Wednesday, February 13, 2013

Tidbits: Executive Order on Cybersecurity; CISPA redux; NPR discussion of "hacking back"

President Obama's Executive Order on Cybersecurity

President Obama, in his SOTU speech last night, explicitly mentioned cybersecurity and the need for more action on protecting the nation on that front (through information sharing, etc.). The President's Executive Order can be found here: Executive Order -- Improving Critical Infrastructure Cybersecurity. The Presidential Policy Directive associated with the Executive Order (PPD-21) can be found here: PRESIDENTIAL POLICY DIRECTIVE/PPD-21.

I think it is too early to tell the impact that the Executive Order will have, but overall, I do not think it is close to an overreach. Jody Westby at Forbes disagrees: Obama's Cybersecurity Action Reaches Too Far. For another take on the EO (from Information Week), see: White House Cybersecurity Executive Order: What It Means.

The Re-introduction of the Cyber Intelligence Sharing and Protection Act

As expected:

Chairman Mike Rogers and Ranking Member C.A. Dutch Ruppersberger re-introduced H.R. 624, the Cyber Intelligence and Sharing Protection Act, their bipartisan cyber threat information sharing legislation, to help American businesses better protect their computer networks and corporate trade secrets from advanced cyber attacks. The bill that was introduced today is identical to the "Cyber Intelligence Sharing and Protection Act" (H.R. 3523) that passed the House by a strong bipartisan vote of 248-168 in April 2012.
The full text of the bill can be found here: CISPA 2013 - H.R. 624

For some varying perspectives on CISPA, see:

Controversial cyber bill CISPA returns to Congress for debate, same as before - The Verge

Lawmakers: CISPA Will Help Battle Cyber Attacks From China, Iran - PC Magazine

Congress Is Trying to Kill Internet Privacy Again - Rolling Stone

NPR Discusses Hacking Back

NPR recently had a discussion about "hacking back," or more euphemistically, "proactive response" to cyberattacks; the story can be found here (with a link to the audio): Victims Of Cyberattacks Get Proactive Against Intruders

I found a particular section in the article about hacking back to be telling of the legal implications of such tactics:

A turn toward more aggressive actions against cyberattackers, however, could be risky. Because the source of a cyberattack is often hard to identify, counterattacking is not always well-advised.
"I will guarantee you there will be lots of mistakes made," said Rep. Mike Rogers of Michigan, chairman of the House Permanent Select Committee on Intelligence, speaking at a recent cybersecurity conference at George Washington University. "I worry about the private sector engaging in offensive [activities] ... because a lot of things are going to go wrong."
Companies that want to go on the offense against their cyber-adversaries need to consider the legal risks such actions would involve.
"I have only found one or two lawyers ... who have said, 'Let's consider pursuing some kind of offensive response,'" says Richard Bejtlich, chief security officer at Mandiant, a cyber-consultancy. "The corporate legal structure is very conservative when it comes to what we can allow someone to do."

My previous summation/aggregation of articles regarding the legality of hacking back can be found here: Hacking Back: are you authorized?

1. The entire executive order (a) is only establishing a framework, (b) only applies to critical government infrastructure and (c) is specifically required to respect privacy and civil liberties. It's what CISPA/SOPA should have been.