Before anyone starts chanting that the conspiracy theorists were bound to find something in the Cybersecurity Executive Order to attack for the sake of attacking, keep one thing in mind. I like the order as a whole. In many ways, it’s pretty impotent and stays in line with what privacy activists (myself included) had hoped for – a one-way street of information sharing that will allow public and private entities involved in critical infrastructure to better defend themselves. My hope was that the sharing would be even deeper, that there would be more tangible ways that the government could educate and empower at-risk networks.
Overall, the order was good. It stepped far away from the draconian levels of anti-privacy that CISPA would give the government. However, there are a couple of risks that should be noted.
In section 7b, for example, there is this statement:
To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
On the surface, this seems like a good thing and the beginning of the sentence sets it up to sound that way. It basically says that the government will not tell entities that they need to employ this security technology or that protocol, but that it will maintain a free market structure to empower companies to find ways to alleviate cyber risks in their own way. The part that is implied but not directly addressed is that this opens the door to government oversight over an extremely wide range of “solutions”. By being technology neutral, they are technically technology omnipresent. In other words, you can use the solution of your choosing, but the government will want a peek at the technology as well. No big deal, but it’s still a potential loophole through which the government can enter into systems and “snoop around” in the name of cybersecurity.
The same basic loophole pops up again in section 8d:
Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.
Again, this allows a peek under the cybersecurity skirts of whatever measures an organization chooses to employ.
These are minor and I do not want to downplay the overall quality of the order. It is clear that they took into account the concerns of both privacy groups and objections from both sides of the political aisle when they drafted it. The language is appropriately broad while limiting the powers it provides. In reality, it doesn’t allow for any real “powers” at all. In that regard, it’s a win for privacy. The minor loopholes present are, well, minor. If there’s one point of skepticism to consider, it’s that the Cybersecurity Framework itself will need to be thoroughly examined. This executive order didn’t do much other than introduce a plan of action that will fly through the unofficial vetting process of privacy groups, political pundits, and tech bloggers universally.
The things that happen at the 120-day, 240-day, and 1-year marks are going to be the real reports to examine. If there are plans to expand the reach of government into our private lives, this wasn’t the venue for that. Ramming things down the throats of the American public is challenging today. To pull it off, the government must make us willing participants in small bits and pieces rather than all at once.
I remain skeptical but encouraged and hopeful.