by Paul Rubell, Esq.
Witness today’s risks of cyber crime. Hackers, bad actors and foreign governments have long had the ability to assault our Nation. Current events have opened citizens’ eyes to the reality of the cyber threat. It is remarkable how the public has either forgotten or turned a blind eye to well-known security breaches such as those at Target and Yahoo. It has taken a national election for the public to recognize that the specter of data breaches is not theoretical and that its ramifications extend far beyond credit card data.
In February 2016, President Obama signed an Executive Order that established a nonpartisan Presidential Commission on Enhancing National Security. Four countervailing premises spurred the Executive Order. First, the advent of advanced and interconnected technologies benefit the country and its economy. Second, these benefits pose significant security challenges and threats. Third, individual privacy rights need to be protected. Fourth, despite the risks, we need to encourage breakthroughs in new technologies to solve many of the problems that the world faces. The executive order stated that its foundation was laid:
“in order to enhance cybersecurity awareness and protections at all levels of Government, business, and society, to protect privacy, to ensure public safety and economic and national security, and to empower Americans to take better control of their digital security…”
With those grand goals in mind, the Commission issued its report in December 2016, after the election and prior to Inauguration Day. Its “Report on Securing and Growing the Digital Economy” addressed ten sweeping topics: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, and state and local government cybersecurity, insurance, and international issues. The Commission recommended to the incoming President that the White House needs to be the locus for government and private-sector security initiatives.
Shortly after the President took office in January 2017, he stated that:
“I will hold my Cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organizations which we probably don’t have as much, certainly not as much as we need”
With that in mind, an Executive Order entitled “Strengthening U.S. Cyber Security and Capabilities” was drafted but never signed. A few weeks later, in February 2017, a revised Executive Order was proposed, called “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure“. As before, this proposed order has neither been signed nor released publicly. Unlike prior efforts to combat cyber risk, this latest draft order focuses on the federal government’s internal cyberspace efforts to deter malicious attacks and protection the country from them. The draft Order was designed to call upon all federal agencies to modernize their internal IT (information technology) systems and coordinate and cooperate with each other. In addition, the head of each agency was to be responsible for his/her agency’s cybersecurity initiatives. The buck is not to be passed down the ladder to the agency’s CIO. I have stated for many years that the corner office in private industry as well as the public sector is the place where cyber responsibility must reside. The CEO is the only person who should direct his/her company’s Twitter feed, oversee its Facebook page or ensure the security of personal customer data. The new President appears to share that view by placing the onus of cyber responsibility on agency chiefs, not subordinates.
However this latest draft Executive Orde
r was met with criticism from industries that are considered central to national infrastructure, including telecommunications, banks, energy, water and public transportation. These industries would have been subjected to additional government requirements beyond those imposed upon other private sector businesses. As a result of this push back, the President has withheld signing the Executive Order.
With this backdrop in place, a noted Cyber Policy Task Force issued its own recommendations to the new Administration. Its report “From Awareness to Action: A Cybersecurity Agenda for the 45th President” states that many of America’s current cyber policies are antiquated. The recommendations call for the development of an international cybersecurity strategy, increasing transparency so that the public becomes aware of data breaches, evaluates the pros and cons of encryption, and addresses IoT (Internet of Things) risks to global cyberstability.
At the V4 Cybersecurity Conference held at Google Headquarters in Washington, DC on March 7, 2017, Rudolph Giuliani recommended that companies should subject themselves to attacks on their IT infrastructure by “red teams” of outside firms that specialize in penetrating security vulnerabilities. So-called “white knight” hacking can be a good way for companies to test and strengthen their internal cyber defenses.
The Internet has become part of our nation’s infrastructure, just like roads, bridges and the power grid. We await the President’s cybersecurity Executive Order with eagerness because it has never been more important to ensure the safety of our country’s infrastructure.