WASHINGTON, Feb. 13 (UPI) — U.S. President Barack Obama’s cybersecurity executive order has set in motion structural reforms its backers hope will be readily embraced by the U.S. corporate sector.
But security industry analysts say more needs to be done to achieve full compliance or willing participation by industries and businesses involved with numerous stages of infrastructural security in the United States and, by extension, other parts of the world.
Before his State of the Union address Tuesday, Obama signed an executive order meant to address U.S. cybersecurity needs in the face of “real threats.”
He warned that the country’s enemies were “seeking the ability to sabotage our power grid, our financial institutions and our air traffic control systems.”
Although the executive order requires business and industry to cooperate with government efforts, the onus for producing comprehensive legislation falls back on Congress, which failed to clinch bipartisan agreement on a tough cybersecurity bill.
In response to Obama’s executive order, lawmakers said the Cyber Intelligence Sharing and Protection Act, which passed the House of Representatives by a strong bipartisan vote of 248-168 last April, was being reintroduced in a renewed effort to give muscle to the cybersecurity measures.
“It is time to stop admiring this problem and deal with it immediately,” U.S. Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, said. “Congress urgently needs to pass our cyberthreat information sharing bill to protect our national security, our economy, and U.S. jobs.”
“American industry is under attack, costing our country and our economy billions of dollars and thousands of jobs,” committee member Rep. C.A. “Dutch” Ruppersberger, D-Md., said. “We need to do everything we can to enable American companies to defend themselves against these devastating cyberattacks.
“Our bill does just that by permitting the voluntary sharing of critical threat intelligence while preserving important civil liberties,” he said.
Obama’s order instructed the National Institute of Standards and Technology, part of the U.S. Commerce Department, to work with both government agencies and business to draw up standards and practices and share both classified and unrestricted information with victims of cyberattacks.
The order expands the voluntary Enhanced Cybersecurity Services program to enable near real-time sharing of cyberthreat information to help participating critical infrastructure companies in their cyber protection efforts.
But because the order isn’t a law, it lacks powers to compel industry to effect change.
Obama acknowledged the problem and called on Congress to hasten legislation “to give our government a greater capacity to secure our networks and deter attacks.”
In May 2009, Obama declared the country’s digital infrastructure a strategic national asset and made protecting the infrastructure a national priority. But more time must elapse before an effective framework is in place.
The directive says the development of the functional relationships within the Department of Homeland Security and other government agencies related to critical infrastructure security and resilience will be completed within 120 days.
An assessment of the existing public-private partnership model and recommended options for improving the partnership must be finished within 150 days.
The timeline calls for an updated National Infrastructure Protection Plan within 240 days. It also calls for the completion of a national critical infrastructure security and resilience research and development plan within two years.
Israel says it has begun operating a special defense control center staffed by 20 Israeli soldiers to tackle cyberattacks.
“Few countries have this kind of ability,” a defense source told The Jerusalem Post. “This is a part of the Israel defense force’s readiness to ensure continuity of conventional operations. This continuity is based on cybersecurity.”
The source described the center as a “nerve center for defense,” adding it has “impressive command capabilities.”
The newspaper quoted an unnamed source as saying “in this world, time has no significance — an attack can be launched immediately — and neither does distance. The attacker can be anywhere.”
A European cybercrime center opened in The Hague, Netherlands, in January. The European Union is proposing to require all its companies, including utilities and hospitals, to report cyber break-ins.
European companies oppose the requirement, arguing such reporting would damage their business. U.S. corporate lobbying based on similar arguments is said to have influenced the outcome so far of lawmakers’ moves in Congress to bring in tougher cybersecurity laws.
Copyright 2013 United Press International, Inc. (UPI).