Cyber Security and Getting the President's Ear

Author: Prudence Parks
Location: New York
Date: 2013-03-28

On February 12, 2013, the President signed Executive Order (EO) 13636, entitled "Improving Critical Infrastructure (CI) Cybersecurity." Working within the confines of existing laws and agency authority, the EO directs better cybersecurity information sharing, creation of a Cybersecurity Framework, and development of a voluntary DHS program to encourage adoption of the Framework by CI owners and operators, all of it with civil liberties and privacy concerns in mind.

In terms of better information sharing, processes must be developed by June 13, 2013 to expedite the sharing of unclassified cyber threat information with the private sector, and in particular with the entity targeted by a given threat. Expedited security clearances will be prioritized for personnel of entities deemed to be "at greatest risk." And finally, the Enhanced Cybersecurity Services (ECS) program, heretofore available only to Defense Industrial Base (DIB) entities, will be expanded to share classified cyber threat and technical information with eligible CI entities in all sectors. Incentives to promote the adoption of cybersecurity practices and participation in the voluntary DHS program will also be identified and analyzed by June 13, 2013.

The National Institute of Standards and Technology (NIST) will lead the development of a Framework to reduce cyber risks to critical infrastructure, with extensive collaboration with industry in its development. To begin the process, NIST published a Request for Information (RFI) in the Federal Register to gather the initial information needed to develop the Framework. The comment deadline is April 8, 2013. NIST will draft a preliminary Framework by October 8, 2013 and the final Framework one year after the EO, in February 2014. NIST will also review the Framework one year after its final publication. NIST is organizing four workshops, the first of which is scheduled for April 3, 2013, to discuss various aspects of the Framework including requirements, assessments, and metrics.

The Cybersecurity Framework will incorporate existing consensus-based standards, be performance-based and measurable, mitigate impact on privacy and civil liberties, and be informed by relevant threat and vulnerability information. NIST does not intend to develop a brand new framework, but rather to generalize and repurpose existing frameworks so that they can be applied across critical infrastructure sectors and the evolving threat environment. The RFI asks 33 specific questions in three areas: current risk management practices; use of frameworks, standards, guidelines, and best practices; and specific industry practices. While respondents are generally encouraged to answer the questions, the RFI also indicates that any type of input and comment is welcome.

Sections 9 and 10 have the potential for the greatest impact on energy and water utilities. Section 9 directs DHS to identify, by July 13, 2013, the CI "at greatest risk," meaning CI for which a cybersecurity incident could reasonably result in catastrophic regional or national effects. A Cyber Dependent Infrastructure Identification Working Group has already begun work in this regard.

Section 10 directs that by January 9, 2014, executive branch agencies with authority to regulate the cybersecurity of CI must: 1) review the preliminary Framework to determine whether current cybersecurity regulations are sufficient; 2) examine their existing statutory authorities; and 3) identify any additional authority required. If current regulations are deemed insufficient to address the risks identified by the final Framework, executive agencies must, and independent regulatory agencies are encouraged to, propose prioritized, risk-based, efficient and coordinated actions to address those gaps.

The same day, the President signed Presidential Policy Directive 21 (PPD-21), "Critical Infrastructure Security and Resilience." PPD-21 specifically identifies the energy and communications systems as "uniquely critical" and directs DHS to consider other sectors' dependencies on these systems, the cascading consequences of infrastructure failures, and other CI interdependencies when updating the National Infrastructure Protection Plan. By October 11, 2013, DHS must demonstrate a near real-time situational awareness capability, covering both cyber and physical threats, of and for CI.

Prudence Parks is director of government affairs and legislative counsel for the Utilities Telecom Council. She can be reached at prudence.parks@utc.org.

This overview of the cybersecurity EO and the related presidential policy directive was covered in depth in a recent Utilities Telecom Council (UTC) webcast. More information on the webcast and UTC can be found here: http://www.utc.org/

http://riskcenter.com/articles/story/view_story?story=99915174