Cyber security takes center stage with new presidential directive

Executive order gives government agencies a year to devise a 'baseline framework' that will incorporate peer-based standards and industry best practices


Howard A. Schmidt, the former White House cyber security coordinator, told the Washington Times that there have been lengthy negotiations about the roles and responsibilities of government agencies – especially DHS – moving forward. He said that the new EO defines “specific responsibilities” for Homeland Security to secure federal computer networks.

Information sharing between the private sector and the federal government is not new. There are open lines of communication between the Feds and 17 key industrial sectors; however, Schmidt admitted that the DHS-private sector relationship needed to be stronger.

Experts like Sotto see the new information sharing landscape bringing more responsibilities for the private sector. “The key issue is information sharing,” she says. “I view it as both a blessing and a curse — it is a blessing in that there will be much faster delivery to the private sector on cyber threats and better coordination between the government and private sector. The curse is that now the private sector will have knowledge of threats, and they will have to act on them.

“I think the private sector and government are running scared,” she adds. “Everybody is gravely concerned and this president is the first one to raise this to a different level – appropriately so given the threats we’ve experienced over the past several years. The fact that he spent a good amount of time on this topic in his speech shows a great level of concern.”

Another partner in the new cyber security strategy is the National Institute of Standards and Technology (NIST), which has been charged with establishing the peer-based, voluntary security framework that will serve as a pseudo book of standards for critical infrastructure, based on input it receives from federal, state and local governments, standards-setting organizations, industrial advisory groups, and infrastructure owners and operators.

Evan Wolff, who serves as director of Hunton & Williams’ homeland security practice, says there is a precedent for how the White House and its agency partners are rolling out their plan. “I think the cyber security framework will have some intended and unintended uses,” he says.

Wolff goes on to say that the new set of policies will aid insurance companies when it comes to litigation settlements, because they will now have a defined set of rules to play by. The new rules will also have a role in an organization’s internal audit.

DHS will be working to compile a list of critical infrastructure assets and their greatest risks that will serve as a checklist of best practices. Wolff, who once served as an infrastructure protection advisor to DHS senior leadership, says the EO creates a mechanism by which private owner/operators could be forced to adopt those best practices. When a company gets notified by DHS as a result of a perceived vulnerability or breach, there will be a standard set of procedures to become “compliant” and rectify the issue.

“They will understand the basis for that decision and there will be a process where they can actually decide if they want to get off that [voluntary] list or redress the process. DHS has done this before when addressing regulatory issues in the chemical industry (the CFATS program) and coming up with risk management assessment processes and lists,” Wolff says. “If a company is notified by DHS of some sort of cyber threat to their organization or they discover it on their own, they will not be allowed to ignore it. Government contractors will be advised to adhere to the peer-based standards at risk of losing their ability to do business with the government.”

Sotto agrees that the financial element is key to putting teeth into the voluntary standards framework. “This is a critical point. If anything is persuasive in this entire scenario, it is the power of the purse. That possible sanctions will impact the ability to get a government contract is highly incentivizing.”

From the perspective of a security practitioner like Martin Zinaich, information security officer for the city of Tampa’s Technology and Innovation Department, excitement is tempered by the reality of the mandate. “I see the announcement as a small step forward, but not one giant leap for mankind,” he says. “We already have numerous frameworks in the information security space (ISO 27002, NIST, PCI DSS) that do a good job defining what ‘should be done’ — but the work is getting businesses to adopt and take that risk seriously.