On Feb. 12, alongside his State of the Union address, President Barack Obama released an executive order that creates a voluntary cybersecurity program intended to help protect critical infrastructure networks.
The order is intended to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.
“We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards,” the order reads in part.
The order includes sections on policy coordination, cybersecurity information sharing, and privacy and civil liberties protections. It also calls for the creation of a baseline framework to reduce cyber risk and for the establishment of a voluntary program to support adoption of that framework. Companies, including electric utilities, will be able to opt into the program, which is intended to outline best standards and practices for preventing attacks on networks.
Industry reaction came quickly.
The Edison Electric Institute (EEI) issued a statement Feb. 13 that praised the order as another step toward improving government-industry coordination, but emphasized that more still needs to be done.
“The Executive Order … does not preclude the need for congressional action to address statutory changes that will improve information sharing and access to classified information that the private sector needs to serve as the first line of defense in the protection of its critical infrastructure,” EEI’s statement read in part.
Another industry security expert contacted by TransmissionHub shared EEI’s concern.
Speaking on background, the expert called relying on an executive order for something as important as cybersecurity “a mistake that works to further diminish the importance of negotiation and collaboration within the Legislative branch of the government.”
While an order to join a voluntary program may seem ineffective on its face, NERC’s former chief security officer saw value in the approach.
“Voluntary does not have to be ineffective, especially if it enables the stakeholders to come together and be part of defining target performance,” Michael Assante, President and CEO of the National Board of Information Security Examiners, told TransmissionHub.
In fact, he said the approach can have benefits over a more traditional legislative approach.
“That type of framework has the capacity to be more agile over time in an effort to keep up with the dynamic nature of cybersecurity,” Assante said. “At the very least, this executive order will stimulate cybersecurity discussions from the plant floor to the board room in infrastructures that are not currently under mandatory standards. The longer-term benefits will come down to how the program is implemented and in turn embraced by asset owners and critical suppliers.”
Other experts predicted the order won’t do much for the electric industry, which, as EEI pointed out in its response, is the only industry already subject to mandatory and enforceable cybersecurity standards.
“It’s not meant for control systems,” Joe Weiss, security expert and author of the book Protecting Industrial Control Systems from Electronic Threats, told TransmissionHub. “All this is going to do is create a false sense of security. That’s all it’s going to do.”
Weiss agreed with the principle that greater cooperation and coordination is needed, but added that the industry needs to be more candid in its discussions of the situations it has encountered. As an example, he pointed to a “lessons learned” document issued by NERC Feb. 8 that provided four case histories which, in information technology circles, he said would be considered denial-of-service events.
“Each of the four incidents has occurred elsewhere in the electric and other industries,” Weiss said. “In most cases, they were unintentional but it was not immediately obvious they were unintentional. In addition, there were cases where the similar incidents were caused maliciously.”
Three of the incident descriptions did not mention the word “cyber,” while the fourth stated it was “not a cybersecurity incident,” he said.
“What I can’t explain is what everyone’s asking: ‘What is Washington thinking?’ I don’t know,” he said, adding that many inside the Beltway “apparently haven’t read ‘The Emperor Wears No Clothes.’”