The morning before his State of the Union Address, President Obama signed the executive order Improving Critical Infrastructure Cybersecurity.
Good news — the U.S. Government is getting some needed leadership on the subject. Fearfully intoning “digital Pearl Harbor” over and over may be politically useful for congressmen, but accomplishes nothing. This order, on the other hand, has a chance of doing good.
That is, if it is handled correctly. I see some ways that this could go wrong.
I’m happy to see that it specifies that its goals should be met while promoting privacy and civil liberties. The American Civil Liberties Union and the Electronic Frontier Foundation agree. The protection of privacy and civil liberties isn’t specified until Section 5, after the lengthier Section 4 and its discussion of classification and clearances, but at least it’s mentioned. As the ACLU and EFF point out, the privacy and civil liberty goals are a big improvement on CISPA and other flawed attempts at legislation.
Here’s what I would worry about: this Executive Order calls for the “timely production of unclassified reports of cyber threats” while addressing “the need to protect intelligence and law enforcement sources, methods, operations, and investigations.” This seems to invite the further classification of data, which costs a lot of money, time, and effectiveness.
Then it goes on to say that the Secretary of Homeland Security “shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators.” As reported by FAS and described in Wired, in October 2011 the number of people holding security clearances in the U.S. topped 4.8 million, a little over 1.5% of a population of not quite 314 million (and that’s including children, prisoners, and everyone else).
So the plan is to investigate and issue more clearances, so that the same department that brought us the TSA and their Freedom Gropes can inform the Internet backbone operators about things happening on Internet backbones?
I also hope that DHS allows some pros to explain Internet technology to them. DHS compiled a National Asset Database in 2006, listing critical national sites at risk of terrorist attack. They came up with 8,591 supposedly critical assets in the state of Indiana, more than any other state, including the Amish Popcorn Factory with its five employees and gravel-road-only access. Plus Old McDonald’s Petting Zoo in Alabama, the Kangaroo Conservation Center in Georgia, 1,305 casinos, and a number of Wal-Marts and sporting goods stores. Ask NBC, the Baltimore Sun, and the Congressional Research Service if you think I’m making this up.
A Presidential Executive Order concentrates on themes and very high-level goals. This one prints onto just over five pages. We need to make sure that the details, and there will be a lot of them, fill in the needed pieces. Openness is going to be a critical component.
Our infrastructure is “out there”; it has to be. Your smartphones communicate over VoIP using the same Internet as everything else. When we put some of our data in the cloud, we must maintain access and keep that data safe. Learning Tree’s Cloud Security Essentials course shows what we can do, and where we have to trust the cloud operators, in order to make all this happen as safely as possible.