Many agencies get expanded cyber roles

From: Federal Times

By NICOLE BLAKE JOHNSON

Federal agencies will play a larger role in ensuring the nation’s most critical assets are secure from cyber intrusions, under a White House executive order released last week.

The Commerce Department’s National Institute of Standards and Technology, Department of Homeland Security and the Treasury Department are among the agencies that will decide which critical infrastructures — such as electric grid and water treatment operations — are most at risk of cyber attacks. They will work with industry to develop voluntary security standards for those companies and ensure companies get more useful and timely information about cyber threats.

The executive order can’t create new authorities, but it directs agencies with current regulatory authority, such as the Agriculture Department and Health and Human Services, to consider making new voluntary standards mandatory for the industries they regulate.

Industry experts question whether agencies have the manpower, expertise and financial resources to take on these additional tasks.

With steep budget cuts, whether through sequestration or other means, and with the possibility of furloughs and layoffs, “it isn’t clear to many of us how those [executive order] requirements will be resourced,” said Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks. Dix also serves as chairman of the Partnership for Critical Infrastructure Security, which coordinates security efforts in the private sector.

Industry will create the voluntary security standards for critical infrastructure companies, as called for in the executive order, with oversight from NIST, according to administration officials. NIST will publish a draft cybersecurity framework by October that includes those standards, and work with DHS to publish a final version of the framework within a year. What role government will play in measuring whether companies voluntarily meet the standards is unclear, but the president will be notified of which companies participate in the voluntary program.

Officials from the White House, the Commerce, Homeland Security and Justice departments, and U.S. Cyber Command last week emphasized a “whole of government approach” as the only solution to the growing cyber threat. The officials urged that the executive order be viewed as only a first step in the effort to defend U.S. critical infrastructure.

“This executive order is really just a down payment,” Michael Daniel, White House cybersecurity coordinator, said at a news conference. “It’s a down payment on legislation because, while there is a lot that we can and will do under this executive order, … we still ultimately need legislation to deal with many of the critical aspects of cybersecurity.”

The message of teamwork among agencies and branches of government was joined by calls for cooperation from industry. Industry’s fears that voluntary standards could turn into requirements torpedoed last year’s cybersecurity legislation sponsored by then-Sen. Joseph Lieberman, I-Conn., and Sen. Susan Collins, R-Maine.

But the executive order does lay the groundwork for what could become mandatory standards for currently regulated industries, such as the chemical and nuclear sectors, and for companies seeking to do business with the government.
