Six weeks after President Barack Obama signed a cybersecurity executive order that called for a clear framework of industry standards to prevent cyber attacks on “critical infrastructure,” the federal government on Wednesday took its first promised step toward implementing it.
An eight-hour conference at the Department of Commerce featured panels of industry and government leaders discussing the cyber threats facing various industry sectors and detailing their visions for the framework, which Commerce’s National Institute of Standards and Technology must draft by October.
It’s going to be a race to the finish. Responding to a question about why some industries are getting less attention than others, NIST’s Senior Information Technology Policy Adviser Adam Sedgewick implored business leaders to give more feedback.
“We have a deliverable here,” he said. “The president told us to do something in 240 days, so we’re going to do it, but it will only be as good as the input we get.”
“Critical infrastructure” is generally understood to mean institutions and industries whose disruption by cyber attack would be catastrophic, but one of the criticisms of the order has been that it does not spell out the criteria for determining whether a company is running a “critical” operation.
The industry leaders and regulators on hand Wednesday provided some hints: chemical companies, water and electric utilities, telecommunications providers, government defense contractors, healthcare providers, technology companies and financial institutions were all represented on panels.
A few concerns were common across sectors: panelists said the framework should be flexible enough to accommodate the fast pace of technological change; several called for liability protection for companies sharing threat information with the government (legal immunity is part of the cyber bill awaiting markup in the House); and representatives of larger companies repeatedly said that the framework should be crafted with international rules in mind.
Multinational corporations, those panelists said, already find themselves in the position of violating one country’s standards even as they adhere to another’s — and it will only get more complex now that the European Union countries are also moving forward on cybersecurity standards.
The chief information security officer for chemical company Merck raised a related concern.
“What happens if we have a non-U.S. company owning and operating critical infrastructure?” Terry Rice said, adding that government officials haven’t given him a clear answer on that question yet.
Meanwhile, the EU’s policy will mean multinationals will have to deal with at least “28 new regulators” sitting watch over the United States’ largest trading partner, noted Paul Nicholas, global security strategy director for Microsoft.
The simultaneous pushes for better standards on both sides of the Atlantic highlight cybersecurity’s rising profile; the higher level of concern was also evident in the packed auditorium at Commerce’s headquarters Wednesday.
With a higher profile comes more money, but Bruce McConnell, senior counsel on cybersecurity at the Department of Homeland Security, suggested business leaders don’t fully appreciate the gravity of the threat.
“How do we tell CEOs how much to spend and what should the next dollar be spent on, right,” he said in response to a question about measuring the efficacy of security measures.
“That is a challenge,” McConnell continued. “It continues to be a challenge for all of us in the cybersecurity profession, to kind of make the return on investment clear and help prioritize investments.”
McConnell said the next workshop, scheduled for May 29-31 in Pittsburgh, will be the place for stakeholders to “roll up their sleeves” and more actively participate in pulling together a set of guidelines. (His department, Homeland Security, will be tasked with putting the information-sharing program and the framework in place once NIST develops it.)
But that’s about six weeks after Congress’ “Cyber Week” — planned for later this month — so there’s a chance legislation making the executive order obsolete could be passed before the workshop.
That possibility was raised Tuesday at Dow Jones’ Global Compliance Symposium, where Hunton & Williams LLP partner Lisa Sotto speculated that the order was mostly the White House’s attempt to “goad Congress” into passing legislation.
“And once legislation comes,” Sotto added, “this whole thing is out the window, so it’s not worth the paper it’s written on, because legislation of course takes priority.”