Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order

Transcription

1 Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses by increasing information sharing, and developing standards to protect national security, our jobs and our privacy. Cybersecurity and Corporate America: Finding Opportunities in the New Executive Order The Obama Administration is taking steps to address/focus on cyber attacks on critical US infrastructure the cyber identity theft, economic espionage, and sabotage activities that President Obama has called real threats to our security and our economy. 1 These measures represent the Administration s next steps in attempting to organize an in-depth defense of key assets, and the Federal Government is inviting the private sector to help shape and support this effort. Businesses with a proactive approach to cybersecurity may find opportunities in recent measures the Administration has announced. US CEOs anticipating cyberattacks more than global counterparts How likely is a cyberattack or major disruption of the internet? Unlikely to occur 32% US CEOs 31% Likely to occur 44% Global CEOs 20% 37% Not sure 35% Base: US: 167; Global: 1,330. Source:, 16th Annual Global CEO Survey, Quote from the State of the Union speech

2 In the President s State of the Union Address on February 12, 2013, he announced an Executive Order (EO), Improving Critical Infrastructure Cybersecurity to strengthen US cyber defenses by increasing information sharing, and developing standards to protect national security, our jobs and our privacy. President Obama also called on Congress to act on cybersecurity by passing cybersecurity legislation to give the US Government a greater capacity to secure its networks and deter attacks. The following day, Rep. Mike Rogers (R-MI) and Rep. Dutch Ruppersberger (D-MD), the chairman and ranking minority member of the House Permanent Select Committee on Intelligence, reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), which last year passed the House but stalled in the Senate. The proposed legislation would enable the US Government to share classified information with the private sector, encourage American businesses to share cyber threat information within the private sector, and provide liability protection for companies that act to protect their own networks or share threat information with others. These steps aim to increase the sharing of threat information among US companies and government agencies. Effective information sharing would impact more than the US economy, given the global nature of many US corporations. It may also raise challenging questions for multinational companies such as whether all global operating units would receive the same access as US-based entities. The initial heavy lifting of defining and fleshing out the EO guidelines falls to federal agencies, working on a deadline that must be met before any effects are felt in the private sector. In particular, a great deal of work is assigned to the Department of Homeland Security (DHS), the Department of Commerce s National Institute of Standards and Technology (NIST), and the Office of the Director of National Intelligence (ODNI). The EO also creates several areas where the government will consult with the private sector. This gives companies an opportunity to shape their future cybersecurity environment in the three critical areas that follow. Step One: Expanding public-private information sharing by mid-june The EO directs DHS and the Department of Justice (DOJ), in consultation with the ODNI, to step up the 'volume, timeliness, and quality' of cybersecurity threat information, both unclassified and classified, that is given the private sector. The EO also calls on DHS to make better use of private sector experts temporarily assigned to US government roles, as a means of better understanding what kind of information would be most useful to critical infrastructure owners and operators in mitigating cyber threats. This initiative might give the private sector a chance to guide the effective use of government information on cyber threats. Questions you should be asking now: Do you have a threat-based, asset-focused cybersecurity plan? Companies that know what they should be protecting will likely have the edge in seeking threat information from the Federal Government. Intelligence like this is a key element in a cybersecurity strategy. Knowing what questions to ask is the first step in getting the information you need to protect yourself. Page 2

3 Do you know how an adversary looks at your organization? Companies that actively participate in public-private information sharing will likely have a sharper understanding of the current threat environment and better insights into what the threats are, what their adversaries are after, and what techniques they use. Do you have a public-private partnership (PPP) strategy? As the Government s information sharing strategy evolves, companies that already have a solid understanding of the benefits of teaming with the right public sector partners will have the edge in protecting themselves in cyberspace. A comprehensive PPP strategy will help address the two-way flow of information sharing what companies receive and what they share. Step Two: Identifying and prioritizing US Critical Infrastructure by mid-july According to the EO, by mid-july 2013, DHS is required to identify the critical infrastructure that is 'at great risk'. While the specifics of this process have not been spelled out, the goal is to identify critical infrastructure where a cybersecurity incident might reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. Once DHS has prioritized these critical infrastructure entities, it will confidentially notify the owners/operators. Entities will have an opportunity to appeal the designation. The EO does not identify specific sectors, but it explicitly exempts commercial information technology (IT) products or consumer IT services. Companies can help shape DHS s voluntary critical infrastructure security program and contribute ideas on what incentives DHS will offer to promote the voluntary program. The EO tasks DHS with outlining these incentives by mid-june 2013, but it is not yet known how DHS will develop these. Companies that do business with the Federal Government should note that the EO directs the DOD and the General Services Administration (GSA) to recommend ways to incorporate cybersecurity requirements in federal procurements and contracting by mid-july. This might have a significant impact on both supply-chain security and contracting costs. Questions you should be asking now: Do you know what your cybersecurity strategy is protecting? You should already have a solid understanding of whether your company s assets and activities are considered critical to the US Government. An effective risk-based cybersecurity strategy that focuses on resilience can give you the insights you need to explain why your company should or should not be identified as part of the critical infrastructure. It can prepare you to consider the reason, risk, and potential regulatory implications of being designated as critical infrastructure, and what that means for your strategy. It can also leave you better positioned to compete for federal contracts that have more explicit cybersecurity requirements. Everyone in your company should have a shared view of what the cybersecurity strategy is protecting and what their role in it is. Can you explain your corporate cybersecurity strategy to others? Corporate leaders with a clear vision of how cybersecurity protects both their company s value and US security can be much more effective in outlining their cybersecurity expectations and limitations to government agencies and industry counterparts. This is particularly true for those that may face increased costs to secure their supply chains in response to DOD or GSA regulatory requirements. Page 3

4 Are you prepared to have a dialogue with DHS on incentives that can help you further strengthen your cybersecurity strategy? Now is the time for corporate leaders to make note of what barriers exist to further investing in their cybersecurity strategy. Identifying what incentives the government can provide to remove those barriers may greatly accelerate your security posture and help further mitigate risks to your organization. Step Three: Building a Cybersecurity Framework by mid-august The Department of Commerce s NIST is tasked with developing a 'Cybersecurity Framework' that is to include standards, procedures, and guidelines to align business, policy, and technological approaches to cyber risk. The framework will be voluntary and consensus-driven. According to Michael Daniel, the White House cybersecurity coordinator, NIST will work with industry to identify existing voluntary consensus standards and industry best practices to incorporate into the framework. 2 So the framework is likely to be built around practices that already work well in the private sector. Consistent cybersecurity standards across critical infrastructure industries should give owners and operators a roadmap to follow in defending their networks. It is also expected to be an open process that will include public review. While federal agencies such as the Office of Management and Budget (OMB) and the National Security Agency (NSA) will contribute, the private sector should have an opportunity to assess, respond to, and plan for the proposed standards before they take effect. Questions you should be asking now: Is an integrated security strategy a pivotal part of your business model? Forward-leaning companies have a strategy that integrates the full scope of security, including technical, physical, process, and human capital, to protect the business. These companies are in a strong position to advise the government on what works well in a cybersecurity framework. Do you have a secure business ecosystem? Business are now interconnected, integrated and interdependent creating dynamic and evolving business ecosystems. Trusted business relationships and interactions with customers, service providers, suppliers, partners and employees rely on securely sharing information assets and critical data. Companies with a proactive strategy that provides visibility into the scope of the security strategies and practices of the various entities within their ecosystem will likely exceed the baseline standards that will emerge from the NIST process. As cybersecurity standard-bearers, they can also facilitate the sharing of ecosystem best practices within and across industries. Looking beyond the EO: The need to anticipate and evolve If the closer partnership between the private sector and federal agencies called for by the EO takes shape, there are likely to be tangible cybersecurity benefits for all concerned. But the cyber environment will continue to swarm with malicious actors seeking to penetrate organizations to steal sensitive data or disrupt operations. 2 Page 4

5 Successful, resilient enterprises will recognize this fact, which is unlikely to change. These companies will be as smart and adaptive as their adversaries, and constantly developing additional, proactive measures to protect their IT environment. These companies will likely see the EO as an opportunity to strengthen cybersecurity ultimately boosting profits from a cybersecurity strategy that drives value and enhances return on security investments. Other regulatory and legislative changes on the horizon On January 30, the Senate Commerce Committee chaired by Senator Rockefeller released some of the results of the Senator s September 2012 cybersecurity survey of the US Fortune 500 CEOs. Some 60% of those who received the Senator s letter requesting cybersecurity information, or approximately 300 Fortune 500 companies, responded to his survey. According to the committee staff, companies generally were supportive of cybersecurity legislation, with many supporting provisions that increased information sharing between the private sector and the federal government. However, staff also said that many companies raised concerns about any new federal program that would set mandatory cybersecurity requirements, create obligations that would impact their ability to address cybersecurity in a flexible manner, or duplicate efforts already underway, 3 according to a committee press release and report. This year, Congress appears set to take up cybersecurity in multiple bills, just as it did in 2012, focusing on such issues as Federal Information Security Management Act (FISMA) reform, education and workforce incentives, and research and development. The House of Representatives has already taken up the issue of two-way information sharing with the reintroduction of CISPA. That bill appears to reinforce the EO s steps for improving information sharing between business and government, and it also contains language addressing a significant concern of businesses: liability limitation for companies sharing information and acting on threat intelligence provided by the government. The EO itself provides a number of other potential hooks for legislative action, in addition to information sharing. Legislation might refer to the voluntary standards established by the EO s framework, as well as the designations of critical infrastructure owner/operators. Furthermore, regulatory needs identified by sector-specific agencies will highlight many areas ripe for legislative action. Companies should examine bills presented in the Congress for references to processes and products mandated by the EO, and understand how this might change companies regulatory obligations. Which sectors will be designated critical infrastructure? A presidential directive that designated critical infrastructure for protection from terrorism, issued in 2003, may offer clues as to which sectors and companies may receive similar designation from a cybersecurity perspective. Under the directive and subsequent DHS actions, 18 critical infrastructure sectors were identified for protection from terrorist attacks: Agriculture and food Banking and finance Chemical Commercial facilities Communications 3 Earlier in January, Senator John D. Rockefeller (D-WV) and several other Democratic senators introduced the Cybersecurity and American Competitiveness Act. Page 5

6 Critical manufacturing Dams Defense industrial base Emergency services Energy Government facilities Healthcare and public health Information technology National monuments and icons Nuclear reactors, materials, and waste Postal and shipping Transportation (aviation, as well as surface, sub-surface, and water transportation) Water It is likely that several of these sectors will not be covered by the cybersecurity EO. The commercial facilities, government facilities, and national monuments and icons sectors represent high-profile potential terrorist targets, but are less critical from a cyber perspective. The exceptions made for commercial IT products and consumer IT services will exclude much of the IT sector. Page 6

7 An acknowledgement to our authors: Laurie Schive, William Stallsmith, Neal Pollard, Jack Johnson Jr., and Amandeep Lamba For a deeper discussion please contact: David Burg (703) david.b.burg@us.pwc.com Michael Compton (313) michael.d.compton@us.pwc.com Peter Harries (213) peter.harries@us.pwc.com John Hunt (703) john.d.hunt@us.pwc.com Gary Loveland (949) gary.loveland@us.pwc.com Joe Nocera (312) joseph.nocera@us.pwc.com David Roath (646) david.roath@us.pwc.com 2013 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. refers to the US member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.