Reports: Obama Signs Classified Cybersecurity Directive4:22 PM EST Thu. Nov. 15, 2012
President Obama has reportedly signed a classified directive establishing guidelines to protect the nation's computer networks.
According to the Reuters and other media outlets quoting an unpublished administration document, the objective is to undertake the "least action" necessary to defend against attacks and protect the national security. The reports say that there is no change to government authority, but that "principles and processes" regarding the use of various cyber tools have been specified, or at least recommended.
The new policy apparently specifies that government agencies must first engage law enforcement or traditional network defense techniques before bringing the military into the discussion and eventual response.
[Related: Cybersecurity Bill Fails in US Senate]
The president apparently signed the document in mid-October.
"This is a natural and normal attempt by government to protect private industry and government infrastructure in cyberspace," said Rob Rachwald, director of security strategy at Imperva. "We've seen massive DDoS attacks, presumably from Iran, targeting U.S. banks. It was clear that this was a nation-state attack, and it's entirely appropriate for government to take a role in responding to this. If this directive takes us closer in this direction, then that's a very good outcome that is probably at least four years overdue."
Others, however, feel that the administration is ill-equipped to make such a move, and will have no impact on fending off DDoS attacks, or virtually any other type of exploit.
"It's not going to do anything to keep us more secure," said Jody Westby, CEO of Global Cyber Risk, LLC, in Washington, D.C. "They're trying to get through the door to have more access to business communications. I think it's just going to open the door to litigation over whether [the president] has the authority to do whatever is in his executive order. I think they want more authority to gather information. They're looking at what they can tell businesses to do, and that's an unwarranted intrusion."
The U.S. approach to cybersecurity has been heavily scrutinized this year. On Aug. 2, the U.S. Senate defeated a comprehensive piece of legislation known as the Lieberman Collins bill, by a vote of 52 to 46. Intended to stimulate investment in cybersecurity R&D, better protect critical infrastructure, define public/private cooperation and grant authority to the Department of Homeland Security to lead the government's cybersecurity efforts, the legislation was widely opposed by the Republicans, the U.S. Chamber of Commerce and privacy advocates who claimed that the bill placed too much regulatory authority in the hands of the government. Proponents of the bill claim that the terms were necessary to protect the nation's critical infrastructure and computer networks, but opponents claimed that the requirements were too restrictive of business and had negative effects on personal privacy.
NEXT: Multiple Warnings
The one common denominator among those in favor of the Lieberman Collins bill and those opposed to it seems to be an emphasis on public-private cooperation.
"We need to modernize our cybersecurity laws, for sure," said Andrew Jaquith, chief technology officer, Perimeter e-Security. "Government needs to work with private industry, especially the critical infrastructure sectors. We need to have better sharing without necessarily feeling that you can be sued for disclosing a vulnerability or sharing information. ... So there needs to be some sort of a shield in place in order to get that level of cooperation."
A new round of legislation is not expected before the new Congress is seated.
Meanwhile, Iran, China and other countries have been widely suspected of conducting military operations against the U.S. and against U.S. interests. These concerns are further elevated by extensive speculation that the U.S. and Israel were behind cyberattacks waged against Iran in an effort to eliminate that country's purported nuclear weapons program.
Other warnings have come from ranking administration officials, including U.S. Defense Secretary Leon Panetta and Homeland Security Secretary Janet Napolitano. Meanwhile, General Keith Alexander, who commands the military's Cyber Command, has repeatedly called for increased latitude to conduct activities to defend against potential cyber attacks, leveraging his personnel based at Fort Meade.
PUBLISHED NOV. 15, 2012