Cybersecurity executive order can only do so much; new legislation needed, official says.

Author: Magnuson, Stew
Position: Homeland Security News

As cybersecurity legislation designed to mitigate the damage being done by network intrusions in the private sector faltered in the 112th Congress last year, news emerged that President Barack Obama would create an executive order to fill some of the gaps that lawmakers couldn't.

That caused a great deal of consternation in some quarters, particularly in the business communities where regulations are generally not welcome.

The executive order was released Feb. 12 and arrived with generally little controversy.

Michael Daniel, national cybersecurity coordinator and special assistant to the president, said, "Unfortunately, executive orders are not magical. They don't suddenly give us powers we don't have and subvert the will of the Congress."

"We think ... the only way we can make progress on cybersecurity is to do a better job of sharing with the private sector," Daniel said at an Armed Forces Communication and Electronics Association cybersecurity conference.

The order called for the expansion of the Defense Industrial Base Information Sharing Program, in which companies alert the Defense Department to attacks on their systems, and it, in turn, sends out reports on the new threats to all participants. This, however, is voluntary. The order calls for the expansion of the program into other critical economic sectors.

It also calls on the National Institute of Standards and Technology to develop "a framework of cybersecurity practices to reduce cyber risks to critical infrastructure."

Daniel said the administration has heard the private sector's call for more security clearances in their organizations, so it ordered the Department of Homeland Security to expedite applications.

There is a delicate balance when pushing out reports to those who need to see them, he noted.

"There is no way you can give a clearance to everybody who needs to understand cybersecurity and operates critical infrastructure," so the government must be able to take some risks when sending out reports.

The government must increase the volume, timeliness and quality of the threat information it puts out, he said.

"When you share information too broadly, sometimes it can lose its value. Your adversaries learn of it and they change their tactics and it is no longer useful," he said. "At the same time, if we don't share information at all, it is very rarely useful."

There are not a lot of controversial items in the order, said Dave Frymier, chief information security officer...
