With near-daily threats against the nation’s critical infrastructure (CI), cybersecurity remains a constant concern for CI owners and operators, Congress and the Obama Administration. Responding to these threats requires weighing both security and privacy issues. The recent hijacking of the Associated Press (AP) Twitter account, whose false tweet triggered a brief but sharp stock market sell-off, and the destructive “Shamoon” malware attack of 2012 show that cybersecurity is an everyday problem, not a theoretical one.
C-Suite executives, general counsels, CIOs, CISOs and government affairs executives need to watch four developments closely: implementation of the Executive Order, new cyber bills moving through Congress, potential new SEC disclosure requirements, and FTC enforcement of consumer protections following data breaches.
Executive Order (EO)
Implementation of Executive Order 13636, Improving Critical Infrastructure Cybersecurity (signed February 12, 2013), remains a major focus for the energy and health care sectors, banking and financial institutions, information technology companies, and the rest of the 16 critical infrastructure sectors designated by the White House in the companion Presidential Policy Directive (PPD-21).
The EO sets an aggressive timeline for agencies. It contains 11 major deadlines, four of which fall on June 12, 2013, with further major deadlines on July 12 and October 12.
U.S. Department of Commerce Cybersecurity Framework
The U.S. Department of Commerce (DOC) has been designated the “convener” to work with CI owners and operators on a framework of voluntary cybersecurity standards. The EO assigns the drafting to the National Institute of Standards and Technology (NIST), a DOC agency, which intends to publish a preliminary Framework for public comment by October 2013, with the final Framework due in February 2014. Of the 16 designated sectors, fewer than half filed comments in response to NIST’s Request for Information, so the early drafts are being shaped by a minority of the sectors they will apply to.
U.S. Department of Homeland Security (DHS)
At the same time, DHS, the lead federal agency for critical infrastructure protection, has created eight working groups to implement the EO. These groups focus on issues such as identifying infrastructure whose failure would have cascading, cyber-dependent effects, situational awareness, and information exchange. DHS is also examining how to incentivize CI owners and operators to participate in the Voluntary Critical Infrastructure Cybersecurity Program once NIST completes the Framework.
Incentives for Participation in the Cyber Voluntary Framework
The White House, DHS, DOC and Congress are all focused on incentives to ensure private sector participation in the voluntary framework they are creating. It will be important for the private sector to engage now and help shape a structure that meets its operational needs while addressing the concerns of Congress and the Administration.
Cyber SAFETY Act.
The Administration has discussed creating a possible Cyber SAFETY Act. Such legislation could be modeled on the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002, which provides liability protections for sellers of Qualified Anti-Terrorism Technologies; a cyber analogue would extend similar protections to providers of approved cybersecurity technologies and services.
Cyber-insurance has also been a hot topic for some time, with DHS convening working groups to discuss options for expanding coverage across the 16 critical infrastructure sectors, with a focus on better understanding the marketplace and what more can be done to develop it.
Other incentives under discussion include appropriate privacy protections and restrictions, liability protections, tax incentives, and stronger public-private partnerships.
Both the White House and Congress believe that legislative action on cybersecurity is still needed. The House and Senate are building on their efforts to draft cybersecurity legislation in the last (112th) Congress.
Information Sharing and Critical Infrastructure.
The House has moved aggressively, passing four cybersecurity bills already this year, and again took up the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA drew a White House veto threat in 2012 and earned a similar threat again this year, largely over the privacy protections governing what companies may share with the government and how the government may use it. Despite major changes to the bill, the Senate does not plan to take it up and will instead draft and introduce its own bill.
Anti-Hacking, Cyber Crimes and Racketeer Influenced and Corrupt Organizations (RICO) Reforms.
Both the House and Senate are also interested in anti-hacking and cyber-crime legislation. A recent Senate Judiciary Committee hearing focused specifically on these topics, although the Senate has not signaled when or whether it will move a bill. The House Judiciary Committee is working on a draft bill that would stiffen penalties for cybercrimes and establish a standard for companies to notify consumers when their personal data has been compromised.
The House Energy and Commerce Committee is examining cyber threats and security solutions in sectors such as energy, banking and financial services, and communications. The House Homeland Security Committee and the Senate are also working on their own cyber bills, which we expect to see soon.
Securities and Exchange Commission (SEC) Compliance Issues
Could new Securities and Exchange Commission (SEC) cyber regulations be coming soon? Senate Commerce Committee Chairman Jay Rockefeller continues to press the SEC on public companies’ obligations to disclose cybersecurity risks, beyond the staff-level guidance the SEC’s Division of Corporation Finance issued in October 2011. In April he sent a letter to newly confirmed SEC Chairman Mary Jo White asking the Commission to act.
Media reports have confirmed that Chairman White replied on May 1 with a letter to the Senate describing the SEC’s review of current disclosure practices and overall compliance with the 2011 guidance. Chairman White indicated that the review covers companies of different sizes and began in early 2012. Cybersecurity disclosures in companies’ Form 10-K filings are on the rise, while Congress continues to urge the SEC to issue formal, Commission-level guidance.
Federal Trade Commission (FTC) Enforcement Actions
The Federal Trade Commission (FTC) continues to pursue actions to protect consumers harmed by cybersecurity breaches, relying on its authority over unfair and deceptive practices. The FTC has brought an enforcement action against Wyndham Worldwide alleging that the company’s failure to protect its networks led to repeated intrusions and fraudulent charges on consumers’ accounts, stating that “… the repeated security failures exposed consumers’ personal data to unauthorized access.” The FTC is also focused on cybersecurity and the use of mobile devices, another emerging area of government concern.
“The landscape dictates that there are a host of policy, legislative, legal and compliance cybersecurity issues that affect every company—large or small. As with many things in the Washington landscape, participating early on in the decision making process is key to avoiding increased legal and regulatory compliance costs.”