Cyber Security Hotting Up
With the launch of CyberHive occurring this afternoon at 1855 First Avenue in San Diego (see the San Diego Business Journal cover story article), I felt it appropriate to post the cybersecurity article below.
Emphasis in red added by me.
Brian Wood, VP Marketing
Cyber Security Executive Order Looms
If there’s one thing that everyone could agree on it’s this: Cyber security has emerged as a huge issue in the U.S., and industry and government both need to do more. But everything is political these days, evidenced by controversial cyber security bill that was voted down last month. That thumbs-down vote was merely the latest in a line of defeats anytime cyber security legislation has been brought up.
Now, in a partial reawakening of the dead proposal from last month, the current administration plans to issue a cyber security executive order sometime in February, most likely in the second half of the month, after the State of Union address. The cyber order would essentially create “a voluntary program in which companies operating crucial infrastructure would agree to meet a set of cybersecurity standards developed, in part, by the government,” reports TheHill.com.
In some ways, it’s been a shame that Congress hasn’t been able to pass a law in the face of extreme, bi-partisan need. But apart from the executive order, another opportunity is coming. Another bi-partisan bill is expected to be introduced this month. Some sort of Congressional action would be in keeping with global trends.
Bloomberg notes that, “According to the draft European Commission directive, banks, stock exchanges, hospitals and transportation companies would have to adopt more stringent network security standards in coordination with an appointed regulator in each member country. The directive would require critical infrastructure companies to tell regulators about significant cyber incidents and could require them to make a public disclosure. That’s stricter than rules in the U.S., which don’t make companies disclose serious breaches unless they involve personal identifying information like Social Security numbers or credit card data. Even those requirements vary by state.”
The upshot here is that there will likely be a lot of regulations and codes for U.S. companies, especially big companies, to follow. Hopefully, they will be safer for the effort. -Jim
Obama Said Near Issuing Executive Order on Cybersecurity
President Barack Obama will issue an executive order aimed at bolstering U.S. cybersecurity as soon as next week, according to two former White House officials briefed on the administration’s plans.
The executive order, expected to be released after Obama’s Feb. 12 State of the Union address, sets up a voluntary program of cybersecurity standards for companies operating vital U.S. infrastructure, according to the former officials, who asked to not be named because the order hasn’t been issued yet.
The administration has been drafting an executive order on computer security since at least last fall, before the Senate failed in its second attempt to pass Obama-backed legislation to create cyber standards for companies. Obama has said critical assets such as water-treatment plants and railway systems serving millions of people are vulnerable to hackers and need greater protection.
The administration is preparing the order amid recent cyber attacks including the security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other newspapers attributed to Chinese hackers, and denial-of-service attacks that disrupted websites of U.S. banks.
The order directs federal agencies to consider incorporating the cybersecurity standards into existing regulations, according to the officials. It directs the government to share more information about computer threats with the private sector and issue more security clearances allowing industry representatives to receive classified information, the officials said.
Caitlin Hayden, White House spokeswoman, declined to comment on the timing or substance of a potential executive order.
Administration officials including Homeland Security Secretary Janet Napolitano have continued to encourage lawmakers to act, saying only Congress has the authority to make statutory changes to improve cybersecurity.
By early March, Director of National Intelligence James Clapper is to release his annual assessment of threats to U.S. national security, which in recent years has pointed to the growing risks of cyber attacks against the U.S. and its allies.
Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, opposed the Obama-backed cybersecurity bill last year, saying voluntary standards would amount to de facto regulations that would burden industry and fail to keep pace with evolving computer threats.
House Intelligence Committee Chairman Mike Rogers, a Michigan Republican, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland, said they will reintroduce a cybersecurity bill on Feb. 13. The measure, passed by the House last year, would give companies legal protections for sharing cyber threat information with each other and the government, and allow the government to provide classified threat data to the private sector.
“This is clearly not a theoretical threat — the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear,” Rogers said in an e-mailed statement today. “We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats.”
The Obama administration last year threatened to veto Rogers’s bill, saying it wouldn’t shield the nation’s critical infrastructure or protect the privacy of consumer data that might be shared by companies.
In the Senate, Democratic committee leaders introduced a measure last month pledging to work together on cybersecurity in the new Congress. The measure says Congress should develop a public-private system to defend U.S. infrastructure and establish mechanisms for sharing cyber threat information.
The co-sponsors include Tom Carper of Delaware, chairman of the Homeland Security and Governmental Affairs Committee; Jay Rockefeller of West Virginia, head of the Senate Commerce Committee, and Dianne Feinstein of California, who leads the Senate Intelligence Committee. All three were sponsors of the bill blocked by Senate Republicans last year.
Obama in October signed a separate directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems.
The European Union announced its own cybersecurity plan yesterday, which could affect a wide swath of multinational companies that operate there.
According to the draft European Commission directive, banks, stock exchanges, hospitals and transportation companies would have to adopt more stringent network security standards in coordination with an appointed regulator in each member country. The directive would require critical infrastructure companies to tell regulators about significant cyber incidents and could require them to make a public disclosure.
That’s stricter than rules in the U.S., which don’t make companies disclose serious breaches unless they involve personal identifying information like Social Security numbers or credit card data. Even those requirements vary by state.
European disclosure requirements may affect U.S. companies with international operations, Stewart Baker, a former assistant secretary at the Department of Homeland Security, said in an e- mail.
“If and when adopted, it will be a game changer,” Baker said.
“It covers banks, aviation, and Internet companies, including cloud and e-commerce providers,” said Baker, who is now a partner at Steptoe & Johnson LLP in Washington. “If companies are required to report breaches in Europe, they won’t be able to avoid reporting breaches in the U.S. as well.”
Carper: Expect White House cyber security order after State of the Union
Senate Homeland Security and Governmental Affairs Committee Chairman Tom Carper (D-Del.) said the White House has signaled that it will likely introduce its cybersecurity order in the second half of February, following President Obama’s State of the Union address.
After the White House releases the cyber order — which it has been crafting over the last several months — Carper said he plans to hold a joint hearing with the Commerce and Intelligence committees to discuss the measures included in the order. Carper said he wants to hear from administration officials and stakeholders’ feedback as well.”The administration is going to proffer next month an executive order, we think in the second half of February,” Carper told The Hill.”I think the smart thing for us to do would be to receive it, to read it, and I raised this as a possibility with [Commerce Committee] Chairman Sen. Jay Rockefeller [D-W.Va.] today: Maybe the relevant committees do a joint hearing … and invite the administration to come in, explain the executive order, and invite other folks to come in and react to the executive order,” Carper said.
The White House began drafting the executive order after Congress failed to pass cybersecurity legislation last year. The administration has argued that the cybersecurity threat facing the United States is too great for it not to take action while Congress grapples with passing legislation.
The executive order builds off a section in a cybersecurity bill that was co-sponsored by Rockefeller, Carper and Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine) and Dianne Feinstein (D-Calif.), which was ultimately blocked by Senate Republicans. The cyber order would create a voluntary program in which companies operating crucial infrastructure would agree to meet a set of cybersecurity standards developed, in part, by the government.
The administration was expected to issue the executive order this month, but it’s been kept under wraps. White House Cybersecurity Coordinator Michael Daniel and other administration officials have engaged in an outreach effort with various industry groups, such as the U.S. Chamber of Commerce and the National Cable and Telecommunications Association, over the last few months to receive their feedback about what should be included in the cyber order.
A White House spokeswoman declined to comment on the timing of the executive order.
Carper said he doesn’t anticipate that his committee will re-introduce the same cybersecurity bill from last year, but he intends to repeat the Homeland Security Committee’s efforts to put forward a joint bill with the Commerce and Intelligence committees.
Cybersecurity will likely resurface on Congress’s radar this year after major U.S. banks and newspapers, such The New York Times and The Wall Street Journal, have suffered a spate of cyberattacks. Defense officials have also issued warnings about Iran and China’s cyber capabilities.
“I think the goal should be for the relevant committees to try to jointly introduce a common bill, and I hope not a bill with just Democratic sponsorship,” Carper said. “That would be my goal, maybe not achievable, [but] that’s my goal.”