President Obama has reportedly signed a classified directive establishing guidelines to protect the nation's computer networks.
According to Reuters and other media outlets quoting an unpublished administration document, the objective is to undertake the "least action" necessary to defend against attacks and protect the national security. The reports say that there is no change to government authority, but that "principles and processes" regarding the use of various cyber tools have been specified, or at least recommended.
The new policy apparently specifies that government agencies must first engage law enforcement or traditional network defense techniques before bringing the military into the discussion and eventual response.
The president apparently signed the document in mid-October.
"This is a natural and normal attempt by government to protect private industry and government infrastructure in cyberspace," said Rob Rachwald, director of security strategy at Imperva. "We've seen massive DDoS attacks, presumably from Iran, targeting U.S. banks. It was clear that this was a nation-state attack, and it's entirely appropriate for government to take a role in responding to this. If this directive takes us closer in this direction, then that's a very good outcome that is probably at least four years overdue."
Others, however, feel that the administration is ill-equipped to make such a move, and that it will have no impact on fending off DDoS attacks or virtually any other type of exploit.
"It's not going to do anything to keep us more secure," said Jody Westby, CEO of Global Cyber Risk, LLC, in Washington, D.C. "They're trying to get through the door to have more access to business communications. I think it's just going to open the door to litigation over whether [the president] has the authority to do whatever is in his executive order. I think they want more authority to gather information. They're looking at what they can tell businesses to do, and that's an unwarranted intrusion."
The U.S. approach to cybersecurity has been heavily scrutinized this year. On Aug. 2, the U.S. Senate defeated a comprehensive piece of legislation known as the Lieberman-Collins bill, by a vote of 52 to 46. Intended to stimulate investment in cybersecurity R&D, better protect critical infrastructure, define public/private cooperation and grant authority to the Department of Homeland Security to lead the government's cybersecurity efforts, the legislation was widely opposed by the Republicans, the U.S. Chamber of Commerce and privacy advocates who claimed that the bill placed too much regulatory authority in the hands of the government. Proponents of the bill claimed that the terms were necessary to protect the nation's critical infrastructure and computer networks, but opponents claimed that the requirements were too restrictive of business and had negative effects on personal privacy.