Right before he took to the microphone for his State of the Union address in February, President Obama signed an executive order (EO) that aims to strengthen the country's critical infrastructure security by primarily getting government agencies and private companies to share information on attacks and potential cyber threats. The information-sharing provisions introduced were joined by other directives, including one pushing for the creation of frameworks that would help critical infrastructure operators and owners to work together to shrink the risks they all face.
Since the EO's release, plenty of industry players have bemoaned its shortcomings alongside just about as many others who say the decree showcases a U.S. president finally pushing forward with some real cyber security initiatives for the country to embrace. And then there are those who, like me, think that offering up more general guidelines that organizations ought to follow is all well and good, but without any meaningful and enforceable requirements then, really, what's the point?
Who could argue that establishing national cyber security standards for the critical infrastructure to consider isn't a right step? And since the U.S. Congress has proved inept pretty much on all fronts, including enacting cyber security legislation, then thank you Barack Obama for filling the void, right? But, in order for principles set forth in an EO to actually come to fruition, legislation must be enacted to support it. Mandates, not suggestions, on what parts organizations play to enhance data security and improve the channels through which they can do so cooperatively and in concert provide the stuff for substantive change. If we were blessed with intelligent, bipartisan lawmakers as opposed to the many myopic ones with which we currently are cursed, thoughtful proposals would usher forth to include calls to action, liability protections, incentives to participate and, likely, enforcement mechanisms that all would work together to compel private and public entities to safeguard the country from growing cyber threats and potential attacks.

I understand the need for a national approach to cyber security and an understanding of some ways of getting there, but sans incentives and enforcement, chances are it will just be business as usual. The marketplace will figure it out, some say. But, many sectors haven't been able to do so without regulation. As well, quite a few critical infrastructure companies still enlist poor data security practices, thereby supporting an argument to impel action through regulatory mandates.
For now, some congressional leaders have taken the EO to mean that the Cyber Intelligence and Sharing Protection Act (CISPA) should be reinstated. Hence, a cringe-inducing proposal for the bill has resurfaced thanks to Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md. No matter that the Senate skipped the act once before because of outcries about potential privacy infringements. Lawmakers who support it say it's needed to codify cyber threat intelligence sharing among critical infrastructure players, and will not include the potential sharing of citizens' private information. Groups like the ACLU disagree.
So, this is the best we have – documents and debates that typify still more documents and debates in the future. In the meantime, all comers can carry on launching APT and other attacks on our critical systems. When massive mayhem ensues, maybe then the many parties charged with safeguarding them will just get on with it.