The Complex

So what's Mitt Romney's take on cyber security?

With the third and final presidential debate fast approaching, Killer Apps thought it would be a good idea to take a quick look at the candidates' stances on cyber security.

While we haven't heard much from either side on cyberwarfare or threats during the race for the White House, the Obama administration's take on cyber security has become pretty clear in recent months. Mitt Romney has been pretty quiet on the matter, other than saying in this white paper that he will order an interagency review on the government's approach to cyber security to "prevent duplication, maximize information sharing, and bind together the disparate competencies of these agencies." He has also said he will look to update the Bush-era national cyber security strategy that was first drafted in 2003.

"Mitt Romney has promised to make cybersecurity a top priority early in his administration," said a campaign spokeswoman when Killer Apps asked if the candidate has more detailed plans than what was outlined in the white paper. "He will order the formulation of a national cybersecurity strategy, to deter and defend against the growing threats of militarized cyber-attacks, cyber-terrorism, and cyber-espionage. Once the strategy is formulated he will determine how best it can be implemented."

The White House has been pushing Congress to pass the Cyber Security Act of 2012, penned by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME), which has been stalled since August. In the meantime, the White House is hustling to put together an executive order that would likely establish minimal cyber security standards for private companies involved in critical infrastructure and foster increased communication between those companies and the government about cyber threats.

The Pentagon has also become aggressive in lobbying the public about what it says is the threat of physically destructive cyber attacks and it has recently begun to discuss its offensive cyber capabilities in an effort to send a message to its allies and adversaries that the United States can and will fight back in the digital domain. And let's not forget the alleged involvement of U.S. security assets in a number of cyber weapons and spy tools that have been unleashed in the Middle East during the Obama administration (though work on some of them began during the presidency of George W. Bush).

Bottom line, the Obama White House appears to be hinting at the notion of military cyber deterrence -- anchored by the Pentagon's offensive capabilities, but combined with its push to make its networks able to survive a full-on cyber attack from a country like Russia or China -- all while pushing the private sector to strengthen its online defenses.

Given the growing importance of cyber to U.S. national security, and the recent spate of cyber attacks against American critical infrastructure providers and Middle Eastern oil companies, "it seems very peculiar that presidential candidates are quiet on these issues," Jarno Limnell, director of cyber security at the IT security firm Stonesoft, told Killer Apps on Oct. 18. "I haven't seen a lot from the Romney side but I have noted that he has criticized Obama for being overly reliant on defensive capabilities."

One indicator that may provide insight into what could become the key differences between Obama and Romney's stances on cyber strategy is the two parties' takes on recent cyber security legislation.

The White House insists that any cybersecurity legislation must contain provisions restricting what type of information is collected about private citizens and how that information may be used by the government (something that a Republican-sponsored cyber security bill in the House doesn't contain to the same extent as the Senate bill). Senate Republicans -- in a stance backed by business interests such as the U.S. Chamber of Commerce -- stalled Lieberman and Collins's bill, citing concerns that the minimal network security standards that it mandated for banks, utilities, transportation companies and other so-called critical infrastructure providers are burdensome and unnecessary regulation.

White House still working on cyber exec order despite renewed push for legislation

The White House is continuing to work with lawmakers and other "key players" to craft an executive order aimed at securing the country's privately-owned critical infrastructure from cyber attacks despite the Senate Majority Leader's plan to hold a vote on cybersecurity legislation next month.

"We have held sessions with both House and Senate staffers to talk about actions that executive departments and agencies can take, including a possible executive order," a National Security Council spokeswoman told Killer Apps on Oct. 17. "We're essentially, still in deliberating and consulting phase wanting to make sure that anything we put together for the president's considerations takes into account of these key stakeholders" on Capitol Hill and in the private sector.

These comments come several days after Senate Majority Leader Harry Reid (D-Nev.) announced that he plans to bring last summer's cybersecurity bill sponsored by Sens. Joe Lieberman (I-Ct.) and Susan Collins (R-Maine) to the Senate floor for a vote next month. The bill, known as the Cyber Security Act of 2012, stalled in early August amidst objections by Republicans opposed to the minimal cyber security standards it would establish for critical infrastructure providers. Republicans claimed the security standards would be burdensome to businesses and would not be able to keep up with the ever-changing nature of cyber threats.

"Secretary Panetta has made clear that inaction is not an option," said Reid on Oct. 13. "I will bring cybersecurity legislation back to the Senate floor when Congress returns in November. My colleagues who profess to understand the urgency of the threat will have one more chance to back their words with action, and work with us to pass this bill."

While Reid acknowledged the concerns of his legislative colleagues who have criticized the White House for crafting an executive order (read more on that here), he encouraged a two-pronged approach (perhaps race is a better way to describe it) between the White House and Congress meant to quickly establish cybersecurity standards for critical infrastructure providers.

"Some of my colleagues have suggested that the President should delay further action to protect America from this threat until Congress can pass legislation," said Reid. While "cybersecurity is an issue that should be handled by Congress, but with Republicans engaging in Tea Party-motivated obstruction, I believe that President Obama is right to examine all means at his disposal for confronting this urgent national security threat."

In addition to establishing minimal security standards for banks, utilities, transportation and communications firms, Lieberman and Collins' bill allows rapid information sharing between businesses and the government, protects businesses from lawsuits for inappropriately sharing private citizens' information, and restricts the type of information that could be collected about U.S. citizens and how it could be used.

Just yesterday, Maryland Democrat Sen. Barbara Mikulski said that a newfound sense of urgency amongst lawmakers about cyber security has increased the chances that the Lieberman-Collins bill will pass in November.

Here's what the White House said about its executive order on Oct. 5:

We are exploring ways for Executive Branch Departments and Agencies to more effectively secure the nation's critical infrastructure by working collaboratively with the private sector. We are considering an Executive Order (EO) as one way to improve such collaborative efforts. However, an EO is not a substitute for new legislation. While an EO doesn't create new powers or authorities, it does set policy under existing law.

We believe that cybersecurity best practices should be developed in partnership between government and industry. For decades, industry and government have worked together to protect the physical security of critical assets that reside in private hands, from airports and seaports to national broadcast systems and nuclear power plants. There is no reason we cannot work together in the same way to protect critical infrastructure cyber systems upon which so much of our economic well-being, national security, and daily lives depend.

Our intent is to focus on and address the nation's critical infrastructure, whose incapacitation from a cyber incident would have grave national security and economic consequences. Since most companies aren't critical infrastructure, we are only looking at a small subset of the companies in the U.S. We believe that companies driving cybersecurity innovations in their current practices and planned initiatives can help shape best practices across critical infrastructure. Companies needing to upgrade their security would have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace. We remain committed to incorporating strong privacy and civil liberties protections into any initiative to secure our critical infrastructure.

The process of developing an Executive Order will take time, as we believe that it must take into account the views of our partners in the private sector and the Congress. We have started reaching out to both the private sector and Congress and we look forward to gaining their input. Given the gravity of the threats we face in cyberspace, we want to get this right in addition to getting it done swiftly.
