Do we really need a cybersecurity executive order?

Despite pleas from lawmakers asking the White House to leave the responsibility of drafting legislation that adequately addresses the nation’s cyber threats to Congress, it appears that President Obama has grown tired of waiting. The Associate Press recently reported that the Obama administration has drafted a cybersecurity executive order that is in the process of being finalized.

One of the order’s major initiatives would direct the Department of Homeland Security to organize an information sharing network that would provide companies in the critical infrastructure sector (power plants, water treatment facilities, railroads, etc.) with access to intelligence reports about known threats.

The administration’s concerns about the vulnerabilities we face from cyberspace are valid, but shouldn’t this type of information sharing already be occurring? Wasn’t that the whole point of the DHS’ establishment of fusion centers across the country to create a place where federal, state and local authorities could meet to discuss potential threats, be it physical or cyber? The intelligence shared amongst these agencies should logically be passed onto security and management personnel at critical infrastructure sites if there is a credible threat.

Of course, the fusion center concept hasn’t been without detractors. A report recently released by a Senate subcommittee found that these fusion centers did little to promote intelligence sharing and were wasting taxpayer dollars by spending thousands on unneeded equipment. However, I’m sure this broad characterization doesn’t define how all fusion centers operate and that some have actually shared meaningful information.

It does beg the question, however, if fusion centers aren’t already getting the job done by and large, then why bother to essentially setup a similar system to share intelligence on potential cyber threats. The last thing we need is more needless regulations that keep law enforcement and the private sector more concerned about being in compliance than with actually dealing with the issue. Most organizations, especially those involved with or that own critical infrastructure assets, are already well aware of the dangers that lurk on the Internet.

"Trying to regulate the Internet and cyber security is going to be tough. I do think that critical infrastructure has an obligation first and foremost to protect themselves and secondly, to do the best they can to work with our partners in the public sector to protect the nation when we can provide valuable information to do that. I’m not sure that really works in a regulatory environment," Richard Douglas, general manager of corporate security and fire protection for United States Steel Corporation, told SIW in a recent interview. "You can’t point at one thing and say 'do X, Y and Z.' You just can’t do it when the speed of government is significantly slower than the speed of data and information, especially in cyberspace. I don’t know how they’re going to regulate and manage to keep up. How do you enforce it? How do you decide what is critical infrastructure?"

Douglas raises an interesting point. Defining what sites and assets are considered to be critical infrastructure will be at the heart of any executive order or legislation on cybersecurity. Who’s going to decide what organizations make the cut and why? Come hell or high water though, it seems cybersecurity regulation is inevitable.