451 Research on Cybersecurity Executive Order 13636

Brian Wood Blog

There has been much hand-waving about President Obama’s recent Executive Order pertaining to cybersecurity.

The article, by analyst Carl Brooks of 451 Research, is a brief synopsis.

Key takeaway themes:

  • Voluntary
  • Critical infrastructure: public utilities, power plants, transportation hubs, and distribution systems for goods and services
  • Sector-specific seats at the table

Emphasis in red added by me.

Brian Wood, VP Marketing


Executive order on cybersecurity: a long-term shift in policy

The Obama administration has signed Executive Order 13636: Improving Critical Infrastructure Cybersecurity, theoretically to enhance national security and get federal law enforcement off the defensive when it comes to protecting against the myriad of Internet-enabled threats that are now commonplace.

Contrary to speculation in the IT community, the executive order is heavily weighted toward upgrading and protecting critical infrastructure in sectors that are not IT or communications sectors, but instead things like public utilities, power plants, distribution systems for goods and services and the like. However, the IT and communications sectors are the bridge to reaching those other sectors, so these markets have a key role in the new cybersecurity efforts.

The order attempts to balance carrot and stick, setting in motion a number of potentially beneficial policies as well as laying out a framework for how civil liberties come into play and setting expectations for cooperation and information sharing by private companies as well. But at its heart, Executive Order 13636 is two things: a directive for the National Institute of Standards and Technology (NIST) to come up with a framework to identify ‘critical infrastructure’ vulnerable to cyber-attacks, and an exhortation to the US Department of Homeland Security (DHS) to develop an explicit working relationship with all of the parties involved that fall under that framework.

The DHS is directed to do this in consultation with the Sector Coordinating Councils, made up of industry leaders from each sector. Progress on each front is expected to occur throughout 2013, with the first publications regarding the framework to be released in 250 days or more. So, there are no immediate ramifications to the order, but by the end of 2013, there will be a clearer idea of what will be expected of IT and communications companies; in general, now we have just the broad outlines of the administration’s plans.

Carrot and (voluntary) stick

The order formalizes several existing federal policies and projects around cybersecurity and presumably gives them more priority than before. These include the National Strategy for Trusted Identities in Cyberspace (NSTIC), a NIST effort to standardize online identities around a common framework to reduce the complexity of managing multiple discrete online accounts; and an information-sharing program regarding imminent and developing threats online, something a bit like the Emergency Broadcast System only for civilian infrastructure operators. This directive also fast-tracks security clearances for infrastructure operators to get this kind of information.

The order directs the Secretary of Commerce to develop a ‘consultative process’ and engage industry representatives. Requests for data disclosures will follow the Fair Information Practice Principles (FIPPS), a set of policies created in the 1970s to ensure individuals’ computerized data is kept reasonably private.

The other side of the order is that NIST will work to develop the cybersecurity framework: a broad-reaching set of criteria for identifying vulnerable online infrastructure and recommendations for mitigating risks, including standardizing security practices and technologies where possible. Adherence will be voluntary. It is important to stress that this will largely apply to non-IT infrastructure, like power plants and transportation hubs and utility systems, but IT vendors will be expected to provide the necessary solutions.

The DHS will coordinate a voluntary critical infrastructure cybersecurity program to push industry to both communicate about threats and adopt security recommendations. This is where the friction will inevitably occur, since the DHS will eventually be pushing for the entities it selects to make improvements and hew to the government’s expectations. For IT and telecom providers, the adoption of FIPPS theoretically will protect end users from intrusion and snooping, but providers may well be asked to disclose operational details and expose internal data to DHS, all without formal legal action. However, it will be voluntary.

Sector councils

The directive specifies that the sector-specific councils for each industry should get a seat at the table before the cybersecurity framework or the voluntary cybersecurity program officially go into effect. It says in part, “Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”

This is encouraging because it seems that the organizations most educated about their technologies and networks are the creators of those technologies and networks, and neither NIST, with its small cadres of researchers, nor DHS is equipped to evaluate the very large array of modern IT products and services.

The Information Technology Sector Coordinating Council (IT-SCC) is made up of companies such as Adobe, eBay, Microsoft, Hewlett-Packard, Cisco, IBM and many others; it is chaired by Cheri F. McGuire of Symantec and Larry Clinton, president of the Internet Security Alliance. The Communications Sector Coordinating Council (CSCC) is composed of the likes of Alcatel-Lucent, AT&T, Verizon, Motorola and others. It is chaired by Rosemary Leffler (AT&T) and Marcus Sachs (Verizon). These are the people that will be engaging with federal law enforcement as a result of this order and helping shape the cybersecurity framework and program.

The 451 Take

This order is extremely judicious, on paper. There are no immediate effects from the order but it sets a number of things into slow motion that will have profound effects on how cybersecurity is accomplished. The effects will be more profound on some industries than others. The administration isn’t concerned with AT&T or Microsoft, for example, suffering an outage thanks to malicious attacks; AT&T can and does take care of that itself. It is (rightly) much more worried about plants, factories and transportation hubs that run unsecure systems. But the government seems to want to have more access to communications and technology providers on all fronts and that may be a concern. At this point, it is up to the industry to be proactive about engaging with the agencies and the administration to keep as much control of this process as possible on the side of the technology makers.