Wednesday, February 20, 2013

2013 Cyber Security Executive Order & Local Governments

The 2013 Cyber Security Executive Order (EO) is focused on critical infrastructure and applies to federal executive branch agencies as defined in the US code. I’ve read the order a few times and have some thoughts. As with many of these orders, the implementation is still somewhat of a mystery and we should all keep a close eye on how this evolves.

The centerpiece of the EO is section 7: the creation of a “framework” of new cyber security standards for critical infrastructure by the National Institute of Standards and Technology (NIST).

  • There are two new programs that may be of interest to localities; participation is voluntary.
  • There may be grant opportunities or other incentives for adoption of the new framework.
  • There may be some impact to locality departments with federal interactions.
  • State and local governments are not mentioned at all in the order.
  • There may be some impact to corporate partners that adopt the framework, and tangential impact to localities.
The EO can be found here.

There are two interesting programs to evaluate.
1. The EO directs the creation of a new “experimental” program in section 4 for advance warning to critical infrastructure sites of cyber security threats, information sharing and the declassification of materials. It has been written that this is real-time sharing of threat and incident data between the participating sites, although that is not entirely clear from the EO. This program may require significant security infrastructure and compliance monitoring for participation (think VCIN, in Virginia).
2. The EO directs the National Institute of Standards and Technology (NIST) director in section 7 to construct a new framework of standards for critical infrastructure. This will almost certainly be the basis for legislation in the future. This will be a “consultative process” involving the private sector, and will begin in April 2013. A preliminary version is due October 2013 and the final version is due February 2014. Localities may choose to adopt those standards, in whole or in part.

The EO is not clear at all with respect to critical infrastructure that is owned by state and local governments.
The focus is on US companies that operate critical infrastructure, federal agencies that regulate the security of critical infrastructure, and strengthening the partnership between the two. I certainly consider local government utility facilities to be critical infrastructure. Power, water, sewer, communications and storm water are all handled as critical utility functions by localities. Add to that local airports, dams and public safety radio systems. Section 9 of the EO states that within 150 days a list of critical infrastructure will be drafted and that “Sector Specific Agencies” will participate in this; that does not include local government. I suspect localities that have a heavy federal presence, such as Hampton, VA and Arlington, VA, will be drawn into this. It is unclear whether “local” critical infrastructure will be included at all.

Adoption of the standards is mandatory or optional, depending on who you are.
1. Section 10 deals with the mandatory adoption of the framework for cyber security of critical infrastructure. There are federal agencies that will be required by this EO to comply with the new framework. They are referenced as “Agencies with responsibility for regulating the security of critical infrastructure.” Section 10 is quite detailed.
2. Section 8 deals with the voluntary adoption of the program. Private companies and others are not required to adopt the framework. The EO also mandates that a set of “incentives” for adoption of the framework be published and provided within 120 days of the EO. Localities will need to keep track of this; there may be grant opportunities or other advantages to adoption.

The internet is not included in the critical infrastructure list.
This identification also does not include commercial information technology products, which leaves out most of the internet infrastructure. However, the manner in which the critical infrastructure sites use the internet for communications will certainly come under scrutiny. Expect to see encryption and other security standards written for the use of the internet, and included in the new NIST standard.

Local County/City Departments with Federal ties may see impact in mid calendar year 2014.
Utilities, Airport, Public Works, Engineering, Transportation, Police, Fire and Environmental departments may see some level of impact as associated Federal agencies adopt the new standards and in turn compel their local partners to adopt them.

Corporate Partners may have an impact on localities.
If corporate partners such as Dominion VA Power, Verizon or Columbia Gas adopt the standards, there may be a downstream impact. That will not be for over a year, if at all. Private businesses are encouraged, but not compelled, to adopt the new framework.

The effect of this EO will certainly be far reaching and foundational for more government efforts. Local government technology leaders and infrastructure managers need to watch the development of this carefully.

The fact sheet for the EO can be found here.

