Citing a “rapidly growing threat from cyberattacks,” President Obama said last night that he has issued an executive order that would strengthen the computerized defenses of the United States. The order will increase information sharing and coöperation among government agencies and companies, and establish standards for responding to threats. Both are considered important components of effective cyber defense.
“We know hackers steal people’s identities and infiltrate private e-mails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems,” Obama said in his State of the Union address.
The action comes as attacks on government agencies and infrastructure are apparently on the rise (see “Old Fashioned Control Systems Make U.S. Power Grids, Water Plants a Hacking Target”).
The number of attacks reported to the U.S. Department of Homeland Security’s cybersecurity response team grew 52 percent to 198 in 2012, the team recently said. The statements also follow the recent disclosure of attacks on media outlets including the New York Times, the Wall Street Journal, and the Washington Post.
Despite the threat described by Obama, no legislation has been passed in Congress; in recent years about 80 bills have been written with some component of cybersecurity, but none have become law.
A key challenge is that much of the nation’s information technology infrastructure is owned and controlled by private companies. This makes it tricky to specify what constitutes adequate security and to know what kinds of attacks are emerging in different sectors (see “Moore’s Outlaws”).
The executive order is meant to fill the legislative void by improving coöperation among government agencies and companies. It applies to a subset of industries—including communications, energy, financial, and chemical sectors—that are considered critical to national security, the economy, and public health and safety.
The order directs the Department of Homeland Security to establish a voluntary program wherein critical infrastructure operators adopt cybersecurity practices shaped by the National Institute of Standards and Technology together with security companies. The DHS is then meant to work with other agencies and industry groups to implement those practices. The order also calls for an analysis of how communication between the federal government and private companies can be improved.
The executive order sets forth a series of milestones, including a description of relationships established between agencies within 120 days, the development of a situational awareness capability for critical infrastructure within 240 days, and a research and development plan within two years.
Obama indicated that legislation is still needed to mandate stronger protection. “Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” he said during the address. “This is something we should be able to get done on a bipartisan basis.”
The president did not, however, mention the issue of countermeasures, or cyberweapons, which are apparently already used by government agencies and contractors (see “Welcome to the Malware Industrial Complex”).