Cybersecurity was at the forefront of industry issues this week for USTelecom members, with developments including legislation on the Hill and the release of an Executive Order.
President Releases Executive Order on Cybersecurity
During his State of the Union address, President Barack Obama announced the release of an Executive Order on cybersecurity that, among other things, establishes a policy reaffirming our industry’s view on the importance of public-private partnerships in assessing and combatting cyber threats.
USTelecom President & CEO Walter B. McCormick Jr. issued a statement calling the security of cyberspace a “pressing national imperative.” McCormick also noted that the Executive Order takes “some important steps toward achieving policy goals that will help protect our nation from harmful threats,” including the order’s requirement that federal agencies reduce excessively burdensome cybersecurity requirements. McCormick said he was “pleased that the order reaffirms the importance of public-private partnerships in assessing and combatting threats,” but pointed out that “a strong cybersecurity policy is best achieved through enactment of legislation that enables appropriate sharing of information between government and industry.”
House Bill Takes on Cyber Issues
In calling for legislation, McCormick was referring to the “Cyber Intelligence Sharing and Protection Act” or CISPA, which was reintroduced by House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Democrat C.A. Dutch Ruppersberger (D-MD). The bill, which passed the House on a bipartisan vote last April, would enable government and the private sector to work together to strengthen cybersecurity protections.
McCormick immediately expressed support for the bill, stating that it “would enable the government and private sector to more efficiently detect, deter and respond to cyber threats.” He also emphasized the bill is “needed even more urgently now than when it passed the House on a bipartisan vote last April.”
Implications of the Executive Order
While the Executive Order focuses largely on establishing voluntary standards for critical infrastructure owners to improve cybersecurity, USTelecom believes that any standards adopted in that process should be narrowly focused on addressing a specific set of prioritized threats. Additionally, any voluntary standards developed through the partnership must be flexible and industry-driven. As McCormick noted in his statement, the most important action that can be taken is to enact legislation that removes any legal uncertainty around the practice of information sharing – something which cannot be addressed by the Executive Order.
Executive Order Sets U.S. Policy
The Executive Order states that repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity, and says the cyber threat “represents one of the most serious national security challenges we must confront.” Acknowledging the national and economic security implications of the need for reliable critical infrastructure, the order establishes a national policy to enhance cybersecurity through a “partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”
Need for Cybersecurity Information Sharing
The order directs the federal government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that they may better defend against cyber threats. It mandates the rapid dissemination of such reports to private sector partners; expands the Enhanced Cybersecurity Services program to all critical infrastructure sectors; and expands and expedites the processing of security clearances to certain personnel employed by critical infrastructure owners and operators.
Establishing a Voluntary Cybersecurity Framework
The order also calls on the federal government to develop a voluntary Cybersecurity Framework within one year through a public review and comment process. The framework will include standards and procedures to address cyber risks, and must be flexible, cost-effective and technology neutral. The framework will be reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, and operational feedback from owners and operators of critical infrastructure.
A voluntary program will be established to encourage adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities. The federal government will develop a set of incentives to promote adoption of the framework. Sector-specific agencies will report annually to the President on the extent to which owners and operators are participating.
While adoption by USTelecom members is voluntary, federal agencies will be reviewing the preliminary Cybersecurity Framework and determining if current cybersecurity regulatory requirements are sufficient. Agencies are directed to then propose prioritized, risk-based, efficient, and coordinated actions to mitigate cyber risk. Within two years after publishing the final Cybersecurity Framework, agencies must consult with owners and operators of critical infrastructure, and report on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. The agency must then make recommendations to minimize or eliminate such requirements.
Identifying Critical Infrastructure at Greatest Risk
Through a consultative process, the federal government is directed to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. Owners and operators of infrastructure so identified will be confidentially notified of this designation, although they may avail themselves of a reconsideration process for review of the designation.
The Rogers-Ruppersberger Cyber Bill
Meanwhile, the Rogers-Ruppersberger bill would enable government and the private sector to work together to strengthen cybersecurity protections. The legislation would enable the government and private sector to more efficiently detect, deter and respond to cyber threats. The legislation addresses this critical need for cooperation, while providing the appropriate safeguards necessary for facilitating real-time information sharing.
The bill passed the House on a bipartisan vote during the last Congress, and USTelecom believes the legislation must be passed by Congress in this session. In the coming weeks, USTelecom staff will be working with Congressmen Rogers and Ruppersberger on this important legislation.
USTelecom will continue to work to promote cybersecurity policies that use public-private partnerships to protect our nation from harmful cyber-related threats.