With cyber-security legislation stalled in Congress, President Barack Obama issued an executive order that could have far-reaching effects on businesses of all types.

The order expands efforts to share information, both classified and unclassified, between companies and the government on imminent threats to critical infrastructure from online attacks. It also calls for standardized cyber-security practices. The National Institute of Standards and Technology will develop voluntary standards and practices for reducing cyber-threats to infrastructure, such as nuclear power plants and the electrical power grid.

The executive order was paired with a Presidential Policy Directive on Critical Infrastructure Security and Resilience, which provided greater detail on its initiatives and focused on resiliency and recovery after an attack.

Together, they “send a clear message that the government understands the threat that massive trade secret theft could pose to businesses and the U.S. economy,” says David Fagan, a partner at law firm Covington & Burling.

The renewed focus on cyber-security is particularly timely. In recent days, Apple was forced to disclose a security breach. Facebook, Twitter, and NBC.com were compromised by hackers. Burger King found its Twitter feed hijacked by the hacktivist collective known as Anonymous. Media companies, including the New York Times and the Wall Street Journal, were victims of exploits tracked to China. Months of Denial of Service attacks continue to plague banks.

The presidential push, by focusing as much on recovery as defense, expands upon efforts pioneered by energy and utility companies, says Roland Trope, a partner at law firm Trope and Schramm and an adjunct professor in the law department of the United States Military Academy at West Point. Companies will not be expected to be 100 percent effective in deterring cyber-attacks; they will instead be judged on how well they prepare for attacks and how quickly they recover when attacks do happen.

While companies get something they have long called for—access to government data and threat warnings—it comes with added responsibilities. Companies that get warnings will have to respond by beefing up security. “If shareholders or companies that depend on you are damaged as a result of a cyber-attack, one of the questions that is going to come up, possibly in court, is, ‘What did you do after you got the warning?’” Trope says.

It isn't just entities deemed part of the nation's critical infrastructure that will receive warnings of attacks. They can be given to any company anywhere in the United States, Trope says. “A responsible board of directors is not going to wait until they get one of these notices,” he says.

The escalating threat of cyber-attacks, and the new presidential initiatives, will contribute to a rethinking of cyber-security and how risks are managed, says Kelly Bissell, a security and privacy specialist who leads Deloitte & Touche's Information & Technology Risk Management and Global Incident Response practices.

Modern risk assessment is made more difficult by the use of mobile and cloud services, data centers, the push toward employees using their own devices, and third-party suppliers, Bissell explains, and cyber-security needs have “caused a huge evolutionary change in thinking.” Many companies have rethought, or will rethink, their chain of command for dealing with technology-related security problems, he says.

“The security guys cannot be those guys in a back room with the door shut anymore,” Bissell says. “They have to be business thinkers. They have to focus on business strategy and transform the way they think.”

“Efforts to harden the private sector targets of trade secret theft by improving cybersecurity may help to stem the flow of intellectual property out of the United States.”

—David Fagan, Partner, Covington & Burling

Boards will similarly need to adapt and evolve. “Directors know how to look at a financial statement to see what their financial, operational, or strategic risk is,” Bissell says. But they are realizing that they don't have a clue what to ask senior management in order to hold them accountable when it comes to technology and cyber-risks. “Boards and senior management really have to start learning about it so they can make the right decisions,” he says.

One increasingly adopted strategy is to create an IT Committee, comparable to an Audit Committee, to assess security plans and make sure the right people are asking the right questions and pushing forward. “The board can learn along the way while drilling into the details and making sure that management has the appropriate responses and plans,” Bissell says. This board-level committee can, if needed, be supplemented by company or external expertise if board members are concerned that their own understanding of technology issues is lacking.

Another change afoot is that while security people have traditionally reported to the chief information officer, there is a move to bring them under a chief risk officer tasked with comprehensive oversight of financial, operational, and IT risks.

Bissell says the compliance function should be part of the process, but their involvement comes with a caution. “If companies take a solely compliance view, they fail almost all the time, because they do just enough to get by and then they are shocked that they were hacked,” he says. “I still see a lot of companies that do just enough to get by that are breached with very basic stuff.”

CRITICAL INFRASTRUCTURE CYBER-SECURITY

The following is an excerpt from a fact sheet that accompanied an Executive Order pertaining to cyber-security initiatives that was released earlier this month by the White House.

Defense Industrial Base Information Sharing Program Now Open to Other Sectors

The Order expands the voluntary Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.

National Institute of Standards and Technology to Lead Development of Cybersecurity Framework

NIST will work collaboratively with critical infrastructure stakeholders to develop the framework relying on existing international standards, practices, and procedures that have proven to be effective.

Partnering with Industry to Protect Our Most Critical Assets from Cyber Attack

The Executive Order strengthens the U.S. Government's partnership with critical infrastructure owners and operators to address cyber threats through:

The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.

The Executive Order directs NIST to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure.

The Executive Order also:

Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.

Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.

Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies.

Source: White House Executive Order.

Compliance officers, Bissell says, will need to prepare for a greater focus on regulatory efforts. Such regulation is long overdue, says Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University.

He says the president's executive order reflects an “about-face” for the administration, which had previously resisted calls for regulation. He notes that President Obama, in May 2009, said his administration would look for “technology solutions” rather than “dictate security standards for private companies.” That approach went nowhere, and it has been more than a decade since Congress has passed any kind of major legislation on the issue.

Is It Critical?

Just what falls into the category of “critical infrastructure” is still unclear. “While there might be some things we would all agree are unique, almost all infrastructure is pretty critical,” Cate says. “Is your grocery store critical? Well, maybe not on Day One, but if you've gone a week with it closed you are going to be in trouble,” he says. “From a compliance point of view, industries should be asking who is going to get regulated. Almost all infrastructure is interconnected and nearly every economic sector delivers some product or service that, over some period of time, is critical.”

The executive order and potential for new regulations may push companies to increase funding for cyber-security and related compliance efforts. “Until this point, unless you were in a highly regulated industry like nuclear power or healthcare, every dime you spent on cyber-security was one you really had to justify to your shareholders, because you had no regulatory obligation to do it,” Cate says. “Cyber-security is expensive. You really had to make the case that you are under attack, and nobody wants to make that case publicly. Now they have a legal peg to hang their hat on.”

“There may be people who were trying to persuade senior management that more cyber-security investment should be made, and this executive order has the potential to help them make the argument that those investments need to happen sooner, rather than later,” adds Sarah Jane Hughes, a fellow in commercial law at Indiana University's Maurer School of Law.

Many will be watching closely to see whether Congress, despite past failures, will take action. One day after the State of the Union, a new version of the Cyber Intelligence Sharing and Protection Act was filed by House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.). The bill, identical to one defeated in the Senate last year, establishes protocols for companies to share otherwise private user information with the government without a court order, and with liability protections if that data is deemed relevant to cybersecurity efforts or a breach investigation. Critics of the bill, including the American Civil Liberties Union, say it would compromise privacy rights and allow authorities to spy on American citizens.

Sen. Jay Rockefeller (D-W.Va.), chairman of the Senate Commerce Committee, undaunted by the Republican-led defeat of last year's Cyber-Security Act, has also filed a new bill, the Cyber-Security and American Cyber Competitiveness Act of 2013. It too calls for public-private partnerships and information sharing, as well as increased funding for cyber-threat training and research, and even greater government-led prevention efforts related to identity theft and other online crimes.

Bissell suggests that companies should not sit idly by and just wait for new regulations to emerge. They should be part of the conversation with regulators so they can help shape legislation and “get some standards that are achievable, targeted, and focused on true change as opposed to theory,” he says.