Do we really need a cybersecurity executive order?

Oct. 26, 2012
Obama administration in process of finalizing draft

Despite pleas from lawmakers asking the White House to leave the responsibility of drafting legislation that adequately addresses the nation’s cyber threats to Congress, it appears that President Obama has grown tired of waiting. The Associated Press recently reported that the Obama administration has drafted a cybersecurity executive order that is in the process of being finalized.

One of the order’s major initiatives would direct the Department of Homeland Security to organize an information sharing network that would provide companies in the critical infrastructure sector (power plants, water treatment facilities, railroads, etc.) with access to intelligence reports about known threats.

The administration’s concerns about the vulnerabilities we face from cyberspace are valid, but shouldn’t this type of information sharing already be occurring? Wasn’t that the whole point of the DHS’ establishment of fusion centers across the country: to create a place where federal, state and local authorities could meet to discuss potential threats, be they physical or cyber? The intelligence shared amongst these agencies should logically be passed on to security and management personnel at critical infrastructure sites if there is a credible threat.

Of course, the fusion center concept hasn’t been without detractors. A report recently released by a Senate subcommittee found that these fusion centers did little to promote intelligence sharing and were wasting taxpayer dollars by spending thousands on unneeded equipment. However, I’m sure this broad characterization doesn’t define how all fusion centers operate and that some have actually shared meaningful information.

It does beg the question, however: if fusion centers aren’t already getting the job done by and large, then why bother to essentially set up a similar system to share intelligence on potential cyber threats? The last thing we need is more needless regulations that keep law enforcement and the private sector more concerned with being in compliance than with actually dealing with the issue. Most organizations, especially those involved with or that own critical infrastructure assets, are already well aware of the dangers that lurk on the Internet.

"Trying to regulate the Internet and cyber security is going to be tough. I do think that critical infrastructure has an obligation first and foremost to protect themselves and secondly, to do the best they can to work with our partners in the public sector to protect the nation when we can provide valuable information to do that. I’m not sure that really works in a regulatory environment," Richard Douglas, general manager of corporate security and fire protection for United States Steel Corporation, told SIW in a recent interview. "You can’t point at one thing and say 'do X, Y and Z.' You just can’t do it when the speed of government is significantly slower than the speed of data and information, especially in cyberspace. I don’t know how they’re going to regulate and manage to keep up. How do you enforce it? How do you decide what is critical infrastructure?"

Douglas raises an interesting point. Defining what sites and assets are considered to be critical infrastructure will be at the heart of any executive order or legislation on cybersecurity. Who’s going to decide what organizations make the cut and why? Come hell or high water though, it seems cybersecurity regulation is inevitable.
