Feds roll out cyber plan, say threat is escalating

Feb 13, 2:39 PM EST — WASHINGTON (AP) — Warn­ing that Amer­i­can com­pa­nies are the tar­get of an inten­sive cyber-espionage cam­paign, Pres­i­dent Barack Obama’s top secu­rity offi­cials on Wednes­day said they are strug­gling to defend the nation from attacks on its pri­vate com­puter net­works and called on Con­gress to pass leg­is­la­tion that would close reg­u­la­tory gaps.

Obama signed an exec­u­tive order ear­lier this week that relies heav­ily on par­tic­i­pa­tion from U.S. indus­try in cre­at­ing new vol­un­tary stan­dards for pro­tect­ing infor­ma­tion. The order also expands the government’s effort to share threat data with companies.

But law­mak­ers and cyber experts say that Obama’s direc­tive is miss­ing what U.S. busi­nesses need most: legal pro­tec­tion so they don’t get sued if they acknowl­edge they’ve been hacked or share threat data with com­peti­tors. That can only come from Con­gress, which hasn’t been able to agree on how to pro­tect busi­nesses and con­sumers alike.

“The gov­ern­ment is often unaware of mali­cious activ­ity tar­get­ing our crit­i­cal infra­struc­ture,” said Gen. Keith Alexan­der, head of the National Secu­rity Agency and U.S. Cyber Command.

“These blind spots pre­vent us from being in a posi­tion of help­ing crit­i­cal infra­struc­ture defend itself and it pre­vents us from know­ing when we need to defend the nation,” Alexan­der told indus­try and gov­ern­ment offi­cials at the Com­merce Department.

In Obama’s speech Tues­day, he said America’s ene­mies are “seek­ing the abil­ity to sab­o­tage our power grid, our finan­cial insti­tu­tions and our air traf­fic con­trol sys­tems. We can­not look back years from now and won­der why we did noth­ing in the face of real threats to our secu­rity and our economy.”

He added, “Now, Con­gress must act as well by pass­ing leg­is­la­tion to give our gov­ern­ment a greater capac­ity to secure our net­works and deter attacks.”

Obama’s exec­u­tive order has been months in the mak­ing and is the prod­uct of often-difficult nego­ti­a­tions with pri­vate sec­tor com­pa­nies that oppose any increased gov­ern­ment regulation.

Largely sym­bolic, the plan leaves sev­eral prac­ti­cal ques­tions unan­swered: Should a busi­ness be required to tell the gov­ern­ment if it has been hacked and U.S. inter­ests are at stake? Can a per­son sue her bank or water treat­ment facil­ity if those com­pa­nies don’t take rea­son­able steps to pro­tect her? If a pri­vate company’s sys­tems are breached, should the gov­ern­ment swoop in to stop the attacks — and pick up the tab?

Under the president’s new order, the National Insti­tute of Stan­dards and Tech­nol­ogy has a year to final­ize a pack­age of vol­un­tary stan­dards and pro­ce­dures that will help com­pa­nies address their cyber­se­cu­rity risks. The pack­age must include flex­i­ble, performance-based and cost-effective steps that crit­i­cal infra­struc­ture com­pa­nies can take to iden­tify the risks to their net­works and sys­tems and ways they can man­age those risks.

The order also calls for agen­cies to review their exist­ing reg­u­la­tions to deter­mine whether the rules ade­quately address cyber­se­cu­rity risks.

Con­gress has been strug­gling for more than three years to reach a con­sen­sus on cyber­se­cu­rity leg­is­la­tion. Given that fail­ure and the esca­lat­ing risks to crit­i­cal sys­tems, Obama turned to the order as a stop­gap mea­sure with the hope that law­mak­ers will be able to pass a bill this year. Lead­ers of the House Intel­li­gence Com­mit­tee on Wednes­day plan to rein­tro­duce their bill that encour­ages the gov­ern­ment to share clas­si­fied threat infor­ma­tion, empow­ers com­pa­nies to also share data and pro­vides pri­vacy and lia­bil­ity protections.

The White House says it believes cyber­se­cu­rity leg­is­la­tion is nec­es­sary to address gaps in the exec­u­tive order. But last year, the Obama admin­is­tra­tion threat­ened to veto the House bill after pri­vacy advo­cates warned that pro­vi­sions in the bill could dras­ti­cally expand gov­ern­ment surveillance.

Liz Gasster, a vice pres­i­dent at the Busi­ness Round­table, which rep­re­sents CEOs at such cor­po­ra­tions as Tar­get and Coca-Cola, said com­pa­nies prob­a­bly aren’t going to alert fed­eral offi­cials after being hacked — then turn around and share that infor­ma­tion with their com­peti­tors — “until com­pa­nies are given suf­fi­cient lia­bil­ity and anti-trust protections.”

Gasster and other indus­try rep­re­sen­ta­tives say busi­ness lead­ers know the cyberthreat is real and it would be in their favor to work closely with the fed­eral gov­ern­ment to pre­vent the next big attack, or at least deal with it more effectively.

“To them, it gets to the core of their busi­ness — their prof­itabil­ity,” Gasster said of the CEOs she represents.

Posted by Randa Wagner on Feb 13 2013. You can follow any responses to this entry through the RSS Feed. Both comments and pings are currently closed.