More than 15 years after the United States adopted the Internet, President Obama is finally trying to get the federal government to tackle the admittedly complex issue of cybersecurity. This article discusses the effort to establish a framework that enables the government and private enterprise to experiment with possible solutions to the problem of securing cyberspace from the threat of cyberattacks and intrusions. It also touches on similar initiatives in the European Union which present significant opportunities for collaboration on a global scale.

Executive Order 13636 — A New Framework to Improve Critical Infrastructure Cybersecurity

Critical infrastructure protection policy has been growing in importance over the last two decades. Many attempts have been made, both by the government and in the private sector, to address cybersecurity risks. However, cyberattacks, be they intentional or accidental, are increasing at an alarming pace and could disrupt the supply of essential services we take for granted, such as water, health care, electricity or mobile services. Further, cybersecurity incidents are becoming more complex and they respect no border.

According to the World Economic Forum, there is an estimated 10 percent likelihood of a major critical information infrastructure breakdown in the coming decade. The European Commission estimates that 150,000 computer viruses circulate every day and 140,000 computers are compromised daily. Symantec has calculated that cybercrime victims worldwide lose around US$380 billion each year, while a McAfee study puts cybercrime profits at US$980 billion a year. According to the Center for Strategic and International Studies (CSIS), the US economy lost an estimated US$300 billion in trade secrets last year alone.

The President’s Executive Order 13636 on "Improving Critical Infrastructure Cybersecurity," issued February 12, 2013 (EO 13636), recognizes these growing concerns and aims to establish a new security framework for critical infrastructure.

The Framework

EO 13636 aims to establish a policy which would enhance the security and resilience of the nation´s critical infrastructure, such as energy, transportation, banking and health care. A key element of EO 13636 is the development of a baseline framework that reduces cyber risks to critical infrastructure (the framework). Its principal requirements are set forth in Section 7 of the Executive Order.

Under Section 7, the Director of the National Institute of Standards and Technology (NIST) is tasked with developing a framework that shall include a set of standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risks.

The framework shall provide a prioritized, flexible, repeatable, performance-based and cost-effective approach that can help owners and operators of critical infrastructure to identify, assess and manage cybersecurity-related risks, while protecting business confidentiality, individual privacy and civil liberties.

The framework shall incorporate existing consensus-based standards and industry best practices and be consistent with voluntary international standards as well as with existing domestic provisional requirements, such as the National Technology Transfer and Advancement Act or the NIST Act.

Framework Development Process

In order to accomplish this mission, NIST plans to develop the framework through an ongoing, open public review and comment process with stakeholders in government, industry and academia to (i) identify cybersecurity standards, guidelines, frameworks and best practices that are already existing in the critical infrastructure sectors; (ii) specify high-priority gaps for which new or revised standards are needed; and (iii) collaboratively develop action plans by which these gaps can be addressed.

This engagement and consultation process started with a Request for Information on February 26, 2013 (Department of Commerce, NIST, Docket No. 130208119-3119-01), asking stakeholders to submit their ideas to assist NIST in prioritizing the work of the framework and in identifying the relevant performance needs of their respective sectors. Comments were due April 8, 2013.

Parallel to the Request for Information, NIST has also set up cybersecurity framework workshops, giving stakeholders the opportunity to engage with NIST and the framework developers face-to-face. The first of three planned workshops was held at the Department of Commerce in Washington, DC on April 3, 2013.

The preliminary version of the framework is to be published by the end of October 2013. The final version of the framework is due in February 2014.

Challenges for the Framework

In addition to the given timeline, EO 13636 directs NIST to undertake an enormous effort to develop a framework that will be applicable to different industry sectors and entities. The challenges will be complex:

  1. A wide variety of cybersecurity guidelines and standards already exists

The cybersecurity guidance arena is already crowded with procedures, relationships and standards. According to the Government Accountability Office report, Critical Infrastructure Protection: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use (December 2011, GOA-12-92), there are already up to 400 different cybersecurity guidelines available for entities within the critical infrastructure. Also, over the years federal law and policy have established roles and responsibilities for federal agencies trying to enhance the cyber and physical security of critical public and private infrastructures (e.g., The Homeland Security Act, establishing the Department of Homeland Security (DHS) in part to develop a comprehensive national plan for securing key domestic resources, and DHS´s National Infrastructure Protection Plan (NIPP)).

If the framework is to become the leading cybersecurity guide, NIST will need to leverage existing models, practices and standards and identify the guidance that is most effective and applicable to all sectors, owners and operators of the critical infrastructure.

  1. Critical infrastructure owners and operators are far from being a homogeneous group

According to EO 13636, NIST is to develop baseline guidance for cybersecurity. That means that NIST has to take into account that critical infrastructure entities are likely to vary in size and scale. Given the complexity of threats, the risks, and the different ways in which networks are configured and operated, the framework has to make certain that its recommendations can be implemented by all entities in the critical sectors — even by small and medium-sized ones that may lack the operational and financial resources to implement complex requirements. Thus cost-awareness and cost-effectiveness are likely to play a major role in the development process.

At the same time, this means that NIST will probably have to prioritize, since not all systems, assets and networks are critical or are critical to the same degree. If the framework attempts to protect everything at the same level, it risks becoming excessively broad and in the end, fails to become the ultimate cybersecurity guidance to all owners and operators of critical infrastructure.

  1. Framework and prescribed regulations

As the framework must reflect the dynamic nature of cyberattacks, its principles need to leave room for innovation and

flexibility. Therefore, the objective should be to establish a security guideline that leaves flexibility for owners and operators of critical infrastructure to innovate beyond those basic controls. In the long run, prescriptive regulation or other requirements could slow response times, exacerbate cyber incidents, and discourage innovative and evolving solutions to new and evolving threats. Fixed regulatory standards or checklists could limit owners and operators of critical infrastructure in managing their cybersecurity systems effectively in response to changing cyber threats.

In addition, a regulatory approach could have the negative side effect that private stakeholders could withdraw from participating, or not participate at all, in the framework development process due to a perceived sense of unwarranted, increased regulation. A performance-based or outcome-focused approach where only the required outcome is specified could leave the specific measures or techniques to achieve that outcome up to the discretion of the private entity in partnership with federal entities. Further, any attempt by the government to prescribe a particular cybersecurity solution bears the risk that the prescribed solution could be adopted by some, but not all entities of the critical infrastructure. The framework would also risk reducing itself to a compliance checklist that could, at best, be effective only against static threats.

  1. Global approach

Finally, the framework should be compatible with current and future international standards. As cybercrime respects no borders, governments across the world have started to develop cybersecurity strategies and to consider cyberspace an important international issue. In this respect, NIST should also focus on widely accepted international standards, because many online systems that are used around the world are incorporated in the US.

The harmonization with international standards would increase the likelihood that global operators in the critical infrastructure would adopt the framework. An initiative consistent with international standards would also reduce implementation costs. Globally acting entities would not have to implement different frameworks in different countries. Instead, they could use one single framework that matches cybersecurity requirements in many different parts of the world at the same time.

Moreover, a global approach could, in the long run, leverage the long list of existing cybersecurity methodologies, procedures and processes and also make the framework a truly leading and repeatable cross-sector security guideline.

Cybersecurity Strategy of the European Union

As governments across the world consider cybersecurity an increasingly important international issue, the European Commission with the High Representative of the Union for Foreign Affairs and Security Policy have just recently published a cybersecurity strategy, alongside a Commission-proposed directive on network and information security ("Directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union," 02/07/2013, COM(2013) 48 final, 2013/0027 (COD)).

According to the proposed Directive, the member states of the European Union (EU) have to put in place a minimum level of national capabilities by (i) establishing network and information security (NIS) national competent authorities; (ii) setting up well-functioning Computer Emergency Response Teams (CERTs); and (iii) adopting national NIS strategies and national NIS cooperation plans.

As the European Commission is not a standard-setting body, the Directive does not impose any specific technical standards or mandate particular technological solutions. This work will be left to the European Network and Information Security Agency (ENISA) and other standardization bodies.

The Directive does, however, impose a minimum level of security by obliging operators of critical infrastructure and public administrations to assess their cyberattack risks, to adopt appropriate and proportioned cybersecurity measures, and to report significant incidents on their core services to competent authorities.

Are the EU and US Approaches Different?

Whether the cybersecurity approach under the President’s EO 13636 and the cybersecurity strategy of the European Commission are different cannot be determined until the collaboration and engagement process with all relevant stakeholders under both strategies is completed. Both initiatives are still at the beginning stage of this process.

However, the EU approach under the proposed Directive seems to be more compulsory than EO 13636, as the proposed Commission’s legislation, as mentioned above, requires critical infrastructure operators to implement a risk management and reporting system. EO 13636 is more likely to contain only recommendations for operators of critical infrastructure, and its guidance is not thought to prescribe one type of security over another.

Despite this, the US and EU authorities should make every effort needed to collaborate and align their cybersecurity strategies. As both governments have just begun their initiatives, the time for collaboration seems to be now.

Jan-Michael Dierkes, Görg law firm, in Germany