On Tuesday, President Obama issued a Cybersecurity Executive Order, which outlined policies to defend against cyber attacks and espionage on US companies and government agencies. The EO came nearly a year after the proposed and much-hated Cyber Intelligence Sharing and Protection Act (CISPA) got stalled in the Senate. The privacy community sees the CISPA as a great threat to Internet privacy. Many of them are encouraged by this executive order, which stayed away from suggesting changes to privacy laws and regulations.

The salient points of the EO are as follows:

  • The president acknowledged formally that information warfare, at the level of nation states, is ongoing and is a clear and present danger.
  • The government will build a “Cybersecurity framework” with the private sector to share information on cyber attacks and threats, with the goal of reducing cyber risk to critical infrastructure.
  • The Cybersecurity framework will expand existing government programs to bring more private sector subject-matter experts into Federal service on a temporary basis.
  • Unlike the CISPA, the EO does not carry language that will change or directly impact privacy laws and regulations.
  • The EO puts forth specific timelines on the publication of the Cybersecurity framework as well as an assessment report on its implication to privacy.

However, many questions remain after reading the EO. A few of the top ones include:

  • The complexity of the “Cybersecurity framework”. While the specifics of this framework are yet to be developed, there are already many security “frameworks” that government agencies have to abide by, including FISMA, NIST 800-53, FERC, NERC, etc. The complexity of layering yet another framework on top will surely create problems. If we don’t aggregate and streamline these frameworks, they will become red tape rather than useful measures.
  • Problematic voluntary adoption plan. Putting the complexity of the framework aside, the biggest problem we see with the EO is the lack of incentive plans for voluntary adoption of the framework by private sector companies. The EO talks about establishing a voluntary program to promote the adoption of the Cybersecurity framework. We at Forrester question how effective that will be. The 9/11 Commission established a voluntary private sector preparedness program (PS-PREP) to promote sound business continuity practices in the private sector. We have yet to see a private sector company that has sought to be PS-PREP certified. To be effective, the government must establish more concrete programs, with the help of the private sector, to promote and incentivize companies to adopt this framework.
  • Privacy implications. The EO is respectful of privacy concerns but vague about its implications. In section 5, the order acknowledges the privacy concerns that come with information sharing. The text calls for consultation with privacy officers and senior officials to ensure privacy and civil liberties protections are being incorporated. Such language, while appropriate for this level of communication, does leave much room for interpretation, and it is likely to spark further debates in the privacy community.
  • Complexity for the private sector. We applaud the vision of expanding federal programs to bring private sector experts into federal service. However, there is a lack of clear directives on how that expansion will be implemented. The EO talks about expediting processing of security clearances, but that’s just one hurdle. What if the company in question, in order to send its security experts, is asked to become compliant with the Cybersecurity framework, which could turn out to be as complex as FISMA?
  • Scanty details on governmental level efforts. In addition to developing a national cybersecurity framework, we would have liked to see the president outline plans, at the diplomatic level, to work with the foreign governments that are perhaps behind some of the cyber attacks.

Overall, my Forrester colleagues and I applaud the president for drafting the EO to put cybersecurity concerns in the spotlight. This is a much-needed move. We can no longer ignore the war that is being fought in the digital battleground. This EO formally acknowledges the risk and sheds light on how serious the problem is. While there is no question that better information sharing is needed, across the industry and between the private sector and the government, to combat the increasing threat of cyberattacks and espionage, it is unclear that the EO and the ensuing framework and programs will change the game significantly.

How will it impact you as an S&R pro?

  • If you work with a private sector company and would like to influence the development of this Cybersecurity framework, you need to be apprised of what NIST is doing as a result of this EO. NIST will lead the development of the Cybersecurity framework. NIST’s normal practice, in addition to forming industry working groups, often includes public solicitation of comments on early drafts. That is where and when you can contribute.
  • It’s too early to tell whether it will engender additional complexity or cost for private sector companies, and how much additional cost, etc., if your organization is a “critical infrastructure” operator and desires to become compliant with the framework. But one thing is certain: cybersecurity is a front-and-center initiative for this government. You need to make sure that you treat cybersecurity the same within your organization.

Forrester analysts John Kindervag, Renee Murphy, Heidi Shey, and Stephanie Balaouras also contributed to this analysis.