Written by Rachel Ehrenfeld
American Center for Democracy
The Cybersecurity Framework, which was announced on February 12, 2014, by President Obama, has very little new to offer to the private sector. It’s only a guide to how everyone should be conceptualizing and communicating about cybersecurity concerns.
The report comes a year after the president first announced his Executive Order on “Improving Critical Infrastructure Cybersecurity” in his 2013 State of the Union address.
This framework is said to increase cooperation between the government and the private sector. However, it fails to assume overall responsibility for addressing the vulnerability of U.S. national security and the economy to cybercrime, cyber-manipulation of markets, denial-of-service attacks, and theft of intellectual property.
Meanwhile, the number of cyber attacks of all sorts has increased exponentially. One recent estimate of the world-wide cost of cyber attacks to commerce puts the number at $3 trillion annually. Given where the money is, it’s sensible to assume that the U.S. economy bears the biggest single chunk of this cost.
There is plenty of blame to go around and meeting the cyber challenge has been substantially aggravated by the revelations of Edward Snowden and the controversy over the National Security Agency. However, several stumbling blocks are more important than the rest.
The first is the inability of our politicians, generally speaking, to decide the extent to which the Federal government should protect private sector companies from lawsuits after a cyberattack. Congress is divided, largely along party lines, on how much legal immunity to give companies. The White House refrains from taking a clear stand.
Congress is still trying, however. On February 5, the House Homeland Security Committee unanimously passed the National Cybersecurity and Critical Infrastructure Protection Act of 2013. However, this bill only codifies and provides oversight of the cybersecurity mission of the Department of Homeland Security and does not add regulatory authority. Instead of unifying forces to address this threat, the Senate is reportedly working on its own Cyber Intelligence Sharing and Protection Act (CISPA).
The second stumbling block is the slowness with which the administration is approaching the problem and its ineptitude in managing its own cybersecurity affairs.
President Obama’s Executive Order 13636 of February 2013, Improving Critical Infrastructure Cybersecurity, compelled the National Institute of Standards and Technology to produce such a framework within a year. The framework appeared promptly on February 12, 2014, while the White House held a meeting with business leaders.
There is nothing in the framework, nor in anything else the administration has had to say, regarding how to secure government/private-sector coordination on protecting critical infrastructure. All the administration is doing is mounting a PR effort to encourage voluntary private-sector cooperation. However, Snowden’s NSA exposés have increased the private sector’s reluctance to voluntarily give the government access to its networks.
As far as the administration is concerned, we’re still at the conceptual stage of addressing our cyber problems. For several years now, cyber experts, most notably groups assembled by ACD (see here), have addressed the cyber problem in terms of prescriptions for countering attacks. The expert community has had much to say in this regard. But while Congress calls for action, it is stymied without White House cooperation.
Why is the president dragging his feet on this issue, despite public utterances to the contrary? While it’s true that he can’t substantially influence, let alone coerce, the private sector without acts of Congress, he could surely whip the Federal bureaucracy into shape.
This has not been done, as was shown in spades in a recent minority report of the Senate Homeland Security and Governmental Affairs Committee entitled “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure.” The report was made public by the ranking minority member of the committee, Senator Tom Coburn, on February 4.
The minority report is based on some 40 audits of Federal agencies, but it focuses on the continuing cyber vulnerability of six of them: DHS, the Nuclear Regulatory Commission, the IRS, the Department of Education, the Department of Energy, and the Securities and Exchange Commission. Nonetheless, the report does not fail to mention last February’s cyber attack on the national Emergency Broadcast System, which caused television stations in Michigan, Montana, and North Dakota to broadcast zombie attack warnings!
All of the agencies above had serious deficiencies in their own cybersecurity systems, including the cyber components of DHS, which are supposed to be in charge of looking out for the entire government. The simplest precautions and protocols, all well known by now, have been regularly ignored by DHS cyber troops. The NRC, which holds information on all nuclear facilities, including reactors, waste storage facilities, uranium processing facilities and, perhaps most ominously, the design and processes of nuclear material transport, was guilty of storing sensitive data on unsecured drives, failing to report security breaches, and being unable to keep track of its computers because of an inept corps of IT experts.
As for the Department of Energy, an audit of the Western Area Power Administration, which serves 15 central and western states, found that
“’Nearly all’ of the 105 computers tested had at least one out-of-date patch; a public-facing server was configured with a default name and password, which ‘could have allowed an attacker with an Internet connection to obtain unauthorized access to an internal database supporting the electricity scheduling system.’ What’s more, officials at the agency ‘did not always identify and correct known vulnerabilities.’ One reason the IG cited: although officials ran vulnerability checks on their IT systems, they ran ‘less intrusive’ scans so as not to slow overall system performance. But those lightweight scans sometimes missed significant weaknesses.”
As if the news from the NRC and the Western Area Power Administration were not grim enough, there are similar problems at the Securities and Exchange Commission. So much for the SEC’s touted team in its Trading and Markets Division, which monitors how markets build and manage key trading systems, the “team” that is supposed to safeguard our markets from hackers and market manipulators.
According to Coburn’s report: “a 2012 investigation into the team found conduct which did not reflect a concern for security. Team members transmitted sensitive non-public information about major financial institutions using their personal e-mail accounts. They used unencrypted laptops to store sensitive information, in violation of SEC policy and contravening their own advice to the stock exchanges. Their laptops also lacked antivirus software. The laptops contained ‘vulnerability assessments and maps and networking diagrams of how to hack into the exchanges.’ … They [team members] also appeared to have connected laptops containing sensitive information to unprotected wi-fi networks at public locations like hotels, in at least one reported case, at a convention of computer hackers.”
On July 11, 2012, after “glitches” in the stock exchange caused a suspension of trading, the SEC finally issued Rule 613, the Consolidated Audit Trail (CAT), an audit system that will apply mostly to secondary market transactions in the NASDAQ National Market. CAT will capture all orders, including those made for customers or for the trader’s own account. It will cover stocks listed on the exchange, but not over-the-counter options, currency trading, futures, bonds, etc. The Commission adopted Rule 613 more than two years later, in December 2013. However, the CAT audit will take place only the day after the trading occurred. Moreover, the system to facilitate such an audit has yet to be chosen, and it will take several more years before it can be implemented.
Coburn’s revelations strongly suggest that were the government to be given full charge of U.S. economic security, our bureaucracy could not handle it. It cannot manage its own cybersecurity after years of purportedly being earnestly concerned about it. One wonders what will force the government to take responsibility for protecting the nation’s cyber infrastructure from purposeful interference.