As I read the President’s Executive order last week, I was amazed at how government officials can spend so much time preparing the public for a grand political statement that will benefit all Americans and then, when so much is expected, so little is gained.
As the CEO of a cyber security company, I was, on one hand, excited to see the government paying attention to the industry during the SOTU address, but on the other hand I was left dismayed at the proposition put forth, as everything mentioned was pretty much already in existence. Then, with the Cyber Security Summit taking place, I was hoping once again that some steps would be taken to demonstrate that the government would take the first steps on the path toward developing a public/private relationship.
And once again, I was let down. Instead of a path ahead, or at least a vision, we got another executive order. Like all executive orders, this one does little to provide a unique path, mandate or a structure to achieve the end state, which is the voluntary cooperation and sharing of cyber threat data. This unilateral move, at a time when Congress is willing to address this issue and has several variations of cyber legislation ready to pass, only confuses the cyber security industry and accomplishes little. This executive order, like so many other pieces of proposed legislation, provides an honorable intent, but the execution deserves a lot more.
Let's look at the Executive Order piece by piece:
Section 1: The introduction of this order outlines the president’s vision: to get companies to share data. However, beyond that there is no meat. In order to get companies to cooperate they must see that there is a vision and that vision is completely thought out in terms of organizational responsibility, command and control, and concerns that companies have regarding liability and disclosure.
Section 2: The major concept outlined here is that the Secretary of Homeland Security creates Information Sharing and Analysis Organizations. This is a great concept, except for one thing: they already exist. As I stated in another blog, there are at least 15 Information Sharing and Analysis Centers (ISACs) that are organized along business sector lines (Financial, Maritime, Health Care, etc.) and have an industry mandate to share information within the sector and keep industries aware of new threat information (http://www.isaccouncil.org). If these entities exist, why doesn't the executive order simply direct DHS to use this system instead of replicating it? At least with the ISACs, the current issue of trust is taken care of, as they are a non-profit, industry-supported system.
Section 3: There is a very vague discussion of the establishment of a competitive process to establish an ISAO Standards Organization, whose mission is to develop the business processes, contracts and all standards for an ISAO to be an approved entity to share information. If this effort is meant to attract the voluntary cooperation of US companies to share cyber threat data, then the complexity outlined here is unnecessary. These are supposed to be volunteer, non-profit organizations. If that is so, only minimal standards are necessary if the true intent is cooperation and trust.
Section 4: This section concerns the assignment of the mandate for the National Cybersecurity and Communications Integration Center (NCCIC), a subcomponent of DHS, to organize and work with the ISAOs. Currently the existing ISAC network already works with the NCCIC, so that structure is in place and not worthy of an executive order.
Section 5: Privacy and Civil Liberties Protection: In what should have been the most in-depth portion of this order, we find... nothing. Vague words promising that only organizations engaged under this order (which means that other agencies with a cyber-security mandate are not affected) must do their best to identify how their organization's work under this order would affect privacy and civil liberties and to ensure that "appropriate protections" are applied. Without a definition of "appropriate protections," or any assurance that these protections would apply to the other agencies that would have access to the information being shared, this section only refers to the most critical issue raised by business and does nothing to define what needs to take place.
Section 6: This section seems to refer to the modification of the National Industrial Security Program, or NISPOM. This program is managed by the Department of Energy and is basically the bible for companies to follow to maintain compliance with government security programs and to retain the ability to access classified data. There is a lot of word-smithing here that could be misconstrued as an attempt to get companies under the thumb of the intelligence community, but at its heart, it's an attempt to make the system more receptive to companies that don't have classified requirements obtaining that access. However, again, if DHS would work with the ISACs and simply qualify them to obtain access, then we wouldn't have thousands of companies spending time and resources (at taxpayer expense) to get access to government information.
In the end, the administration has gone its own path to do absolutely nothing. Instead of co-opting Congress, which is ready to move on legislation (which I oppose), or creating a system that fosters trust through anonymity and non-attribution between the private and public sectors, the President has independently proposed a system that replicates one that is already in place and, in the end, provides absolutely no forward progress in addressing this critical issue.