President Obama’s “Executive Order – Improving Critical Infrastructure Cybersecurity” … available at http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity was a long time coming and, as my colleague Jason Healey pointed out in a column “Presidential Cyber Direction Looks Quite Familiar” posted on the Atlantic Council website at www.acus.org/print/74321, the Executive Order is somewhat limited and very reminiscent of prior White House documents spanning some 15 years.
I was also struck by the similarity of the Executive Order to Presidential Decision Directive (PDD) 63, issued in May 1998. This PDD called for the United States to have “the ability to protect the nation’s critical infrastructure from intentional acts that would significantly diminish the abilities of the Federal Government to perform essential national security missions …” There was an immediate response to the PDD, and I was involved in the one by the Banking and Financial Sector. While the PDD required action in four areas, namely information sharing, outreach, research and vulnerability analysis, the only area that really showed results was information sharing. That effort resulted in the formation of the FS-ISAC (Financial Services Information Sharing and Analysis Center), which was launched in October 1999 by then Treasury Secretary Larry Summers. I was on the team, led by Stash Jarocki, which made the FS-ISAC happen and become the model for other ISACs. The FS-ISAC has grown in strength and membership and remains the primary example of information sharing between government and the private sector.
The technology behind the FS-ISAC allows for authenticated sharing of anonymized private-sector cybersecurity information, as well as the distribution of information provided by the government to members of the financial services industry. Two-way sharing of information without compromising the sources has been shown to be feasible. It is therefore disappointing that the latest Executive Order does not encourage such two-way sharing, but only requires the government to come up with ways to distribute information to which it has access.
Since an estimated 80 percent or so of the national critical infrastructure is reportedly in private hands, it follows that private-sector organizations are likely to see the majority of threats, exploits, vulnerabilities and incidents related to cybersecurity. It makes no sense for this information not to be shared among companies and with the government, as long as the sources of that information are protected by anonymity where necessary. As mentioned above, the technology to achieve this was developed some 15 years ago. Until and unless we can overcome the resistance to, and concerns about, such collaboration, limited proposals to share information will not be sufficient to defend the nation’s critical infrastructure from intentional or accidental acts of cyber compromise. Cybersecurity differs from many other types of threat to the national wellbeing in that there are ways of sharing information, and of collaborating on responses to threats and exploits, that threaten neither individual privacy nor corporate intellectual property and reputation.
This is a call to action to establish meaningful information sharing across the board, so that we might address the problem in a much more effective way.