President Barack Obama’s directive last night requiring federal agencies and critical infrastructure owners to collaborate in reducing cyber risks is a good start but has some weak spots, according to security experts.
Obama’s cyber security order was announced Tuesday night during his State of the Union address. The order requires federal government agencies to share cyber threat and vulnerability information with each other and with private companies. It calls for the creation of two national critical infrastructure centres, to be operated by the Department of Homeland Security, one focused on physical infrastructure and the other on cyber infrastructure security.
The centres will be responsible for collecting, analyzing and disseminating threat information. They will recommend prevention and mitigation measures for critical infrastructure before and during a cyberattack, and will assist in incident response and restoration efforts.
Some contents of Obama’s executive order are similar to those of the 2012 Cyber Security Act backed by the White House, which is still stuck in the Senate over objections from Republican lawmakers who see it as giving too much enforcement power to the DHS.
“We know how hackers steal people’s identities and infiltrate private emails,” Obama said in his speech. “Now our enemies are also seeking the ability to attack our power grid, our air traffic control system. We cannot look back years from now and ask why we did nothing to face real threats to our security and our economy.”
The effectiveness of the DHS centres will depend on the quality of the threat information the government is able to share with private companies, said Lawrence Pingree, an analyst at Gartner, in an interview with Computerworld.com.
The final version of the order was weaker than the draft version, according to Alan Paller, research director of the SANS Institute. He said draft versions of the order required businesses to develop voluntary cyber security practices and assigned regulatory agencies to enforce them. The final version, Paller said, did not contain this provision.
The Financial Services Roundtable, which represents 100 of the largest financial companies in the U.S., also said the order is not enough on its own: legislation and bipartisan Congressional action are still needed “to effect additional fundamental improvement.”