Will it end up as shelf ware as others have?
Yesterday, (2/12/12) President Obama signed an Executive Order for improving the security of America's critical infrastructure, defined as physical or virtual assets and systems the destruction of which would have a debilitating impact on security, national economic security, public health or safety.
Though not law, this EO does require specific action on the part of agencies such as DHS (Department of Homeland Security.) The key milestones include:
- Within 120 days, the functional relationships between DHS and other federal government related to critical infrastructure resilience and security must be described.
- Within 150 days, the public-private info-sharing model must be assessed and recommendation for its improvement made.
- Within 2 years, the national critical infrastructure security and resilience research and development plan must be completed.
Notwithstanding any of the above, any measures taken must protect US citizens' civil liberties and privacy.
This EO is the result of nearly 15 years of ineptitude and partisan gridlock in Congress. Last year alone there were two cyber security bills presented; neither could muster the support to be passed. In 2011, Rep. Jim Langevin (D-R.I.) introduced what was, in my opinion, an excellent and comprehensive cybersecurity bill that empowered DHS to regulate the security of private networks deemed part of America's critical infrastructure. There are reports that he will re-introduce this bill in 2013 -- I hope he does!
The EO is symbolic in nature; however, it at least forces action and assessment, which is the first step toward enlightenment. Once we understand our threats and the risks posed, we can make informed recommendations and take appropriate action. There will be the conspiracy theorists that claim this is the first step toward intelligence agencies being able to spy on US citizens. Ridiculousness.
This is a long over-due step that's finally been taken to protect our utilities, military networks, and communications systems, which are under constant attack. This country is being pilfered of its intellectual property and military information. There is evidence of nations hacking commercial enterprises with targeted attacks at an individual. The largest Saudi Arabian oil company had 3,000 PC's disabled in cyber attack "warning" that could have done much worse. We need to put in place measures to monitor and prevent cyber security attacks, and the only way to do that effectively is to mandate it. Voluntary sharing between private and government entities doesn't work; we've tried it, we failed. The mandates don't have to be oppressive, either, but they should leverage technology to help automate some of the prevention, monitoring, and reporting. This EO will serve as a stepping stone to help us move away from the phony paper audits of FISMA (Federal Information Security Management Act), which is a joke. Paper audits?!?! It's 2013, people -- wake up!