Citing “repeated cyber intrusions into critical infrastructure,” President Obama has issued an Executive Order on Improving Critical Infrastructure Cybersecurity. The Order states that “the cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” The Order seeks to improve the cybersecurity of Critical Infrastructures in the U.S. through improved communication and coordination with the private sector, directs the National Institute of Standards and Technology (NIST) to develop a comprehensive “Cybersecurity Framework” to reduce cyber risks to critical infrastructure, and creates a voluntary Critical Infrastructure Cybersecurity Program.
The Order:
- defines Critical Infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- calls for increased policy coordination and information sharing across governmental agencies and with businesses.
- tasks the Department of Justice with establishing procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers.
- seeks to “expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators,” addressing a concern that NERC, EEI, and others in the electric industry have repeatedly raised.
- directs the Department of Homeland Security to expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis “to maximize the utility of cyber threat information sharing with the private sector.”
- seeks “to establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.”
The order also calls for NIST to develop a Cybersecurity Framework. This Cybersecurity Framework shall:
- seek to reduce cyber risks to critical infrastructures
- include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address
- incorporate voluntary consensus standards and industry best practices to the fullest extent possible
- provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure
- provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks
- include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework
- be open to a public review and comment process.
One of the more controversial portions of the order is Section 8. Section 8 establishes a Voluntary Critical Infrastructure Cybersecurity Program that will devise a set of incentives to encourage private sector participation. DHS, in coordination with Sector-Specific Agencies, is to establish this program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. Sector-Specific Agencies, in consultation with DHS and the Sector Coordinating Councils, are to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.
The DHS, DOD, and GSA are also directed to review procurement rules to assess “the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”
DHS is also directed to identify the Critical Infrastructure at the Greatest Risk:
- using a risk-based approach, DHS is to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
- DHS is to “apply consistent, objective criteria in identifying such critical infrastructure without identifying any commercial information technology products or consumer information technology services.”
- Owners of such infrastructure will be confidentially notified and will be provided the basis for the determination.
Finally, within 2 years after publication of the final Cybersecurity Framework, DHS and other responsible agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
The Executive Order can be found at http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
NERC’s statement about the order is available at http://www.nerc.com/fileUploads/File/News/EO%20Response%2013FEB13.docx.pdf
NBC News has a high-level summary at http://www.nbcnews.com/technology/technolog/new-rules-cybersecurity-obamas-executive-order-explained-1C8349895