The Commercial Appeal
Business groups urge White House to rethink cyber security order
Posted: March 5, 2013 6:23 PM
WASHINGTON — Telecommunications companies want President Obama’s administration to rethink a decision that may exempt Google’s Gmail, Apple’s iPhone software and Microsoft’s Windows from an executive order on cybersecurity.
Obama’s Feb. 12 order says the government can’t designate “commercial information technology products or consumer information technology services” as critical U.S. infrastructure targeted for voluntary computer security standards.
“If email went away this afternoon, we would all come to a stop,” said Marcus Sachs, vice president of national security policy at Verizon Communications, the second-largest U.S. phone company. “Hell yeah, email is critical.”
Technologies used in personal computers, software and the Internet “are the lifeblood of cyberspace,” Sachs said. “If you exclude that right up front, you take off the table the very people who are creating the products and services that are vulnerable.”
Obama’s order is aimed at areas such as power grids, telecommunications and pipelines. The goal is to protect “systems and assets whose incapacitation from a cyber incident would have catastrophic national security and economic consequences,” White House spokeswoman Caitlin Hayden said in an email. “It is not about Netflix, Twitter, Facebook, and Snapchat.”
Under the executive order, the Department of Homeland Security is to identify critical infrastructure, translating the order’s broadly worded information technology exclusions into specific guidelines.
The order expands a government program for sharing classified information about computer threats with defense contractors and Internet-service providers and calls for computer security standards for companies in critical industries. While adherence to the standards is to be voluntary, the executive order tells federal agencies that directly regulate affected industries to consider binding rules.
Telecommunications and cable companies don’t want to face regulatory burdens and costs that aren’t shared by technology companies, David Kaut, a Washington-based analyst with Stifel Nicolaus & Co., said in an interview.
“The telecom community is concerned the tech industry is going to get a free pass here,” Kaut said. “You have an ecosystem and only the network guys are going to get submitted to government scrutiny.”
Critical infrastructure such as power grids rely on information technology, Verizon’s Sachs said. Such technology should be part of the solution to U.S. cybersecurity, he said.
Obama’s order isn’t meant to “get down to the level of products and services and dictate how those products and services behave,” said David LeDuc, senior director of public policy for the Software & Information Industry Association, a Washington trade group that lobbied for the exclusions.
If countries impose differing security guidelines for technology products and services, such actions can amount to a type of trade barrier if rules are written to favor their own companies, LeDuc said.
Samantha Smith, a Google spokeswoman, Michelle Hinrichs, a spokeswoman for Microsoft, Steve Dowling of Apple, and Jodi Seth of Facebook all declined to comment.
“The nation’s cybersecurity policy framework should be structured in a way that takes into account the shared responsibility of the entire Internet ecosystem,” Ed Amoroso, chief security officer at AT&T, the biggest U.S. phone company, said in a Feb. 15 email reacting to Obama’s order.
Telecommunications companies think the order’s exclusions may leave out technologies that play a vital role in the total security picture, Stewart Baker, a former Homeland Security Department official, said in an interview.
“If you’re attacking people, you go for the weakest link and the weakest link is often some commercial product,” said Baker, a Washington-based partner at the law firm Steptoe & Johnson.
Twitter said Feb. 1 that hackers may have gotten access to data on 250,000 users of its microblogging site. Facebook, operator of the largest social network, said Feb. 15 that some of its employees’ laptops were infected after visiting a mobile developer’s site.
Apple said Feb. 19 some of its internal Mac systems were affected by a malicious software attack. Microsoft, the largest software maker, said Feb. 22 a small number of its computers were infected by malware in an attack similar to those against Facebook and Apple.
Obama, in announcing the executive order in his State of the Union speech, said the U.S. needs to boost cyber defenses for vital U.S. facilities.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air-traffic-control systems.”
Obama’s executive order mirrors parts of a Senate bill that was blocked last year by Republicans who said the standards would be burdensome to industry. Lawmakers are working on new legislation.
The Internet Association, a trade group whose members include Google, Facebook, and Amazon.com, urged the White House and Congress to “ensure that all Internet services are not subject to regulation,” the group’s president, Michael Beckerman, said in an e-mailed statement.
The Obama administration and Google opposed revisions to an international telecommunications treaty negotiated at a United Nations conference in Dubai last year, saying new language related to cybersecurity and other topics could open the door to Internet regulation and censorship by other countries.