The Nation increasingly relies on the Internet to run the systems that light our houses, provide gas for our cars, and ensure our water is safe to drink. Collectively, these diverse systems represent our cyber critical infrastructure. Linking our critical infrastructure to the Internet brings considerable benefits, but our daily reliance on this critical infrastructure means that we are vulnerable to disruptions in our ability to use it. Unfortunately, the threats against our cyber critical infrastructure are numerous, ranging from sophisticated nation states to common criminals.
The government’s senior-most civilian, military, and intelligence professionals all agree that inadequate cybersecurity within this critical infrastructure poses a grave threat to the security of the United States. Most recently, we have seen an increased interest in targeting public and private critical infrastructure systems by actors who seek to threaten our national and economic security. Along with dissuading their actions, we must better protect the critical systems that support our way of life.
Because of the importance of our cyber critical infrastructure, and the seriousness of the threats, the President issued an Executive Order yesterday directing federal departments and agencies to use their existing authorities to provide better cybersecurity for the Nation. These efforts will by necessity involve increased collaboration with the private sector and a whole-of-government approach.
In developing the order, the Administration sought input from stakeholders of all viewpoints in industry, the public sector, the legislative branch, and the advocacy community. Their input has been vital in crafting an order that incorporates the best ideas and lessons learned from industry experience, legislative efforts, and successful federal efforts. Over the course of the past six months, we hosted over 30 organizations, representing all 18 critical infrastructure sectors, and heard from over 200 companies directly. We also met with trade associations representing an additional 6,000 companies, over $7 trillion in annual economic activity, and over 15 million employees to discuss their concerns and ideas for solutions. As a result of our outreach, numerous stakeholders responded positively to the Executive Order.
The Executive Order: Improving security for our cyber critical infrastructure presents a set of complex issues. The Executive Order addresses the three areas that are necessary to address the problem holistically: information sharing, a flexible risk-based Framework of core practices based on existing standards, and privacy protections. (For more details, see our Fact Sheet on the Executive Order.)
Information Sharing. It is a national priority to efficiently, effectively, and appropriately increase the volume, timeliness, and quality of cyber threat information shared with authorized individuals and companies. One of the primary efforts of the Executive Order is to better enable information sharing on cyber threats between the private sector and all levels of government. The Executive Order fosters improved public-private sharing in three important ways.
First, it expands the Department of Homeland Security’s Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments.
Second, it directs federal agencies to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion. Finally, the Executive Order directs DHS to expedite the processing of clearances for appropriate state and local government and private sector personnel to enable the federal government to efficiently share cyber threat information at the sensitive and classified level.
Cybersecurity Framework: The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework to reduce cyber risks to critical infrastructure. NIST will work with industry to identify existing voluntary consensus standards and industry best practices to incorporate into the framework.
The Administration recognizes that there are private-sector cyber leaders in our critical infrastructure sectors who are already implementing strong cybersecurity controls, policies, and procedures. Rather than burdening such organizations with more to do, the Executive Order puts these innovators at the core of informing and driving the development of voluntary best practices for the framework. In this way, we can distil common cybersecurity practices from the experts that know them best and leverage them to improve the security of the Nation’s critical infrastructure.
The framework does not dictate “one-size fits all” technological solutions. Instead, it promotes a collaborative approach to encourage innovation and recognize the differing needs among critical infrastructure sectors. Organizations who want to upgrade their cybersecurity will have the flexibility to decide how best to do so using a wide range of innovative products and services available in the marketplace.
Privacy and Civil Liberties Protections: The Executive Order reflects the Administration’s deep commitment to ensuring that processes for sharing cyber threat and incident information between the federal government, state, and local government, and private companies incorporates rigorous protections for individual privacy and civil liberties. Accordingly, the Executive Order directs departments and agencies to incorporate privacy and civil liberties protections into cybersecurity activities based upon widely-accepted Fair Information Practice Principles, and other applicable privacy and civil liberties frameworks and polices. The Executive Order also requires regular privacy assessments and public reporting of any privacy and civil liberties impacts.
More Action is Needed: This Executive Order represents an important step in improving cybersecurity protections for our critical infrastructure, and reflects recommendations from many different groups, including the bi-partisan Commission on Cybersecurity for the 44th Presidency and the Recommendations of the House Republican Cybersecurity Task Force. However, more is needed. Executive action alone cannot create the new tools and authorities needed to meet the Nation’s collective cybersecurity challenges. The Administration continues to urge Congress to pass legislation to more fully address our Nation’s cybersecurity needs.
For decades, industry and all levels of government have worked together to protect the physical security of critical assets that reside in private hands - from airports and seaports to national broadcast systems and nuclear power plants. Similarly, we must now work in partnership to protect the cyber critical infrastructure systems upon which so much of our economic well-being, national security, and daily lives depend.
As we have made clear, industry has a significant role to play as well. As a first step, I would urge Chief Executive Officers (CEOs) to ask their team these five questions and ensure that they are satisfied with the answers. Additionally, I ask that industry, academia, the advocacy community, and all who are interested, participate in the NIST process to develop the Cybersecurity Framework. Visit NIST’s website to view NIST’s request for information (RFI) and find out how to participate.
As the President’s Cybersecurity Coordinator, I look forward to engaging all stakeholders in this important national mission.
Michael Daniel is Special Assistant to the President and Cybersecurity Coordinator.