The President unveiled his long-awaited Executive Order to improve the cybersecurity of critical infrastructure during the State of the Union.
It's the first step in creating a more structured and standardized cybersecurity response. But how will it actually work? And will industry be able to work alongside government? Trey Hodgkins is the Vice President of TechAmerica's Global Public Sector Advocacy. He told Chris Dorobek on the DorobekINSIDER program that the executive order is a good first step.
"The Executive Order has some similarities to the legislative language and prose that the bill in Congress had last August. They just took a slightly different take. They want to create a government inter-agency body to come up with standards and best practices sector by sector," said Hodgkins. Along with the Executive Order was the Presidential Policy Directive-2. It details the government approach to creating standards and improving information sharing with critical infrastructure owners and operators.

Next Steps
"The administrative priorities are pretty clearly spelled out in some concrete directions. The government will trigger fairly quickly the evaluation on a sector by sector basis of vulnerabilities and outline what steps can be taken and standards that can be adopted to demonstrate a more secure infrastructure and ways to prevent a cyber attack," said Hodgkins.

Role of Congress
"I think we are going to see some Congressional legislation fairly quickly. They will want to add elements that the Executive Order cannot cover, like information sharing and liability protections," said Hodgkins.

Federal Times: Agency Breakdowns in Executive Order
The Commerce Department’s National Institute of Standards and Technology will publish a draft cybersecurity framework by October. The framework will include voluntary security standards for critical infrastructure companies, based on best practices and industry input. NIST will work with the Department of Homeland Security to publish a final version of the framework within a year.
DHS will create a program to support voluntary adoption of the standards. By June, DHS, in coordination with the Treasury and Commerce departments, must recommend incentives to entice private-sector involvement in the program.
DHS will identify the companies that control the most critical infrastructure; they are the target audience for the voluntary program.
The Defense Industrial Base Information Sharing Program will be expanded to include more critical infrastructure companies. Under the program, government and industry share classified threat information, including software code used to identify malware.
By June, the Defense Department and General Services Administration will recommend the feasibility and benefits of incorporating security standards into federal contracts and acquisition planning and whether those standards are consistent with existing procurement requirements.
Agencies are directed to regularly assess the privacy and civil liberties impacts of their activities and share that information with the public.
For sectors currently regulated by the federal government, such as the chemical and nuclear sectors, security standards could become mandatory.
The executive order directs regulatory agencies to assess whether their current cybersecurity regulations are sufficient. “If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the cybersecurity framework and in consultation with their regulated companies,” the White House said.
Administration officials would not say what legal or financial ramifications regulated companies could face if they did not comply with potentially new standards.