Will the Cyber-Security Directive Guard the U.S.?
By Samuel Greengard
Over the last couple of years, businesses and government have been hammered by waves of cyber-attacks. With key systems and infrastructure at risk, there's a growing focus on fending off these potentially devastating incidents. On February 12, President Obama signed Executive Order 13549, which establishes a framework for developing better protections against cyber-espionage and cyber-attacks.
"Cyber-security issues are not merely an IT problem," says James Barnett, a former admiral in the U.S. Navy and former chief of public safety and homeland security for the Federal Communications Commission. "We've repeatedly seen that cyber-threats endanger the entirety of the country's critical infrastructures. Our transportation, energy, communications, manufacturing and financial services sectors are all expending tremendous energy and resources on protecting themselves from cyber-threats."
Barnett, now a partner at the law firm of Venable LLP, says that the presidential directive is a necessary step for addressing cyber-security issues in the United States. "The executive order represents a start, especially in requiring the National Institute of Standards and Technology [NIST] to lead the development of a cyber-security framework," he notes.
Of course, the bigger question is: How will the executive order affect businesses involved with critical infrastructure or those that rely on the Internet?
Some observers contend that the directive doesn't adequately address the extent of the problem—or the risk. Michela Menting, cyber-security senior analyst at ABI Research, argues that the risk of a catastrophic outcome is growing. "The proposed cyber-security framework falls far short of a pertinent and concrete solution to a problem that should have been addressed 10 years ago," she explains.
Menting isn't optimistic about any major change resulting from the directive. "The government is floundering in a hotly politicized deadlock with trade lobbies and civil liberties advocates," she says. "In comparison, the European Union is plugging ahead, building a resilient cyber-fortress around its critical infrastructure."
The result? "Hostile nations are picking the information superhighway apart, and the U.S. risks losing a very costly digital advantage," Menting warns.
Barnett suggests that businesses stay tuned and participate in the process to the extent possible. "At the very least, businesses should monitor what is happening as the framework and standards develop," he says.
Meanwhile, business and IT executives should focus on four primary issues, points out Andrew Serwin, chair of the privacy, security and information management practice at law firm Foley & Lardner and a member of the advisory board of the Naval Postgraduate School's Center for Asymmetric Warfare. They are:
- Understand what data and information the enterprise possesses.
- Create a governance structure that includes key senior stakeholders from departments that are relevant to governing information.
- Establish a framework that classifies information based on sensitivity.
- Embrace systematic behavioral changes revolving around how information is collected and processed, so that information is appropriately shared with key internal and external stakeholders.
Concludes Barnett: "The Executive Order may be the most that can be done, short of legislation." Over the long term, "a big part of all this will be whether Congress is able to pass comprehensive or 'wrap-around' cyber-security legislation in the near future."