President Obama has spent much of the past two months focused on citizen security through gun control. Today, he is expected to focus on the security of the nation's critical infrastructure (CI) through a long-anticipated executive order promoting better information sharing on cyberthreats between government and private industry.
But a number of security experts said that while the order will carry some symbolic significance, it will do little to improve protection of the nation's infrastructure from cyber intrusions. That would require legislation, the experts said, noting that several attempts to pass cybersecurity legislation failed last year.
Stewart Baker, former general counsel at the National Security Agency (NSA) and a past assistant secretary for policy at the Department of Homeland Security (DHS), told Reuters that the order amounted to "a down payment on legislation," but added, "whether it will provide practical protection from cyber attacks is still in doubt."
Baker told CSO Online that the order doesn't seek to improve sharing from industry to government, but moves in the other direction -- from government to industry -- by making it easier for those in critical infrastructure industries to get security clearances.
"[It's] a modest step, because there are plenty of clearances for private industry today, so the [executive order] won't have any real effect on information sharing in either direction," he said.
Mark Jaycox, an attorney with the Electronic Frontier Foundation (EFF), agrees that the tools and laws already exist for such information sharing, but he said he still thinks the order will improve things because it will "further strengthen the fact that companies can already share information with the government and vice versa."
But Jacob Olcott, principal at Good Harbor Consulting and past counsel and lead negotiator on comprehensive cybersecurity legislation to Sen. Jay Rockefeller (D-WVa.), said the problem is not a lack of information sharing, but "cyber hygiene."
He cited a Verizon study finding that 97% of breaches could be avoided through simple or intermediate controls. "Classified threat information is not useful for a company that isn't regularly patching its systems," he said.
Numerous reports during the past week have said the president would issue the order on Wednesday morning at a briefing at the U.S. Department of Commerce.
Based on various leaked versions of the order, it is expected to put the Department of Homeland Security (DHS) in charge of organizing an information-sharing network in which government would distribute classified, sanitized summaries of intelligence reports about possible cyberthreats aimed at specific targets.
Reuters reported that besides making it easier for those in the private sector to get classified information, the order will "make companies work with the National Institute of Standards and Technology to come up with sector-specific standards for cybersecurity and then will require companies to engage with their regulators to decide how those standards are implemented."