“America must … face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
President Barack Obama, State of the Union Address, Tuesday, February 12, 2013
Just before delivering his State of the Union address, President Obama signed an Executive Order aimed at increasing information sharing between the government and private-sector businesses in order to move the issue of cybersecurity protection. The goal of the order is to achieve a “partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing…” by developing and promoting a new cybersecurity framework. The framework will partner critical infrastructure with sector-specific agencies to increase the flow of cybersecurity information between the government and private industry. See the White House blog posts at http://www.whitehouse.gov/blog/2013/02/13/improving-security-nation-s-critical-infrastructure?utm_source=related
How will the Executive Order Potentially Affect You?
(1) The “Enhanced Cybersecurity Services” program is a voluntary program among federal agencies aimed at de-classifying information about cybersecurity threats and sharing that information with eligible private-sector businesses. Establishing the program will require industry involvement to determine what types of information will be most helpful in combatting cyber security threats. The a accompanying presidential policy directive identifies 16 critical infrastructure sectors with which the federal government aims to “increase the volume, timeliness, and quality of cyber threat information shared…” and targets such industries as financial services, utilities and healthcare.
(2) The order calls for the government to develop a “baseline framework” to reduce cyber risk. This work will be led by the director of the National Institute of Standards and Technology. The framework will attempt to align “policy, business, and technological approaches” in combatting cyber risk. The framework will also include a “voluntary consensus…and industry best practices…” Since the framework will be built around industry best practices it follows that it could become the standard for measuring cybersecurity programs.
(3) The order requires the Secretary of Homeland Security (“Secretary”) and agencies to create a voluntary program to promote the adoption of the framework by creating incentives for private-sector businesses. If targeted industries are receptive to the voluntary framework this definitely increases the odds that the baseline will be a measuring stick for all cybersecurity programs within those industries.
Other Measures in the Executive Order
The Order also requires agencies to establish safeguards based on the Fair Information Practice Principles to protect the customer information that companies may share with the government and calls for the Chief Privacy Officer and the Officer for Civil Liberties of the Department of Homeland Security to release a report assessing the privacy and civil liberties risks of the program.
The Secretary is also charged with identifying critical infrastructure at the greatest risk. “Greatest risks” means that if a cybersecurity incident occurred it could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” This list will be updated on an annual basis and will not specifically identify commercial information technology products or consumer information technology services.
In addition, agencies that are responsible for regulating the security of critical infrastructure are required to work with Department of Homeland Security, Office of Management and Budget and National Security staff to determine if current cybersecurity regulatory requirements are sufficient, if not what actions need to be adopted to mitigate cyber risk and whether the agencies have regulatory authority to adopt the preliminary cybersecurity framework. If the agencies find that they do not have the appropriate authority to adopt the framework they must identify what additional authority is required.
Finally, agencies are required to work with private-sector business owners and operators of critical infrastructure and determine which businesses, if any, are subject to “ineffective, conflicting, or excessively burdensome” cybersecurity requirements.
Cybersecurity concerns have been at the forefront of much debate and congressional leaders such as Senator Rockefeller have been trying to push legislation forward, but have not been successful. Last month Sen. Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 and this month the House is slated to reintroduce the Cyber Intelligence Sharing and Information Act (CISPA) which passed the House last year.
Developments and information regarding this Executive Order and potential Congressional action continue and you can find updates here. We will also be presenting a webinar on how to prepare your business, so stay tuned for the date/time.