As revealed during President Barak Obama’s State of the Union Address last night, the White House released an Executive Order, Improving Critical Infrastructure Cybersecurity.
As the president highlighted in his speech, and departing Department of Defense Secretary Leon Panetta was warned, the ability of those with malicious intent—be they governments, terrorists or others who wish to do a wide range of institutions and facilities substantial harm—is no science fiction. The threats are very real, they are increasing in frequency and sophistication, and the ability, for example, to take down the power grid and disrupt communications in some ways makes virtual attacks more pernicious than physical ones because of their extensibility.
Since the devil will be in the details of how the order is executed, we’re going to have a few months to wait and see how this shakes out. The emphasis is justifiability on information sharing and public-private partnerships. From almost every corner of the stake holder community, the reaction has been positive, as in “it is about time…but.”
This is not unexpected, and the word “but” is the placeholder in politics for objecting to some or all of a policy before it is in forced, as well as for reserving the opportunity for providing “perfecting” suggestions.
This will be an evolving story with lots of opinions, including those that will be front and center in two weeks in San Francisco at the security industries annual RSA bash, making what already is going to be a fascinating event certainly a hotbed of national security conversation to say the least.
What you need to know about the Executive Order
The Executive order is worth a full read and probably a bookmark, but Sec. 4. Sets the context for the specifics that follow and is worth a thorough review:
Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the "Secretary"), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.
(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
As noted, the sections that follow have to do with more nuts and bolts regarding: consultative process, establishing baseline frameworks to reduce cyber risk of critical infrastructure, the establishment of a voluntary critical infrastructure cybersecurity program, creating the database of critical infrastructure assets at greatest risk, and procedures for adoption of the framework cited above.
Is this really enough?
The answer to the above, unfortunately, is that we won’t know actually until thanks to shared data we can understand the nature, velocity and severity of threats, and judge the effectiveness of counter-measures.
In fact, an interesting reaction to this already came from US Teleco PRedietn and CEO Walter B, McCormick Jr., who in a statement explained that,
“We’re pleased that the order reaffirms the importance of public-private partnerships in assessing and combatting threats, a strategy we believe is highly effective. But we recognize that a strong cybersecurity policy is best achieved through enactment of legislation that enables appropriate sharing of information between government and industry, such as the bipartisan bill co-sponsored by Reps. Mike Rogers, R-Mich., and C. A. Dutch Ruppersberger, D-Md., that passed the House last year and is being reintroduced today.”
What this certainly happens to be is a much needed nudge. Policy-making can be an arduous and time-consuming process, and time is of the essence on cyber security, which has unfortunately been very apparent for way too long. The Executive Order is a much needed step in getting the U.S. better prepared, and certainly better coordinated in terms of information sharing and collaboration between the government and the private sector.
The clock is now ticking on where we go with the details on this and on whether additional legislation will actually get passed.
As news warrants, this is obviously a topic we all will be hearing more about.
Edited by Braden Becker