Since the collapse of the Congressional attempt to pass the Cybersecurity Act of 2012 there has been mounting pressure for the Obama Administration to “do something”, that something being the imposition of a regulatory regime to protect critical infrastructure.
But the Cybersecurity Act of 2012 failed because it was fatally flawed.
On Friday, Federal News Radio reported that they had obtained a copy of a proposed Executive Order that would attempt, through executive fiat – as Steve Bucci at the Heritage Foundation terms it– to impose most of the measures called for by Senators Lieberman and Collins.
Bucci raises an important point:
“[Regulation] is exactly the wrong approach for dealing with a fast-moving and incredibly dynamic field like cybersecurity. Give hackers—whether working for themselves or for another nation-state—a static standard, and they will waltz around it and have their way with the target entity.”
Congress has gone through several dozen cybersecurity bills in the last three years, not to mention the failed attempt to pass a data breach law which dates back to 2005. Even as they revise and re-write, there have been dramatic changes in the defensive posture of our critical infrastructure providers. Effective changes.
Let’s look at the proposed Executive Order as revealed by Federal news Radio. There are ten sections of the draft. Most of them call for nebulous voluntary information sharing or requirements that DHS create frameworks within three months. I can just see the scramble that will occur, and the watered down frameworks that will result, after multiple extensions to the due date are granted.
Binding the Department of Homeland Security to ISPs and phone companies is a slippery slope and they have resisted sharing information because of the legal liabilities due to privacy violations.
You can predict where the anti-SOPA movement will come down on this issue. So, the draft Executive Order attempts to remove those liabilities. But those “liabilities” are privacy protections, and any attempt to bypass them will be perceived as an egregious extension of the Patriot Act.
The last thing we need is another hastily designed and open-to-interpretation framework. Look at the regulatory burden that Sarbanes-Oxley created for publicly traded companies. The only section of SOX that touches on cybersecurity mandates the use of a cybersecurity framework such as ITIL or COBIT, yet public companies are still suffering constant successful breaches.
The good news is that while Congress dithered, the IT security industry developed. As Bucci points out, cybersecurity is dynamic. As new threats have developed– from cyber crime, to nation state espionage, to weaponized malware targeting uranium gas centrifuges– the industry has reacted.
There are now tools that collect intelligence, identify previously unknown attack attempts, and alert network operators to successful intrusions, giving them the ability to track down and eradicate them. Major security vendors already gather threat intelligence from hundreds of thousands of deployed devices.
New firms are even actively infiltrating and gathering information from hacker and cyber criminal forums. Cutting edge businesses that I have visited in the financial and technology sectors and the Defense Industrial Base (DIB) have developed their own methodologies that turn traditional IT risk management frameworks on their head. Instead of an asset and vulnerability approach –as proposed in all cyber legislation to date– these new methodologies focus on the threats.
The rapid uptake represented by 100% annual growth rates indicated that without a single regulation or Executive Order the problem is being addressed.
Forcing utility operators, banks, and earth resources companies to comply with frameworks based on outmoded asset and vulnerability methodologies will distract them from implementing threat based defenses. The draft Executive Order, if issued, will do much more harm than good.