By Order Of The President
In February, Michael Daniel, special assistant to the president and cyber security coordinator, posted on the White House blog that President Obama’s executive order on cyber security was an attempt to “foster improved public-private sharing.”
The order expands the Department of Homeland Security’s Enhanced Cybersecurity Services program, Daniel noted, “to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments.”
The order directs federal agencies “to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion,” and directs the Department of Homeland Security “to expedite the processing of clearances for appropriate state and local government and private sector personnel to enable the federal government to efficiently share cyber threat information at the sensitive and classified level.”
Under the order, the National Institute of Standards and Technology has a year to finalize a package of voluntary standards and procedures that will help companies address their cyber security risks.
That package must include “flexible, performance-based and cost-effective steps that critical infrastructure companies can take to identify the risks to their networks and systems and ways they can manage those risks,” Daniel said.
“Officials also need to create incentives that the government can use to encourage companies to meet the standards, and the Pentagon will have four months to recommend whether cyber security standards should be considered when the department makes contracting decisions.”
Daniel noted that the administration “recognizes that there are private-sector cyber leaders in our critical infrastructure sectors who are already implementing strong cyber security controls, policies and procedures.
“Rather than burdening such organizations with more to do,” the executive order places these innovators “at the core of informing and driving the development of voluntary best practices for the framework. In this way, we can distill common cyber security practices from the experts that know them best and leverage them to improve the security of the nation’s critical infrastructure.”
Noting that “industry has a significant role to play” in planning for enhanced cyber defenses, Daniel urged CEOs to ask their teams the following questions about their exposure to cyber risks:
1. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
2. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
3. How does our cyber security program apply industry standards and best practices?
4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
5. How comprehensive is our cyber incident response plan? How often is it tested?