What IT Pros Need to Know About the New Cybersecurity Executive Order
- select the contributor at the end of the page -
"Obama's recent executive order is significant for a few reasons," Cory Janssen, a Novell Certified Internet Professional and Microsoft Certified Solutions Expert from Techopedia, told TrainSignal. "First, it highlights the changing nature of threats. No longer is the image of a hacker some script kiddie fooling around, but rather nation states carrying out cyber-espionage and even cyber warfare."
The AP reports that the new cybersecurity plan is a move towards keeping China out of U.S. networks and that the U.S. government has been preparing a report estimating the damage that cyber espionage is having and will have on the economy. The New York Times reported in July 2012 that there has been a phenomenal rise in cyber attacks targeting U.S. infrastructure, 17 times as many in 2011 as there were in 2009.
With the rise in cyber attacks and the threats to the economy becoming all too real, the Obama administration worked to have a bill passed that would beef up cybersecurity in both the government and in other industries critical to the economy. The Congress passed the bill last year, but it was killed in the Senate because of privacy concerns.
Now, here comes the executive order.
The order urges intelligence and law enforcement agencies to adhere to a more thorough set of cybersecurity standards, as well as to share more information with each other. Obama also asked Congress to hurry up and pass legislation that would allow the government to do more when it comes to cybersecurity.
"Effective sharing of intelligence can definitely boost the security of USA as a nation," Bikash Barai, CEO and Co-Founder of IvizSecurity, told TrainSignal. "I believe this is a very interesting move which other countries might consider adopting."
The executive order also paves the way for a system bridging the private sector and the government. The system would enable government agencies to gather information on cyber attacks done to private companies in "critical industries," such as banking, utilities and defense. This will allow them to protect themselves better and as an extension, protect the economy and the general population.
"We've seen from examples like Stuxnet that the line is now blurred between public and private and the impact that attacks can have in the physical world," said Janssen.
"I personally welcome this initiative if it is used properly," added Barai. "Governments and secret service agencies do have access to a lot of information, which is beyond the reach of the private companies."
The order, though, is nothing like the Cyber Intelligence Sharing and Protection Act, the bill that was killed in the Senate last year. It does not have the unsettling privacy implications of the CISPA.
"[The executive order] highlights the need for sensitivity when it comes to Internet privacy and freedom," said Janssen. "For now, the EFF (Electronic Frontier Foundation) and ACLU (American Civil Liberties Union) seem to support the order, but details will need to be spelled out in upcoming legislation that balance the rights of citizens with threats to our critical infrastructure."
As an IT professional, what do you need to know about the new executive order? How will it affect the industry in general?
What You Need to Know About Improving Critical Infrastructure Cybersecurity
1. What is considered to be critical infrastructure?
Critical infrastructure, as defined by the executive order, includes all assets and systems, which may be physical or virtual, that are very vital to national economic security, public safety and public health. As such, critical infrastructure would include the networks of telecommunication companies, energy providers and other such companies that provide services that affect the economy.
It can be argued that most Fortune 500 companies as well as cloud-based services would be included in this category.
The Department of Homeland Security will have 150 days to identify which companies are considered critical infrastructure.
2. Cybersecurity Framework.
The cybersecurity framework will be developed by the government in cooperation with the affected companies. While it is still a work in progress, Obama promises that the final framework will address the needs of both the government and the private companies, as well as take into consideration the civil liberties of everybody affected.
The framework will also be routinely updated to reflect the latest threats and risks. It can also be changed to make it easier for companies to implement.
3. What are you supposed to share?
If you are an IT professional working with a company that's considered critical, then you will need to share information and data about your computer infrastructure and network. Personal data is not seen to be included in the executive order.
However, this is still a very grey area, as the framework has not yet been laid down. In time, we should know more about what is expected to be shared.
4. Do you need to update your skills to be able to adhere to the framework?
The framework will be technology-neutral, so you can continue using the hardware and software you are currently using. You will, however, be expected to beef up your network's security. If there are breaches to your network, the framework will be able to suggest measures on how to address it.
So, in effect, you would also need to brush up on your security knowledge and get yourself updated with the best practices relating to computer and network security.
If you have been putting off relevant certifications, now might be a good time to look up certifications from the International Information Systems Security Certification Consortium, such as the Certified Information Systems Security Professional or the Systems Security Certified Practitioner, or perhaps the Security Essentials from GIAC.
Other noteworthy certifications you can get include the Certified Information Systems Auditor, Certified Ethical Hacker and Certified Expert Penetration Tester.
5. What can we expect from the government?
If you work as an IT professional in a critical industry, you can expect the government to notify you if you have a cyber threat. This will be helpful in making sure that you are protected.
However, it is still best to amp up on your security measures.
As an IT professional, these are the basics you need to know about the new cybersecurity executive order. As it evolves, you'll want to consider doing some more research to keep yourself abreast of updates as the framework takes a more definite shape.
Photo credit: Official White House photo of Obama at Tuesday's State of the Union address.