As expected for many months, the Executive Order entitled "Improving Critical Infrastructure Cybersecurity" has been signed and released. There are numerous write-ups providing analysis and perspectives. My favorites so far are from DWT and an article from American Banker.
What is important is that businesses and leaders should weigh this against their own business. The first point: even if you are not plainly considered critical infrastructure, you should analyze whether and how you support those industries, because if you do, you will need to meet and participate in the set of requirements that will roll forward from this EO. The second point: if everybody is having serious problems maintaining their business' confidentiality, integrity of operations, and availability of services against foes, competitors, and nation states (as highlighted hundreds of times over the last few years), how can executives, senior leadership, boards of directors, and owners not consider this a risk that requires mature, top-performer attention?
As I reviewed the EO with several clients this week (I was both impressed with their interest and startled in some cases when the conversations shifted to "I don't have to do this... do I?"), I thought I would share several of the top points raised. I'll update the list below over the next few weeks as the discussions continue:
- “Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- "Virtual" is an interesting point that I raise below in the riddles.
- “4.12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.”
- The use of the phrase "timely" instead of "actionable" was a point that several clients highlighted. The difference is that "actionable" implies information shared closer to real time, while "timely" may not meet that test.
- [updated 2/18/13] “10.(c) Within 2 years after publication of the final Framework, consistent with.. and Executive Order.. (Identifying and Reducing Regulatory Burdens).., agencies..shall..report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements.”
- This is an important section that will hopefully drive cross-standard acceptance, and at least conform to the principle of establishing a unified corporate compliance framework, as I articulated in my book back in 2008.
A few riddles to debate and seek to understand:
- Is Amazon's AWS considered Critical Infrastructure? What about Microsoft Azure? Expand that generally: which elements of PaaS, SaaS, and IaaS are critical infrastructure?
- If they ARE the infrastructure (that whole "Cloud" thing is a pretty huge market, and it is not always well understood what has shifted to a Cloud architecture), what about the dependencies, to the point that the Critical Infrastructure itself relies on these services (logging, alerting, big data analytics, etc.)?