Thursday, February 14, 2013

CNAS Provides a Good Way to Grok the Executive Order

First of all, Happy Valentine's Day, SGSB readers.  Hope you are finding as much success in your love lives as you are in your careers securing (or caring about securing) the most critical of critical infrastructures.

Yesterday found me walking down the street in Washington DC a little before noon, when suddenly I ran into some friends, old and new, who had just popped out of the US Department of Commerce. They witnessed directly, and gave me a first-hand account of, the birth of the administration's Executive Order (EO) on better securing the nation's critical infrastructures.

We've been waiting for this, or something like this, for quite a while. The most recent legislative pushes were the GRID Act of 2010 which almost made it, and the Cybersecurity Act of 2012, which came similarly close but failed to pass both houses. The narrative goes: since Congress couldn't do it, the President did what he could.

Anyway, let's get to the EO while we're young. Of the torrent of analysis I came across yesterday, this one, by Irving Lachow and Jacob Stokes of the Center for New American Security (CNAS) stood out as the best and most comprehensible.

I'll highlight one section before giving you a link to their work. It's on the part many of us are wondering about ... that is, what is the likelihood that the EO will have a marked and observable impact on security posture. Nothing in the EO is mandatory; therefore, as some have suggested, it may turn out to be much ado about nothing.

Here's the CNASers' take:

The provisions within the EO may not, by themselves, change the fundamental incentives driving the behavior of critical infrastructure operators. As important as it is to identify possible incentives for changing the behavior of critical infrastructures, the government will need to experiment with these incentives to see which ones work. Conducting such experimentation will require the establishment of a well-structured and rigorous evaluation program. Congressional action may be needed to implement some incentives and to enable the proper evaluation of different options.

But I and many others hope it's much ado about something. Here's a LINK to the full CNAS write-up, and here's a LINK to the EO itself. We'll have to see how it plays out, and play our respective parts too. NIST is going to need your input, and I'll share notices on how and when you can do that when I get the info.

Meanwhile, have a great and potentially romantic day please.

1 comment:

NVH said...

I just can't help it:
1 x 1
1-Jury's out, except for regulated utilities (electric power) the market will drive to the lowest common denominator b/c no one knows how expensive cyber defense really is and probably can't afford it unless you're a big transmission level utility, though plenty of distribution level less regulated utilities are making good strides, it's a question of timing, but that said a cyber attack on a district utility is a lot better than say a whole WECC entity right?
2-What do you think DHS has been trying to do for the last decade? They have a list of thousands of sites and can't pick the important ones. DoD is better at this and arguably should be the focus of prioritization where it's reliant on outside infrastructure for support to its critical missions. Maybe DoD should be asked to participate and take a bit of a lead here?
3-Baseline and tailored standards have been created. DoE, NIST, even DHS has stuff everyone can look at (NERC CIPs? what version are we on that still doesn't cover ICS and critical components enough?) Slap a DHS logo on the front page and we're done
4-DUH! We should have been doing this all along and actually can be if anyone at DHS, DoE, DoD could figure out that civilians with a clearance can be perm certed by whichever agency, this is a clearance IT network and paperwork drill (how many Cleared Defense Contractors are there in DC alone? who don't need to know any of this? Can we take their clearances and give them to people in private sector who can actually use them?)
5-Let me read this right. THE gov't is going to show the private sector utilities other private sector companies they can use to enhance cyber security? Is there a stamp of approval that DHS is giving these companies, that they've passed the Jedi trials (that don't exist) for cyber defense? Get gov't out of the way and they'll do this themselves since there are so many already, you'll be able to get competition and a premium on services for your dollar, capitalism at its finest. Move!
Improvements?! (should say weaknesses)
1-I can find no other strong incentive than gov't officials briefing CEOs of companies on threats they are seeing and saying you know we can't protect you like we can our networks (which we're not good at either). It's like a cop in your rear view mirror, best car safety device invented. Oh, and we've already briefed a bunch of these guys so, gee, the order says keep doing this. Thanks!
2-Wasn't this a strength above? See number 4 above. Wow! Almost fooled us
3-Ok, now take the NCICC at DHS and keep doing that, calling companies giving them a heads up, we'll rename it so it looks like we're doing more when really you're still funded the same with the same resources (except until after sequestration) to keep doing what you're doing. Getting a bit repetitive.
4-Supply chain risks are covered by a significant amount of activity already, please don't confuse the decent progress being made by having to link in another executive order to that policy effort.
5-Oh by the way, we've written another directive that ties into this one, so when you put together the framework we've asked for in this one make sure you reference it in all the other ones and tie all this in. Thanks! Anyone heard of the NIPP that's being reworked? Yeah, use that thing and plagiarize.

Good lord, can I please get a couple of English majors at the NSC to write a few more of these since we're not busy enough DOING EVERYTHING IT SAYS WE SHOULD BE DOING ALREADY!