President Obama issued an Executive Order on February 12, 2013, declaring “the national and economic security of the United States depends on the reliable function of the Nation’s critical infrastructure” in the face of repeated cyber intrusions into crucial infrastructure and the growing and continuing threat to cyber security and critical infrastructure.
The Executive Order declares, as a policy of the United States, the need to “enhance the security and resilience of the Nation’s critical infrastructure” and requires this be done in a manner that encourages “efficiency, innovation, and economic prosperity” while promoting “safety, security, business confidentiality, privacy, and civil liberties.” The Executive Order includes physical as well as virtual systems and assets when defining critical infrastructure so long as the systems or assets are “so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Significant among the requirements established in the Executive Order is the requirement that the Secretary of Homeland Security share greater detail regarding specific threats with the private sector, and particularly with the owners and operators of critical infrastructure systems and assets, so that those entities may better protect and defend themselves against cyber threats. The information sharing will come through reports to the targeted entity detailing the threat. The Executive Order contemplates providing classified cyber threat and technical information from the government to “eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”
The Secretary of Homeland Security also is required to identify critical infrastructure “where a cybersecurity incident could reasonably result in catastrophic regional or national effects on the public health or safety, economic security, or national security.” The Secretary is charged with coordinating the effort to identify critical infrastructure assets on a sector-specific basis with the aid of relevant agencies, independent agencies, and owners and operators of the critical assets in each sector.
The Executive Order discusses the need for government agencies to coordinate their efforts in compliance with the Order to ensure that privacy and civil liberty protections are incorporated. The Order also contemplates a collaborative process among government agencies, independent agencies and, directly and indirectly, with the owners of critical infrastructure assets and systems to identify and define what amount to best practices, best technologies and best systems, while eliminating ineffective, conflicting or excessively burdensome cybersecurity requirements.
Public utilities will have direct and actual knowledge of threats made against their facilities and should work now to ensure processes are in place to receive and address reports of threats to their facilities if ever needed. Once a cyber-threat report issues, there will be no time available to develop processes as action will be required and failure to have processes in place may have dire consequences for the owner or operator of the asset and, potentially, for the nation.