October 21, 2012
Draft Order: Vital Industry Companies To Receive Cyberthreat Info
April Flowers for redOrbit.com — Your Universe Online
We hear about hackers and cyber attacks on companies almost daily, it seems. Everyone from Sony to the CIA has been attacked by hackers, most of whom seem to be teenagers or young adults. But what if the attacks weren't by teenagers or disgruntled employees aimed at corporate America? What if, instead, they were terrorist attacks aimed at destroying the computer-dependent infrastructure of our country?
In popular culture, this type of attack is called a "fire sale," and was immortalized in Bruce Willis' Live Free or Die Hard movie. According to documents obtained by The Associated Press this week, a new White House executive order is addressing the possibility of a fire sale attack.
The directive requires U.S. spy agencies to share the latest intelligence about cyberthreats with the companies that operate electric grids, water plants, railroads and other vital industries to protect them from electronic attacks.
The Obama administration has expressed growing concern that Iran could be the first country to employ cyberterrorism against the United States. Defense Secretary Leon Panetta says the military is ready to retaliate if the U.S. is hit by cyberweapons. The military might be ready, but the country is poorly prepared to prevent such a comprehensive attack, which could damage or destroy critical services that are part of everyday life.
So far, the White House has declined to confirm when the president will sign the order.
A presidential executive order is a directive that has the full force of law and has been used by presidents since 1789.
The Department of Homeland Security will be in charge of organizing the information-sharing network to rapidly distribute sanitized summaries of top-secret intelligence reports. These reports, known as tear lines, will be about known cyberthreats that identify a specific target. The owners and operators of essential businesses will be able to block potential attackers with these tear line reports.
This organized approach for sharing information is widely viewed as essential for any plan to protect U.S. computer assets from terrorist groups, foreign nations and domestic hackers. Information sharing networks already in place are focused on very specific industries, such as the finance sector, and so far haven't been terribly successful.
Even with this perceived need, the executive order has generated stiff opposition from Republicans who view it as a unilateral move, bypassing Congress' legislative authority. The GOP argues this would impose undue mandates on businesses. This is not the first presidential executive order to be thought of as overstepping authority.
According to administration officials, Congress failed this past summer to pass cybersecurity legislation, leaving critical infrastructure companies vulnerable to a serious and growing threat and making this executive order necessary. Other information-sharing provisions have been included in conflicting bills that have moved through both the House and Senate, but efforts to get a final measure through both houses collapsed over concerns that the Senate bill would expand the federal government's regulatory power. There were also concerns that it would unduly increase costs for businesses.
While legally binding, the White House acknowledges that an executive order is not going to be enough and legislation is needed to create the necessary changes to improve the country's digital defenses and provide protection from liability for companies affected by such an attack.
This is not the first draft of the executive order. The information-sharing provisions are the most significant change to the undated draft. The new iteration retains a section requiring Homeland Security to identify vital systems that would "reasonably result in a debilitating impact" in the case of a cyber attack. Other provisions direct federal agencies to determine whether existing cyber security regulations are adequate and establish a program to encourage companies to adopt voluntary security standards.
The Pentagon, the National Security Agency (NSA), the director of national intelligence and the Justice Department will work directly with Homeland Security to quickly establish the information-sharing mechanism. Selected employees at each of the critical infrastructure companies will receive security clearances that will allow them to receive the information. Any privacy or civil liberties risks engendered by the order will have to be assessed by federal agencies.
Though there will be no requirement to do so, the order asks businesses to reciprocate with information about cyber attacks or cyber threats.
Even without the order, the NSA has already been sharing cyber threat information on a limited basis with companies that have contracts with the Defense Department because these companies work with sensitive data about weapon systems and technologies. As a result of this, they are frequently the targets of cyberspying.
The loss of information is secondary to the fear of infrastructure attacks by an enemy with the proper know-how and the havoc that would result. Such fire sale scenarios could include high-speed trains being put on collision courses, blackouts that last days or perhaps even weeks, or chemical plants that inadvertently release deadly gases.
Panetta illustrated the possible dangers by pointing to the Shamoon virus, which destroyed thousands of computer systems owned by Persian Gulf oil and gas companies. Shamoon was extremely effective, spreading quickly through networked computers and wiping out files by overwriting them, and then replacing them with the image of a burning U.S. flag. The attack rendered more than 30,000 computers useless. The U.S. believes Iranian hackers were behind these attacks.
NSA spokeswoman Caitlin Hayden said the administration is consulting with Congress and private sector officials as the order is being drafted.
"Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly," she said.