Push Ahead of Cyber Security Legislation

January 2, 2013

The rise in global security incidents, diminished budgets and downsized security programs have left organizations to deal with security risks that are neither well-understood nor consistently addressed. Executives around the world feel confident that they’re winning the high-stakes game of information security despite the growing number of obstacles, according to The Global State of Information Security^® Survey2013 by PwC U.S. in conjunction with CIO and CSO magazines.

“Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance,” says Mark Lobel, a principal in PwC’s Advisory practice. “Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats.”

If you thought corporate and physical security were challenging enough, they have nothing on information security in the age of cyber crime. The above quoted study of more than 12,000 business and technology executives points to “the lack of information security leadership as a serious obstacle to an effective information security strategy in their organizations.” And on its heels appears to be a relatively toothless Executive Order to improve the digital defense of critical infrastructure, voluntarily.

A short history: in November 2012, the Senate failed to pass legislation mandating cyber security to prevent against a “Cyber Pearl Harbor” as Secretary of Defense Leon Panetta noted during a speech in October 2012, discussing U.S. critical infrastructure. The Senate killed the legislation in large part due to U.S. Chamber of Commerce opposition to the voluntary standards, viewing them as a back door to regulation and one that would quickly fall out of date with evolving threats.

That prompted the White House to move ahead with an Executive Order (EO 13587). However, most critical infrastructure is privately owned, limiting the Executive Order’s impact because it can only ask for voluntary participation among most of the targeted power plants and water systems. Further, it excludes commercial products from being ‘cyber security compliant’ (undefined) and leaves it to the individual government agencies to determine if changes to procurement procedures are necessary. There is also discussion of creating incentives for vendors to be ‘cyber compliant’ or awarding preferential status to those that are compliant.

Further, a key sticking point in the Senate legislation was the information sharing among government and private sector organizations. While the legislation encouraged government and companies to share information about cyber threats, the Obama Administration promised to veto legislation that did not safeguard the privacy of that shared consumer data. So, while information sharing has been identified as a core element of cyber defense, it will not happen without protections for those doing the sharing.

Well, if you have read this far, you have the sense of all the things the Executive Order does not do. So, what does it do?

It does outline orders for certain agencies to take a proactive role. At the core, NIST will be charged with developing a cyber security framework. And DHS will produce unclassified reports on specific, targeted threats (similar to OSAC’s information sharing policy). And a system for tracking and reporting cyber security incidents would be developed on a multi-agency level. And maybe the most important outcome is the recognition of the problem and getting leaders across silos to discuss threats, vulnerabilities and mitigation strategies. And from signing to publication at the government agency level, the goal is 605 days.

In summary, do not sit tight waiting for this Executive Order to be signed. Rather, corral your peers across the enterprise and lead the charge because the folks on the other side of your firewall are charging ahead too. With only 21 percent of Security 500 CSOs managing Cyber Security for their enterprises, this is an outstanding career opportunity for leaders with security subject matter expertise to lead. After all, nature abhors a vacuum.

This article was previously published in the print magazine as "Nature Abhors a Vacuum."

Executive Order 13587 Near Term Actions

The President’s Cyberspace Policy Review identifies 10 near- term actions to support our cybersecurity strategy:

1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.

2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.

3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.

4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.

6. Initiate a national awareness and education campaign to promote cybersecurity.

7. Develop an international cybersecurity policy framework and strengthen our international partnerships.

8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.

9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure.

10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.

Mark McCourt is the publisher of Security magazine.

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 September

This month in Security magazine, we bring you our 2020 Most Influential People in Security annual report, where we highlight 22 industry leaders, their path to security, careers, goals and guidance for future security professionals. Industry experts discuss the evolution of ransomware, houses of worship security, cybersecurity standards, security careers in investigations and the unifying power of security. Diane Ritchey, past Editor-in-Chief, says goodbye and thank you to our readers.

View More Create Account

Push Ahead of Cyber Security Legislation

Executive Order 13587 Near Term Actions

Recent Articles by Mark McCourt

A New Year's Prediction: The Internet of Things Changes Everything

As Risks Expand, So Does Security's Responsibility

How the Security Evolution Turns to Prediction

John Dailey: Life Happens Here

Gary Gagnon: Unique-ness

Security Magazine

2020 September

Push Ahead of Cyber Security Legislation

Executive Order 13587 Near Term Actions

Recent Articles by Mark McCourt

Related Articles

Report Abusive Comment