In his State of the Union address, President Barack Obama explained why he was issuing an executive order to protect critical U.S. networks from cyberthreats: “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
What he meant, but was perhaps too polite to say, was that in light of the ineptitude and cowardice Congress has shown on this matter, year after year, an executive order is probably the best we can hope for right now. As recent cyberattacks on the Federal Reserve, the Department of Energy, half a dozen major banks and a slew of media companies make clear, however, it won’t be adequate for very long.
Good news first. Although imperfect, Obama’s executive order takes some small steps toward better security. It instructs federal agencies to share more unclassified cybersecurity information with private companies, expands a program for sharing classified threat data, and includes some privacy measures -- such as applying Fair Information Practice Principles -- that have put civil-liberties groups at ease. It also orders the Department of Homeland Security to expedite security clearances for employees at companies that are part of critical infrastructure, such as the power grid, transportation networks and the financial system.
Finally, the order instructs the National Institute of Standards and Technology to create a cybersecurity framework for addressing risks, which companies could voluntarily comply with.
That last measure sounds weak, but it could turn out to be very important, for two reasons.
First, voluntary standards may do some good on their own: Companies that don’t comply could open themselves to civil lawsuits if their defenses are breached, and those that do comply might have some liability protection under tort law.
Second, the framework that the institute develops could become a model for the flexible mandatory standards that we really need, and that Congress must put in place.
Without the force of law, companies in critical areas will simply never spend enough money protecting themselves -- lawsuits or no. A Bloomberg Government study of 172 organizations found that they would collectively need to spend $46.6 billion, a 774 percent increase from current spending, to repel 95 percent of potential attacks. In the absence of federal standards, companies that increase their security spending sufficiently are at a competitive disadvantage. And every company that slacks off can put a lot of people at risk.
A smarter federal approach would be to mandate cybersecurity standards while allowing companies to decide how best to meet them. This would harness the power of the market by letting businesses compete to secure themselves at the lowest cost. Congress has had the chance to pass legislation along these lines before, and, unfortunately, repeatedly buckled to pressure from business groups.
With this in mind, the institute’s framework should remain “technology neutral,” meaning that companies could buy or build whatever security technology they want, so long as they can show that it repels attacks adequately. And it should focus on making the standards flexible. For instance, it could require that critical companies install security patches and updates on their equipment, and that they “whitelist” approved applications, but not mandate step-by-step procedures or specific hardware and software.
Such a framework could go a long way toward assuaging companies’ fears that a heavy-handed government agency that knows nothing about their business will one day force them to take measures that don’t make sense. Instead, they would be working with industry regulators to meet the security standards however they want, with the knowledge that their competitors must do the same.
The rest is up to Congress. In addition to imposing mandatory security standards, new legislation should clarify liability issues for companies that suffer security breaches, and provide more legal certainty to businesses that share threat information with the government. It should also build on the privacy safeguards the president outlined.
In the meantime, we’re left to hope the executive order can provide adequate defense for a while. From the White House to the Defense Department to private-sector experts around the world, the people who know the most about cybersecurity have in recent years issued ever more lurid warnings about the threats we face. New evidence of alarming intrusions into our digital grid surfaces every day. And the intruders are only growing more sophisticated. Someday soon, when a truly destructive attack occurs, none of us will be able to say we weren’t warned.
To contact the Bloomberg View editorial board: firstname.lastname@example.org.