President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States. You can read the order here... In theory, it’s what we need. In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a “We really do care” position?
The order includes a directive for information sharing but leaves it to the various departments to decide whom to notify, what to declassify, etc. Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets. Nothing in the order specifies the process or technology needed to give timely notifications. Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.
The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out the recommendations that NIST is requested to formulate. Incentives? Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time. If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess. It wasn’t yesterday that security became an issue for anyone with a computer. There is no excuse for our current situation except heavy lobbying and political career survival practices.
I do hope there is progress on the president’s plan, but I’m not hopeful. My faith in business and government doing the right thing left the station long ago.