Here We Go Again: Latest Draft Of White House Cybersecurity 'Executive Order' Is Leaked

from the why-do-we-need-this-again? dept

Back in September, we posted a leaked version of a draft for a cybersecurity executive order that the White House had been passing around, mainly to try to force Congress into passing a cybersecurity law. With the last ditch attempt by Senator Harry Reid to move that process forward failing, it took exactly a week for the White House to revise its draft exec order, and start passing it around on November 21st. And, today, that new draft leaked as well. You can see the full draft here or embedded below.

It's basically more of the same. It insists that there's a problem without providing any real evidence of that. Much of the order focuses on increasing information sharing among and between different government agencies. As expected, it's designed to encourage private companies, who are "owners and operators of critical infrastructure" to "participate, on a voluntary basis, in the Enhanced Cybersecurity initiative." This is part of what had people so concerned about the various bill proposals: whether or not companies would get broadly defined as "owners and operators of critical infrastructure" and then be forced or pressured into sharing private information, all in the name of "cybersecurity!"

And, of course, what is "voluntary" when it's the federal government, often means what is likely to put you in a very uncomfortable position if you don't participate. In fact, the executive order makes this somewhat explicit:
The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 90 days of the date of this order, the Secretary and the Secretaries of Treasury and Commerce each shall make recommendations separately to the President... on what incentives can be provided to owners and operators of critical infrastructure that participate in the Program, under existing law and authorities, and what incentives would require legislation, including analysis of the benefits and relative effectiveness of such incentives.
So, yeah, "voluntary" belongs in quotes.

As for what counts as "critical infrastructure," well it basically involves various government agencies coming up with a list and then the government telling companies: "hey, you're critical infrastructure."
The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided with relevant threat information.
There is one oddity snuck into that subsection (a):
The Secretary shall not identify any commercial information technology products under this section.
I'm not quite sure what that means within this context (so feel free to chime in and explain it if you do know...). Is it suggesting that this only applies to other forms of infrastructure? If so, that would ease the concerns of a number of tech companies, who were worried that they'd be listed as "critical infrastructure" under a broad reading of any rule.

The exec order does include a shout out to protecting civil liberties, though you wonder how much that will matter in practice:
Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities based upon the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles and frameworks.
They also say that any programs will be reviewed by the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties to ensure that the program isn't causing any problems in those areas. For what it's worth, apparently the administration has been also reaching out to a lot of people to get in on the executive order -- a process described as "highly unusual" for an executive order.

Either way, it's still frustrating that the order brushes over what the real problems are. It just handwaves that question away by insisting that we're under attack, without providing either (a) evidence or (b) notification on what laws are currently causing issues here. That's unfortunate.


Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Nov 30th, 2012 @ 1:42pm

    The Secretary shall not identify any commercial information technology products under this section.

    If I read that correctly, it basically means they can't specifically call out a product as being critical, but they can cite particular functionality.

    For example, they can say "Interactive real-time teleconferencing is a critical system", but they can't say "Cisco products must be protected"

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    out_of_the_blue, Nov 30th, 2012 @ 1:59pm

    Re: "hall not identify any commercial information technology products"

    My bet is that's (also) to avoid something on the lines of: "Microsoft products are unreliable crap not only subject to malware attacks but actually inviting. -- And don't ever mention the NSA backdoors into it!"

     

    reply to this | link to this | view in thread ]

  3.  
    identicon
    Anonymous Coward, Nov 30th, 2012 @ 2:05pm

    Problem

    The order does not identify the problem because it is government paranoia, so they must protect themselves from imagined as well as real threats.

     

    reply to this | link to this | view in thread ]

  4.  
    icon
    Robert (profile), Nov 30th, 2012 @ 2:07pm

    Re: Re: "hall not identify any commercial information technology products"

    Makes sense, you don't want to draw attention to products that are in use, as this could result in providing a terrorist with direction.
    Terrorist0: Aha, the NSA says 3 Mile Island is using WindowsXP SP1, we know the vulnerabilities, we can turn off power or cause a melt-down. Those infidels will feel our wrath.
    Terrorist1: Yes, thank Allah Security listed what systems they use, I spent two days looking for vulnerabilities in Windows ME.

    In all seriousness, critical infrastructure would not be easily hacked into. It would be far easier to have people on the inside do the job. There's a quote I learned in Networks and Security in 4th year (paraphrased)"90% of the resources attempt to block people from getting in, while 90% of the theft occurs from the inside."

    The sad part, 90% of the population would believe the US Gov knows what they are doing :(

     

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Loki, Nov 30th, 2012 @ 2:19pm

    You know, if government was really truly concerned about cybersecurity they'd stop trying to pass these bills. Government databases have repeatedly been shown to be among some of the least secure and/or most easily phished depositories around. If I were a hacker or foreign national, I'd just salivate at the idea of the US government collecting all this data in one place for me.

     

    reply to this | link to this | view in thread ]

  6.  
    icon
    droozilla (profile), Nov 30th, 2012 @ 2:42pm

    As usual, the real threats and terror are coming from DC, cyber or otherwise.

     

    reply to this | link to this | view in thread ]

  7.  
    identicon
    Inforwars, Nov 30th, 2012 @ 4:36pm

    Re: Problem

    More like the .GOV IS the problem!

     

    reply to this | link to this | view in thread ]

  8.  
    identicon
    Anonymous Coward, Nov 30th, 2012 @ 5:52pm

    " The Secretary shall not identify any commercial information technology products under this section.
    I'm not quite sure what that means within this context (so feel free to chime in and explain it if you do know...). "

    http://wikileaks.org/the-spyfiles.html
    If what is here happens to be true

    Perhaps what they mean are technologies sold or incorporated by "security" experts/companies, into major infrastructures, of the commercial variaty, such as isp's, or on a personal commercial sense, such as mobile phones, regarding hardware specifically, or software specific i.e. trojans/viruses

    Would this bill consider a nuclear power plant a major infrastructure?

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Utility IT guy, Nov 30th, 2012 @ 7:55pm

    Their primary tarets

    The primary targets for this EO are those of us residing in the Utility (Power, Water, fuels), Medical, and Defense.

     

    reply to this | link to this | view in thread ]

  10.  
    identicon
    Anonymous Coward, Dec 1st, 2012 @ 11:14am

    Re: Their primary tarets

    Why would these need to be kept essentially off the record

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    dee preston, Dec 2nd, 2012 @ 8:23am

    why more why now

    This just shows the govt won't stop until they completely control the internet. That's the tip of the iceberg. We need to dismantle our present govt and take it back. WE the People are having treason committed upon us each and every day. The truth in 911 is a perfect example. We are not living in the USA any more. Our next generation is so F ed!! Dee

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This