Simply Security - News, Views, and Opinions from Trend Micro

Posted on September 11th, 2012 in Government Policy by Simply Security | Be the first to comment | Tags: Government Policy

Experts are divided on whether an executive order could solve lingering cybersecurity issues.

Between phishing scams, social engineering and data breaches, there are plenty of digital threats for consumers and business professionals to worry about. However, another side effect of the increasingly connected world is that much of the infrastructure in the United States has been integrated with the web. When it comes to things like the power grid, malware transforms from a simple annoyance into a legitimate national security threat.

According to PCWorld columnist Charley Ripley, part of the cybersecurity problem stems from the fact that much of the nation's infrastructure is managed by supervisory control and data acquisition (SCADA) systems.

"The SCADA systems that drive and control much of the critical infrastructure are archaic, legacy systems that are simply not designed with security in mind," Ripley wrote. "SCADA systems used to be on separate, isolated networks that provided some inherent degree of security by obscurity. As these legacy systems are connected to and managed through the Internet, though, they are increasingly at risk."

Ripley pointed to several SCADA vulnerabilities that have already been identified and exploited by attackers, including the vulnerabilities that led to Stuxnet's disruption of an Iranian nuclear facility in 2011.
Although sophisticated threats like Stuxnet have emerged, putting cybersecurity in the consciousness of U.S. government and businesses alike, issuing truly effective legislation has been another barrier to protecting web-connected infrastructure.

"Legislation aimed at strengthening the nation’s critical infrastructure defense has stalled out. The Cybersecurity Act of 2012 is essentially dead in the water after stiff opposition from Republicans," Ripley added. "Opponents feel the bill gives too much power to the Department of Homeland Security and adds unnecessary government regulations that would get in the way of running businesses efficiently."

Internet security via executive order?

A recent CSO Online article pointed out that cybersecurity legislation failures have prompted some U.S. senators to call on President Obama to issue an executive order. The article highlighted comments from several industry experts, who said cybersecurity presents unique challenges that an executive order may struggle to address.

Jacob Olcott, a principal at Good Harbor Consulting and former Senate staffer told CSO Online that legislation often fails to address critical security issues because provisions have to be made to pacify Senators in both political parties. However, an executive order isn't necessarily an ideal answer either, because the president doesn't have the authority to create new requirements for unregulated industries.

Most experts agreed that some sort of legislation must pass to standardize the way critical infrastructure is managed and improve information sharing between the public and the private sectors. The debate revolves around how much power the government should have in enforcing those guidelines and how much help the government should offer organizations in upgrading their systems. For example, one point of contention is whether the government should simply provide incentives for organizations that meet a set of prescribed security goals or, alternatively, increase regulation to effectively force upgrades.

CSO also spoke with Joel Harding, a retired military intelligence officer and information operations expert, who said issuing an executive order may even create additional problems. Harding expressed concerns that an executive order would fail to please both parties and could create the perception that the president is abusing his power. However, he said it may at least set the stage for developing more meaningful legislation in the future.

Security News from SimplySecurity.com by Trend Micro