Obama Executive Order Does Not End Calls for Cybersecurity Legislation

U.S. President Barack Obama’s decision to sign an executive order on cybersecurity has not quelled the debate regarding the necessity of legislation.

“For the most part the executive order is looking to implement frameworks that better enable voluntary cooperation across the public and private sector, especially as it relates to critical infrastructure, however it doesn’t really address…how to deal with organizations that willingly neglect basic security procedures,” said Amrit Williams, CTO of Lancope. “I am not convinced that legislation is the best approach to ensure a base level of security and instead think that the focus should be on enabling better cooperation, information sharing, and incentives for organizations that meet certain requirements.”

Executive Order on Cybersecurity

The executive order calls for expanding the voluntary Enhanced Cybersecurity Services program and for expediting security clearances for personnel at critical infrastructure companies. It also directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity best practices and standards for critical infrastructure providers.

But what is missing from the order, and what could be in legislation, is specifics.

“Future cyber security legislation needs to set a clear standard for information sharing between the private and public sector to ensure there is meaningful dialogue about cyber threats,” said Entrust President and CEO Bill Conner. “Legislation needs to clearly articulate not only when information should be shared, but also what information should be shared. I think federal agencies may be less hesitant to share information with enterprise if legislation provides them with a clear directive on how to communicate critical cyber security information.”

There are many items that remain to be resolved by the government agencies through cooperation with the private sector, said Joram Borenstein, senior director of product marketing at NICE Actimize. These include a risk-based identification of critical infrastructure and the adoption of the best practices from NIST.

“Much of the legislation needed is to enable the statutory framework to best execute against the Executive Order – allowing government departments as well as private industry to collaborate as well as grant powers to certain regulatory bodies to draft appropriate regulation,” said Ben Knieff, also of NICE Actimize. “So much is about the ability to fulfill the order and respond to the recommendations/standards as it is to go beyond it.”

Legislation often tends to be too far behind the actual threats, said Knieff, who is director of fraud product marketing.

“This is why a risk-based approach that requires organizations to effectively evaluate threats and appropriately respond tends to work well,” he said. “Using a risk-based approach allows the legal framework to stay in place while the expectation is to stay abreast of the risk and respond accordingly.”

The debate about legislation is far from academic. The signing of the executive order came after multiple attempts to pass legislation failed in 2012, with opposition coming from a variety of corners, from privacy rights advocates to the business community.

“Legislation is the wrong approach, unless we are focusing on malicious intent or gross negligence on the part of an organization,” Williams told SecurityWeek. “Not only due to the changing nature of the threat, but also because the focus of compliance initiatives…has been looking at an organization’s ability to implement security controls on top of commercial technologies. One problem with this approach is that the majority of technologies companies implement are inherently insecure, not only the myriad vulnerabilities in enterprise software but also protocols that enable the Internet itself. The issue with legislation is it penalizes the consumer of technology as opposed to the folks that develop technology.”

A more effective approach for the government to take may be to offer incentives, some experts have said. In the executive order, the secretary of Homeland Security is tasked with working with other agencies to establish a voluntary program to implement the NIST framework. In order to speed adoption, officials are directed to come up with incentives to encourage companies to get involved in the program.

Just how effective incentives are, however, depends on the industry, said Knieff.

“Financial institutions, for example, have a hard dollar cost associated with cybercrimes and cybersecurity lapses in fraud and lost business – and are constantly under attack. Other entities may not have as direct a cost – or may be attacked much less frequently, so less incentive to harden security. Fines and penalties are one of the tools immediately at the disposal of legislators/regulators – particularly when they cannot change other incentives easily.”

Most organizations want to do the right thing and are making great efforts to ensure they protect their intellectual property, their customer private data and their own infrastructures, Williams said.

“We need to start creating incentives for organizations to do more, just as we have done with the rebates on the adoption of more energy efficient technologies or tax incentives for organizations that participate in supporting non-profits,” he said.
