President Obama authorized a plan to bolster threat information sharing and the creation of voluntary security guidelines for critical infrastructure protection.
The president issued an executive order to approve the creation of a voluntary framework for threat sharing, ordering the National Institute of Standards and Technology (NIST) to create an incentivized set of voluntary security guidelines for the protection of networks connected to critical infrastructure facilities. The Presidential Policy Directive was much anticipated by IT security experts, who say the plan was needed after too many failed attempts by legislators to get information security bills passed in Congress.
"We know foreign countries and companies swipe our corporate secrets," Obama said in his State of the Union address Tuesday night. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
The order builds on Obama's threat information sharing strategy laid out in December, directing the federal government to work with executives at companies that provide or support critical infrastructure to improve information sharing on security threats. It authorizes expedited security clearances for some private-sector employees who provide critical infrastructure protection.
The plan also authorizes the Secretary of Homeland Security to work with other federal officials to create voluntary security standards that promote security and resilience of the nation's critical infrastructure.
A series of incentives will be created to encourage private-sector owners of critical infrastructure facilities to adopt the standards.
The Department of Homeland Security will evaluate capabilities and address threats and vulnerabilities that impact critical infrastructure. In addition, it will establish critical infrastructure centers that will provide situational awareness capability and information about emerging trends and imminent threats that impact critical infrastructure.
Officials have been talking about the need for threat information sharing and critical infrastructure protection over the past decade, but constant news about cyberespionage activity and nation-state-driven attacks has reignited the discussion. It reached a peak in recent months, with The New York Times breach illustrating the threat of targeted attacks that security experts believe are driven by nation-state-funded hacking groups. The Aurora attacks, believed to be delivered by the Elderwood cybercriminal group, remained stealthy and persisted on corporate systems for many months, spying on specific individuals before they were detected.
The Stuxnet Trojan illustrated the risk posed to critical infrastructure facilities despite being somewhat isolated from the Internet. Stuxnet was designed to disrupt the complex operations at an Iranian uranium enrichment facility. Signs have surfaced that information gathering has increased the threat against power plants, oil and chemical refineries and the infrastructure serving as the backbone to the financial industry.
Flame, a highly sophisticated cyberespionage attack toolkit, was detected on the systems of individuals in Lebanon, Syria, Sudan and Israel. Shamoon, Duqu and Gauss were designed to target specific individuals and steal as much data from their systems as possible. Google and other private-sector companies also were targeted by nation-state groups.
Industry groups and security experts praised the executive order, calling it an important step in increasing the discussion and getting Congress to take action on meaningful legislation, creating a law that frees private-sector companies to share threat information with federal officials. They say that for threat information sharing to work, information needs to be reliable and actionable, with significant data flowing from both the government and the private sector.
The government needs to measure the threats and vulnerabilities and provide meaningful data, said William Hugh Murray, a longtime security industry veteran and consultant based in New Canaan, Conn. Security vendors and Internet service providers have plenty of threat intelligence data, but the government often fails to provide specific information about the threats it perceives, Murray said.
"The government screams loudly about things that from my perspective are not attributable and lack depth," Murray said. "We've already got so much information that we don't know what to do with it all so I don't think it's a lack of intelligence we've got right now, the problem is that managing all of this security stuff is really hard."
Other experts agree with Murray, pointing out that defending intellectual property and sensitive systems isn't difficult due to a lack of threat intelligence -- the difficulty lies in complex, interconnected systems and many basic security issues. Critical systems are plagued with gratuitous connections, poor authentication and weak and default passwords, not a lack of intelligence, they say.
BITS, the technology policy division of The Financial Services Roundtable, a trade group for financial institutions, issued a statement calling the executive order a step forward. The organization said it supports legislation that increases sharing of threat data and analysis between private- and public-sector organizations.
"The passage of cybersecurity legislation clarifying the legal authority to share threat information is essential. We look forward to working with Congress to achieve this goal," said Paul Smocer, president of BITS.
Tom Cross, research director at network security firm Lancope, said critical infrastructure protection is an imperative as attacks such as Stuxnet demonstrate how plant equipment can be disrupted.
"There are a variety of interconnection points that find their way into these networks as they grow, to provide access to data and keep software updated, and malicious software can cross these interconnection points," Cross said. "The U.S. government has access to information about attack activity and best practices that operators need to adequately protect themselves. However, the devil is in the details."
PUBLISHED FEB. 13, 2013