Dark Reading is part of the Informa Tech Division of Informa PLC



11/15/2012
03:01 PM

Congress Kills Cybersecurity Bill, White House Action Expected

White House looks primed to take action on its own after Congress again fails to pass cybersecurity legislation.

Comprehensive cybersecurity regulatory reform failed yet again in the Senate on Thursday, but the White House is not waiting for Congress to act and will likely use an executive order to carry out some elements of the bill.

On Wednesday, Senate Republicans -- joined by a small group of Democrats -- again blocked the Cybersecurity Act of 2012 from coming to the Senate floor. Senate Minority Leader Mitch McConnell, R-Ky., attributed the opposition to a fast-tracked process and the failure to allow fully open amendments. Numerous national security officials have urged the bill's passage, but the U.S. Chamber of Commerce has repeatedly voiced strong opposition.

In response to the bill's failure, Senate Majority Leader Harry Reid, D-Nev., called the bill "dead for this Congress."

In a statement, Reid said: "A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cyber security threat."

The administration has already taken some actions. According to reports, President Obama in mid-October signed the classified Presidential Policy Directive 20, which sets new cyber defense standards for government agencies, including standards for defensive measures that might require agencies to reach outside their own networks.

The Obama administration has also prepared a draft executive order, which has been circulating for months, that would require additional steps to be taken. Now, it appears prepared to issue that order.

"Congressional inaction in light of the risks to our nation may require the administration to issue an executive order as a precursor to the updated laws we need," White House Cybersecurity Coordinator Michael Daniel said in a statement. "We think the risk is too great for the Administration not to act."

A draft version of the executive order would direct the National Institute of Standards and Technology to set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage adoption of these standards, and agencies responsible for regulating critical infrastructure industries would be responsible for proposing potentially mandatory cybersecurity regulations for those industries.

Information sharing is another big piece of the draft order. The executive order would set up new information sharing mechanisms that will accelerate security clearances and limit use of proprietary information. The order would also require agencies to take appropriate steps to ensure privacy of shared information.

However, an executive order can't do it all. Despite urging the President to take action, Reid warned in a statement that an executive order "leaves much to be desired" because, for example, it cannot offer companies liability protection in the event of a cyber attack.

While Reid declared the cybersecurity legislation dead for this Congress, McConnell said in a statement after the bill's failure that he hopes Congress will again take up the issue "sometime in December" after dealing with other important national security legislation.

Whatever the case, the persistence of the cyber threat is one reason that action may be needed soon. The annual report of the U.S.-China Economic and Security Review Commission, released on Wednesday, found that China in particular -- which the report called "the most threatening actor in cyberspace" -- continues to represent a serious and "increasingly potent" concern for companies and government agencies that hold potentially sensitive data.

"U.S. industry and a range of government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin, Northrop Grumman and BAE Systems. In what the report called the "most significant example of malicious Chinese cyber activity," the report said that intruders "gained full functional control over networks at the [NASA] Jet Propulsion Laboratory."

The report noted that China continues to build up its cyber forces. "The Chinese military is refining and implementing strategies for the cyber domain," the report says, noting that the military and intelligence communities each have groups concentrating on cyber war and cyber espionage. "New developments suggest Chinese exploitation capabilities are improving significantly."

The report also noted that while American businesses are not necessarily able to "sufficiently manage the threat of Chinese cyber espionage" on their own, they remain afraid of sharing information about attacks with the government. Such concerns about sharing -- and about cyber attacks -- could be allayed by the President's forthcoming cyber executive order or by some sort of action on Capitol Hill. Just when the latter will come remains, at this point, anyone's guess.
