The President’s Executive Order on Information Sharing… An Unnecessary Act

As I read the President’s Executive order last week, I was amazed at how government officials can spend so much time preparing the public for a grand political statement that will benefit all Americans and then, when so much is expected, so little is gained.

As the CEO of a cyber security company, I was, on one hand, excited to see the government paying attention to the industry during the SOTU address, but on the other hand was left dismayed at the proposition put forth as everything mentioned was pretty much already in existence. Then, with the Cyber Security Summit taking place, I was hoping once again that some steps would be taken to demonstrate that the government would take the first steps in the path on developing a public/private relationship.

And once again, I was let down. Instead of a path ahead, or at least a vision, we got another executive order. Like all executive orders, this one does little to provide a unique path, mandate or a structure to achieve the end state, which is the voluntary cooperation and sharing of cyber threat data. This unilateral move, at a time when Congress is willing to address this issue and has several variations of cyber legislation ready to pass, only confuses the cyber security industry and accomplishes little. This executive order, like so many other pieces of proposed legislation, provides an honorable intent, but the execution deserves a lot more.

Let's look at the Executive Order piece by piece:

Section 1: The introduction of this order outlines the president’s vision: to get companies to share data. However, beyond that there is no meat. In order to get companies to cooperate they must see that there is a vision and that vision is completely thought out in terms of organizational responsibility, command and control, and concerns that companies have regarding liability and disclosure.

Section 2: The major concept outlined here is that the Secretary of Homeland Security creates Information Sharing and Analysis Organizations. This is a great concept, except for one thing: they already exist. As I stated in another blog, there are at least 15 Information Sharing and Analysis Centers (ISACs) that are organized along business sector lines (Financial, Maritime, Health Care, etc.) and have an industry mandate to share information within the sector and keep industries aware of new threat information (http://www.isaccouncil.org). If these entities exist, why doesn't the executive order simply direct DHS to utilize this system instead of replicating it? At least with the ISACs, the current issue of trust is taken care of, as they are a non-profit, industry-supported system.

Section 3: There is a very vague discussion of the establishment of a competitive process to establish an ISAO Standards Organization, whose mission is to develop the business processes, contracts and all standards for an ISAO to be an approved entity to share information. If this effort is to attract the voluntary cooperation of US companies to share cyber threat data, then the complexity outlined here is unnecessary. These are supposed to be volunteer, non-profit organizations. If that is so, only minimal standards are necessary if the true intent is cooperation and trust.

Section 4: This section concerns the assignment of the mandate for the National Cybersecurity and Communications Integration Center (NCCIC), a subcomponent of DHS, to organize and work with the ISAOs. Currently the existing ISAC network already works with the NCCIC, so that structure is in place and not worthy of an executive order.

Section 5: Privacy and Civil Liberties Protection: In what should have been the most in-depth portion of this order, we find... nothing. Vague words promising that only organizations engaged under this order (which means that other agencies with a cyber-security mandate are not affected) must do their best to identify how their organization's work under this order would affect privacy and civil liberties, and to ensure that "appropriate protections" are applied. Without a definition of "appropriate protections," nor any assurance that these protections would apply to other agencies that would have access to the information that would need to be shared, this section only refers to the most critical issue outlined by business and does nothing to define what needs to take place.

Section 6: This section seems to refer to the modification of the National Industrial Security Program, or NISPOM. This program is managed by the Department of Energy and is basically the bible for companies to follow to maintain compliance with Government security programs and to retain the ability to access classified data. It seems that there is a lot of word-smithing here that could be misconstrued as attempts to get companies under the thumb of the intelligence community, but at its heart, it's an attempt to get the system to be more receptive to companies that don't have classified requirements obtaining that access. However, again, if DHS would work with the ISACs and just qualify them to obtain access, then we wouldn't have thousands of companies spending time and resources (at taxpayer expense) to get access to government information.

In the end, the administration has gone on its own path to do absolutely nothing. Instead of co-opting Congress, which is ready to move on to legislation (which I oppose), or creating a system that fosters trust through anonymity and non-attribution between the private and public sector, the President has independently proposed a system that replicates one that is already in place and, in the end, provides absolutely no forward progress in addressing this critical issue.
