Other attempts to pass cyber-related legislation have not gone well, however. Bills aimed at improving information sharing and establishing standards for cybersecurity at private-sector-owned critical infrastructure have stalled in Congress.
The White House continues to take interim steps that don’t require legislation. In fact, not long after McConnell spoke, the President issued an Executive Order on Improving Critical Infrastructure Cybersecurity, which called for government agencies to work with critical infrastructure owners and operators to establish a cybersecurity framework and to improve information sharing. Among other measures, the executive order directed DHS to expand its Enhanced Cybersecurity Services (ECS) program, a program established in 2012 to enhance the cybersecurity of critical infrastructure entities that voluntarily chose to participate. Under the program, DHS partnered with DoD to share cyberthreat indicators with critical infrastructure companies through Commercial Service Providers (CSPs) serving those companies.
Through ECS, DHS will be able to share information about new attack signatures and other means of detecting and mitigating cyberthreats with CSPs. However, a Government Accountability Office report on cybersecurity, issued the same month as the executive order, notes that “According to DHS, a secure environment for sharing cybersecurity information, at all classification levels, is not expected to be fully operational until fiscal year 2018.”
While the executive order also calls for the development of technology-neutral cybersecurity standards within one year, compliance would be voluntary, perhaps limiting the ultimate impact of any standards. The order does call for possible incentives to induce compliance.
The White House also announced a stepped-up effort to protect trade secrets of U.S. companies through stronger diplomatic efforts, stronger enforcement actions to catch those who steal trade secrets, greater efforts to encourage businesses to strengthen protections against theft, and outreach to educate the public.
The White House push for better information sharing addresses some of Connelly’s concerns, but the executive branch can only do so much. “An Executive Order signed by the President... does not take the place of legislation for the needed changes across the cyber security landscape,” McConnell said. “Legislation must address issues such as sharing sensitive government information with the private sector for better protection; standards for raising our collective cyber security posture; and incentives—such as liability protection—for industry members who voluntarily meet higher standards. Legislation also is required to provide appropriate authorities and direction to executive departments of government for improved coordination and cooperation to protect the nation.”
And without legislation, the issue of bureaucratic turf wars may continue to get in the way of the country’s ability to effectively fight the next cyberwar.