Phil Agcaoili, CISO with Cox Communications, was first to speak this morning at our CSO Confab event in Braselton, Ga. His message: President Obama's executive order on cybersecurity will lead to fast changes, and private enterprise can't afford to ignore it.
First, he noted the elevated anxiety in the public and private sectors over malware specifically designed to attack critical infrastructure, including:
Then he noted that many of the everyday devices we take for granted have computers vulnerable to attack, including:
--The U.S. drone fleet
Meanwhile, he said, all the old problems remain, including phishing attacks, Windows and other OS flaws, app security holes and cloud security vulnerabilities.
The government has reacted with several proposed bills, none of which are expected to go anywhere. Enter President Obama and his executive order. In October, the draft of the U.S. Cybersecurity Framework comes out. It is expected to be finalized in February 2014 and agencies are to report back in three years.
According to the White House, this is what's coming:
--New information sharing programs to provide both classified and unclassified threat and attack information to U.S. companies. The Executive Order requires Federal agencies to produce unclassified reports of threats to U.S. companies and requires the reports to be shared in a timely manner. The Order also expands the Enhanced Cybersecurity Services program, enabling near real time sharing of cyber threat information to assist participating critical infrastructure companies in their cyber protection efforts.
--The development of a Cybersecurity Framework. The Executive Order directs the National Institute of Standards and Technology (NIST) to lead the development of a framework of cybersecurity practices to reduce cyber risks to critical infrastructure. NIST will work collaboratively with industry to develop the framework, relying on existing international standards, practices, and procedures that have proven to be effective. To enable technical innovation, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services.
The order also:
--Includes strong privacy and civil liberties protections based on the Fair Information Practice Principles. Agencies are required to incorporate privacy and civil liberties safeguards in their activities under this order. Those safeguards will be based upon the Fair Information Practice Principles (FIPPS) and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies will conduct regular assessments of privacy and civil liberties impacts of their activities and such assessments will be made public.
--Establishes a voluntary program to promote the adoption of the Cybersecurity Framework. The Department of Homeland Security will work with Sector-Specific Agencies like the Department of Energy and the Sector Coordinating Councils that represent industry to develop a program to assist companies with implementing the Cybersecurity Framework and to identify incentives for adoption.
--Calls for a review of existing cybersecurity regulation. Regulatory agencies will use the Cybersecurity Framework to assess their cybersecurity regulations, determine if existing requirements are sufficient, and whether any existing regulations can be eliminated as no longer effective. If the existing regulations are ineffective or insufficient, agencies will propose new, cost-effective regulations based upon the Cybersecurity Framework and in consultation with their regulated companies. Independent regulatory agencies are encouraged to leverage the Cybersecurity Framework to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.
We've been talking to infosec pros who remain skeptical that the order will accomplish much. Agcaoili disagrees.
"The government is driving this. We (private enterprise) have to take a swing at the ball or we'll miss out," he said. "This is huge. It isn't your daddy's regulation."
His biggest bit of advice: Don't assume you're not in scope and decline to participate in the discussion, because the order covers a wide swath of economic activity and technology.
"Security is everyone's responsibility," he said. "You have to look at what your company does that touches other sectors. All you have to ask to start is if there's a computer in it and does it connect to the Internet. Think of what you do as part of an ecosystem."