Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity. Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order. In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages. So what might we see in this forthcoming order?
According to reports, the order will attempt to regulate sixteen "critical" industries. The guidelines will be voluntary, after a fashion: compliance with the standards may determine eligibility for federal contracts. The White House has not made any secret of its intentions on cybersecurity. In fact, the White House website lists "Ten Near Term Actions to Support Our Cybersecurity Strategy." Brevity prevents me from getting into a deep discussion of those actions here, but you can read them and draw your own conclusions.
The questions remain, however: 1) how stringent (read: intrusive) will the requirements be? 2) Will they be relevant to the threats actually in the landscape? 3) How will compliance be policed? And 4) how much additional cost are we potentially adding to our already stretched budgets?
Another question that merits examination is whether the standards will be redundant. Many industries are already straining under the weight of a variety of infosec requirements, whether industry-regulated or government-mandated. Will another layer of regulation mean increased efficacy of data protection strategies and mandates, or will it be just another layer of red tape?