NovaBlogger Jack “@sintixerr” Whitsitt, a local expert on national critical infrastructure protection issues, published this article last weekend while we were all enjoying ShmooCon. With his permission we are cross-posting it here. This post is the first in a series of two that nicely summarizes the Executive Order that Obama issued last week.
Section-by-Section translation of the EO based on my own interpretation; designed to get through all of the heavy government language to the spirit of what each section is attempting to convey. Some of this might be wrong, but I think I’ve hit the substance. Will refine over time:
Important to remember: EO can’t change existing law and responsibilities
Sec. 4. Cybersecurity Information Sharing
a) The US Government will pass more (unclassified) information than they already are, and from more sources, to the private sector faster so that they (industry) can better protect themselves.
b) More about the rapid dissemination of these reports, but now mentions the ability to disseminate limited classified reports
c) The government will enhance a new program (previously announced) to provide classified threat and technical information to qualified critical infrastructure companies (including commercial service providers who work with critical infrastructure)
d) The intel community will speed up processing of security clearances for private sector companies with critical infrastructure
e) Since actually becoming a fed is hard, and because not everyone wants to, there are initiatives going on – and which the EO directs to be hurried/expanded – to allow private citizen subject matter experts to come under temporary service
Sec. 5. Privacy and Civil Liberties Protections
a) Agencies already have privacy/civil liberty offices and procedures in place. They must make sure any action they take in regard to the EO is done using those offices and procedures.
b) DHS must formally confirm, on a recurring basis, that 5a) is indeed happening
c) When DHS reports on this, it will consult with OMB (to provide another layer of oversight)
d) Private entity information will be protected by the most protective interpretation of the law
Sec. 6. Consultative Process
The government will engage with private sector stakeholders on all aspects of the EO and will utilize mechanisms that already exist and are currently being used to collaborate with industry on cyber security and critical infrastructure – particularly those outlined in HSPD-7 and DHS’s National Infrastructure Protection Plan
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
a) NIST will lead the development of a framework to reduce risks to critical infrastructure from cyber systems. The framework speaks to the process of reducing risk. The framework is intended to make sure business efforts, policy efforts, and technical efforts are aligned and working together. The framework will incorporate existing standards and best practices as much as possible (clarification: NIST has said here that they mean interoperability/common frame of reference type standards, not performance or measurability focused standards. I.e., the intent of the standards is to help everyone work together.)
b) The framework is *process focused* and intended to deal with the fact that this is the real world; its goal is to work collectively to figure out the best ways to reduce risk – the process is the focus, not the results. “The journey is the destination”. The framework will include ways to measure how well organizations are participating in the process.
c) The framework will explicitly include ways to protect business interests and civil liberties
d1) This process will be as inclusive as possible. Government required to show up to the table and government required to engage industry as much as industry is willing to participate.
d2) The government will provide outcome goals for the framework based on critical determinations made in section 9 (the intricacies of this are a bit out of scope of this review. Suffice it to say that there is already existing work here being done and existing processes already in use that will most likely be used to fulfill this requirement.). This is assigned to the heads of relevant agencies, which means it's a performance criterion for those individuals, which means it will get done.
e) a preliminary version of the framework will be done in 240 days, final in a year
f) The process of engagement and validity of approaches will be reviewed regularly for appropriateness in addressing cyber security
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program
a) There will be a program (outreach & engagement?) to encourage private sector adopting the framework process
b) The agencies already on the hook for industry engagement for critical infrastructure (sector specific agencies – SSAs – under HSPD-7 and the National Infrastructure Protection Plan – NIPP) will use their existing mechanisms (like CIPAC) to reach out to industry on a sector by sector basis and address sector specific risks and concerns
c) The Sector Specific Agencies will let the president know annually how this is all going – is industry participating or not?
d) The government will try to create additional value for industry to participate
e) The government will try to figure out how – or if it even makes sense – for the government to adjust its procurement and contracts to use/fit in with the framework
Sec. 9. Identification of Critical Infrastructure at Greatest Risk
a) Within 150 days, DHS will determine, based on potential national consequences from a cyber attack, what infrastructure is critical. This speaks to a consultative process (as described in section 6) that the government will use to identify what the framework and the rest of the Order is aimed at. I’ve been working within one industry for some time using a version of the process that will be used here. The process uses business-function driven risk analysis to determine priorities: Critical Functions->Value Chain->Supporting Cyber Infrastructure->Program level vulnerabilities->Scenarios to be protected against. Ish.
b) The sector specific agencies will, in line with their existing role, provide DHS with enough information to make these determinations. The EO assigned this to the heads of the sector specific agencies, in particular, and so it is a performance criterion for them. This tends to mean it will get done.
c) Owners and operators of critical infrastructure will be confidentially notified of their status as critical infrastructure and there will be a mechanism for them to ask to be reconsidered
Sec. 10. Adoption of Framework
(Read: Potential Regulation)
a) Agencies who can currently regulate will look at any new information provided by the preliminary framework and determine if the way they are currently handling regulation is sufficient based on framework identified risks (my note here: TSA has, in the past, declined to regulate because industry was actively participating already. This directive does not make future regulation a given).
b) If current regulation isn’t sufficient, regulatory agencies will propose actions.
c) Within two years, agencies will work with owners and operators to determine if any new regulation is ineffective or excessively burdensome and will make recommendations for relief/changes
d) DHS will help out any agencies who don’t have the technical cyber qualifications to do this effectively
e) Regulatory agencies that aren’t sector specific agencies should consult with everyone and get on board, too
Sec. 11. Definitions
(Speaks for itself. Read these without translation)
(a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).
(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.
(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.
(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).
(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or
(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.
Cross-posted from Jack Whitsitt: Art and Security in Washington, DC.
Today’s post pic is from GovInfosecurity.com. See ya!