The rise in global security incidents, diminished budgets and downsized security programs have left organizations to deal with security risks that are neither well understood nor consistently addressed. Executives around the world feel confident that they’re winning the high-stakes game of information security despite the growing number of obstacles, according to The Global State of Information Security® Survey 2013 by PwC U.S. in conjunction with CIO and CSO magazines.
“Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance,” says Mark Lobel, a principal in PwC’s Advisory practice. “Companies that want to be information security leaders should prepare to play a new game – one that requires advanced skills and strategy to win against emerging threats.”
If you thought corporate and physical security were challenging enough, they have nothing on information security in the age of cyber crime. The above-quoted study of more than 12,000 business and technology executives points to “the lack of information security leadership as a serious obstacle to an effective information security strategy in their organizations.” And on its heels appears to be a relatively toothless Executive Order to improve the digital defense of critical infrastructure, voluntarily.
A short history: in November 2012, the Senate failed to pass legislation mandating cyber security to protect against a “Cyber Pearl Harbor,” as Secretary of Defense Leon Panetta noted during a speech in October 2012 discussing U.S. critical infrastructure. The Senate killed the legislation in large part due to U.S. Chamber of Commerce opposition to the voluntary standards, viewing them as a back door to regulation and one that would quickly fall out of date with evolving threats.
That prompted the White House to move ahead with an Executive Order (EO 13587). However, most critical infrastructure is privately owned, limiting the Executive Order’s impact because it can only ask for voluntary participation among most of the targeted power plants and water systems. Further, it excludes commercial products from being ‘cyber security compliant’ (undefined) and leaves it to the individual government agencies to determine if changes to procurement procedures are necessary. There is also discussion of creating incentives for vendors to be ‘cyber compliant’ or awarding preferential status to those that are compliant.
Further, a key sticking point in the Senate legislation was the information sharing among government and private sector organizations. While the legislation encouraged government and companies to share information about cyber threats, the Obama Administration promised to veto legislation that did not safeguard the privacy of that shared consumer data. So, while information sharing has been identified as a core element of cyber defense, it will not happen without protections for those doing the sharing.
Well, if you have read this far, you have the sense of all the things the Executive Order does not do. So, what does it do?
It does outline orders for certain agencies to take a proactive role. At the core, NIST will be charged with developing a cyber security framework. And DHS will produce unclassified reports on specific, targeted threats (similar to OSAC’s information sharing policy). And a system for tracking and reporting cyber security incidents would be developed on a multi-agency level. And maybe the most important outcome is the recognition of the problem and getting leaders across silos to discuss threats, vulnerabilities and mitigation strategies. And from signing to publication at the government agency level, the goal is 605 days.
In summary, do not sit tight waiting for this Executive Order to be signed. Rather, corral your peers across the enterprise and lead the charge because the folks on the other side of your firewall are charging ahead too. With only 21 percent of Security 500 CSOs managing Cyber Security for their enterprises, this is an outstanding career opportunity for leaders with security subject matter expertise to lead. After all, nature abhors a vacuum.
This article was previously published in the print magazine as "Nature Abhors a Vacuum."
Executive Order 13587 Near Term Actions
The President’s Cyberspace Policy Review identifies 10 near-term actions to support our cybersecurity strategy:
1. Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities.
2. Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure.
3. Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC cybersecurity directorate.
5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
6. Initiate a national awareness and education campaign to promote cybersecurity.
7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure.
10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the Nation.