The debate about how best to protect the nation from hypothetical dire, impending cyber attacks on infrastructure, which government officials and military leaders have been warning of for years, is far from settled in Washington. In fact, President Obama's recent move to sign an executive order on cybersecurity creating a program for intelligence agencies to share classified information they have on so-called national "cyber threats" with the private sector is now being criticized by leading telecom company participants. AT&T and Verzion say the President's order improperly excludes consumer tech companies like Google, Apple, and Microsoft from the list of those eligible to receive, and held responsible to act upon, the government's threat information.
"Hell yeah, email is critical."
Bloomberg on Tuesday spelled out the complaints of these telecom giants, quoting Verizon's vice president of national security policy Marcus Sachs as saying: "If email went away this afternoon, we would all come to a stop. Hell yeah, email is critical."
At issue is a part of the President's order that explains what the government considers to be "critical infrastructure at greatest risk." The order specifically says that the Secretary of Defense "shall not identify any commercial information technology products or consumer information technology services under this section," which would seem to leave out Google, Microsoft, Apple and basically any other consumer-facing tech company.
The President appeared to acknowledge as much when he first introduced the order in the State of the Union address on February 12th, asking Congress to pass new cybersecurity legislation on top of his order that could be extended to include these companies. Two lawmakers in the House of Representatives introduced new legislation that would do so: a revived version of last year's controversial bill CISPA, which is due to be debated in markup hearings in April. Verizon and AT&T reiterated their support for CISPA, but the White House hasn't publicly come out for or against it.
Why would telecom companies care who else would be considered "critical" under the White House's new program?
Even without CISPA, telecom companies such as Verizon and AT&T, who also deal with consumers, are already considered critical infrastructure at risk under the President's order, based on prior information the White House provided to The Verge. The question is just why telecom companies would care who else would be considered "critical" under the White House's new program, especially if CISPA will end up covering everyone anyway? As it turns out, the answer may not actually have much to do with national security, according to analysts.
"The telcos want the software producers to be liable for vulnerabilities," wrote James Lewis, director for the technology program at the Center for Strategic and International Studies, in an email to The Verge. "This is a longstanding fight between the telcos and companies like Microsoft. The telcos also want companies like Google to face the same regulatory burden they face."
That's because in addition to letting the government share more previously classified information with a few sectors in private industry — communications, utilities, transportation — the President's cybersecurity order also specifically paves the way to impose new regulations on these companies. The order calls upon federal agencies to "determine if current cybersecurity regulatory requirements are sufficient given current and projected risks," and that if "deemed to be insufficient," the agencies issue revised and presumably stricter regulations for private sector companies participating in the program by January 2014. If the telecom companies have to abide by these new rules, they want the tech companies like Google and Microsoft to have to follow suit, according to Lewis.
"If Gmail went down, the country wouldn't grind to a halt," Lewis wrote. "If the telecom backbone or the electric grid went down, there could be much more serious disruption. That's probably what the White House was thinking."
"The telcos want the software producers to be liable for vulnerabilities."
Indeed, the President's cybersecurity order may be the only national framework in place to provide information about cyber attacks for a while. Sources close to the White House have privately told The Verge they aren't happy with the new version of CISPA due to concerns about consumer privacy. That means even if CISPA passes the House of Representatives in the coming months, the White House could move to issue a veto threat like it did the last time CISPA gained traction.