Kent Bressie and Madeleine Findley Analyze the Impact - Wiltshire ...

More documents

Recommendations

Info

the installation of underseacables in the navigable watersof the United States and incoastal estuaries pursuant tothe Rivers and Harbors Act of1899 and the Clean Water Act);and the U.S. Navy (which playsa key role in cable protectioninitiatives and works closelywith the State Department inprotecting treaty rights andfreedoms). Most of theseagencies are not even identifiedas stakeholders in the ExecutiveOrder or PPD. Even withinDHS, the agency componentmost versed in undersea cableissues—the Office of Policy,which acts for DHS in the TeamTelecom process—resides in acompletely different part of DHSfrom the National Programs andProtection Directorate, whichholds primary responsibility forcybersecurity matters.• Mandatory in All but Name.Although the program issupposedly “voluntary,” theExecutive Order requiresagencies to report annually onwhich owners and operatorsare participating—a “nameand shame” provision—and encourages agencies todevise incentives to encourageparticipation. In practice,program participation will be allbut mandatory.• New Requirements for Sales toGovernment Customers. TheDepartment of Defense (“DOD”)and the General ServicesAdministration (“GSA”)must also recommend how toincorporate the program intofederal procurement processes—13• Absence of Liability Protections.The cybersecurity informationsharingprogram contains noliability protection for industry.To obtain such protection, theCongress would need to passlegislation.
14further underscoring theessentially mandatory nature ofthe program. Federal law alreadyrequires industry to providecybersecurity information to GSAand DOD. The Executive Order,however, is likely to increaseongoing reporting obligationsfor federal contracts and to createnew compliance risks. Theserequirements would apply tocapacity sales to U.S. Governmentagencies, including the DefenseInformation Systems Agency.• Disparate Burden onInfrastructure Owners. TheExecutive Order createsobligations regarding bothphysical and virtual or cyberinfrastructure, but excludesfrom its scope “commercialinformation technology productsor consumer informationtechnology services.” As aresult, the Executive Orderclearly reaches physical networkand infrastructure providers,but may not clearly reachedge, application, and overthe-topproviders. Underseacable owners and operatorsmay find themselves subjectto additional regulatorycompliance requirements that donot apply equally to customersor end-users, and for whichthey may be unable to recovercosts. The Executive Order thusmay complicate commercialarrangements between networkor physical infrastructureproviders and edge or overthe-topproviders, and createambiguity about cybersecurityobligations and accountability.3. Initial Implementation Steps byNIST and DHSNIST began preparing forimplementation of the ExecutiveOrder and PPD long before the WhiteHouse issued final versions of thosedocuments, thereby underscoring theneed for early industry engagement.On February 12, 2013, NIST andDHS entered into a Memorandum ofAgreement (“MOA”) that sets forth theircollaboration plan for cybersecurityissues. Under the MOA, NIST agrees,among other things, to enable DHSparticipation in NIST-led engagementswith industry. DHS agrees to consultwith NIST on the metrics it intendsto use to measure the effectiveness ofcybersecurity programs.On February 26, 2013, NIST publishedin the Federal Register a Request forInformation (“RFI”) 4 to stakeholders,including critical infrastructureowners and operators, asking them toshare: (1) current cybersecurity riskmanagement practices; (2) current useof existing cybersecurity standardsand best practices; and (3) specificindustry practices concerning, amongother things, encryption and keymanagement, asset identification andmanagement, and security engineeringpractices. Stakeholders may submitresponses to the RFI until April 8, 2013.4. Congressional InitiativesCongressional action on cybersecurityremains likely. In the immediate4. NIST, Developing a Framework to Improve Critical Infrastructure Cybersecurity,78 Fed. Reg. 13,024 (Feb. 26, 2013).
Page 1 and 2: Voiceof theIndustry69m a r2013ISSN
Page 3: Cybersecurity Developments Raise Gr
Page 6 and 7: • Framework to Reduce CyberRisk t
Page 10 and 11: 15wake of the President’s action,

Kent Bressie and Madeleine Findley Analyze the Impact - Wiltshire ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?