During his State of the Union address on Tuesday, President Obama declared that "America must also face the rapidly growing threat from cyber-attacks." On the same day, he signed the "Improving Critical Infrastructure Cybersecurity" Executive Order to strengthen cyber defenses and better protect our economic and national security.
OUR POINT OF VIEW:
While there is still much more work to be done, the executive order demonstrates an important step forward in protecting our Nation's cyber infrastructure by addressing two vital aspects of cybersecurity: information sharing and the development of a Cybersecurity Framework. Additional legislation by Congress is necessary to help ensure that information sharing can occur between the private sector and the federal government, and that it does so within a safe harbor and with the necessary liability protection. As described below, one of the major initiatives contained in the Executive Order is taken on by the Department of Commerce's National Institute of Standards and Technology (NIST), which will lead the government-private sector effort to create the Cybersecurity Framework. Producing a draft product in eight months will require extensive coordination within government and with the private sector.
EXECUTIVE ORDER MAIN POINTS
- Develop a partnership with the owners and operators of critical infrastructure to address the cyber challenge, including increased information sharing and the collaborative development and adoption of risk-based standards.
- DHS, Justice and the Director of National Intelligence (DNI)/Intelligence Community (IC) are tasked to: "Ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity." DHS and Justice are tasked to rapidly disseminate the unclassified reports produced in response to such threats, as well as to disseminate classified reports to the critical infrastructure (CI) entities authorized to receive them.
Analysis: As a result of these provisions, there are now two authorized channels for passing threat information to the private sector: through DHS and through the FBI. This will help ensure uniformity in report dissemination and will prevent "one-off" distribution, which may help a specific company but may not contribute to overall situational awareness. The Executive Order does not address how the private sector should provide information to the US Government, except to state that the information would not be disclosed through FOIA.
- DHS and DOD are tasked with expanding the Enhanced Cybersecurity Services (ECS) initiative -- initially developed by DOD and the National Security Agency to support Defense Industrial Base (DIB) companies -- to the other 17 CI sectors. ECS involves a highly cooperative arrangement executed among the supported CI entity, the entity's Commercial Service Provider (i.e. the entity's ISP) and NSA. ECS provides tailored, classified cyber threat, vulnerability and mitigation information to participants.
Analysis: While the DIB Cyber Pilot (the precursor to ECS) received mixed reviews, there is no question that extending ECS to the other 17 CI sectors is a great benefit. Companies that would benefit from ECS are usually very mature in their implementation of cybersecurity mechanisms, and ECS can be an effective "force multiplier."
- The Executive Order tasks DHS with expediting the processing of security clearances for CI owners and operators with emphasis provided for those associated with "CI at Greatest Risk."
Analysis: DHS's "suitability" evaluation process for current US Government and contractor personnel who have already been granted clearances has been described as lengthy and ponderous. A more timely and expedited process for granting security clearances should be put in place.
- NIST is directed to lead the development of a Cybersecurity Framework. NIST will:
(1) Develop a framework through an open public review and comment process;
(2) Collaborate with DHS, Sector Specific Agencies and other interested agencies, OMB, owners and operators of critical infrastructure, and other stakeholders;
(3) Ensure the process is informed by relevant threat and vulnerability information provided by DHS and DOD; and
(4) Complete a preliminary draft in eight months and final draft within one year.
- The Cybersecurity Framework shall:
(1) Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks;
(2) Incorporate voluntary consensus standards and industry best practices to the fullest extent possible and shall be consistent with international standards whenever feasible;
(3) Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure;
(4) Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet standards, methodologies, procedures and processes developed to address cyber risks; and
(5) Include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
- DHS in coordination with Sector-Specific Agencies:
(1) Shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the Program);
(2) If necessary, shall develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.
- DHS shall coordinate the establishment of a set of incentives designed to promote participation in the Program. Within four months, the Secretary of DHS and the Secretaries of Treasury and Commerce each shall make recommendations on what incentives can be provided to owners and operators of critical infrastructure that participate in the Program, under existing law and authorities, and what incentives would require legislation, including analysis of the benefits and relative effectiveness of such incentives.
- As an additional incentive, DHS, DOD, GSA and the Federal Acquisition Regulatory Council are required within four months to recommend:
(1) How security standards derived from the Cybersecurity Framework could be incorporated into acquisition planning and contract administration;
(2) How to harmonize and make consistent existing procurement requirements related to cybersecurity.
Analysis: The Chertoff Group will watch closely how this plays out, as the impact on federal contractors and vendors could be significant.
- Within three months agencies with responsibility for regulating the security of CI shall report whether or not those agencies have clear authority to establish requirements mandating the implementation of the Cybersecurity Framework.
Analysis: Early critiques of the Cybersecurity Framework contained two recurring themes: (1) the scope and depth of the task assigned to NIST and the extensive coordination requirements make achievement of the Executive Order's deadlines unlikely; and (2) the requirement that oversight agencies stretch their authorities to include mandating the use of the Framework for the CI under their purview is a circumvention of Congress's authority.
Identification of Critical Infrastructure at Greatest Risk
- The Executive Order defines critical infrastructure as: "Critical Infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."
Analysis: The Executive Order does not state what happens to critical infrastructure so designated. There could be follow-on impact or action, as such entities may be viewed as candidates for "regulatory-like" action, or be considered higher risk by boards. There may also be greater liability risk. This provision does not apply to commercial information technology or to vendors supplying cybersecurity components to critical infrastructure.
About The Chertoff Group
The Chertoff Group is a global security advisory firm that provides consulting, risk management and merger and acquisition (M&A) advisory services for clients in the security, defense and government services industries. With decades of trusted leadership experience across both government and financial services, The Chertoff Group advises clients on how to manage their risk, protect against a broad array of threats and crises, and grow their businesses within a complex national security market. The Chertoff Group, and its investment banking subsidiary Chertoff Capital, have advised on multiple M&A transactions totaling more than $4 billion in deal value. Headquartered in Washington D.C., the firm maintains offices in London, New York and San Francisco. For more information about The Chertoff Group, visit www.chertoffgroup.com.