As you have undoubtedly heard by now, President Obama has signed an executive order regarding cybersecurity. This was done ostensibly to protect infrastructure, like the electrical grid, from cyberattacks or, worse yet, cyberterrorism. You can read the entire executive order at the White House web site. The second sentence essentially spells out the problem: “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Scary stuff.
The government's plan to deal with this problem mostly concerns the sharing of information. The executive order states: “It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
Apparently, the government plans to tap people in the private sector who have special talents for dealing with these threats. The order goes on to say: “In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary of Homeland Security shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.”
The order also gets into privacy and civil liberties protections by stating that agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities.
The organization responsible for setting the baseline framework for reducing cyber risk to critical infrastructure is none other than the National Institute of Standards and Technology. The framework will include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. When completed, the Secretary, in coordination with Sector-Specific Agencies, will establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.
So who is perpetrating these attacks on critical U.S. infrastructure? A glance at Google results for “cyber attacks on U.S.” reveals that hackers are suspected or known to be from countries like Iran and China. The origins of some attacks, though, are still a mystery. Not surprisingly, some attacks still fall under the denial-of-service category, a technique that has been around for quite a while, but still is difficult to defend against.
As for an official response to this latest executive order, the only one I’ve seen so far is from the Edison Electric Institute, which said the following:
The Edison Electric Institute (EEI) shares the President’s goal of protecting critical infrastructure from cyber attacks. As the only industry subject to mandatory and enforceable cybersecurity standards, the electric power sector already is taking significant steps to protect the electric grid and to work closely with the government to prevent, detect, and respond to cyber threats. The Executive Order represents another step toward improving government-industry coordination, but it does not preclude the need for congressional action to address statutory changes that will improve information sharing and access to classified information that the private sector needs to serve as the first line of defense in the protection of its critical infrastructure. EEI and its members look forward to continuing to work with the Administration and Congress to address this national security priority.