Register

Forgot Password

Site FAQ

Home > IT Answers > Security > What impact will President Obama’s cybersecurity order have on the industry?

Michael Tidmarsh

14,060 pts.

What impact will President Obama’s cybersecurity order have on the industry?

cybersecurity, Security

President Obama issued his long awaited Cybersecurity executive order which is aimed at improving public-private information sharing. However, many skeptics believe this order won't get anything done. Do you think Obama's executive order will go through? What impact will it have on the Cybersecurity industry?

Software/Hardware used:

ASKED: February 15, 2013 7:46 PM

UPDATED: February 26, 2013 3:00 PM

RELATED QUESTIONS

Answer Wiki:

This directive, like most others coming out of Washington these days, will prove to be yet another compliance burden that businesses will face. Interestingly, looking through Obama's Cybersecurity Near Term Actions, most of these things have already been put in place in some form: FISMA, InfraGard, the myriad of federal and state privacy/security regulations, the NIST Special Publications and CSRC resources to name a few. They're just not being used or enforced. And, something we often see, instead of using existing resources and enforcing existing laws, politicians prefer to create new ones. It helps justify their existence. Obama's Near Term Actions also lay the groundwork for further government regulations on business. Death by a thousand cuts that only business owners and leaders fully understand. Bureaucrats wanting more and more control of the economy and people will talk the talk - as if they're the information security experts - to push these types of initiatives. Perhaps we'll see some infrastructure security improvements at the federal government level long-term. However, I suspect this order - or any one following it - will have minimal impact on information risk in this country as a whole. Why? Because people who are careless, overworked, under-qualified, cash-strapped, risk-ignorant, and so on will continue to look past the information security basics and keep doing things like:

Trust that cloud providers are always doing the right thing
Use phones and tablets without a trace of security enabled
Leave firewalls configured with no passwords and weak rules
Continue to overlook the value of whole disk encryption for laptops
Forget to set passwords on their database servers
Writing code that enables SQL injection
Ignore patches from Microsoft, Adobe, Oracle (Java) and other vendors
Choose to believe that basic vulnerability checks using a "PCI-capable" scanner is all that's needed to find the flaws in servers, databases, web applications, mobile apps, or any other system with an IP address or URL

I could go on and on but you get my point. Obama nor any politician is going to truly fix these things. How about letting the free market decide which businesses survive? I strongly believe that any such "cybersecurity" directive out of Washington is not about information security. It's about control. They can continue layering on all this showy bureaucracy but I'm just not buying it.

This directive, like most others coming out of Washington these days, will prove to be yet another compliance burden that businesses will face.

Interestingly, looking through Obama's <a href="http://www.whitehouse.gov/cybersecurity">Cybersecurity Near Term Actions</a>, most of these things have already been put in place in some form: FISMA, InfraGard, the myriad of federal and state privacy/security regulations, the NIST Special Publications and CSRC resources to name a few. They're just not being used or enforced. And, something we often see, instead of using existing resources and enforcing existing laws, politicians prefer to create new ones. It helps justify their existence.

Obama's Near Term Actions also lay the groundwork for further government regulations on business. Death by a thousand cuts that only business owners and leaders fully understand.

Bureaucrats wanting more and more control of the economy and people will talk the talk - as if they're the information security experts - to push these types of initiatives. Perhaps we'll see some infrastructure security improvements at the federal government level long-term. However, I suspect this order - or any one following it - will have minimal impact on information risk in this country as a whole.

Why? Because people who are careless, overworked, under-qualified, cash-strapped, risk-ignorant, and so on will continue to look past the <a href="http://securityonwheels.blogspot.com/search/label/back%20to%20basics">information security basics</a> and keep doing things like:

<ul>
	<li>Trust that cloud providers are always doing the right thing</li>
	<li>Use phones and tablets without a trace of security enabled</li>
	<li>Leave firewalls configured with no passwords and weak rules</li>
	<li>Continue to overlook the value of whole disk encryption for laptops</li>
	<li>Forget to set passwords on their database servers</li>
	<li>Writing code that enables SQL injection
</li>
	<li>Ignore patches from Microsoft, Adobe, Oracle (Java) and other vendors</li>
	<li>Choose to believe that basic vulnerability checks using a "PCI-capable" scanner is all that's needed to find the flaws in servers, databases, web applications, mobile apps, or any other system with an IP address or URL</li>
</ul>
I could go on and on but you get my point. Obama nor any politician is going to truly fix these things. How about letting the free market decide which businesses survive?

I strongly believe that any such "cybersecurity" directive out of Washington is not about information security. It's about control. They can continue layering on all this showy bureaucracy but I'm just not buying it.

Last Wiki Answer Submitted: March 1, 2013 8:26 pm by Kevin Beaver

11,040 pts.

All Answer Wiki Contributors: Kevin Beaver

11,040 pts. , Michael Tidmarsh

14,060 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: Feb 15, 2013 11:51 PM (GMT)

IMO, the impact will depend on content of upcoming reports and their followups. The reports need to be publicized. Without appropriations and clear legal directions, little will be accomplished. Appropriate publicity will be required to get matching appropriate Congressional action. For now, we can only wait and see. — Tom

TomLiotta

110,135 pts.

POSTED: Feb 22, 2013 9:05 AM (GMT)

There doesn’t appear to be anything in the Executive Order that can alter or add to any compliance burden. However, there is indeed a probability that added compliance regulations will come out of any legislation that might follow based on reports that were ordered. And there would be little compliance burden at all if ‘critical infrastructure’ was not seriously vulnerable. The combination of vulnerabilities, motivations to exploit them and serious risk to life and property any when exploits are effected, argue in favor of additional compliance efforts. — Tom

TomLiotta

110,135 pts.

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags