Co-Authored by: Theodore J. Kobus III
A tempting response to the Cybersecurity Executive Order (the "Order"), announced by President Obama at his State of the Union address, is to ignore it. It is vague in key particulars, such as which companies are part of the "critical infrastructure" and therefore subject to the Order. The only immediate effect of the Order is to require various departments and agencies, led by the Department of Homeland Security ("DHS") to: (i) study issues; (ii) identify powers that can be exercised under existing laws; (iii) and come back with proposed plans of action. Maybe if we ignore it, it will go away.
But it won't. If you are a significant player in a regulated industry that that has already been identified by DHS as part of the critical infrastructure (which includes energy, health care, transportation, financial services, heavy manufacturing, food and drugs), if you are a government contractor, or especially if you are both - the Order is a statement of intent that should not be ignored.
The Administration has identified cybersecurity as "one of the most serious economic and national security challenges we face as a nation, but one that we as a government or as a country are not adequately prepared to counter." The Executive Order focuses on two solutions: 1) enhanced security standards; and 2) better sharing of information between government and the private sector.
While the Executive Order describes these security standards as "voluntary," it also directs regulators to identify "incentives" for adopting these standards. Incentives under consideration include potential preferred treatment for government contractors who participate.
With respect to information sharing, the Executive Order only specifically discusses the government sharing information with industry about identified threats. But the Administration has acknowledged that the achieving the goals of the Executive Order "will by necessity involve increased collaboration with the private sector and a whole-of-government approach." Initially this sharing may take the form of responding to questionnaires from the National Institute of Standards (NIST), or requests by the government to a company's security expert. Ultimately, be ready for requests for information related to cybersecurity threats coming from your regulators and government procurement officers.
What should you be doing now to prepare for the impact of the Executive Order on your company?
(1) Review your incident response policies and, if necessary, update them to address the concerns of this Executive Order. Historically, breach reporting obligations have focused on lost personally identifiable information and protected health information because state and federal laws have focused on these losses. The Executive Order focuses on "infrastructure threats" and includes risks posed by trade secret theft, cyber terrorism and hacktivism. Make sure that your policies in place adequately address identifying infrastructure threats and escalating those issues to the appropriate people within your organization. There are going to be "whistleblowers" waiting to assist you with making these disclosures if you are not willing to confront these issues head on.
(2) Look at your vendor lists and contracts. If you are not considered to be critical infrastructure, are your business partners? Are your business partners at risk for certain cybersecurity events like hacktivism and foreign government sponsored attacks? Are your key vendors demonstrating their readiness to you and should you be better protecting yourself in your contracts with these business partners?
(3) Establishing or upgrading security audits should be considered -- not just of your own house, but of your business partners as well. Increasingly government is not just looking at an organization, but an organization's business partners as well.
(4) Finally, develop a regulatory strategy. Just like any other government relationship, figure out how you are going to leverage your existing relationships to guide you through this process and what their expectations are. Government, whether as a regulator or a partner in the war against cyberterrorism, expects transparency, cooperation, and a good attitude. Think about reaching out and starting a dialogue about these challenges and concerns as we figure out how to combat these cyber attacks.