Assessing the Cyber Executive Order
The Obama administration has released an Executive Order (EO) designed to improve the cybersecurity of the nation’s critical infrastructures such as power plants, financial systems, and telecommunications networks. The document represents a solid first step, but as the administration and leaders in Congress recognize, much remains to be done. This paper summarizes five strengths of the EO and highlights five areas where additional steps are required.
Five Strengths of the Executive Order
1. Relying on Market Forces
The Executive Order’s general approach enables owners and operators of critical infrastructure (CI), the vast majority of whom are in the private sector, to take responsibility for protecting themselves. Although the government will play a convening role to spur progress, the EO does not mandate a single standard for all parties. Neither does it require the use of specific products or services or mandate compliance through force of law.
The EO’s intent is to rely on market forces where possible so that innovation and creativity can flourish. This is the right approach because government organizations cannot hope to keep up with the rate of change of both technology and the business practices that depend on it.
2. Prioritization of Critical Infrastructures
The United States has tens of thousands of infrastructure facilities; the state of Texas alone has identified over 5,000. It cannot protect them all equally well. The EO has rightly called for the identification of the most critical infrastructures so that the government can focus its efforts on the highest priorities. Making such an assessment will be difficult, in part because of the interconnected nature of our nation’s infrastructures, but it is a necessary step toward significant progress on this issue.
3. Creating Both Baseline and Tailored Standards
The president’s order describes a process that will develop a Cybersecurity Framework providing cross-sector security standards and guidelines for critical infrastructures. This Framework has two major components. First, it will identify cybersecurity standards for computer systems and functions (e.g., email) that are generally found in all critical infrastructure settings. Second, it will support the development of standards tailored to the needs of specific sectors. For example, CI operators in some sectors run specialized industrial control systems that are poorly served by generic IT security best practices. These include SCADA (supervisory control and data acquisition) systems like those targeted by the Stuxnet attack on Iran’s uranium enrichment facility at Natanz. The EO rightly addresses this need by noting that standards must be tailored for specific sectors in partnership with members of those sectors.
4. Facilitating Unclassified and Classified Information Sharing
Many critical infrastructure owners and operators do not have a good understanding of the threat environment they face. This lack of knowledge often results in an underinvestment in cybersecurity measures. It can also limit the ability of cyber defenders working for CI operators to defend themselves against sophisticated adversaries.
The information sharing provision of the EO can have a significant impact by providing both unclassified and classified cyber threat data to critical infrastructure organizations. Such information can inform executives about adversary campaigns targeting specific industries or types of companies. It can also provide specific indicators, such as malware signatures, along with the tactics, techniques and procedures (TTPs) of particular adversaries, which cyber defenders can use to block, detect and remove malware they otherwise would not have known about.
Finally, it is important to note the EO contains strong privacy protections that apply to all aspects of the recommended initiatives, including information sharing.
5. Offering Services to CI Operators
While information sharing can be incredibly useful, detecting and countering sophisticated cyber attacks often requires a dedicated team of highly skilled cybersecurity analysts who are in very short supply. Most organizations do not employ such teams. For this reason, it will be necessary for critical infrastructure owners to rely on outside companies to provide such capabilities on demand. The EO supports this need by enabling infrastructure operators to participate in the Department of Homeland Security’s Enhanced Cybersecurity Services (ECS) initiative—a program developed to bolster the cybersecurity of companies in the defense industrial base through the use of services provided by selected commercial service providers (CSPs).
Five Areas for Improvement
1. Developing Incentives to Change Behavior
Because participation in the EO’s initiatives is purely voluntary, it stands to reason that critical infrastructure operators will not adopt the Framework’s standards unless it is in their interest to do so. The EO explicitly recognizes this point by requiring the identification of incentives “designed to promote participation in the Program.”
The provisions within the EO may not, by themselves, change the fundamental incentives driving the behavior of critical infrastructure operators. As important as it is to identify possible incentives for changing the behavior of critical infrastructures, the government will need to experiment with these incentives to see which ones work. Conducting such experimentation will require the establishment of a well-structured and rigorous evaluation program. Congressional action may be needed to implement some incentives and to enable the proper evaluation of different options.
2. Sponsoring and Supporting Broader Information Sharing Efforts
The EO provides for the sharing of cyber threat information from government to industry. As useful as this sharing can be, it does not go far enough. For one thing, the federal government cannot share information with every critical infrastructure owner in the country. Its efforts will be focused on those infrastructures that can cause “catastrophic regional or national effects.” A majority of infrastructures will not meet that threshold, yet their protection from cyber attack is still important.
A key step to improving the cybersecurity posture of these infrastructures is to encourage and support cyber threat information sharing at the local and state levels, and to foster company-to-company sharing mechanisms where possible. The federal government may not be directly involved in such efforts, but it can fund them, incentivize them and help establish technical mechanisms that make information sharing easier. DHS has taken a few steps in this direction, but more work is needed. In addition, Congressional action is needed to provide the liability protections that can incentivize and enable information flows from industry to government and between private sector actors.
3. Expanding Services for CI Operators
In Homeland Security’s ECS program, commercial service providers receive threat indicators from the U.S. government and use those indicators, potentially in combination with their own proprietary information, to identify and block malware targeting protected companies. While this service will prove highly beneficial to many critical infrastructure operators, it is not sufficient to provide the full range of services such organizations will need. Critical infrastructure operators may also require assistance with insider threats, forensic capabilities, incident response and other services that they cannot perform on their own. These capabilities must become part of the ECS program. To broaden its set of services and respond to the needs of a potentially large market demand, the number and type of approved commercial service providers in ECS will need to grow.
4. Addressing Supply Chain Risks
It is not clear whether the EO intends for the Cybersecurity Framework to address supply chain risks. Such risks are often omitted from lists of cybersecurity best practices, because assessing them requires examining manufacturing and shipping processes that lie beyond the purview of those charged with cybersecurity responsibilities. However, supply chain risks can be serious, especially for ensuring the integrity of industrial control systems. The Department of Defense is currently funding a program to address supply chain risks within its own systems, and the Department of Homeland Security has made similar efforts to address supply chain problems through the Critical Infrastructure Partnership Advisory Council. If supply chain risks to critical infrastructures are not adequately addressed through the Cybersecurity Framework, then either the Executive Branch or Congress should take steps to ensure that the issue receives appropriate attention.
5. Improving Infrastructure Resilience
The Presidential Policy Directive issued concurrently with the EO is titled “Critical Infrastructure Security and Resilience.” The EO is clearly focused on the security aspects of critical infrastructure protection and does not address resilience explicitly. However, security and resilience cannot be addressed separately. Creating resilience in critical infrastructures may require changes in network architectures, cybersecurity processes, technology purchases and personnel decisions, all of which are likely to fall within the scope of the Cybersecurity Framework. To that end, resilience should be explicitly addressed within the Framework and the other initiatives in the EO.
Irving Lachow is a Senior Fellow and Director of the Program on Technology and U.S. National Security, and Jacob Stokes is a Research Associate at the Center for a New American Security.