From CISPA to Obama’s executive order on national cybersecurity

During the last days worldwide internet community expressed great concern on the possibility of a reintroduction of The Cyber Intelligence Sharing and Protection act (CISPA)  before the US House by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.). The controversial cyber bill raised an heated debate, supporters believe it is an act to ensure the security of the national infrastructures meanwhile opponents sustain that it represents a threat to citizens’ privacy because the act will force any company to give away all the user’s data it collects if asked by the government. The decision to repeat the bill has been conditioned by recent events of cyber espionage campaign against US media agencies such as The New York Times and The Wall Street Journal and by the cyber attacks against many US organizations and agencies such as the Federal Reserve, U.S. banking and Department of Energy. Rogers argued vigorously the necessity to take action to mitigate continuous cyber offensives against  US networks to avoid serious damages for the nation.

 “This is clearly not a theoretical threat – the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear,” “American businesses are under siege,”  “We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats.  It is time to stop admiring this problem and deal with it immediately,”  “We’re talking about exchanging packets of information, zeroes and ones, if you will, one hundred millions times a second. So some notion that this is a horrible invasion of content reading is wrong. It is not even close to that.”,  Rogers said.

The bill has been prepared to respond to needs of intelligence agencies and law enforcement to collect information on cyber attacks and data breaches to allow investigation on cyber threats and to ensure the security of networks. The bill would also allow the government to provide classified data on cyber threats to private firms, and protect them from legal action in the course of sharing private information, this is possible through voluntary sharing of Internet traffic between private companies and the authorities. The bill was supported by corporates such as Intel, Oracle, Symantec, AT&T, Facebook, IBM, Verizon, and many others, CISPA would expire after five years, and requires congressional action to be renewed. The principal concerns are related to the operations conducted by foreign governments and state sponsored hackers that pack a powerful offensive against national networks, in particular US official fear the aggressive behavior of hostile countries such as Iran and North Korea and competitors such as Russia and China. The order has arrived after cybersecurity legislation failed to pass through Congress because it was judged no suitable to protect the nation’s critical infrastructure and guarantee at same time the privacy of consumer information that could be shared by companies. Many organizations of private citizens are on the warpath, the Fight for the Future, a non-profit group “working to extend the Internet’s power for good,” has published an online petition to express opposition to the bill. US Government is trying to sensitize population on the cyber warfare and risks related to a cyber attacks, the fear on an imminent cyber attacks against critical infrastructures is high, national cyber units and security experts have detected an intense probing of national networks by foreign states and according many specialists is just the tip of the iceberg. Janet Napolitano, head of Homeland Security in January warned that a “cyber 9/11”, which could cripple critical infrastructures such as telecommunication, water, electricity and gas, may be “imminent”. She argued before Congress to pass cyber bill:

“We shouldn’t wait until there is a 9/11 in the cyber world. There are things we can and should be doing right now that, if not prevent, would mitigate the extent of damage,” 

United States Secretary of Defense Leon Panetta has the same opinion and exposed his perplexities in various public interventions.

“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,”  “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.” Panetta declared.

Of course Panetta is in favor of CISPA, he added:  urged that the bill should be passed “to safeguard our national security.” But all the world was waiting for Obama’s decision, he is one of the heads of state that pay more attention to the issue of cyber security, all the worldwide IT community was waiting for a President’s executive order on the matter as announced by Bloomberg’s journalists, and the order was signed. The order has the primary goal to improve the network security of “critical infrastructure” of US, it assigns to the National Institute of Standards and Technology the responsibility of developing a framework of best practices for operators in critical sectors of the country  (e.g. industry, transportation, water and health) in the next 240 days. The Policy places at the base of the reform process the following three strategic principles:

• Enhance the level of security of national critical infrastructure and their resilience to cyber attacks through clear assumption of the roles and responsibilities of each governmental entity.
• Encourage and support an effective and efficient exchange of information on cyber threats, the information flow must involve both government and private actors.
• Developing a framework for analysis of data related to cyber threats and occurred incidents for any critical sector of the country, particular attention have to be reserved to emerging risks.

Also Department of Homeland Security is involved in the process driving voluntary program works with various agencies for the divulgation and adoption of best practices to ensure security of infrastructures. The very nature of an executive order is a demonstration of the urgency to protect the national critical infrastructures and to implement the envisaged retrenchment against the constant attacks that daily affect the US networks. The plan is certainly ambitious and difficult to implement within the time set by the government, but it is a tangible demonstration of its commitment, the strategy needs the active support of intelligence agencies and the effort of every citizen.

Pierluigi Paganini