If you’ve been following our feed, you know that we covered, in some detail, the proposed cyber security executive orders of the new Trump Administration. The original draft, titled “Strengthening US Cyber Security and Capabilities,” was delayed so that revisions could be made.
The newly revised draft, titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” is expected to be signed in the coming weeks.
The new draft has more similarity to Executive Order 13636, the cyber security Executive Order of President Obama from 2013. It also has greater potential impact on the private sector, with some tight timelines to be aware of.
The Revised Order focuses on three main topics:
- Cyber security of federal networks, focusing on agency-led preparation and requiring federal agencies to adopt the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Wow, try saying that five times fast.
- Cyber security of “critical infrastructures”—more on that later, since it does impact the private sector.
- Cyber security of the nation, which again focuses on NIST and federal agencies, including a reiteration that responsibility for cyber security rests squarely on the shoulders of department heads.
As defined by the Revised Order, the critical infrastructure includes communications, energy, and defense structures. That’s about the extent of the definitions provided. For example, the “core communications infrastructure” is not defined (are we talking cell phones? internet? landlines? All of the above?).
The revised order does refer to smooth internet service and operations as both a right and a necessary component of the American business model. So, it may be that all “communications” services will be included.
Whichever providers are covered, they will need to work with the Department of Homeland Security and the Department of Commerce on one requirement of this order: producing a report on the network.
Also specifically addressed in the Order are “automated and distributed” attacks, the botnet armies that have become such a hot topic in the cyberverse.
Those organizations capable of detecting and predicting DDoS (distributed denial of service) attacks will be ahead of the game when these requirements roll out.
The revised order also speaks to the energy sector, referencing the potential of a “significant cyber incident” against the electricity subsector.
While there have not been successful hacks of power utilities in the United States, a suspected incident at a Vermont utility had industry insiders scrambling to assess the protection capabilities of key utilities.
Again, the “energy sector” in the Revised Order is not defined, but our best guess is that the required report referenced in the Order will include assessment of all utilities operating with a digital component within the United States—which includes government and private operations in some parts of the country.
The third component of the “critical infrastructure” referenced in the Executive Order is the “Defense Industrial Base,” which, as most anyone knows, again includes both federal agencies and private companies. This subgroup will also be conducting an assessment once the Revised Order is signed.
Considering that an NSA hack last year may have involved a private contractor, federal agencies and private corporations can expect to be required to increase engagement and cooperation.
Business as a Priority
The Revised Executive Order does speak to protecting business assets, particularly those that are traded and thereby regarded by this administration as part of the “critical infrastructure” of United States trade and operations.
Regardless of business size, however, you can prepare your organization. Familiarization with the standards outlined in the NIST Framework, plus a risk assessment for threat mitigation, can both protect your business assets and prepare you for potential future cooperation requirements once these Executive Orders move into action.