The President’s Executive Order acknowledges the need to secure our critical infrastructure. But cyber security is more than “information sharing” and “frameworks.”
President Obama explicitly mentioned cyber security. He said:
America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.
That’s why, earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks.
Acknowledging a problem is a critical step in doing something about it. The fact that cyber security has been elevated to State of the Union level is a good thing. Of course, the President has mentioned cyber security in speeches and presentations before, so this is not necessarily a new development. In fact, it’s time for all of the talking among policy makers and politicians to lead to some real action in Washington—action that focuses on building security in.
The executive order that President Obama signed takes small steps along a familiar path—securing critical infrastructure. Boiled down to its essence, the executive order does two things: 1) underscores the importance of information sharing between the government and industry, and 2) kicks off the development of a risk management framework aimed at critical infrastructure to be spearheaded by DHS and NIST. What the executive order does not do is properly position building security in.
Ultimately it is Congress that will have to address cyber security through legislation. However, if future legislation continues to focus on “information sharing” and “frameworks” I’m afraid it won’t really get us anywhere interesting. The commercial world knows that the best way to address cyber security risk is to get in front of the problem by building our systems with security in mind.
A specific example can help. Our power grid and its components were not designed to be secure. Process control systems that manage our power plants are susceptible to very basic attacks. They need to be improved from a security perspective, not by blocking them with a firewall or bogging them down with anti-virus software, but rather by redesigning them with security in mind. This will be a big and expensive undertaking. The Stuxnet story shows what can happen when simple design and implementation risks are swept under the rug. No amount of information sharing or risk management exercises will help solve this problem. Only explicit security engineering will help.
We would like to see the government focus some attention on software security, security engineering, and building security in. We would like to extend the BSIMM data set to include government agencies so that objective measurement can be used to drive initiatives and determine progress. We stand ready to help.