On February 12, 2013 President Obama issued a new Executive Order focused on improving cyber security for critical infrastructure, by improving information sharing, creating a framework to reduce cyber risk, and identifying critical infrastructure that is at the greatest risk.
There are four key takeaways. First, many companies that do not believe they are part of the critical infrastructure will be considered critical infrastructure. Second, the government will be taking a more active role in attempting to have companies designated as critical infrastructure become more aware and compliant regarding cyber security. This will likely result in pressure on these companies to increase security (with resulting increases in spending) as the government will be attempting to have companies follow a cyber security framework that will be created. Third, information sharing continues to be a focus to address the cyber threat. Fourth, there are strategies that companies can use to help address these issues, and they are discussed below after the summary of the Executive Order.
Defining Critical Infrastructure
This is a definition that will go far beyond what people traditionally think of as “critical infrastructure” and executives must consider the impact of this Executive Order, and more importantly how they can help their companies address this risk.
DHS has previously identified 18 critical infrastructure Sectors: Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Governmental Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; and Water.
The Executive order may expand this list because the order focuses on any “systems or assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” The Executive Order contemplates making this determination based upon a new risk-based assessment to identify critical infrastructure where a cyber security incident could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” The owners of businesses in the critical infrastructure will be notified that they have been deemed to be critical infrastructure, and the businesses have the opportunity to ask for reconsideration of this designation.
The first substantive focus of the Executive Order is information sharing, and as noted in prior posts by the Lares Institute, this is a critical issue as in many cases the public sector has better threat intelligence than the private sector, though the private sector is often the target of a cyber attack. There have been prior Executive Orders from both President Bush and President Obama related to information sharing, and this order again reiterates the need for the public sector to share non-classified information with the private sector to help address the cyber security problem. It also orders the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to issue instructions consistent with this order to ensure the release of appropriate information to the private sector. Consistent with Executive Order 13549, there are also provisions focused on expediting the clearance process to enable information sharing.
Recognizing the need to build consensus and gather information, the Secretary of DHS is also required to establish a consultative process to coordinate improvements to the critical infrastructure.
Cyber Security Framework
Building upon that, the order also requires the Department of Commerce to direct NIST to create a framework to reduce cyber risk to the critical infrastructure in a way that establishes cross-sector security standards and guidelines. This is to provide a “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks” and will “incorporate voluntary consensus standards and industry best practices to the fullest extent possible.” There is to be a technology neutral framework that enables competition for addressing cyber risks. There is to be a public comment and review process, and there is to be a preliminary version of the framework released within 240 days of the order, and the final order is to be released within 1 year.
DHS is also required to, in coordination with other agencies, establish a voluntary program to support the adoption of the framework. In order to encourage participation, the order contemplates the creation of incentives to promote participation in the program.
Once the framework is created, there is to be a governmental review of the existing cyber security regulatory requirements to make sure that these regulations are sufficient given the current risks, and additional actions may be contemplated if the existing regulations are deemed insufficient.
Privacy and Civil Liberties
There was also a privacy and civil liberties focus, because the Executive Order mandates that the CPO and the Officer for Civil Liberties of DHS are to produce a public report regarding the privacy impact of these new requirements.
Information Sharing and Information Superiority
As noted in a prior post, Information Superiority and Information Sharing—A Solution for the Public and Private Sector, information sharing and information superiority are critical steps any company can take to address the cyber issue. As I have previously noted, there are four key steps:
- The first step companies must take to implement Information Superiority, and reduce the chances of an exploitable information imbalance, is understand what information they have.
- The second step companies must take is to create a governance structure that includes key senior stakeholders from departments that are relevant to governing information.
- The third step companies must take is to create a framework that classifies the company’s information based upon sensitivity.
- The fourth step companies must take is to make systematic behavioral changes to how information is collected and processed, so that information is appropriately shared with key stakeholders, both internal and external.
As the threats continue to grow, and the chances of governmental action increase, these are steps that companies can take to get ahead of the cyber security framework, and also reduce their cyber security risk. In these times of doing more with less, using Information Superiority to focus security efforts also offers many companies a path forward to address cyber concerns.