On Tuesday, as part of the State of the Union address, President Obama issued an executive order on cybersecurity. The order focuses on the cybersecurity of critical infrastructure – defined in the order as
“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The order focuses on information sharing between the private sector and the federal government, as well as developing and implementing risk-based standards for critical infrastructure cybersecurity.
USACM issued a press statement yesterday in which our Council Chair, Dr. Eugene Spafford, outlined some suggestions for implementing the executive order. Specifically:
- Targeted Cybersecurity Standards. Any standards established should recognize differences across systems and sectors, allowing appropriate flexibility to stay current.
- Different Risk Management Responses. Mitigating all identified cybersecurity risks is an understandable goal. Such a goal, however, may not always produce the most effective results. We caution against any approach that unnecessarily restricts risk management options.
- Protections for Disclosed Information. Recognizing the controls in Section 5 of the executive order, and in related U.S. law to protect privacy and civil liberties, it is still possible for information shared under this order to (inadvertently) provide too much detail. We urge that the guidance provided for compliance with Section 5 include consideration of best practices like minimization and limited retention of shared data.
- Technological Changes. As the Cybersecurity Framework and associated incentives and standards are developed and implemented under Sections 7, 8 and 9 of the executive order, the pace of technological change needs to be addressed. Changes in technology may both eliminate existing opportunities for attack and introduce new ones in the risk environment. The Framework and any standards need to be flexible enough to accommodate technological changes.
- Consultative Process. The consultative process in Section 6 of the executive order is very encouraging. The breadth of community that will be consulted is encouraging, and USACM looks forward to participating in the process.