The nation does not deserve a cybersecurity solution that is rushed through by executive order. The current draft cyber executive order is being seen by some as a long-awaited panacea for the “lack” of motivation of critical industry to secure itself. This is ridiculous.
Presently, the reason for businesses not sharing information on cyber intrusions has little to do with motivation or laziness. It has to do with the financial and business choices made by management. If reporting an intrusion will hurt your company, and will do little or nothing to help others, why do it? If a major company thinks that sharing information exposes it to damage on the stock market, or that the relevant attack data will reach companies in a similar sector too late to be of use, there is little incentive to share.
Add to that the concern that proprietary information might become exposed through Freedom of Information Act (FOIA) requests once it becomes “government property.” Finally, add that sharing that information may put those companies at risk for litigation by anyone affected by that sharing, and you can see who is at fault for the lack of sharing. It is not business.
It is important to note that an executive order cannot add some of these critical protections; only legislation can. A cyber executive order falls far short and, if anything, slows down Congress, which now has to navigate new regulations and executive standards.
Do we need to improve cybersecurity? Absolutely, yes. Should the government play a role in that improvement effort? Without a doubt, yes. How can we square this circle?
First, any new law must provide businesses with protection from the above-mentioned concerns without telling them exactly which cybersecurity approach to take. Businesses need to be incentivized to do better security, but this does not mean tax breaks or other monetary benefits. No business should expect to be “paid” to protect itself, but businesses do need to be assured that making the right policy decision on security will not cost them money (beyond the investment) in litigation or needless public shame, and that the risk they take in sharing will actually be beneficial to others.
The cyber executive order offers little beyond the pride in “doing something” (and doing it before Election Day) and a new set of standards. The claim that these will all be voluntary and will not result in a new bureaucratic and regulatory superstructure is so transparently thin as to be a joke. Such a move might make politicians happy, but it will add little additional security.
A cybersecurity executive order is poor policy, Mr. President—we can do better.