#10 – WILL CYBER ATTACKS PUSH US OVER THE BRINK? – JOHN MILLICAN


On February 12th 2013, President Obama signed an executive order to promote the sharing of classified information about threats to the nation’s critical infrastructure. One week later, Mandiant (a threat detection company) released a report stating its near certainty that a unit of the Chinese military was “one of the most prolific cyber espionage groups in terms of the sheer quantity of information stolen.”

What do these two events have in common? First, they both demonstrate the value of sharing information regarding cyber security breaches. The president’s order promotes the sharing of government information with private organizations responsible for managing our nation’s critical infrastructure. Mandiant based its conclusion on the information it gathered while helping 141 organizations respond to breaches purportedly perpetrated by the People’s Liberation Army’s (PLA’s) Unit 61398. This ability to see beyond the limits of the individual organization is key to understanding and responding to state-sponsored cyber attacks. Mandiant’s advantage came from assisting clients who had been breached and understanding the nature of those cyber attacks.

President Obama is trying to give the same advantage to the private sector via his executive order by sharing the government’s data with the private sector. He is laying the framework so the private sector will also be able to share its data with the government. Doing so through an executive order actually puts the government in a better position to respond effectively than the proposed legislation would have. As Mark Jaycox, policy analyst and legislative assistant for the Electronic Frontier Foundation, points out in Wired Magazine, unlike the proposed legislation, an executive order cannot grant immunity. As a result, private organizations will be less likely to dump all possible data on the government to acquire immunity, and they will be more circumspect in what they provide to the government. More wheat with less chaff will lead to better results.

But aside from these headline actions, both President Obama and Mandiant took a secondary action that is probably even more meaningful in terms of responding to cyber attacks more effectively.

President Obama released a presidential directive stating that the:

“General Services Administration, in consultation with DOD, DHS, and other departments and agencies as appropriate, shall provide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.”

This supports the cyber security certification requirements that the Department of Defense will be releasing in the fall of 2013. The most important component of the DoD’s pending requirements will be the requirement for continuous monitoring of protections for industrial control systems.

In conjunction with its report, Mandiant also released more than 3,000 indicators to expose and degrade the Chinese infiltration infrastructure and to allow organizations to bolster their defenses against its arsenal of digital weapons.

While we cannot be sure if President Obama was motivated by Chinese state-sponsored attacks, Mandiant clearly was. And whatever the president’s motivations were, we as a nation are being pushed over the brink where improved information protections are no longer a discretionary goal but a mandatory requirement.

To read President Obama’s Executive Order, please visit:

https://insights.cermacademy.com/2013/02/8-executive-order-improving-critical-infrastructure-cyber-security-president-obama/

Bio:

John Millican is a business-first manager with strong experience in driving value to the enterprise through IT and Information Security (IS). His experience is divided between positions in both industry and third-party IT service and Information Security provision.

John developed and led the global Information Security team for Expedia Inc. as its Chief Information Security Officer and was VP of IT Operations for Hotwire.com. He also founded and led a twelve-person independent IT/Information Security service provider. Clients and employers have ranged from small wholesale/distributors to regional financial institutions and Fortune 1000 Internet-based companies. John’s most recent efforts have been focused on assisting clients with implementing Information Security programs, obtaining ISO 27001 certification and implementing continual improvement methodologies within their organizations.

He is a Certified Information Systems Security Professional (CISSP) and was the first person to be certified by the SANS Institute for its core security programs – Windows Security, Unix Security, Intrusion Detection Analyst, Incident Handling and Firewall Analyst.  Additionally, he was co-author of the SANS Security Essentials Toolkit.

John has a Bachelor of Science in Business Administration degree from the University of Akron.
