Secondo voci recenti, riportate ieri anche dal Washington Post, l’Amministrazione Obama, in risposta al fallimento del c.d. “Cybersecurity Bill” sarebbe sul punto di emanare un nuovo Executive Order in materia di sicurezza informatica con l’obiettivo di ottenere, su base volontaria, la più ampia adesione possibile ai più elevati standard di sicurezza nel settore delle infrastrutture critiche.
Tra le altre cose, l’ordine esecutivo istituirebbe un Cybersecurity Council interministeriale:
[…] The four-page draft order, whose contents were described to The Washington Post by several officials this week, is in the early stages, and completion could take months, officials said.
Under the draft, an interagency Cybersecurity Council would be led by the Department of Homeland Security. It would have representatives from the Commerce, Defense, Treasury, Energy and Justice departments as well as from the Director of National Intelligence’s Office.
The council would take intelligence on cyberthreats and translate it into guidance that would be used to develop security standards. It might also prioritize the industry sectors that need the most attention, though no decision has been made on that issue.
The standards, along with best practices, would be written by the National Institute of Standards and Technology, an arm of the Commerce Department, in collaboration with the private sector. Companies would determine what technologies to use to improve cybersecurity.
The creation of clear standards — especially if there is widespread adoption — may help create a market for cybersecurity insurance, officials said. Before insurance underwriters issue a policy, they would have to ensure that firms had met the standards.
The voluntary approach is not a panacea, said one administration official, who spoke on the condition of anonymity to discuss internal deliberations. “We still think it should be mandated,” he said. But “it’s better than sitting around and waiting for legislation.”[…]
Some national security experts said the voluntary approach misses an opportunity. If the administration does not mandate standards in some areas, “they’re timid,” said Richard A. Clarke, a White House counterterrorism and cybersecurity adviser under the Bill Clinton and George W. Bush administrations.
He said the president can require standards in sectors where executive branch agencies have authority to enforce them. The Transportation Security Administration, for instance, has authority to regulate pipeline security, he said. The Coast Guard can regulate the security of communications systems at ports. The Federal Railway Administration, he said, can regulate the security of freight and passenger railroad operations.
“If the president has authority to create mandatory standards in some industries and he doesn’t use those,” Clarke said, “then the administration is not serious.”
Clarke also questioned why any company would comply with voluntary standards.
Indeed, some business advocates said even the establishment of voluntary standards is problematic. “Any voluntary approach by this administration is intended to be mandatory,” said Jody Westby, a cybersecurity consultant, noting that officials have stated that that is their goal. “It’s the camel’s nose under the tent. The next thing we know, it’s regulation. This has the potential to be incredibly costly to implement.”
Real changes will not be driven by government, said Jacob Olcott, a cyber expert with Good Harbor Consulting. “They’re going to come from lawsuits, from investors and shareholders asking specific and pointed questions.”
Nonetheless, “a cyber executive order is the best possible option left on the table,” even if just for voluntary standards, said Eric Chapman, associate director of the University of Maryland Cybersecurity Center. “Obstruction is high in Congress, and it’s not realistic that a bill will be acted upon by both bodies before February.”