Tuesday, May 14, 2013
Federal Agencies Begin Rule-Making Process under Executive Order to Improve Critical Infrastructure Cybersecurity
This past week, Northern Alabama received a stark local reminder of the cyber threat. As reported by Leada Gore of al.com, Nick Lough of WAFF television, and Bloomberg, Chinese hackers infiltrated the computer networks of a major security contractor’s regional office over a three-year period. In addition to stealing some significant trade secrets, the hackers may also have gained access to sensitive U.S. Government information.
The threat of cyber attacks and network shutdowns is limited neither to companies selling to the Government nor to foreign governments intent on stealing defense designs and plans. Rather, these threats extend to major U.S. industries that touch almost every facet of American lives and livelihood.
The Federal Government has worked diligently over the last several years to respond to the cyber threat. President Obama recently issued an Executive Order and Presidential Policy Directive that attempt to assist in the uniform creation of a cybersecurity protective “framework” for “critical infrastructure” industries with the ultimate goal of having these industries share cyber information with the Federal Government and with each other. DHS, DOD, Commerce, and ODNI have been tasked with addressing various aspects of the puzzle.
The major thrust of the Executive Order is to create common standards among these 16 critical infrastructure industries to share information regarding cyber attacks with the Federal Government. Equally importantly, the Executive Order sets up a framework under which the companies within these industries can voluntarily create standards for information sharing within each industry.
While information sharing is an excellent goal, the Federal Government recognizes that separate privacy-related legislation will bar the robust sharing of information in most industries and that companies are unlikely to want to provide the details of their lucrative intellectual property and R&D either within industries or to the Federal Government without equally robust controls.
A delicate balance must be struck between protecting the nation and data privacy. Coinciding with the Fifth Annual Cyber Summit in Huntsville, Alabama on June 6, 2013, we will explore and assist readers in unraveling this ‘Meereenese knot’ over the next several weeks. In so doing, we will identify the current efforts and challenges the Federal Government and critical infrastructure industries face as they tackle these issues as well as new and impending compliance requirements set forth in acquisition regulations.