critical infrastructure.”
Both documents have been lauded by some and criticized by others.
In the former camp stand the American Civil Liberties Union and the Electronic Frontier Foundation, who think that the Executive Order keeps in mind the protection for citizens’ privacy and civil liberties in a way that the previously defeated (and now reintroduced in Congress in practically the same form) Cyber Intelligence Sharing and Protection Act does not.
While CISPA would allow companies to share their users’ data with government agencies without worrying they could be sued because of it, the EO explicitly says that privacy and civil liberties protections will have to be incorporated into all activities undertaken by state agencies and departments aimed at fulfilling the plans laid out in the EO.
Of course, that works only if you trust the DHS’ internal privacy officer and the officer for civil rights and civil liberties to do a good job.
It should also be noted that the Secretary of Homeland Security will be tasked with identifying critical infrastructure, but that she (or he) “shall not identify any commercial information technology products or consumer information technology services.”
This means that, for the moment, companies like Facebook, Google, Twitter and others that have at their disposal a treasure trove of personal and behavioral information about private individuals will not participate in the voluntary sharing of information that might help with preventing cyber attacks – and that news should elicit a small sigh of relief from privacy advocates.
On the other hand, the same paragraph states that the critical infrastructure to be identified by the Secretary shall include that “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The language used here is very broad, and could easily be used to include a great variety of businesses that most wouldn’t consider to be critical to national security. On the upside, they will be notified of the Secretary’s decision and can challenge it.
The same overly broad language is used throughout the documents. For example, cyber threats are never defined, so technically all kinds of attacks can be made to fit the category.
There are those who are surprised at what the EO doesn’t include: any reference to the desperately needed changes regarding the implementation of software and hardware security, and the necessity of building of secure systems from the get-go and replace current ones that are full of holes.
“The shocker was that, in the very last version, at the insistence of industry lobbyists, the White House took out all elements that would have made attacks against the United States less effective and harder to launch,” commented Alan Paller, director of research at the SANS Institute.
“There was fear among sophisticated attackers, evidenced by a very big escalation of attacks in the last 8-9 months, that the U.S. might quickly implement the basic controls that will stop most known cyber attacks used for espionage — both economic and military. I expect all of those attack communities that might have been worried are breathing a sigh of relief and shaking their heads in wonder that the United States government leaders could be so completely in the thrall of corporate interests that they would leave their military and financial future in harm’s way,” he added.
“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats,” states the EO.
Many are skeptical about whether the EO can achieve this. As always, theory is one thing, and practice is another. Without any real insight into the organizational and co-operational capabilities of the various U.S. departments and agencies, I can only speculate about its effectiveness.
In the meantime, let’s hope that the release of these documents will spur federal legislators into more conclusive action – after all, most of them said that they consider the EO and the PPD inadequate substitutes for Congressional action, i.e. concrete legislation.
As a sidenote, Jon Oltsik has an interesting summary on the results of an ESG survey that asked security professionals what actions the Federal government should take to prevent cyber attacks and block APTs, and on how their responses compare to what the EO put forth.