Obama Readies Unilateral Move on Cybersecurity
WASHINGTON – A long-running effort to protect critical infrastructure in the U.S. from cyber attacks collapsed in Congress last year. Despite this setback, different groups have continued their calls for more action in the wake of continuous threats, paving the way for the Obama administration to take the lead on cybersecurity policy – perhaps in an executive order that could come early this year.
After Congress first rejected the Cybersecurity Act of 2012 in August, the Obama administration immediately began drafting an executive document, known as Presidential Policy Directive 20. The White House argued that the danger of a devastating cyber attack against the U.S. was just too great for the executive branch to ignore it. The executive order, unlike the bill, does not need congressional approval, which will undoubtedly open the debate about the directive’s constitutionality.
The executive order will offer voluntary guidelines and a strict set of standards that will help government “more effectively secure the nation’s critical infrastructure by working collaboratively with the private sector,” White House spokeswoman Caitlin Hayden told the Washington Times.
The cybersecurity bill, first introduced by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine) in February, called for the creation of a council to develop standards for certain industries such as utilities, pipelines, and financial service companies labeled as “critical infrastructure.” It also aimed to encourage industry to share information with the government about cyber-threats spotted on their networks.
After months of negotiations with privacy and civil liberty groups and industry representatives, the Senate introduced a revised version of the bill last summer. In the hopes of winning over the opposition, the bill’s co-sponsors significantly watered it down, making the cybersecurity standards optional.
Despite disagreements over specific measures, the legislation attracted widespread bipartisan support in the Senate. Many senators agreed with the major provisions of the bill that sought to strengthen the nation’s barriers against cyber attacks. But a rift emerged between the legislators believing that a new regulatory program was necessary because of the private sector’s failure to adequately protect its networks, and those doubting the efficacy of more government regulation in achieving its intended objective.
Back in August, Republicans and business groups strongly opposed the bill that would have imposed minimum standards of security on companies in key industries, claiming it was unwarranted government regulation. After the bill failed to pass in August, Senate Majority Leader Harry Reid voted against it in a procedural move so that he could bring the bill back to the floor in November.
During the lame-duck session, the Senate came close to passing cybersecurity legislation. But a motion to move forward on the bill failed to secure the 60 votes needed to bring the bill up for passage.
“The bill that was and is most important to the intelligence community was just killed, and that’s cybersecurity,” Reid told the Hill after the vote. “Whatever we do for this bill, it’s not enough for the U.S. Chamber of Commerce. So everyone should understand cybersecurity is dead for this Congress. What an unfortunate thing, but that’s the way it is.”
Opposition to the bill made some legislators break ranks with their party. Four Democrats – Sens. Max Baucus (Mont.), Mark Pryor (Ark.), Jon Tester (Mont.) and Ron Wyden (Ore.) – voted against the motion in November. Three Republicans – Sens. Collins, Olympia Snowe (Maine), and Scott Brown (Mass.) – joined their Democratic counterparts in favor of the bill.
A rival version, the SECURE IT Act, introduced by Sen. John McCain (R-Ariz.) and a group of Senate Republicans in March, focused on improving the sharing of information about cyber-threats, but it did not include any measures aimed at creating security standards for critical infrastructure. The bill failed to gain traction in Congress and among civil liberty groups, including the American Civil Liberties Union.
Many government officials lamented the Cybersecurity Act’s failure. Sen. Daniel K. Akaka (D-Hawaii), senior member of the Senate Committee on Homeland Security, expressed his disappointment that the Senate “once again failed to put partisan differences aside and pass the critical bill.” Defense Secretary Leon Panetta also expressed his disappointment with the Senate for failing to allow the country to enhance its ability to protect itself against threats.
Panetta warned last year of the possibility of a “cyber Pearl Harbor.” He told business leaders attending a meeting of the Business Executives for National Security that the country is increasingly vulnerable to foreign computer hackers who could attack the country’s transportation system, government, financial networks, and power grid.
In a recent report, the Department of Homeland Security (DHS) estimated that more than 40 percent of all reported cyber attacks on critical infrastructure in 2012 targeted the energy sector. Many of the incidents reported to the DHS targeted information that could facilitate remote access and unauthorized operation.
Sustained cyber attacks targeting the websites of a dozen U.S. banks, including Wells Fargo, JP Morgan Chase, and Bank of America, exemplify the growing threat to the financial sector. What makes these attacks suspicious is that they are not carried out by opportunists trying to steal data or money, but instead by experts keen on creating significant disruptions. Computer-security specialists say that the attacks showed a level of sophistication that exceeded that of amateur hackers, making it more likely that they were orchestrated by a nation.
“There is no doubt within the U.S. government that Iran is behind these attacks,” former Commerce and State Department official James A. Lewis told the New York Times this month. According to Lewis, the attacks are probably in retaliation for previous cyber attacks on Iran as well as sanctions imposed on the country.
After the intensifying wave of attacks, major U.S. banks have turned to the National Security Agency for technical assistance in an effort to protect their computer systems, the Washington Post reported.
The banks’ request follows a similar push by a trade group for more collaboration between the private sector and government. The Business Roundtable, which represents the chief executives of top U.S. companies, has recently called on Congress to pass legislation aimed at improving the sharing of information between government and industry so companies can thwart cyber attacks quickly. The group, however, cautioned against a “static compliance based regime” that would undermine a more dynamic solution based on information sharing.
Before the Senate vote in November, Lieberman warned of the possibility of an executive order issued by the president if the Senate voted against moving the bill forward. Reid also noted that the order would fall short of what the bill could accomplish, including liability protection that would protect companies from legal action if they are hit by a cyber attack.
In a letter sent to the president in October, a group of Republican senators urged Obama to work with Congress on cybersecurity legislation instead of acting unilaterally in a way that “will solidify the present divide” among stakeholders. The White House is expected to roll out the executive order as early as the end of this month.
As new leaders assume command of the congressional committees in charge of cybersecurity legislation, the prospects of reviving the debate have begun to emerge. A coalition of Senate Democrats, led by longtime cybersecurity legislation supporter Sen. Jay Rockefeller (D-W.Va), introduced on Wednesday a new resolution tackling the issue. “The new Congress has a real opportunity to reach needed consensus on bipartisan legislation that will strengthen our nation’s cybersecurity,” the senators said in a joint statement announcing the bill, called the Cybersecurity and American Cyber Competitiveness Act of 2013.
The new bill outlines legislative intent but does not provide any specific solutions beyond some recommendations to improve collaboration between the private sector and the federal government.






This guy has to be held on a short leash … he’s also spending 1.6 million taxpayers dollars flying around to get his own way with the immigration bill efforts! That’s totally unacceptable to say the least. Enough is enough; Obama seems to have gone bonkersville on the absolute monarchy trail. WTF?!!!!!
What we really need is for the private sector to get its collective head out of the sand and spend a few dollars on cyber security. If you don’t think it could happen here but would like to see what it might look like, get a copy of Clancy’s “Threat Vector.” Should wake you up, besides being very entertaining.
I’m sure lots of bad things can happen. What I don’t trust, is Obama won’t be the one causing it.
“Never let a crisis go to waste”
So far, he hasn’t. Past performance is indicative of future potential in his case.
The Dream Act and Cybersecurity bill can’t make it through Congress, so a President takes it upon himself to unilaterally effect at least portions of those bills ?
I didn’t know federal government was authorized to work that way, one guy imposing the rules.
Sounds like a monarchy.
“Cybersecurity” sounds great, but there was significant opposition in the business community to adding yet more layers of government regulation. The Reddit co-founder Aaron Swartz who recently committed suicide spoke rather eloquently against the legislation.
Can’t systems be strengthened & tightened without, yet another, insertion of government into the process ?
Nobody alive knows completely what’s legal and illegal anymore, what with the onslaught of government interference in everything. Can’t anything good happen in American society without these yahoos ?
This legislation is, for all intents and purposes, irrelevant, outside of any overreach questions. Two items to consider:
1. Many, if not all, of the industries identified are already regulated with cybersecurity standards already in place. In addition, the significant organizations are also reviewed by regulatory bodies to include the FFIEC, FERC, and the SEC. These reviews include IT folks. The standards for the review, for the most part, either directly or implicitly reference NIST standards. So the framework, and maybe the actual processes, are already in place.
2. Governmental or even industry standards are, in general, ineffective. Consider the challenges related to the Payment Card Industry Data Security Standards. We still encounter data breaches even for the organizations that have been audited for compliance without reported exception. (Same will likely be true with HITECH) Detailed governmental standards create an environment where one can be reasonably secure OR state that one meets the government standards irrespective of reality.
Would it not be interesting for a government to work within an existing set of organizations to meet real risks. Although, creating new functions, roles, and laws is always SO much more fun. And looks better in mailers to local citizens.
Frustrated security/controls geek
HAVC
Would it not be interesting for a government to work within an existing set of organizations to meet real risks.
Sounds too much like hard work to the grandstanding politicians.
Optics trump substance every time.
The real problem with cyber security is you are always one step or more behind the bad guys. First, all OS and major pieces of software have security vulnerabilities if for no other reason than the complexity of the code. Did the designers see every possible user interaction? Now add poorly written or woefully obsolete code. Another various forms of social engineering to trick users into giving out information they should not.
Also, remember the IRS standard for proper data protection did not include encrypting SSN and when South Carolina’s tax payer database was hacked the IRS compliant security meant that tax payer SSN’s were plain text.
The real problem is that a government run solution will be woefully inadequate because of the time lag to issue new regulations assuming there are no other major issues such as incompetence. The best practices are always evolving in cyber security.
An ongoing problem is that the purse strings are controlled by people who often do not understand cyber security. They do not understand it is an ongoing process that will never end. Some of the problem is proper software design, proper network design, appropriate user access, and ongoing user training. Unfortunately all of these are evolving.
The problem with legislation or diktat is that it fundamentally assumes the problem will not change in the future because both will tend to lock in current (hopefully best) practices some of which will be inadequate in the near future. Unfortunately the crystal ball can not tell one which ones will be inadequate.
Your point about lag time is compounded by the fact that businesses cannot afford to get out ahead of the regulators even if there is a pressing need to do so, because whatever they put in place may not meet subsequent regulations and have to be scrapped at great expense. Meanwhile they are in compliance, even if vulnerable.
‘…a set of standards that will help government “more effectively secure the nation’s critical infrastructure by [unilaterally controlling] the private sector”’
Just a slight change to clarify the language and intent of the statement.
Every seemingly disparate topic seems to boil down to one thing, control.
Chris Dodd of Dodd-Frank, the guy who got the sweetheart loan deals from his buddy Angelo Mozilo at Countrywide, was a big ‘cybersecurity’ guy. Drove him nuts (he was well on his way already) that something, anything, could be going on outside of Congressional purview.
Abraham Lincoln’s re-assertion of the nation’s founding ideas, that it is the people who are the masters of Congress and the courts, falls on deaf ears.
“Good intentions will always be pleaded for every assumption of authority. It is hardly too strong to say that the Constitution was made to guard the people against the dangers of good intentions. There are men in all ages who mean to govern well, but they mean to govern. They promise to be good masters, but they mean to be masters.”
~Daniel Webster – (1782-1852), US Senator
Just like China, North Korea, Islamic nations, and India as well Obama would bring in the legislation, to police and censor the web, for these are essential tactics for ‘staying in power’
We stand in awe of emperor obi-i-won as he readies his “executive order” generator. It’s good to be the king (emperor).
I am reminded of one meeting between private sector engineers, my guys, and federal regulators, perhaps twenty people sitting around a conference table, focusing on a very technical topic. I started the meeting by outlining the topic, the options, and then my suggestion: we would jointly select the most technically quantified experts, from government, private industry, and academia, let them discuss things for a day, or so, alone, then reassemble and listen to them.
You would have thought I had declared World War III. I did not realize the central issue was power. Who held the whip?
This, and a zillion other reasons is why electricity costs so much. The same process goes on in all technical areas.
It is a shame that the US government is making a play for our networks like China or Iran does in their countries. NEVER give the government the kill switch, ever.
Why can’t the government ever come up with some recommendations, especially for Nuke Power, major power grid control centers, top secret installations and their contractors etc.. and call it a day.
Does every bill have to create 2-10 new “agencies” to write rules. Consist of thousands of pages and be nearly un-readable etc..
When it comes to free flow of speech and ideas the government should never have the whip!
Any chance Congress can just draft an order of its own placing Obama under arrest and deporting him back to Kenya? Future generations will be grateful…..
Read Tom Clancy’s Threat Vector and try not to panic. I know that those that favor security over freedom will have neither, but holy cr*p is that book scary regarding the Chicoms and cybersecurity.
What I don’t trust is the hidden unConstitutional fine print that will be buried in the executive order. Apparently unrelated things snuck in. Call me paranoid, call me crazy, but post-election Obama Unleashed is itching to make in-roads into controlling the Internet and conservative news websites. I trust nothing he does, and I sense censorship brewing any time Owebama and the Internet are mentioned in the same sentence. He’s already taking shots at Fox, and that 60 Minutes love fest with Hillary was vomitous. If we aren’t careful, soon that is all the news we peasants will be able to see concerning our Dear Leader.
And Congress will do nothing to stop legislation by EO. The Left will cheer him on and the media will sing praise as a good cult follower should.
Corbettreport Calling Out The Hypocritical, War-Loving Left
http://www.youtube.com/watch?v=A3_hFYucgYY
This is getting ridiculous. Executive orders serve the purpose of directing the executive branch to carry out existing law in a specific way — they do not in any way make new law. A president who makes new law through executive order is a president who has committed a high crime against the constitution. Why does everyone keep pretending the won is able to make his own laws? You or I could pronounce our own laws with as much legal credibility as his have. Hello…congress? What will it take for you to take action against this man – does he have to start picking you off one by one?